Implications of data leaks of sensitive OT information.
Dave Bittner: Hello everyone and welcome to the Cyber Wires Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Nathan Brubaker: Our partners in IT who have been kind of tracking this stuff a bit more closely than we had, had noticed that there had been some media attention to a couple of different specific leaks over the past couple of years. were curious and dug a bit deeper and found quite a bit of OT, like, pretty much everything an attacker would ever want to plan any type of attack, essentially.
Dave Bittner: That's Nathan Brubaker. He's a director at Mandiant. The research we're discussing today is titled, "One in Seven Ransomware Extortion Attacks Leak Critical Operational Technology Information."
Nathan Brubaker: And so that really piqued our interest. And were a bit concerned about – obviously, very concerned about what potential information would be out there in one of our many customers. And so we kind of kicked off this process, which is enormous – it was an enormous lift, and it wasn't like we worked 24/7 on this, but it's a good kind of back project to have. From a scale perspective, to give you an idea, we calculated out about there were 2,600 leaks that probably happened roughly in the 2021 time frame, for the year of 2021. And then to kind of scope our research, we essentially cut that in half by trying to look for organizations that likely had OT in their networks or control systems with the hopes that we would not have to waste our time on the other 1,300 that didn't. And so from there, we had about, like I said, 1,300 organizations.
Nathan Brubaker: And to get that even kind of cut down even further, since that would be many hundreds of terabytes of data, we started to dig through and look at, one, there's challenges for downloading these leaks because they're owned and operated on sites by actors that don't have the greatest infrastructure, and/or there might be dozens of people trying to download them. Some of the data might be corrupted or things like that. So, based on our kind of initial triage, from just a technical perspective, isn't possible, some of the data, to give you an idea, even if we could download it, would take many days to download just for one of those 1,300 leaks.
Nathan Brubaker: So, we could do a couple of different things to kind of scope that down. Like I said, some of it relates to, is the stuff even – is the data in there even usable from a technical perspective? And we just kind of discarded anything that wasn't, since we had such a huge data set. And then from there, some actors would actually provide file listings and things like that, and we also have some tooling that allows us to go through those kind of parsed lists to give us an idea about what might be of interest in these different data sets or different leaks. And from there, were able to scope it down to a couple hundred samples, and we essentially did more of the same but a bit deeper for those couple of hundred and got to about seventy that we eventually did much more in-depth analysis of.
Nathan Brubaker: So, to give you a further idea about the scope of this, seventy of them – we don't know the exact file size, because it's enormous and really hard to calculate, but I would guess in the twenty to thirty terabyte range for those seventy leaks. And so, that's...
Dave Bittner: Wow.
Nathan Brubaker: ...Yeah, that's clearly an enormous amount of information to go through. And really one huge takeaway that I kind of want to highlight upfront here is we took a very, very wide rather than deep approach to this, as you can kind of tell. If you take a look at the blog, we have a graphic on there that kind of shows you these different numbers I'm talking through. But to get through that thirty terabytes – twenty, thirty terabytes, we essentially went through each one, and once we found some OT or ICS documentation, we stopped there and moved to the next one. Now, this is not what an actor would do. An actor most likely would have some more constraints on resourcing than we would, and/or would have a much more focused interest. And so if they, for example, had a specific target that they're looking for, they could monitor for leaks related to that target. And when one pops up, they could then go and dig through that specific leak, or theoretically buy access to the leak before anyone else has access, as some actors do that.
Nathan Brubaker: But once they, like, are focused only on – for example, we routinely focus on individual targets during our research and focusing our efforts on a much smaller dataset allows us to derive a lot more data. So this is all to say, I would expect those kind of ten different leaks that we found data in is probably a very small actually sample of what is actually out there. Certainly in those ten, I would imagine there's quite a bit more OT documentation, and I would also hazard a guess that there's quite a bit more in many of the others as well.
Dave Bittner: Yeah, I mean, your report talks about this notion of multifaceted extortion, which, you know, certainly anyone who's been following the evolution of ransomware is aware that, you know, the ransomware actors kind of upped their game to the point where it wasn't just that they were locking up your files, they were exfiltrating them. And then part of the threat was that they were going to share them. And that's really what you're digging into here. Can you give us some insights as to how easy it is to find and access these files? Is it exclusive, or is it out there for just about anybody who's interested to go out and grab them?
Nathan Brubaker: Yeah, so, a bit of both, right? Some of the files, as I kind of mentioned before, are available for purchase, before they may give a tease or something like that. If someone buys it, they can get exclusive access. So there may be many more data sets or dumps that are not available publicly. But all of this stuff, the 2,600 leaks and really down to whatever we ended up downloading, were all freely available and we didn't have to sign up for anything or get special access to get to, anyone with a Tor browser can get to these and some know how, clearly. To give you an idea, actually, many actors actually put this type of kind of listing, or that at least that it's coming out, on different social media sites to kind of get people to their sites. So you don't even need to be on Tor browser to see it coming.
