
OT Data Stolen by Ransomware Gangs can Fuel Other Sophisticated Attacks, Reveals Research

Data leaks have been a matter of security concern for organizations, especially when they include highly-sensitive information. The exposure of such data can cause damage to reputation, legal penalties, loss of intellectual property, and even impact the privacy of employees and customers. 

Leaked data of any kind is a serious security challenge, but leaks that expose details of an organization's Operational Technology (OT) security, production processes, operations, or technology are more dangerous still: they hand an adversary reconnaissance that would otherwise take months of intrusion to gather.

Key observations

  • In 2021, Mandiant Threat Intelligence observed that over 1,300 organizations in the critical and industrial sectors were impacted by ransomware attacks.
  • The attackers stole and disclosed terabytes of sensitive data on their data leak sites.
  • This included network and engineering diagrams, images of operator panels, and information on third-party services, among others.

In-depth findings of exposed technical details

  • According to Mandiant researchers, one in every seven of these leaks posted on ransomware extortion sites in 2021 included sensitive OT documentation.
  • In one incident, the data stolen from a manufacturer of industrial and passenger trains included credentials for an OEM, the control architecture and communication channels of European tram vehicles, and backups of Siemens TIA Portal PLC project files.
  • In another case, the data compromised at two oil and gas organizations included network and process documentation, such as diagrams, HMI screens, and spreadsheets.
  • Meanwhile, the data stolen from a satellite vehicle tracking service provider contained product diagrams, visualizations, and source code from a proprietary platform.
  • Additionally, the data pilfered from a renewable energy producer included legal contracts and agreements with third-party companies.
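The categories above (PLC project files, network and engineering diagrams, HMI screens, credentials, third-party agreements) are what a defender should look for when triaging a dump, either their own organization's or a leak site posting. The following Python script is an added example and is not code from Mandiant or from this article: it buckets a file listing into those categories. The Siemens TIA Portal (.apNN, .zapNN) and classic STEP 7 (.s7p) extensions are real; every other keyword rule and the sample listing are assumptions constructed for illustration.

```python
"""Triage a leaked-data file listing for OT-sensitive material (added example)."""
import re
from collections import defaultdict

# Category -> regexes applied to the lower-cased, forward-slashed path.
# Siemens TIA Portal projects are .apNN (optionally .apNN_N, e.g. .ap15_1) and
# project archives are .zapNN; classic STEP 7 projects are .s7p. The keyword
# rules for the other categories are assumed heuristics, not a Mandiant rule set.
RULES = {
    "plc_project": [
        r"\.z?ap\d{2}(_\d)?$",
        r"\.s7p$",
        r"(^|/)tia[ _-]?portal/",
    ],
    "engineering_diagram": [
        r"\.(vsd|vsdx|dwg|dxf)$",
        r"(network|topology|p&id|architecture|diagram).*\.(pdf|png|jpe?g)$",
    ],
    "hmi_screenshot": [
        r"(hmi|scada|operator|panel|wincc).*\.(png|jpe?g|bmp)$",
    ],
    "credentials": [
        r"(password|passwd|credential|login|vpn).*\.(xlsx?|csv|txt|docx?|kdbx)$",
    ],
    "third_party": [
        # Boundaries keep 'nda' from firing on 'standard' or 'sla' on 'translation'.
        r"(^|[/_ .-])(contracts?|agreements?|nda|sla|vendor|oem)([/_ .-]|$)",
    ],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in RULES.items()}

# Constructed sample listing; these are not paths from any real leak.
SAMPLE_LISTING = [
    "Engineering/TIA Portal/LineA_Controller/LineA_Controller.ap15_1",
    "Engineering/Backups/Tram_PLC_2021.zap16",
    "Engineering/Legacy/Boiler1.s7p",
    "Network/Plant_Network_Topology_v3.vsdx",
    "Network/OT_Architecture_diagram.pdf",
    "Operations/Screens/HMI_Furnace_Overview.png",
    "Operations/Screens/vacation_photo.jpg",
    r"IT\Access\OEM_remote_access_passwords.xlsx",
    "Legal/Contracts/Vendor_Maintenance_Agreement_2020.docx",
    "HR/Payroll_March.xlsx",
]


def normalize(path):
    """Dumps mix Windows and POSIX listings: unify separators and case first."""
    return path.replace("\\", "/").lower()


def classify_path(path):
    """Return every category whose rules match. A path may land in several
    (an OEM credential sheet is both 'credentials' and 'third_party')."""
    p = normalize(path)
    return [cat for cat, pats in COMPILED.items() if any(r.search(p) for r in pats)]


def classify_listing(paths):
    """Map each category to the original (un-normalized) paths that hit it."""
    hits = defaultdict(list)
    for path in paths:
        for cat in classify_path(path):
            hits[cat].append(path)
    return dict(hits)


def summarize(paths):
    """Counts for a quick 'does this dump contain OT documentation?' answer."""
    hits = classify_listing(paths)
    flagged = {p for ps in hits.values() for p in ps}
    return {
        "total": len(paths),
        "flagged": len(flagged),
        "by_category": {cat: len(ps) for cat, ps in hits.items()},
    }


if __name__ == "__main__":
    for cat, paths in classify_listing(SAMPLE_LISTING).items():
        print(f"{cat}: {len(paths)} file(s)")
        for p in paths:
            print(f"  {p}")
    print(summarize(SAMPLE_LISTING))
```

The rules are deliberately loose: when reviewing a leak, a false positive costs a minute of analyst time, while a missed PLC project backup hands an adversary the exact logic running on the plant floor. Tune the keyword lists to the naming conventions of the environment being assessed.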

The concerning part

  • Unauthorized access to this type of data lets attackers mount more capable and more precisely targeted cyber-physical attacks, since the reconnaissance of the control environment has already been done for them. 
  • Furthermore, threat actors can select targets based on the readily available sensitive data about a victim's infrastructure, assets, security flaws, and processes. Such data gives them an accurate picture of the target's culture, plans, and operations before a single packet is sent. 

The bottom line

Attacks that build on this depth of cyber-physical reconnaissance data are likely to produce more significant and precise impacts. Prominent attacks from the past that relied on detailed knowledge of the target's OT environment include the Ukraine power outages in 2015 and 2016 and the TRITON incident. With so much sensitive data at threat actors' disposal, they can use it to learn about an organization, to satisfy their curiosity, or simply to reshare the contents.
Cyware Publisher