Ransomware scum have put a target on the no man’s land between IT and operations – Source: go.theregister.com

Source: go.theregister.com – Author: Jessica Lyons

Criminals who attempt to damage critical infrastructure are increasingly targeting the systems that sit between IT and operational tech.

These in-between systems are no man’s land, according to Tim Conway, the technical director of SANS Institute industrial control systems (ICS) programs. They’re not classic IT systems that run core business applications, or operational tech (OT) that drives heavy industrial infrastructure.

In the case of a petroleum pipeline, middle systems live in the facilities that store and distribute fuel, and separate home heating oil from gasoline, diesel, and jet fuel.

“It’s the system in the middle, and the impact of ransomware [on in-between systems] affects the integrity of the product,” Conway told The Register. Back to that petroleum pipeline: if the wrong product comes down the line, the system is no longer sound.

“You can’t continue to operate from a safety perspective. You’re not going to put jet fuel in a car. You’re not going to put home heating oil in a jet,” Conway said.

Getting to yes

All businesses have these middle systems, and digital crooks realize that encrypting them isn’t as difficult as developing ransomware to target OT. But the operational impacts of attacks on in-between tech can be worse than the effects of attacks on IT or OT, and this means the victims are more likely to pay the extortion demands.

“The IT side is how we manage our business, the OT side is why we’re a business, and as ransomware groups start to move closer and closer to those OT assets, it becomes a completely different discussion in boardrooms on do we pay, and how quickly do we pay,” Conway said.

He used an example of a pharmaceutical company at which attackers target in-between systems that print product labels to illustrate how these attacks change decision-making processes.

“If you were a pharmaceutical [company], and we wanted to cause problems in the batch or the dosage or blend of a particular drug. We might not be able to get deep into the network to those industrial control systems, but we could manipulate the product labeling so the label that gets stamped onto a particular pill is wrong,” Conway said. “It has the same result. All those things go out in the market. People get poisoned, people die.”

“If you start from the perspective of: ‘We don’t negotiate with terrorists, or we won’t pay ransom’ it’s one thing if you’re talking about data,” he added. “It’s another thing if you’re talking about human health and safety, and then it’s a completely different equation of: ‘Do we pay to save lives?’ And that’s an easy answer.”

A growing threat

Every year, SANS Institute experts research the most dangerous new attack techniques, then decide on the five they believe pose the greatest risk.

This year, two of the top five are specific to OT and ICS in critical infrastructure: ransomware and destructive cyber-attacks.

Ransomware gangs have shown a “definite movement toward critical infrastructure” according to Conway, who said there’s a simple reason for their changed behavior.

When it comes to critical services like water stations and energy grids, it’s easier for ransomware operators to infect the IT side of the house. This is what they did in the Colonial Pipeline attack. While that attack hurt the organization’s billing systems and led to panic buying and shortages at gas stations along the US East Coast, its OT, such as pumping systems, remained operational.

The Change Healthcare attack also involved ransomware aimed at IT systems and had a similarly disruptive impact on America’s healthcare system. The malware encrypted the payment processing and claims systems, which ultimately prevented pharmacies from filling patients’ prescriptions and meant hospital patients couldn’t receive needed medical treatment.

In the ransomware race, crims are moving closer to those OT assets.

Prior to 2024, just seven known malware variants targeted ICS. Last year, criminals created and deployed two more specifically designed to disrupt critical industrial processes.

“This is the sector to go after,” Conway said. “It’s faster to pay, and get back online quickly, so this is certainly shaping the behaviors of criminal financial groups to go after in big ways.”

Destructive ICS attacks

Ransomware crews aren’t the only miscreants targeting these sectors, however. Russia, China, and Iran have all tried to inflict damage on critical safety systems. And this brings us to SANS’ second ICS-specific threat: destructive ICS attacks from sophisticated nation-state actors.

“When we’re talking nation-state [attacks], you have a series of geopolitical events that have to occur before you start seeing activity in this area,” Conway noted, adding that during his nearly three decades in security, he can’t remember a time with so many simultaneous geopolitical conflicts.

“You look at the geopolitical situation with China and Taiwan, and you have that as a backstory of supply chain concerns,” he added.

This led to Chinese government groups burrowing into American energy grids, prepositioning for future destructive attacks, and attacking government, telecommunications, and IT service providers’ networks in the US and abroad.

“You look at what’s happening in Eastern Europe, with Ukraine and Russia, and we’re seeing more and more and more critical infrastructure focused attacks since 2022 than we had ever seen before,” Conway continued.

In a particularly grim scenario, Russian malware called FrostyGoop targeted temperature controllers that supplied central heating to more than 600 apartment buildings in Lviv, Ukraine, and shut off the heat to thousands of civilians during a period of sub-zero temperatures in January 2024.

“And then you look to the Middle East and the events that occurred in Israel on October 7 with groups coming out of Iran that say: ‘We are going to go after any country that’s using technology that’s made by Israel,’” Conway said.

He’s talking about CyberAv3ngers, an Islamic Revolutionary Guard Corps (IRGC)-affiliated group that broke into water systems in late 2023 and was later spotted using custom malware called IOCONTROL to attack and remotely control US and Israel-based water and fuel management systems.

This ability to remotely control and manipulate critical systems is especially dangerous, and it signals a shift in what attackers are doing with this illicit access, Conway added.

They’re no longer just trying to cause an outage. Instead, government-backed goons want to keep the systems up and running so they can cause damage across longer periods of time.

“If you just cause an outage, you’ve taken the bullet out of the gun, and that can be recovered in hours,” he explained.

On the other hand, if the ICS system remains “up and operational, you can manipulate it in ways where you cause equipment damage in that substation that take[s] anywhere from four to 18 weeks to replace,” Conway noted. “A large water pump or an aquifer could take years to replace.”

This requires a different approach to defending critical networks, he said. “Instead of thinking: How quickly can we restore? We need to pivot to [asking]: how quickly can we detect if an adversary is manipulating the system to cause destruction?” ®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/05/14/ransomware_targets_middle_systems_sans/
