Cyber-attacks against industries such as mining and metallurgy

Industrial espionage, intellectual property theft or paralysis of activity are some targets of cyber-attacks against industries

Almost a year ago, the Canadian mining company CMMC suffered a ransomware attack that forced it to isolate the infected operations and paralyze technological equipment, including the mill, to assess the status of its industrial control system (ICS). A few weeks before the incident, a company employee’s login credentials were traded on the Dark Web.

This case, which affected a mining company that produces 100 million pounds of copper equivalent annually, is evidence of the level of impact cyber-attacks can have against industries such as mining and metallurgy.

The extractive and heavy industries are at the forefront of applying the technological breakthroughs of recent decades. Robotization, process automation, the use of artificial intelligence (AI), or the extension of IIoT (Industrial Internet of Things) devices are critical to these industries’ operations and their ability to be competitive.

1. ICS systems are critical assets for industries

How are all these developments being managed in significant industries? We must turn to a concept we mentioned earlier: industrial control systems (ICS). The National Institute of Standards and Technology (NIST) defines ICS as: «information systems used to control industrial processes such as manufacturing, product handling, production, and distribution». Under the ICS denomination, we can find:

• Supervisory control and data acquisition (SCADA) systems are essential for controlling industrial processes and managing data processing.
• Distributed process systems (DCS) are used to control the most complex and large-scale industrial processes in industries such as metallurgy or pharmaceuticals.
• Programmable Logic Controllers (PLCs), which automate processes such as assembly lines.

Given their relevance in the operation of industrial companies, methodologies have increased in recent years to help companies protect these systems. Without going any further, the MITRE ATT&CK framework, a global standard for understanding malicious actors’ tactics, techniques and procedures (TTPs), has a specific matrix for ICSs.

The digitization of sectors such as mining or metallurgy and the implementation of ICS systems to automate and optimize processes brings with it a handicap: their level of cyber exposure is growing, and the possibility of cyber-attacks is increasing. Why? The larger the technological infrastructure of a company and the higher its degree of criticality for the organization’s operation, the more attractive the company will be to cybercriminals (for example, when demanding a ransom) and the more dangerous it will be for its competitors.

2. Advanced persistent threats against the industry

What kind of malicious actors are behind cyber-attacks against industries? These are professionalized criminal groups with the resources and expertise to implement advanced persistent threats (APTs) successfully. In other words, threats that:

• Deploy sophisticated tactics, techniques and procedures to overcome companies’ detection controls.
• Seek to achieve the maximum possible persistence, which means that criminals go undetected for an extended period to maximize the impact of their actions (deployment of ransomware, intellectual property theft, exfiltration of confidential information, etc.).
• They pose a severe threat to companies, which can suffer from the paralysis of ordinary activities to physical harm to individuals, as well as financial losses and reputational damage.
• They are launched against specific targets.

Cyber-attacks against industries have very ambitious objectives (damaging ICS systems, undermining business continuity, stealing industrial property, etc.), which entail greater economic and time investment and intelligence capabilities. This is why APT groups, many of them sponsored by states, are the main actors that carry them out, either on their initiative or because companies have hired them to attack a competitor company.

3. Attack vector: Stealing remote access credentials

As we saw in the case reported at the beginning of this article, the attack vector used by malicious actors is often the theft of credentials to gain remote access to a company’s systems. Why? It focuses on the weakest point in the security of most companies and institutions: people.

How does one go about stealing a professional’s credentials with access to a company’s systems? Often, the social engineering-malware pairing comes into play. Thanks to spear phishing campaigns, it is possible to get an employee to download malware that steals his credentials unintentionally. In addition, the rise of teleworking and the use of personal devices to carry out professional tasks have diluted the security perimeter of companies, making it difficult to protect them and to prevent and detect incidents.

Is the theft of remote access credentials the only attack vector? No, cybercriminals can also resort to other strategies. For example, exploiting zero-day vulnerabilities in a company’s technological infrastructure or deploying malware such as keyloggers.

Remote access credential theft is resorted to because it does not require significant technological and human resources. It is a more straightforward attack vector to exploit than identifying and exploiting zero-day vulnerabilities before corporate security teams mitigate them. Moreover, as we saw in the case of the mining company CMMC, credentials can be purchased directly on the Dark Web.

4. Industrial espionage for competitive advantage

What are the targets of cyber-attacks against industries? The first one to point out is associated with a practice that, in one way or another, has accompanied the advancement of humankind since time immemorial: industrial espionage.

Some cyber-attacks against industries such as metallurgy or mining seek to infiltrate an organization’s systems not to torpedo its operation and undermine business continuity but to gather crucial confidential information, for example, regarding the research they are conducting to develop new technology.

To sell it to competitors who can profit from knowing a rival company’s secrets.

Industrial espionage is a criminal practice with a long history that has become more sophisticated thanks to the technological revolution of recent decades.

This kind of cyber-attack against industries can be very lucrative because companies may be willing to pay very high amounts of money to steal and sell critical information that translates into competitive advantages.

5. Theft of intellectual and industrial property

An essential aspect for any industrial organization is undoubtedly its intellectual and industrial property, protected by law and a vital asset for any business. Even more so nowadays, when the technological infrastructure of companies is essential for them to be able to carry out their activities with maximum efficiency.

