Fake Factory Network Attacked With RAT, Ransomware and Malware
Researchers simulated a real-looking “Industrial prototyping” organization with fake employees, PLCs, and websites to study the types of cyber-attacks that commonly on such networks.
The plan was to create such a legitimate-looking network that no one could even doubt it’s being phony and to accumulate serious information related to cyber-threats and attacks to study and analyze them.
Behind researching these threats and attack mechanisms the motive was to dig out the threats that the “Industrial control system” (ICS) sector faces today.
Per sources, the sham company specifically let some ports of its network be susceptible to attack and Voila! It got hit with the most cliché of attacks that any IT network faces, including, Ransomware, Malware, Remote Access Trojans (RAT), Crypto-jacking, Online fraud and the “botnet-style” malware which hit the network’s robotic workstation.
A couple of the attackers went as far as shutting the factory via the HMI, locking the screen and opening the “log view of the robot’s optical eye”.
While one of the few attackers of the more mischievous inclinations worked on tactics like circumventing the robotics system to shut the HMI application and ultimately powering down the entire system, the others started the company network back and shut the bogus conveyor belt and then shut the network back again.
Per sources, the fake factory network was constructed of real ICS hardware and an amalgamation of physical hosts and virtual devices, mainly a Siemens S7-1200 PLC, an Omron CP1L PLC and two Allen-Bradley Micrologix 1100 PLCs.
The researchers as bait also used the common exposed passwords on the internet for the network’s administrative security, which happens to be a very basic mistake in the ICS sector.
The PLCs were used to imitate real processes like controlling the burner, the conveyor belt and palletizer for piling pallets using robotic arms. The plant network had three VMs including an engineering workstation for programming, a robotics workstation and HMI for controlling the factory.
Allegedly, per reports, later on, the fake network also opened up Remote Desktop Protocol, EtherNet/IP, and Virtual Network Connection ports to lure in more attackers.
Another attack that the researchers found out which deeply exhausted the server’s capacity, was for crypto-currency mining unlike what they thought it to be.
Per reports, the network was also attacked with ransomware called “Crysis”, which kept the network down for around four days while negotiating which led to HMI being locked down and loss of visibility into the plant operations.
If only the network were real, this ransomware would have wreaked major havoc owing it to 4 entire days of no production. This clearly reflects the kind of jeopardy the ICS sector could face.
One of the researchers pretending to be a worker at the fake company emailed the attackers to return their files and also mentioned that how they were working for a very important client and wanted to immediately run the production back.
The ransom stopped at $6,000 in email-exchange which didn’t need to be paid given that they already had backups and therefore were able to re-construct their systems. Following this little incident, another ransomware which goes by the name of “Phobos” tried to binge on the network.
And then came the attacker with quite a sense of humor. With a data destruction attack disguised as ransomware, the attacker renamed the network’s ABB Robotics folder. And when they didn’t agree to pay the ransom the attacker wrote a script that made browsers to porn sites appear whenever the network was started.
Hence, pretty evidently, in addition to never letting VNCs open without passcodes and reusing passwords across different systems, the researchers say, that this fake “Network” had everything that must NOT be done to keep the ICS sector safe and secure.