Uptime at Any Cost: Why Cyberactors Increasingly Targeted Manufacturing in 2021
As the COVID-19 pandemic forced people to spend more time isolated at home, they bought stuff. Home office equipment, televisions, video game consoles, manicure and pedicure tools, hair clippers, athleisure wear, books, and ingredients for sourdough starters were just some of the items that filled people’s physical and virtual carts as they tried to make their home life more enjoyable amidst lockdowns and closures. And despite many of these measures being lifted, the consumer demand for goods—not services—that took off in the second quarter of 2020 has not slowed down.
During the first quarter of 2022, 88.8 percent of surveyed manufacturers said they were positive about their company’s outlook and expected a 6.1 percent growth rate in sales during the next 12 months, according to the National Association of Manufacturers’ Manufacturers’ Outlook Survey.
“Demand for manufactured goods has remained strong despite a multitude of headwinds in the global economy,” the survey said. “The challenge for manufacturing firms has been in meeting that demand, with sizeable hurdles from supply chain disruptions, workforce shortages, soaring costs, and COVID-19.”
Another major hurdle that manufacturers were forced to clear in 2021 was a rise in cyberattacks. For the first time since 2016, manufacturing replaced financial services as the top attacked industry in 2021—representing 23.2 percent of the attacks that the IBM X-Force remediated last year. Most of these attacks were in the form of ransomware, according to the X-Force Threat Intelligence Index 2022.
“Sixty-one percent of incidents at Operational Technology (OT)-connected organizations last year were in the manufacturing industry,” the index found. “In addition, 36 percent of attacks on OT-connected organizations were ransomware.”
In an interview with Security Management, Charles DeBeck, senior cyber threat intelligence strategic analyst with IBM’s X-Force Incident Response and Intelligence Services, says he attributes the rise in attacks on the manufacturing sector to supply chain issues.
“Manufacturing was especially vulnerable and under a lot of pressure and stress to maintain their uptime,” DeBeck adds. “As a result, this made them a very tempting target to go after.”
For instance, in April 2021, Apple supplier Quanta Computer confirmed that it was the victim of a cyberattack targeting some of its servers. The REvil ransomware gang claimed at the same time that it had compromised Quanta and stolen blueprints for some of Apple’s newest products. Based in Taiwan, Quanta is a key player in Apple’s supply chain and provides services for Google parent company Alphabet, Facebook, and HP.
Bloomberg reported that REvil shared images on its Dark Web site that appeared to be schematics for a new Apple laptop. REvil pledged to continue sharing these files each day until Apple paid a ransom. REvil was later shut down by the Russian government agency, the Federal Security Service (FSB), and it’s not clear if a ransom was ever paid.
Infographic: 23.2 percent. Percentage of attacks that IBM X-Force remediated in 2021 that affected the manufacturing sector.
While this activity can be disruptive and expensive, other cyber threats can pose more serious ramifications for manufacturers. In 2021, Dragos—a cybersecurity firm specializing in detecting, monitoring, and mitigating threats to industrial control systems (ICS)—found that 65 percent of the incidents it tracked were focused on the manufacturing sector. Two ransomware groups, Conti and Lockbit 2.0, were responsible for 51 percent of the attacks.
“Some of these threats have shown the intent and capability to disrupt operations and even cause destructive effects,” Dragos explained in its 2021 ICS/OT Cybersecurity Year in Review report. “These threats may be in the early stages of their journey, and have only shown the intent to target industrial organizations by attempting to gain access to ICS/OT networks or collecting organizational information.”
One disruption in 2021 occurred when a malware intrusion hit Honeywell, impacting a limited number of its IT systems. Honeywell said in a statement that the intrusion did not have a “material impact” on the company, and that it had identified the point of entry, revoked all unauthorized access, secured its system, and notified law enforcement.
Honeywell is a major manufacturer, producing security equipment as well as products used by oil and gas manufacturers in North America. Dragos called the breach a “reminder of potential cyber threats to the manufacturing industry and the supply chain.”
The X-Force also identified another concerning trend that seemed to be on the rise in 2021 and into 2022: triple extortion.
