CyberWire Daily - Implications of data leaks of sensitive OT information. [Research Saturday]
Episode Date: March 19, 2022Guest Nathan Brubaker from Mandiant joins Dave Bittner on this episode to discuss Mandiant Threat Intelligence's research: "1 in 7 Ransomware Extortion Attacks Leak Critical Operational Technology Inf...ormation." Data leaks have always been a concern for organizations. The exposure of sensitive information can result in damage to reputation, legal penalties, loss of intellectual property, and even impact the privacy of employees and customers. However, there is little research about the challenges posed to industrial organizations when threat actors disclose sensitive details about their OT security, production, operations, or technology. In 2021, Mandiant Threat Intelligence continued observing ransomware operators attempting to extort thousands of victims by disclosing terabytes of stolen information on shaming sites. This trend, which Mandiant Threat Intelligence refers to as “Multifaceted Extortion,” impacted over 1,300 organizations from critical infrastructure and industrial production sectors in just one year. Nathan walks us through their research and findings. The research can be found here: 1 in 7 Ransomware Extortion Attacks Leak Critical Operational Technology Information Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K. Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Our partners in ITU have been kind of tracking this stuff a bit more closely than we had.
I noticed that there had been some media attention to a couple of different specific
leaks over the past couple of years. We were curious and dug a bit deeper and found quite a bit of OT,
like pretty much everything an attacker would ever want to plan any type of attack, essentially.
That's Nathan Brubaker. He's a director at Mandiant.
The research we're discussing today is titled
One in Seven Ransomware Extortion Attacks Leak Critical Operational Technology Information.
And now, a message from our sponsor, Zscaler,
the leader in cloud security.
Enterprises have spent billions of dollars
on firewalls and VPNs, yet breaches continue to rise Thank you. exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
And so that really piqued our interest,
and we were a bit concerned about,
obviously very concerned about what potential information
would be out there in one of our many customers.
And so
we kind of kicked off this process, which is enormous. It was an enormous lift. And it wasn't
like we worked 24-7 on this, but it's a good kind of back project to have. From a scale perspective,
to give you an idea, we calculated out about there were 20, about 2600 leaks that probably
600 leaks that probably happened roughly in the 2021 timeframe for the year of 2021.
And then to kind of scope our research, we essentially cut that in half by trying to look for organizations that likely had OT in their networks or control systems with
the hopes that we would not have to waste our time on the other 1300 that didn't. And so from there, we had about, like I said, 1,300 organizations. And to get that even
kind of cut down even farther, since that would be many hundreds of terabytes of data,
we started to dig through and look at, one, there's challenges for downloading these leaks
because they're owned and operated on sites by actors that don't have the greatest infrastructure.
And or there might be dozens of people trying to download them.
Some of the data might be corrupted or things like that.
So based on our kind of initial triage from just a technical perspective, is it possible?
Some of the data, to give you an idea, even if we could download it, would take many days to download just for one of those 1,300 leaks.
So we could do a couple of different things to kind of scope that down.
Like I said, some of it relates to, is the data in there even usable from a technical perspective?
And we just kind of discarded anything that wasn't since we had such a huge data set.
And then from there, some actors would actually provide file listings and things like that.
And we also have some tooling that allows us to go through those kind of parsed lists
to give us an idea about what might be of interest in these different data sets or different leaks.
And from there, we were able to scope it down to a couple hundred
samples. And we essentially did more of the same, but a bit deeper for those couple hundred and got
to about 70 that we eventually did much more in-depth analysis of. So to give you a farther
idea about the scope of this, 70 of them, we don't know the exact file size because it's enormous and really hard to calculate,
but I would guess in the 20 to 30 terabyte range
for those 70 leaks.
And so that's clearly an enormous amount of information
to go through.
And really, one huge takeaway
that I kind of want to highlight up front here
is we took a very, very wide rather
than deep approach to this. As you can kind of tell, if you take a look at the blog, we have a
graphic on there that kind of shows you these different numbers I'm talking through. But we,
to get through that 30 terabytes, 20, 30 terabytes, we essentially went through each one. And once we
found some OT or ICS documentation, we stopped there and moved to the next one. Now, this is not what an
actor would do. An actor most likely would have more constraints on resourcing than we would,
and or would have a much more focused interest. And so if they, for example, had a specific target
that they're looking for, they could monitor for leaks related to that target. And when one pops
up, they could then go
and dig through that specific leak or theoretically buy access to the leak before anyone else has
access, as some actors do that. But once they are focused only on, for example, we routinely focus
on individual targets during our research and focusing our efforts on a much smaller data set allows us to
derive a lot more data. So this is all to say, I would expect those kind of 10 different leaks that
we found data in is probably a very small actually sample of what is actually out there. Certainly in
those 10, I would imagine there's quite a bit more OT documentation. And I would also hazard a guess
that there's quite a bit more in many of the others as well.
