Malware, IoT botnets and the Russia/Ukraine war were the biggest factors in threats to manufacturing and energy systems, says a US analyst.
The latest IoT security report from Nozomi Networks Labs found that malicious IoT botnet activity was on the rise and growing in sophistication in the first half of 2022, driven by China and the US.
Since Russia began its invasion of Ukraine in February, the researchers saw activity from several types of threat actors, including hacktivists, nation-state APTs, and cyber criminals. They also observed the robust usage of wiper malware, and witnessed the emergence of an Industroyer variant, dubbed Industroyer2, developed to misuse the IEC-104 protocol, which is commonly used in industrial environments.
Nozomi Networks Labs set up a series of honeypots to attract malicious botnets and capture their activity in order to provide additional insights into how threat actors target IoT. In this research, Nozomi Networks Labs analysts uncovered growing security concerns for both hard-coded passwords and internet interfaces for end-user credentials.
March was the most active month, with close to 5,000 unique attacker IP addresses collected. The top attacker IP addresses were associated with China and the United States.
Manufacturing and energy continue to be the most vulnerable industries, followed by healthcare and commercial facilities, with the number of impacted vendors up 27% and affected products up 19% from the second half of 2021.
A wiper is a type of self-replicating malware that erases all data or renders it useless. These are often used in cyber warfare, with the intention of causing an enemy to lose access to critical data by seeking out specific files and deleting them from the hard drive completely.
In February, the US Cybersecurity and Infrastructure Security Agency (CISA) published an alert describing the types of destructive malware used to target various organizations in Ukraine, rendering computer systems inoperable:
- HermeticWiper overwrites the master boot record, rendering the operating system unable to boot. HermeticWiper was used in conjunction with HermeticWizard, which provided worm functionality to spread HermeticWiper across entire networks.
- IsaacWiper, also used in conjunction with HermeticWizard, overwrites user files with random data, rendering any attached storage disk unusable.
- CaddyWiper works similarly to other wipers and attempts to replace victim files with “null” data and then wipe the master boot record (MBR), corrupting the victim’s stored data.
- WhisperGate was discovered by Microsoft Threat Intelligence Centre (MSTIC) and aims to erase data, rendering devices inoperable.
“This year’s cyber threat landscape is complex,” said Roya Gordon, Nozomi Networks OT/IoT Security Research Evangelist. “Many factors including increasing numbers of connected devices, the sophistication of malicious actors, and shifts in attack motivations are increasing the risk for a breach or cyber-physical attack. Fortunately, security defences are evolving too. Solutions are available now to give critical infrastructure organizations the network visibility, dynamic threat detection, and actionable intelligence they need to minimize risk and maximize resilience.”
The report also points to the Lapsus$ threat group, which the FBI added to its Most Wanted list for “Cyber Intrusions of United States-Based Technology Companies.” The group was responsible for several high-level cyberattacks in February and March of 2022, including attacks on Nvidia, Samsung, and Microsoft.