One in seven ransomware targets Operational Technology data

According to Mandiant's analysis, Operational Technology data theft is attempted in one in seven ransomware attacks.

Posted on 02 February 2022 by Valentina Bernocco

At one time, ransomware simply aimed to make quick money by blackmailing undifferentiated victims, encrypting their data or otherwise locking them out of their computers or smartphones. Today it is a complex and diverse threat in which, alongside immediate monetization, data theft serves purposes ranging from industrial espionage to sabotage of the affected companies. A new analysis by Mandiant reveals that about one in seven ransomware attacks targets critical data from Operational Technology (OT), which is present not only in industrial production but also in critical infrastructure, oil & gas, aerospace, transport, engineering and other fields.

The consequences are many: the theft of critical OT data can disrupt the operation of services, can cause reputational damage and legal problems, complete with fines to be paid, and can also violate the privacy of corporate employees and customers. Mandiant speaks of "multifaceted extortion", indicating the many forms of blackmail carried out by cybercriminals, and in 2021 there were reportedly at least 1,300 victims of this phenomenon.

Typically, each breach yields terabytes of stolen data to the attackers, which is then posted online on data leak or "public shaming" sites. By analyzing a semi-randomized sample of these datasets, both with automated tooling and manually, Mandiant's researchers found a significant amount of sensitive OT documentation: network diagrams, engineering schematics, control panel images, information on third-party services, administrator passwords, and also data relating to industrial processes, projects in progress and employees.

Among the specific cases described are a train manufacturer (from which access credentials, various documents and backup files were stolen), two organizations in the oil & gas sector (detailed documentation on networks and processes), a control systems integrator (engineering documents on its clients' projects), a hydroelectric power producer (financial and accounting data, but also lists of names, emails and employee login credentials), a provider of geolocation services (product diagrams, screenshots and source code of its proprietary platform), and a renewable energy producer (contracts between the company and its customers).

Mandiant itself acknowledges that if the investigation had dug deeper, rather than limiting itself to a representative sample, it would probably have uncovered further thefts. Even from this analysis it is possible to infer that, among the industrial companies hit by ransomware, one in seven has also suffered the theft of critical operational technology data. Once published online, this data becomes a springboard not only for the work of cybersecurity researchers, as in this case, but also for competitors of the victim company or, worse, for other cybercriminal actors.