Dave Bittner: Can you give us an idea of the kind of the breadth of things that we're talking about here, the actual data that's available?
Nathan Brubaker: Yeah, it's anything you could imagine, essentially. So, we obviously focused on the OT side of things. I briefly did want to talk about, there's, obviously everything else, for the most part, is IT-related. And I don't want to downplay the criticality of that data, because any actor, no matter who they are and what kind of activity they want to carry out, will likely need access to all of that IT data as well. So even an attacker that's focused on an OT, very specific cyberphysical attack that they want to cause a very specific outcome, whatever it may be, they need to gain access to those systems initially. So they would use much of the HR data, other types of, like, purchasing data, things like that, to get a good insight into what the company looks like and how to phish to gain initial access and then pivot around. And all those things are really, really valuable from an initial compromise perspective, and then also just getting to OT.
Nathan Brubaker: All of that data that we actually found related to OT is all exactly what our red teamers are looking for when they're going out on engagements, trying to gain access to OT, and planning to carry out a specific attack. So, I could go through a couple of them. I mean, it's essentially anything from – one of the most robust leaks had essentially, like, all credentials for almost everything, documentation on process flows, on wiring diagrams – just really anything you could ever imagine, which is very terrifying. But that was one very, very egregious leak.
Nathan Brubaker: But then there's others where it would be a bit less, or at least what we found would be a bit less, but still concerning. For example, there are – and in the report we talk about more and we have an appendix for our premium subscribers – we found information on a range of different specific targets. We obviously have their names and stuff, but redacted it for this report. And I will note we have contacted anyone that would be relevant to help mitigate some of the risk on these things. But we found things from, like, pretty concerning organizations, like, specifically, a control systems integrator. So, those folks that are working with lots of different customers. And this is one area where it's a common and an always dangerous kind of attack vector because it's, you know, an engineer or someone else coming in that's not part of your organization accessing your systems. And so this is like, if you go upstream, you can you can bypass some of the controls on systems.
Nathan Brubaker: And we've seen this at Mandiant historically, where a third party comes in to do whatever type of work on the system, plugs into a network, it opens up a direct path to the Internet, and then that brings in a threat actor. So, that's just one case, a bit interesting. There's – a lot of the other ones are lots of similar types of documentation on how their specific processes work. Lots of different information on, like, accounts, accesses, credentials, things like that.
Nathan Brubaker: But there are interesting things like, specifically, from a satellite vehicle tracking service provider that we found on there. They had, like, actual source code for one of their proprietary platforms that they use to track automobile fleets like using GPS and allows them to, to an extent, interact with some of those systems or some of those vehicles. We found a decent amount of information on a hydroelectric energy producer, pictures of, like, HMIs, guides on how to use different types of things. Really, like I said, all the things that an actor would need to plan and potentially carry out a sophisticated attack.
Nathan Brubaker: If you are an actor with the goal of causing some specific outcome from an attack, and by this I mean like blowing something up, theoretically, if you want to go extreme. But also you could just cause one process to change in a larger industrial process. You need to have a very, very deep understanding for the most part of how that process works, because if you make one change upstream in the process, it's really hard to understand, because there's a lot of things that play there from physics to engineering to chemistry, that it's really difficult to calculate out without adequate information and expertise. And so all of these kind of internal documents that talk about those things and help identify how that process actually flows through to the end product, will help an actor plan out an attack like that, and also understand what the implications of their actions are. So, will it turn on alarms? How do they mitigate those alarms? All that kind of stuff.
Dave Bittner: You know, you mentioned the challenge of of merely downloading, you know, terabytes of information that you are able to grab. But then the next heavy lift is actually analyzing all of that data, and that was a challenge as well.
Nathan Brubaker: Yeah. So, we initially used some off the shelf tooling. And I'll be honest, we have a bunch of internal tools already that we use to track different data dumps and things like that as a company. So it's important to note that, because unless you're a pretty sophisticated actor, you probably don't have that. But that's kind of why I mentioned up upfront, most actors are going to focus on a couple of specific, one or more specific targets. And so they won't need to go through quite the level of effort that we did. But yeah, we kind of use some off-the-shelf tooling to begin with, and where we could, we did that. And then we also build out some capabilities internally to be able to better triage some of this just huge amounts of data.