Yeah, I mean, your report talks about this notion of multifaceted extortion,
which certainly anyone who's been following the evolution of ransomware is aware that,
you know, the ransomware actors kind of upped their game to the point where it wasn't just
that they were locking up your files, they were exfiltrating them,
and then part of the threat was that they were going to share them.
And that's really what you're digging into here.
Can you give us some insights as to how easy it is to find and access these files?
Is it exclusive or is it out there for just about anybody who's interested to go out and grab them?
Yeah, so a bit of both, right?
Some of the files, as I kind of mentioned before, are available for purchase.
They may give a teaser or something like that.
And if someone buys it, they can get exclusive access.
So there may be many more data sets or dumps that are not available publicly.
But all of this stuff, the 2,600 leaks,
and really down to whatever we ended up downloading,
were all freely available,
and we didn't have to sign up for anything
or get special access to get to.
Anyone with a Tor browser can get to these,
and some know how, clearly.
To give you an idea, actually,
many actors actually put this type of listing,
or at least that it's coming out on different
social media sites to kind of get people to their sites. So you don't even need to be on
Door Browser to see it coming. Can you give us an idea of the breadth of things that we're
talking about here, the actual data that's available? Yeah. Anything you could imagine, essentially. So we obviously
focused on the OT side of things. I briefly did want to talk about, there's obviously everything
else for the most part is IT related. And I don't want to downplay the criticality of that data
because any actor, no matter who they are and what kind of activity they want to carry out,
will likely need access to all of that IT data as well.
So even an attacker that's focused on an OT,
very specific cyber-physical attack that they want to cause a very specific outcome,
whatever it may be, they need to gain access to their systems initially.
So they would use much of the HR data, other types of purchasing data,
things like that to get a good insight into
what the company looks like and how to fish to gain initial access and then pivot around.
And all those things are really, really valuable from an initial compromise perspective.
And then also just getting to OT.
All that data that we actually found related to OT is all exactly what our red teamers
are looking for when they're going out on engagements,
trying to gain access to OT and planning to carry out a specific attack.
So I could go through a couple of them.
I mean, it's essentially anything from one of the most robust leaks had essentially like
all credentials for almost everything, documentation on process flows, on wiring diagrams, just really anything you could ever imagine,
which is very terrifying. But that was one very, very egregious leak. But then there's others where
it would be a bit less, or at least what we found would be a bit less, but still concerning. For
example, there are, and in the report we talk about more more. We have an appendix for our freemium subscribers.
We found information on a range of different specific targets.
We obviously have their names and stuff, but redacted it for this report.
And I will note, we have contacted anyone that would be relevant to help mitigate some of the risk on these things.
But we found things from pretty concerning organizations, like specifically a control systems integrator.
So those folks that are working with lots of different customers.
And this is one area where it's a common and an always dangerous kind of attack vector because it's an engineer or someone else coming in that's not part of your organization accessing your systems. And so this is like,
you know, if you go upstream, you can bypass some of the controls on systems. And we've seen this
at Mandiant historically, where a third party comes in to do, you know, whatever type of work
on the system, plugs into a network, opens up a direct path to the internet, and then that brings
in a threat actor. So that's just one case, a bit interesting.
There's a lot of the other ones are lots of similar types of documentation
on how their specific processes work,
lots of different information on accounts, accesses, credentials, things like that.
But there are interesting things like,
specifically from a satellite vehicle tracking service provider that we found on there.
They had like actual source code for one of their proprietary platforms that they use to track automobile fleets like using GPS and allows them to to an extent interact with some of those systems or some of those vehicles. We found a decent amount of information on the hydroelectric energy producer,
pictures of like HMIs,
guides on how to use different types of things.
Really, like I said,
all the things that an actor would need
to plan and potentially carry out a sophisticated attack.
If you are an actor with the goal
of causing some specific outcome from an attack,
and by this I mean like blowing something up theoretically if you want to go extreme.
But also you could just cause one process to change in a larger industrial process.
You need to have a very, very deep understanding for the most part of how that process works.
Because if you make one change upstream in the process, it's really hard to understand
because there's a lot of things that
play there from physics to engineering to chemistry that it's really difficult to calculate out
without adequate information and expertise. And so all of these kind of internal documents that
talk about those things and help identify how that process actually flows through to the end
product will help an actor plan out an attack like that
and also understand what the implications of their actions are.
So will it turn on alarms?
How do they mitigate those alarms?
All that kind of stuff.
You mentioned the challenge of merely downloading terabytes of information
that you were able to grab,
but then the next heavy lift is actually analyzing all of that data.
And that was a challenge as well.
Yeah, so we initially used some off-the-shelf tooling.
And I'll be honest, we have a bunch of internal tools already
that we use to track different data dumps and things like that as a company.
So it's important to note that because unless you're a pretty sophisticated actor,
you probably don't have that.
But that's kind of why I mentioned up front, most actors are going to focus on a couple of specific one or more specific targets.
And so they won't need to go through quite the level of effort that we did.
