In an era of unprecedented uncertainty, with so many devices scattered throughout enterprise networks, it’s challenging for OT and Industrial Control Systems (ICS) security professionals to keep pace with security demands.
Recent incidents and the large-scale disruptions and cost of ransomware operations illustrate the growing impact of cyber threat activity on enterprise risk across all industry segments. This risk is increasingly difficult to control and mitigate across both IT and OT environments.
While running industrial systems is eased by virtualization in the cloud and the advance of internet-connected devices, these technologies are also introducing new vulnerabilities and risks. In particular, edge devices, such as Internet of Things (IoT) objects, switches and routers, control data flowing in and out of the organization. Bordering IT and OT environments, they are critical to OT security, and breaches of them can provide direct access into OT environments, completely bypassing IT networks.
Security leaders must demonstrate to the C-suite and the board that they understand the importance of both the continuity of operations and working in partnership with the whole business to effectively manage risk.
Our cyber threat intelligence and incident response analysts have gained first-hand visibility into the tactics, techniques and procedures (TTPs) employed by some of the most sophisticated cyber adversaries. This report reflects our analysis during the first half of calendar year 2021.
Accenture analysis in the first half of 2021 identified four trends affecting the IT and OT landscape:
Ransomware actors test new extortion methods
Ransomware actors are expanding data leak extortion and devising new methods to pressure victims. Response options are becoming more complicated.
Targets are shifting: Attacks in the first months of 2021 targeted critical infrastructure and upstream providers, such as data-rich insurance companies.
Tactics are toughening: Ransomware negotiator Coveware reported multiple cases in late 2020 where data was destroyed rather than just encrypted, preventing data retrieval even after ransom payment.
Extortion is becoming personal: New exposure tactics, pioneered in 2020, have gathered speed, compounding data leak extortion damage, adding reputation damage to victim liability lists.
Tactics, Techniques, and Procedures (TTPs) are more advanced: Accenture CTI identified notable defense evasion tactics with Hades ransomware operators using tooling and hands-on-keyboard actions to disable endpoint defenses.
Organizations should focus on preparation, prevention and pre-encryption defenses.
Cobalt Strike is on the rise
The current high-profile success of Cobalt Strike abuse means the tool’s popularity is growing, a trend that will almost certainly continue through 2021.
Cobalt Strike is proliferating: Although in use for more than a decade, the number of Cobalt Strike-enabled attacks reportedly increased by 163% between 2019 and 2020.
Attack tools are evolving: Threat actors are developing their own custom loaders to deliver Cobalt Strike, such as those that facilitated the SolarWinds campaign.
Malware is merging: For the first time, Accenture CTI has identified overlaps between the infrastructure of the information-stealing malware EvilGrab and Cobalt Strike Beacon in early 2021.
Organizations need to adopt new defensive tools that can counter the growing threat posed by the abuse of penetration-testing tooling in critical production environments.
Commodity malware can invade OT from IT space
High-volume crimeware is a danger at the endpoint, enabling further intrusions within a victim network that can threaten both IT and OT systems.
First-stage commodity malware enables the deployment of further malware at the endpoint.
Second-stage commodity malware, or pseudo-malware such as pirated and abused Cobalt Strike instances, is follow-on malware that increases the risk of an infection spreading throughout an organization’s infrastructure and even to OT assets if configured for that purpose.
Active malware campaigns observed include Qakbot, IcedID, DoppelDridex and Hancitor.
Organizations need to consider prevention, rather than response, as the most effective defense against commodity malware threats.
Dark Web actors challenge IT and OT networks
Threat actors meet in forums to increase their pressure tactics, learn how to bypass security protections and find new ways to monetize malware logs.
CLOP and Hades ransomware are changing the game: Public reporting in early 2021 tied CLOP ransomware actors to a series of global data breaches exploiting a recently discovered vulnerability in the widely used Accellion File Transfer Appliance (FTA). Hades ransomware actors also gained traction in early 2021 and demonstrated their ability to bypass Endpoint Detection and Response tools [1] and reach edge devices and OT networks.
Information is easy to buy and even easier to use: Accenture CTI observed a slight but noticeable increase in threat actors selling malware logs, which constitute data derived from information stealer malware.
Organizations need to share information among defenders to understand, prevent, identify and respond to threat activity.
[1] Welling, Eric, “It’s getting hot in here! Unknown threat group using Hades ransomware to turn up the heat on their victims,” Accenture, March 26, 2021.