Nathan Brubaker: But I'll be honest, in the end, a lot of the work was manual and it was people going through file listings and looking at pictures and stuff like that. And these people are folks who know OT and ICS, and when they see something, they'll know it's something of interest. And so, we do have an advantage there. And so if we're talking about kind of lower sophistication actors that are looking to just poke around and do some things, they can certainly find some stuff of interest. The impact of that is probably going to be a lot less critical than a well-resourced industry competitor or a sophisticated actor supported by a government or something like that.
Dave Bittner: Can you give me some insights, you know, for folks who are not in the world that you're in, of this kind of analysis, what are the ethical concerns that come into play here? When you're, you know, grabbing files that have already been stolen by someone else and put out there in public, you know, the things that are in these files aren't – they're not Mandiant's business. You know, the people out there, they don't want anybody to look at this stuff. Do you have to come at this as knowing that you're a, you know, a good faith, good actor, and that your intentions are good and you're going to notify the people whose information you've found?
Nathan Brubaker: Yeah, I mean, it would probably be worse if we didn't do this, right?
Dave Bittner: Yeah.
Nathan Brubaker: If no threat researcher does any research like this, no one knows that they have any problem, or they can kind of just turn a blind eye. The issue here is, especially with OT data, this stuff doesn't change that much. So a typical lifecycle could be for a tech in OT, could be like twenty to thirty years, relative to the couple of years in IT. And so if you have a tremendous amount of documentation that is not going to be changed, or the process it's documenting it's not going to be changed for the next decade or two, then you're in greater trouble than than not knowing that these things are there, because, you know, maybe you forget about this in five or ten years and an actor gets a hold of it, and if eighty percent is still relevant, then that's a big concern.
Nathan Brubaker: So, from our perspective, you know, we are certainly coming at this from a, we're here to help. And like the one reason I love working for Mandiant is we are not ambulance chasers. We don't do any of that. I get to do whatever I think is valuable for our customers. And also, honestly, we do a tremendous amount of work for folks who are not our customers. So, you mentioned kind of victim notification. So yeah, if we find things of value that we have concerns about, we will notify whoever it is. And we have an organization internally that helps set up these calls and talk to these organizations and offer support, much of it free. And then obviously like if people want to buy support, they can. But we have done a lot of good doing this. And I'll be honest, there's probably no one that would do this type of work unless you paid them a lot of money or they're a threat actor trying to do some bad things. So yeah, the organizations are essentially getting free work out of us. So, for the most part, people we've talked to have been appreciative.
Dave Bittner: So what are your recommendations here? I mean, based on this information that you've gathered, how can organizations protect this data knowing that, you know, this is one of the ways that it's being gathered up and shared?
Nathan Brubaker: Let's start if you haven't had an incident or that you don't know of one, then that's great, and it's time to prepare for one, because most organizations are going to have some sort of security incident. Hopefully it's not bad, but you want to be ready. And so you can do things like strengthen data handling policies, ensure information and access isn't available to people who should not have it. Really, really limit the amount of OT information that is passed into IT wherever possible, and obviously protect OT as best as possible. And there's a whole range of things you could do there. But if you have had a leak like this, then it's important to understand what's been leaked and mitigate as much as possible.
Nathan Brubaker: And so you can do things like we have a deeper kind of technical list of things that you can go through if you're curious, on kind of what you could do. But you're going to have to go through the information and that's going to be one of the bigger lifts. Once you know kind of what your risk profile is or what the threat is, then you can start to mitigate. But like, for example, if you want to address this before something happens, Mandiant and others have offerings that allow you to kind of simulate this type of of threat activity. So, see if actors can get into your networks and steal information of value. Our red team routinely does this, and customers find a lot of value about kind of the stuff that's exposed that they wouldn't expect, or the ways in which actors can get through their networks to OT really easily.
Dave Bittner: Is this also the kind of thing where having someone keeping an eye on things from a threat intelligence point of view will help you know when these things are out there?
Nathan Brubaker: Yeah, certainly. There's always a need, for one, to have a robust, multilayered defense. But also visibility into the threat landscape is really important, right? So, many organizations we talk to may not have known that their data was stolen. Now, for the most part, you know, if you are ransomed and the actor is trying to make money, they're going to tell you, hey, I have your data and so forth. But I mean, most people don't know what to do then. The nice thing is Mandiant has worked for decades now on this type of activity, negotiating with actors and getting data back. And so we are not only prepared to help remediate and respond, but also we have unparalleled visibility into the threat landscape, both from a kind of dark web perspective, but also based on all of our thousands of hours of incident response that we do every year, not to mention all of our kind of threat research from an intelligence perspective.
Dave Bittner: Our thanks to Nathan Brubaker from Mandiant for joining us. The research is titled, "One in seven Ransomware Extortion Attacks Leak Critical Operational Technology Information." We'll have a link in the show notes.
Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.