Therefore, cyber-attacks against industries that aim to steal industrial property to sell it to the highest bidder:

• A very attractive criminal business that can yield substantial profits.
• Economic and reputational damage for companies that have invested significant resources in acquiring or developing technology and techniques protected by intellectual or industrial property.

6. Ransomware to threaten business continuity and extort money from companies

Another classic objective of cyber-attacks against industries is to deploy ransomware to hijack sensitive data, thereby threatening business continuity.

In exchange for restoring access to the hijacked information, cybercriminals demand a ransom payment, warning that confidential information will be published on the Dark Web if their demands are unmet. Another example of a ransomware attack against a mining company was suffered by Fortescue Metals, the fourth-largest global exporter of iron ore, just before the summer. This security incident, claimed by the Russian APT group Cl0p, resulted in data theft from corporate networks.

If ransomware is widespread, it can bring industries to a standstill and cause economic losses that undermine their business models. Does this mean that companies should give in to blackmail by criminals? No. Because it would mean funding criminal groups to continue developing cyberattacks, coupled with the message of how lucrative it is, there is no certainty that the malicious actors will keep their word and return the hijacked information so that corporate systems can return to normal operations.

7. The importance of the supply chain

The complexity of the technological infrastructure of industries also means that their supply chains are becoming increasingly complex.

As we have pointed out on other occasions, supply chain attacks are nowadays one of the greatest threats to companies in all kinds of sectors, including industry. It is, therefore, essential to increase the level of protection of software and hardware from the design phase and throughout their lifecycle. This includes, of course, the monitoring of software or hardware components from third parties.

Earlier this year, the multinational mining company Rio Tinto suffered a ransomware cyberattack that exploited a vulnerability in the GoAnywhere file transfer software. The APT group Cl0p, to which we have just referred, exploited this zero-day vulnerability to exfiltrate the company’s and its employees’ confidential data.

Therefore, securing the supply chain and conducting security tests that include the analysis of third-party software and hardware is essential to prevent cyber-attacks against industries.

8. Cyber-attacks against industries will be hybrid for the foreseeable future

Beyond the current cyber-attack trends against industries, some of the keys to the coming years can already be glimpsed.

In this regard, the European Union Agency for Cybersecurity (ENISA) has recently published a report on the main threats that European companies, institutions and citizens will face between now and 2030. One of these threats is focused on the industrial sector: advanced hybrid threats.

What are these cyber-attacks against hybrid industries? Competing companies hire criminals and infiltrate corporate systems to gather confidential information on research, technologies and business techniques. ENISA warns that malicious actors can:

• Retrieve metadata.
• View code.
• Set up a machine learning algorithm to pick up code changes.
• Bypass security controls and malicious activity detection mechanisms.

At the same time, they complement the attack by spreading fake news about third-party companies that are competitors and creating false evidence of a physical intrusion to mislead security teams and stay as long as possible to meet their industrial espionage objectives.

9. Consequences of cyber-attacks against industries

In light of the critical aspects of cyber-attacks against industries that we have explored, we can list a series of direct consequences of this type of incident for companies operating in the secondary sector:

1. Economic severe losses as a consequence of the paralysis of industrial processes, but also of the theft of intellectual and industrial property.
2. Weakening of their market position. Industrial espionage serves to know exactly how the competition operates, what they are investigating, and to take measures to cut their market position. Thanks to cyber-attacks against rival industries and companies, it is possible to gain competitive advantages over the attacked companies.
3. Deterioration of the company’s image and loss of trust among customers and partners. Security incidents damage corporate reputation, and if they result in the exfiltration of customer data, the consequences can be even more severe. Likewise, for companies in the industrial sector, the partners they work with are crucial, and a successful cyberattack can affect their credibility and the level of trust they inspire in other organizations.
4. Damage to people’s health. If a cyberattack disrupts the functioning of an ICS, it can not only paralyze its operation but cause material and personal damage. After all, human beings work in factories, mines, or oil rigs, and their physical safety may be compromised. The protection of people is a growing concern in the field of cybersecurity.

10. Improving resilience to cyber-attacks against industries.

Given the level of expertise and resources of the criminal groups that launch cyber-attacks against industries and the technical complexity of their TTPs, companies in sectors such as mining or metallurgy need teams of proactive Threat Hunting and Threat Intelligence experts.

Why? They will help them improve their resilience against advanced persistent threats and update their security strategies continuously to anticipate malicious actors and take the lead on issues such as hybrid cyber-attacks.

In this regard, Tarlogic’s Threat Hunting and Threat Intelligence teams, each from a different approach, continuously monitor the most relevant APT groups to study their TTPs and optimize identification and detection capabilities and, with them, the defensive capabilities of companies in the sector.

In addition, professionals specialized in Red Team services can design specific engagement exercises to study how an organization responds to security incidents such as those described in this article, in which the persistence of malicious actors is essential.

Thanks to these engagement exercises, information can be gathered to improve defensive capabilities, help security teams train in real-world scenarios, and increase their effectiveness in detecting and responding to cyberattacks against industries.

In short, cyber-attacks against industries are a reality that challenges thousands of companies worldwide. The technological commitment of these companies to become more efficient and competitive brings with it an increase in their cyber exposure. It makes them targets for cybercriminals but also for their rivals.