A fake industrial prototyping company created by cybersecurity researchers has become the target of real-life cyber-attackers.
Researchers at Trend Micro established the faux firm and maintained it for a six-month period in 2019 to learn about the threats facing companies that use Operational Technology. The honeypot was compromised for cryptocurrency mining, targeted by two separate ransomware attacks, and used for consumer fraud.
The fake concern consisted of real industrial control systems (ICS) hardware and a mix of physical hosts and virtual machines that ran the factory. Among these machines were several programmable logic controllers (PLCs), human-machine interfaces (HMIs), separate robotic and engineering workstations, and a file server.
The honeypot went live on May 6, with a fake client base composed of large anonymous organizations from critical industries. By July 24, a threat actor had entered the fake company’s system and downloaded a cryptocurrency miner. Researchers observed the attacker returning regularly to relaunch their miner.
By August, researchers had observed multiple incidents of compromise, with one threat actor performing reconnaissance activities and another causing system shutdowns. Ransomware attacks using Crysis and a Phobos variant were carried out against the fake company in September and October, respectively.
Greg Young, vice president of cybersecurity for Trend Micro, said the research indicated that industrial companies are primarily vulnerable to bog-standard cyber-threats.
He said: “Too often, discussion of cyber threats to ICS has been confined to highly sophisticated, nation-state level attacks designed to sabotage key processes. While these do present a risk to Industry 4.0, our research proves that more commonplace threats are more likely.”
Young warned owners of small smart factories against the dangers of thinking that their company’s size makes them somehow immune to the threat of cyber-attack.
He said: “Owners of smaller factories and industrial plants should not assume that criminals will leave them alone. A lack of basic protections can open the door to a relatively straightforward ransomware or cryptojacking attack that could have serious consequences for the bottom line.”
Smart factory owners can reduce the risk posed by malicious threat actors by minimizing the number of ports they leave open and by strictly enforcing access control policies.