Operational Technology (OT) Breaches

IT/OT convergence is moving operations in manufacturing, shipping, utilities, and other operational technology (OT) industries to the hybrid cloud. This shift has opened doors to new attack vectors and prompted more interest from bad actors towards OT. This page lists some notable OT incidents.

Maersk Case

In 2017, Maersk was infected by the NotPetya malware, which brought down the vast majority of Maersk's critical network and rendered most end-user clients and applications useless. The malware also damaged the fixed-line phones and wiped out Outlook contacts, which disrupted corporate communication entirely and brought global operations to a halt. Almost the entire Maersk fleet was out of operation for about two weeks.

Faced with a malicious cyberattack, Maersk learned the hard way that its backup plan did not include images of its network setup. Fortunately, the company was able to retrieve an uninfected copy of its Active Directory from a Maersk office in Nigeria. That copy had survived thanks to a local power outage that had taken the server offline while the malware was spreading.

With that copy, and through a huge effort from the Maersk task team, the company was able to restore core access to its essential data. The Maersk team even established contact with the NotPetya creator and gained valuable insight into the malware. Maersk became the first corporation in the world to reverse engineer it.

The leader of Maersk's IT team, who steered the company through the attack, drew this lesson: "Automated detection and response are key. Automated protection is worth its weight in gold. And Privileged Access Management (PAM) takes on increasing importance. With a more limited number of privileged accounts, it is reasonable to assume that a much lower number of machines would have been infected, something like 5,000 rather than the 55,000 seen at Maersk." (Adam Banks, Chief Technology and Information Officer, Maersk)

Norsk Hydro Case

In 2019, Norsk Hydro experienced a disruptive attack involving LockerGoga, which brought the giant Norwegian aluminum business to its knees. LockerGoga is ransomware more sophisticated than NotPetya. It can log existing users off, change their passwords, encrypt files on servers across the network, and post ransom messages on the screens of infected computers demanding that the company pay in bitcoin to regain control.

The investigation found that the LockerGoga ransomware entered the Norsk Hydro environment when an employee opened an infected email sent from a trusted customer's account. The attack forced Norsk Hydro to switch to manual operations with pen and paper, and the company suffered tens of millions of dollars in damage. Even so, Norsk Hydro refused to pay the ransom and chose to be transparent about the cyberattack while actively seeking help from internal and external sources.

The attack is currently attributed to criminal hackers, but it remains under investigation. Norsk Hydro has recovered by gradually rebuilding its systems, improving its disaster recovery and backup plans, and putting more focus on cybersecurity threat mitigation.

Tower Semiconductor LTD. (TSEM) Case

In 2020, TSEM was hit by a ransomware cyberattack that forced the company to halt operations in certain manufacturing facilities as a preventive measure. TSEM reported having paid the ransom (approximately $250,000 in Bitcoin) in an attempt to resume normal operations, and Tower Semiconductor also implemented measures to keep the attack from spreading further. After paying the ransom, TSEM expected to return to normal operation almost immediately.

Florida Water Treatment Plant Case

In early 2021, a hacker gained remote access to the monitoring software of a Florida water treatment plant, software that can adjust the level of sodium hydroxide (lye) in the water.

The attacker attempted to raise the lye setpoint to 11,100 ppm, which could have severely harmed the health of the 15,000 residents served by the plant. Luckily, an employee noticed the suspicious remote session as the intruder moved the mouse on screen to change the lye setting. He quickly restored the normal settings and informed management, which disabled all remote access.

This attack is particularly serious because it could have caused physical harm or even casualties had it not been stopped. Two factors stand out. First, the plant ran an outdated operating system (Windows 7) that is no longer supported by Microsoft, leaving it exposed to the attacker.

Second, staff shared ungoverned accounts for remote access through the TeamViewer application.
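The Florida case turns on a single remote write pushing a dosing setpoint far outside anything the process could tolerate. The following is an added example, not code from the original page or from any vendor, of the kind of guard a defender would put on the HMI/SCADA write path: every setpoint write is checked against engineering limits and a maximum step size, and any write that arrives over a remote-access session raises an alert even when the value itself is legal, so an operator sees it without having to happen to be watching the mouse. The tag name, the limits, the session sources and the sample events are all constructed assumptions.

```python
"""Setpoint guard for an HMI/SCADA write path (constructed example).

Models the failure mode from the Florida water plant incident: a remote
session requests a chemical dosing setpoint far outside the safe envelope.
Tag names, limits and events below are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    low: float        # lowest safe setpoint, engineering units
    high: float       # highest safe setpoint
    max_step: float   # largest change permitted in a single write


# Assumed engineering limits for a lye (NaOH) dosing setpoint, in ppm.
LIMITS = {"naoh_setpoint_ppm": Limits(low=0.0, high=500.0, max_step=50.0)}


@dataclass(frozen=True)
class WriteEvent:
    tag: str
    current: float      # value the controller holds now
    requested: float    # value the session wants to write
    source: str         # "local_hmi" or "remote_session" (assumed labels)
    user: str


def evaluate_write(ev: WriteEvent, limits=LIMITS) -> dict:
    """Accept or reject one setpoint write and list the alerts it raises."""
    reasons = []
    lim = limits.get(ev.tag)
    if lim is None:
        reasons.append("unknown_tag")          # never write to an unlisted tag
    else:
        if not (lim.low <= ev.requested <= lim.high):
            reasons.append("out_of_range")
        if abs(ev.requested - ev.current) > lim.max_step:
            reasons.append("step_too_large")
    accepted = not reasons
    alerts = list(reasons)
    if ev.source == "remote_session":
        alerts.append("remote_write")          # alert on every remote write
    return {
        "tag": ev.tag,
        "user": ev.user,
        "accepted": accepted,
        # A rejected write leaves the controller at its current value.
        "applied": ev.requested if accepted else ev.current,
        "alerts": alerts,
    }


# Constructed sample events: a routine local trim, the attacker-style jump
# to 11,100 ppm over a remote session, and a legal but remote change.
SAMPLE_EVENTS = [
    WriteEvent("naoh_setpoint_ppm", 100.0, 110.0, "local_hmi", "operator1"),
    WriteEvent("naoh_setpoint_ppm", 100.0, 11100.0, "remote_session", "shared-tv"),
    WriteEvent("naoh_setpoint_ppm", 100.0, 120.0, "remote_session", "shared-tv"),
]


def process(events=SAMPLE_EVENTS) -> list:
    """Run the guard over a batch of writes and return the decisions."""
    return [evaluate_write(ev) for ev in events]


if __name__ == "__main__":
    for decision in process():
        print(decision)
```

The point of the `remote_write` alert is that the shared TeamViewer account in the incident would have produced a perfectly valid-looking login; the process limits stop the dangerous value, and the source flag surfaces the session to a human regardless of value.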

Colonial Pipeline Case

Colonial Pipeline supplies gasoline to the US East Coast and operates the largest petroleum pipeline in the United States. In 2021, Colonial Pipeline's systems went down for several days because of a cyberattack by a group of criminal hackers based in Eastern Europe called DarkSide.

The attack caused chaos in the East Coast gasoline supply chain, leading consumers to hoard gas and driving spikes in gas prices. It is considered the largest cyberattack on the energy industry in the United States. As a result of the ransomware attack, the company ended up paying at least 4.4 million USD in bitcoin to restore operations.

The investigation found that the breach may have originated from a leaked password for an old account that still had access to the virtual private network (VPN) used for remote access to the company's servers.

The account did not have multifactor authentication, so a username and password were all the hacker needed to gain access to the largest petroleum supplier in the USA. Intriguingly, Colonial Pipeline was able to recover part of the bitcoin it paid by following the trail from the hacker's wallet, and it resumed normal operations without a prolonged disruption to its fuel supply.

SSH.COM solutions for OT

PrivX OT Edition provides secure access management for critical Operational Technology (OT): Just-in-Time (JIT) and Zero Trust access for on-site and off-site operators and maintenance engineers.