“In this type of attack, threat actors encrypt and steal data and also threaten to engage in a distributed denial of service (DDoS) attack against the affected organization,” the index said. “This kind of attack is particularly problematic for organizations because victims have their networks held hostage with two kinds of malicious attacks—often simultaneously—and are then further victimized by the theft (and often leak) of data.”
Other business partners might be caught in the crossfire, too. The X-Force highlighted an observed increase in ransomware gangs targeting victims’ affiliates with separate ransom demands in exchange for preventing data leaks or business disruptions. For instance, a gang might pressure a business partner, such as an insurance provider or contractor, into paying a ransom to prevent client data from being leaked.
One of the groups engaged in this activity is ERYTHRITE. It targets organizations in Canada and the United States, including auto manufacturers, stealing user and administrative credentials for ICS/OT systems.
“ERYTHRITE performs highly effective search engine poisoning and deployment of credential-stealing malware,” according to Dragos, which has been tracking the group since May 2020. “Their malware is released as part of a rapid development cycle designed to be evasive to endpoint detection.”
Another group that targeted manufacturers during the first quarter of 2022 was the LAPSUS$ Group, which hit microchip company Nvidia on 23 February 2022 and took it offline for two days. Originally, some suggested that the incident was related to Russia’s invasion of Ukraine because Nvidia is one of the largest microchip providers for the United States.
But a statement from Nvidia said the company had no evidence the breach was related to the conflict.
“However, we are aware that the threat actor took employee passwords and some Nvidia proprietary information from our systems and has begun leaking it online,” the company said. “Our team is working to analyze that information. All employees have been required to change their passwords.”
LAPSUS$ also threatened to leak corporate data unless Nvidia paid a ransom and demanded that Nvidia remove limitations in a series of its firmware, potentially to help gamers and the crypto mining community because Nvidia graphics cards can detect when they are being used for crypto mining, according to Malwarebytes Labs.
Authorities arrested teenagers allegedly behind the LAPSUS$ group following a series of ransomware incidents. While this may have disrupted operations, the group could rebrand and continue to target others later in the year, according to X-Force research.
The incidents at Honeywell and Nvidia illustrate that the pressure to have systems up and continuously running can stress security maintenance, potentially making manufacturers more vulnerable to compromises.
“An alarming 47 percent of attacks on manufacturing were caused due to vulnerabilities that victim organizations had not yet or could not patch, highlighting the need for organizations to prioritize vulnerability management,” the X-Force report explained.
This is difficult for manufacturers because vulnerabilities are on the rise and their systems are often highly complex and require multiple different patching styles, DeBeck explains. Additionally, some legacy systems are difficult to patch because “old systems are tough to update appropriately, or there might not be significant available support for them,” he adds.
The number of manufacturing industry incidents that Dragos investigated in 2021 raised some “troubling trends” when the company paired that information with assessments that found the manufacturing sector is “often the least mature in their OT security defenses,” according to the report.
Based on its analysis, Dragos assessed that 90 percent of the manufacturers it evaluated had limited visibility into their networks, 90 percent had poor network perimeters, 80 percent had external connectivity, and 60 percent shared credentials.
“Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations and OT environments, whether through the integration of OT kill processes into ransomware strains, the existence of flattened networks to prevent ransomware from spreading into OT environments, or through operators shutting down OT environments as a precaution while they attempt to stop IT ransomware from spreading to OT systems,” Dragos elaborated.
To help mitigate these threats, DeBeck says it’s important to prioritize and determine what needs to be addressed first. Manufacturers should conduct a strategic assessment of their threat profile and identify what’s most critical—what the crown jewels are and what protection of those assets looks like.
Both the X-Force report and the Dragos report provide additional steps manufacturers can take to monitor their systems and mitigate threats. Both groups, however, stressed that manufacturing will continue to be a target in 2022.
DeBeck, for instance, is monitoring threats to the supply chain that might impact other organizations.
“When you have organizations critical to others’ functionality, you can have critical downstream impacts,” he says. “We’ve seen incidents—and Nvidia is a good example—of an impacted organization that’s part of an overall ecosystem. Security practitioners need to be thinking, ‘What are the risks—and our risk profile—based on incidents like that?’”