In an effort to study the threats commonly faced by industrial organizations, researchers from Trend Micro built an elaborate honeypot that mimicked a factory. To make the ruse as realistic as possible, the industrial environment included ICS hardware (PLCs from Siemens, Allen-Bradley and Omron), physical hosts, and virtual machines. The team even created a fake company that claimed to be “a rapid prototyping consultancy firm” working for special customers.
In order to make the mock network more inviting for cybercriminals, the researchers intentionally left some vulnerabilities and made their system seem like it had been hacked by posting “leaked” information about it.
The MeTech honeypot went live in May 2019, and over the following seven months the researchers observed multiple attempts to infiltrate the network. Unsurprisingly, the honeypot was initially targeted by scanners, prompting the researchers to block requests coming from known scanning services such as Shadow Server, Shodan, and ZoomEye.
Trend Micro has also observed multiple attempts to use the honeypot’s resources to conduct fraudulent activity, such as buying smartphones by upgrading mobile subscriber accounts and cashing out airline miles for gift cards.
In other cases attackers installed cryptocurrency miners, and the team also observed two ransomware incidents, one deploying Crysis ransomware and the other Phobos. Soon after these two incidents occurred, the honeypot attracted a fake ransomware attack in which, as the Trend Micro researchers put it, the attacker "fumbled around our system trying to get a PowerShell command to work". The fake ransomware this attacker deployed simply renamed the files on the system without actually encrypting them.
As for the control system attacks, the researchers said the PLCs were mostly targeted by unknown scanners, and while the traffic appeared to be non-malicious, Trend Micro doesn’t exclude the possibility “that this could be part of a reconnaissance activity for further attacks that were never seen”.
In the case of one of the Allen-Bradley MicroLogix 1100 PLCs that was exposed on the Internet, the researchers observed a number of unknown commands that appeared to be harmless.
“However, looking further revealed that these unknowns were random information being sent to the port 44818. While in this case the PLC would respond simply by saying that it was an unknown command, sending unknown traffic to known ICS protocol ports still remains a dangerous practice that could cause older devices to crash,” the researchers noted.
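Port 44818 is the EtherNet/IP encapsulation port, and every request on it starts with a fixed 24-byte header (command, data length, session handle, status, sender context, options). That makes the "random information" the researchers describe easy to tell apart from legitimate protocol traffic at the network edge, before it reaches a fragile device. The following Python is an added example, not code from the article or from Trend Micro's honeypot; the command codes follow the public EtherNet/IP encapsulation specification, and the sample packets are constructed for illustration.

```python
"""
Classify payloads sent to TCP/UDP 44818 (EtherNet/IP encapsulation) by
command code, flagging unknown or malformed requests of the kind the
honeypot's MicroLogix PLC received.

Added example (not Trend Micro's tooling). Header layout and command
codes follow the EtherNet/IP encapsulation specification; the sample
packets below are constructed, not captured.
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ENIP_PORT = 44818

# Encapsulation commands defined by the EtherNet/IP specification.
KNOWN_COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}

# Little-endian: command(2) length(2) session(4) status(4) context(8) options(4)
ENIP_HEADER = struct.Struct("<HHIIQI")


@dataclass
class Verdict:
    command: Optional[int]   # None when no header could be parsed
    name: str                # command name, or unknown/malformed/suspicious
    reason: str


def classify_enip(payload: bytes) -> Verdict:
    """Return a verdict for one request payload destined for port 44818."""
    if len(payload) < ENIP_HEADER.size:
        return Verdict(None, "malformed",
                       f"{len(payload)} bytes, header needs {ENIP_HEADER.size}")
    cmd, length, _session, _status, _ctx, options = ENIP_HEADER.unpack_from(payload)
    body = payload[ENIP_HEADER.size:]
    if cmd not in KNOWN_COMMANDS:
        # A compliant device answers this with status 0x0001 (unsupported
        # command); older firmware may not handle it so gracefully.
        return Verdict(cmd, "unknown", f"command 0x{cmd:04x} not in spec")
    if length != len(body):
        return Verdict(cmd, "malformed",
                       f"{KNOWN_COMMANDS[cmd]} declares {length} data bytes, got {len(body)}")
    if options != 0:
        return Verdict(cmd, "suspicious", "options field must be zero")
    return Verdict(cmd, KNOWN_COMMANDS[cmd], "well-formed")


def summarize(payloads) -> Counter:
    """Count verdict names over a batch of payloads (e.g. one source IP)."""
    return Counter(classify_enip(p).name for p in payloads)


# Constructed samples: two legitimate requests, then the kinds of traffic
# the article describes as "unknown commands".
REGISTER_SESSION = ENIP_HEADER.pack(0x0065, 4, 0, 0, 0, 0) + b"\x01\x00\x00\x00"
LIST_IDENTITY = ENIP_HEADER.pack(0x0063, 0, 0, 0, 0, 0)
RANDOM_JUNK = bytes.fromhex("8f3a1c77e2b0d94455aa01fe6c3d9b27814e0cf3a7d2196e5b3c8d10")
TRUNCATED = b"\x65\x00\x04\x00"
BAD_LENGTH = ENIP_HEADER.pack(0x006F, 100, 0, 0, 0, 0)  # claims 100 bytes, sends none

SAMPLES = [REGISTER_SESSION, LIST_IDENTITY, RANDOM_JUNK, TRUNCATED, BAD_LENGTH]

if __name__ == "__main__":
    for p in SAMPLES:
        v = classify_enip(p)
        print(f"{v.name:16s} {v.reason}")
    print(summarize(SAMPLES))
```

The check deliberately stops at the encapsulation header: anything that fails here never needs to be forwarded to the PLC, and a source that produces mostly "unknown" or "malformed" verdicts is the scanner or fuzzer the researchers were worried about rather than an engineering workstation.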
The team also observed some interesting activity in December when an attacker started the factory, stopped the conveyor belt, stopped the factory, and then closed the application window. One day later, the same threat actor started the palletizer and opened the log view for its optical system.
“Our findings should serve as cautionary examples for organizations who run similar systems. And we have illustrated the conscious decisions and actions we took to make our system unsecure and consequently inviting for cybercriminals to target. We did all this only to a limited degree to keep our honeypot believable. This means we created openings for attacks that could realistically be found in actual smart factories,” the researchers said.