But yeah, we kind of used some off-the-shelf tooling to begin with and where we could, we did that. And then we also build out some capabilities
internally to be able to better triage some of this just huge amounts of data. But I'll be honest,
in the end, a lot of the work was manual and it was people going through file listings and looking
at pictures and stuff like that. And these people are folks who know OT and ICS. And when they see
something, they'll know it's something of interest. And so we do
have an advantage there. And so if we're talking about kind of lower sophistication actors that
are looking to just poke around and do some things, they can certainly find some stuff of
interest. The impact of that is probably going to be a lot less critical than a well-resourced
industry competitor or a sophisticated actor supported by a government
or something like that. Can you give me some insights, you know, for folks who are not in
the world that you're in of this kind of analysis? What are the ethical concerns that come into play
here? When you're, you know, grabbing files that have already been stolen by someone else and put out there in public.
You know, the things that are in these files aren't, they're not Mandiant's business. You know,
the people out there, they don't want anybody to look at this stuff. Do you have to come at this
as knowing that you're a, you know, a good faith, good actor, and that your intentions are good,
and you're going to notify the people whose information you've found?
Yeah, I mean, it would probably be worse if we didn't do this, right?
So the alternative is no threat researcher does any research like this.
No one knows that they have any problem or they can kind of just turn a blind eye.
The issue here is, especially with OT data, this stuff doesn't change that much.
So a typical life cycle could be for tech in OT could be like 20 to 30 years
relative to the couple years in IT. And so if you have a tremendous amount of documentation that is
not going to be changed or the process it's documenting is not going to be changed for the
next decade or two, then you're in greater trouble than not knowing that these things are there.
Because maybe you forget about this in five or 10 years and an actor gets a hold of it.
And if it's 80% is still relevant, then that's a big concern.
So from our perspective, you know, we are certainly coming at this from a, we're here to help.
And like the one reason I love working for many is we are not ambulance chasers.
We don't do any of that.
I get to do whatever I think is valuable for our customers.
And also, honestly, we do a tremendous amount of work for folks who are not our customers.
So you mentioned kind of victim notification. So yeah, if we find things of value that we have
concerns about, we will notify whoever it is. And we have an organization internally that
helps set up these calls and talk to these organizations and offer support, much of it free. And then
obviously, like if people want to buy support, they can. But we have done a lot of good doing
this. And I'll be honest, there's probably no one that would do this type of work unless you
paid them a lot of money or they're a threat actor trying to do some bad things. So the
organizations are essentially getting free work out of us. So for the most part, people we've
talked to have been appreciative.
So what are your recommendations here?
I mean, based on this information that you've gathered, how can organizations protect this data knowing that this is one of the ways that it's being gathered up and shared?
Let's start if you haven't had an incident or that you don't know of one, then that's great.
And it's time to prepare for one because most organizations are going to have some sort of
security incident. Hopefully it's not bad, but you want to be ready. And so you can do things like
strengthen data handling policies, ensure information and access as an available to
people who should not have it. Really, really limit the amount of OT information that is passed
into IT wherever possible. And obviously, protect OT as best as possible. And there's a whole range
of things you could do there. But if you have had a leak like this, then it's important to
understand what's been leaked and mitigate as much as possible. And so you can do things like,
we have a deeper kind of technical list
of things that you can go through if you're curious on kind of what you could do, but you're
going to have to go through the information and that's going to be one of the bigger lifts.
Once you know kind of what your risk profile is or what the threat is, then you can start to
mitigate. But like, for example, if you want to address this before something happens, Mandiant
and others have offerings that allow you to kind of simulate this type of threat activity.
So see if actors can get into your networks and steal information of value.
Our red team routinely does this and customers find a lot of value about kind of the stuff that's exposed that they wouldn't expect or the ways in which actors can get through their networks to OT really easily.
they wouldn't expect or the ways in which actors can get through their networks to OT really easily.
Is this also the kind of thing where having someone keeping an eye on things from a threat intelligence point of view will help you know when these things are out there?
Yeah, certainly. There's always a need, well, for one, to have a robust multi-layered defense,
but also visibility into the threat landscape is really important, right?
So many organizations we talked to may not have known that their data was stolen. Now, for the
most part, if you are ransomed and the actor's trying to make money, they're going to tell you,
hey, I have your data and so forth. But I mean, most people don't know what to do then. The nice
thing is Mandiant has worked for decades now on this type of activity, negotiating with actors
and getting data back.
And so we are not only prepared to help remediate and respond, but also we have unparalleled visibility into the threat landscape, both from a kind of dark web perspective, but also
based on all of our, you know, thousands of hours of incident response that we do every year,
not to mention all of our kind of threat research from an intelligence perspective.
Our thanks to Nathan Brubaker from Mandiant for joining us. The research is titled,
One in Seven Ransomware Extortion attacks leak critical operational technology information.
We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your
company safe and compliant.
cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Justin Sabey, Tim Nodar,
Joe Kerrigan, Kirill Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.