OT/ICS Cybersecurity – A Tale of Social Engineering, a Senior Engineer, and an Engineering Workstation

Created: Tuesday, July 19, 2022 - 14:01
Categories:
OT-ICS Security

If you think social engineering is used predominantly for email phishing, you may wish to reconsider. Cyber actors use social engineering with a variety of tactics, including to target industrial operations and engineers for fun and (cryptomining) profit. In a recent instance, software advertised for “PLC password cracking” wasn’t what it was cracked up to be: it was discovered to be malware that is part of a larger ecosystem targeting industrial operators. In other words, there appears to be a threat actor out there purporting to meet a need for PLC password cracking, and while the software does “recover” the password, it delivers more than expected (and not in a good way).

Dragos recounts a routine vulnerability assessment in which it reverse engineered what was thought to be PLC password cracking software. Essentially, as the story goes, a newly promoted senior engineer had a legitimate need to recover a password in order to update some ladder logic on a PLC that his recently retired (and incommunicado) colleague had written. The engineer bought and installed the software on an engineering workstation, and shortly afterward the EWS began acting strangely. Even though the software was able to recover the PLC password, Dragos determined that it did so by exploiting a firmware vulnerability in the PLC, not through any fancy “cracking.” The software that masqueraded as a PLC password cracker was trojanized: it was actually a common malware dropper that infected the EWS with Sality malware, subsequently turning the EWS into a peer in Sality’s peer-to-peer botnet. What’s more concerning is that Dragos is aware that this specific threat actor advertises “cracking” software for several PLCs, HMIs, and project files across at least 15 different vendors (see the table in the Dragos post for the current list).

Even when an engineer has a legitimate need to recover a lost password, it is recommended that they contact the respective vendor or a credible OT cybersecurity firm for instructions and guidance. Additionally, consider diligently documenting institutional knowledge as processes and procedures before the current generation of OT engineers retires and you’re left with an enterprising engineer getting socially engineered. For more details on this particular fake PLC password cracker, visit Dragos.