Industrial hacking threatens industry


Hackers threaten industrial companies and permanently endanger production.

(Photo: Continental)

Cologne. Highly sensitive information is presumably being offered publicly for sale. The hacker group “Lockbit” demanded $50 million, threatening to post data from the Hanover-based DAX group Continental on the dark web and offer it for sale. As reported by the Handelsblatt, this could also include data relating to important Conti customers such as Volkswagen, Mercedes or BMW, a total of 40 terabytes.

The data is the haul from a cyber attack. The attackers wandered unnoticed through the Conti network for four weeks before Conti noticed their intrusion. Such an APT attack (Advanced Persistent Threat) is something like the pinnacle of attacks. It is characterized by the fact that the hackers often go unnoticed in the foreign network for months and only make themselves known, usually with an extortion demand, once they have captured particularly valuable data.


Experts expect an increasing number of APT attacks on companies in the coming year. This is the conclusion of the latest forecast of the cyber threat situation by the IT security provider Kaspersky. The company justifies its assumption, among other things, with the spread of the DTrack program, which is often used in the course of APT attacks. The heightened threat situation is also the subject of the Handelsblatt annual conference “Cybersecurity 2022”, which begins today.


“Today, companies have to protect themselves better than ever,” says Mirko Ross, Managing Director of Asvin in Stuttgart. The company assesses cyber risks on behalf of industry. Large industrial companies face a particular challenge in defending against APT attacks: there, networked machines form a highly vulnerable attack surface alongside the e-mail servers that otherwise often serve as the gateway.

The problem: the larger the machine park, the less is known about possible weak points. “A lot of companies don’t really know what systems they use,” says Ross. This is particularly difficult for large companies threatened by APT attacks. “Sometimes, for example, an IT employee installs small networked end devices, such as prototype platforms, on the network,” explains Ross. “They are often literally forgotten because the IT manager knows nothing about them.


If the employee leaves the company at some point, no one is responsible for these devices anymore. They become obsolete and a security risk,” explains Ross. Because such vulnerabilities are unmanaged, attackers can sustain their attacks for longer periods of time and go unnoticed.
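One defensive answer to the "forgotten device" problem Ross describes is to reconcile what is actually seen on the network against the asset register and its owners. The following is an added example, not code from Asvin or any company named in the article; the sweep results, register rows, staff list and reference date are constructed sample data.

```python
"""Reconcile observed network hosts against the asset register."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Observed:        # one line from a DHCP-lease or ARP sweep (assumed source)
    mac: str
    ip: str
    hostname: str


@dataclass(frozen=True)
class Asset:           # one row of the asset register (assumed schema)
    mac: str
    owner: str
    last_patched: date


# Constructed: what the sweep reported
OBSERVED = [
    Observed("aa:bb:cc:00:00:01", "10.1.2.10", "erp-db01"),
    Observed("aa:bb:cc:00:00:02", "10.1.2.44", "raspberrypi"),   # never registered
    Observed("aa:bb:cc:00:00:03", "10.1.2.90", "cnc-cell3"),
]
# Constructed: what the asset register says
REGISTER = [
    Asset("aa:bb:cc:00:00:01", "m.mueller", date(2022, 11, 1)),
    Asset("aa:bb:cc:00:00:03", "j.schmidt", date(2021, 3, 15)),  # owner has left
    Asset("aa:bb:cc:00:00:09", "k.weber", date(2022, 10, 20)),   # registered, not seen
]
ACTIVE_STAFF = {"m.mueller", "k.weber"}     # constructed HR export
TODAY = date(2022, 11, 10)                  # constructed reference date


def reconcile(observed, register, active_staff, today=TODAY, max_age_days=90):
    """Return the four lists an IT manager needs to chase up."""
    by_mac = {a.mac: a for a in register}
    seen = {o.mac for o in observed}
    return {
        # on the wire but nobody registered it: the prototype board in the article
        "unregistered": sorted(o.hostname for o in observed if o.mac not in by_mac),
        # registered, but the responsible person no longer works here
        "orphaned": sorted(a.mac for a in register if a.owner not in active_staff),
        # registered but not observed: decommissioned, or moved somewhere unknown
        "silent": sorted(a.mac for a in register if a.mac not in seen),
        # no patch activity for longer than the agreed maintenance window
        "stale": sorted(a.mac for a in register
                        if (today - a.last_patched).days > max_age_days),
    }
```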

An attack usually consists of three steps. The first: penetrate the network and move around in it unnoticed. This is often achieved by what is known as spear phishing, in which a particular employee is deliberately targeted.

For example, an attacker can forge an email from a caterer and send the event manager of the targeted company a link to the supposed menu for an upcoming company event. If the event manager enters his password to read the menu, the attacker captures it and can read along from then on.

Hackers divide the jobs

In the second step, the APT attackers spread through the network via the access they have obtained. They now try to gain administrator rights and further passwords from inside the network in order to spy on it piece by piece, securing additional footholds as they go. They may well take a few weeks over this, since they want to remain undetected until they know exactly where the worthwhile targets lie. Only then, in the third step, do the attackers decide where to collect, copy or encrypt data.

The gangs share the tasks. “The hacker is not at the same time the blackmailer,” says Steffen Zimmermann, head of the Competence Center Industrial Security at the Association of German Machine and Plant Construction (VDMA). “Access is traded among cybercriminals,” says Mirko Ross.


In fact, APT gangs resemble medium-sized companies. The head of Lockbit, for example, states in an anonymous interview on the “vx-underground” website that he cooperates with around 100 partners. Lockbit wants to grow and would like to have 300 partners, according to the interview.

The VDMA also expects an increasing number of APT attacks. The many ransomware attacks, in which encryption trojans are smuggled into the network and the extortion attempt follows soon after the intrusion, are only part of the picture. “For the first time, we see that encrypting data with a subsequent ransom demand is only used as a diversionary tactic to copy data unnoticed elsewhere in the network, for example for espionage purposes,” says Zimmermann.

Security officers are absent

Not all manufacturing medium-sized companies have recognized such professionalism on the other side. “There are still companies with several hundred employees but without IT security officers,” says Zimmermann. “Where IT is not part of the business model, too little is done for it.”

Of course, the more inactive and naive companies are, the greater their risk of becoming the victim of an attack. One thing is clear: the further digitization progresses in manufacturing companies, the more networked devices there will be, and with them the number of potential gateways. At the same time, there is no end in sight to the shortage of skilled IT workers. New ways of securing one's own network are therefore needed. IT security expert Ross recommends automating updates and security patches in order to get a better grip on the risks.

The mechanical engineering company Kracht in Werdohl in the Sauerland region reorganized parts of its IT only this year. One reason was a cyber attack in February that brought production at the family-run company to a standstill. Although the company was able to restore from a data backup and did not pay a ransom, the damage ran into the millions.

At the time, the extortionists gained access to the network via a fake email. Kracht disconnected machines from the network as soon as the attack became known so that the attackers could not spread further. An IT service provider provided support. The Federal Office for Information Security (BSI) maintains a list of 32 IT consultancies for identifying and defending against APT attacks. “We were able to work again after seven days,” says Kracht’s managing partner Heiko Zahn.


Today the company has separated the production and measuring-machine network from the other networks, with specially secured paths for data exchange. Hackers should also be detected more quickly. “We can now better identify unusual data movements and, in some cases, automatically prevent them. We also use artificial intelligence for this,” says Zahn.

Typically, APT attackers bundle data within the network before attempting to exfiltrate it, often using file formats that the attacked company itself may not use. Kracht has now also hired an external service provider to maintain the network.
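The two signals just described, staging files in formats the company itself does not use and unusual outbound data movement, can be checked with simple baselining. This is an added example, not Kracht's or any vendor's detection logic; the log line format (timestamp, host, event, detail, bytes), the list of known formats and the per-host outbound baseline are all constructed assumptions.

```python
"""Flag staging in unfamiliar formats and outbound volume far above baseline."""
import re
from collections import defaultdict

# Constructed baseline: formats the company itself uses for bulk data
KNOWN_FORMATS = {"zip", "pdf", "xlsx", "step"}
# Constructed baseline: normal outbound bytes per host per day, from a prior week
BASELINE_OUT = {"ws-eng-07": 50_000_000, "cnc-cell3": 2_000_000}

# Constructed sample log; the format is an assumption, not any product's output
LOG = """\
2022-11-10T01:12:03 ws-eng-07 FILE_WRITE C:\\Temp\\dump.7z 4200000000
2022-11-10T01:20:11 ws-eng-07 NET_OUT 203.0.113.7:443 3900000000
2022-11-10T09:00:00 cnc-cell3 FILE_WRITE D:\\measure\\run42.step 12000
2022-11-10T09:05:00 cnc-cell3 NET_OUT 10.1.5.20:445 1500000
"""

LINE = re.compile(r"^(\S+) (\S+) (FILE_WRITE|NET_OUT) (\S+) (\d+)$")


def analyse(log, known_formats=KNOWN_FORMATS, baseline=BASELINE_OUT, factor=5):
    """Return a list of (host, reason) alerts for the given log text."""
    out_bytes = defaultdict(int)
    alerts = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # ignore lines that do not fit the schema
        _, host, event, detail, size = m.groups()
        if event == "FILE_WRITE":
            # staging in an archive type the company never uses is the first tell
            ext = detail.rsplit(".", 1)[-1].lower()
            if ext not in known_formats:
                alerts.append((host, f"unfamiliar format .{ext}"))
        else:
            out_bytes[host] += int(size)  # accumulate outbound volume per host
    for host, total in out_bytes.items():
        # unknown hosts have baseline 0, so any outbound traffic from them alerts
        if total > factor * baseline.get(host, 0):
            alerts.append((host, f"outbound {total} bytes exceeds baseline"))
    return alerts
```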

Up to 10,000 vulnerabilities

Even completely new machines are not always secure in the network. On the contrary, they can be a weak point. “If the maintenance routine has not yet started and there are no patches for possible vulnerabilities, attackers have an easier time,” says Ross.

To raise their level of protection, companies should first get an overview of their systems, advises Ross. In large companies, up to 10,000 weak points can quickly come to light, in his experience. The second step is therefore to prioritize the risks. Two key questions help here: which targets can a hacker reach via the vulnerability? And how likely is it that an attacker will find and exploit this gap?

Another problem is long software supply chains; the more international they are, the riskier they are. Does every car manufacturer, for example, really know exactly what software the purchased navigation system contains? If flawed software is used in it, this can become a gateway for hackers. Asvin boss Ross therefore advocates certified software along the supply chain, which would also cover and secure networked devices in production.
