Cyberattacks on industrial facilities have far-reaching consequences. Threat actors often target Industrial Control Systems (ICS) to carry out these attacks, resulting in the complete or partial shutdown of critical facilities, financial loss, data theft, and health risks.
To give a sense of the scale of these attacks, here are some of the biggest cyberattacks on industrial facilities in recent times that caused trouble for government and non-government facilities alike.
1. Colonial Pipeline—Ransomware Attack
In May 2021, a ransomware attack targeted Colonial Pipeline Inc. in the US—bringing the facility to a complete halt for a few days. This caused an acute fuel shortage, and the prices soared through the roof.
Hackers gained entry into the company's network through a dormant virtual private network (VPN) account that had remote access to the company's computer network. The company had to pay a ransom of $4.4 million to the hacker group DarkSide in exchange for the decryption tool to restore its computer network.
2. CPC Corp. Taiwan—Ransomware
In May 2020, Taiwan's state-owned petroleum and natural gas company, CPC Corp, saw its payment system crippled by a ransomware attack.
Threat actors used a USB flash drive to infect the company's computer network. Although it did not affect oil production, it threw CPC Corp's payment card system into chaos. Winnti Umbrella, a China-linked group known for targeting software companies and political organizations, is credited with the attack.
While the company's official statement did not initially mention ransomware, a later investigation report by the Ministry of Justice Investigation Bureau confirmed it in a public explanation.
3. Triton (2017)—Malware
FireEye, a cybersecurity company, disclosed a highly sophisticated malware attack intended to target Industrial Control Systems and cause physical damage to critical infrastructure. The malicious code was delivered through a spear-phishing attack.
According to the cybersecurity firm, the attack was supported by a Moscow-based technical research institute, the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM).
While the location and the targets of the attack have not been disclosed, it seems to have affected a critical industrial facility in the Middle East. Because the attack takes control of the facility's safety instrumented system, it could have caused an explosion or a release of toxic gas, resulting in loss of life.
4. Ukraine Power Grid Hack—Trojan
On the evening of December 23, 2015, the cursor on the grid operator's computer screen started to move on its own. Hackers had struck the power distributor company Prykarpattyaoblenergo in Ukraine, disabling one circuit breaker after another.
It was a one-of-a-kind cyberattack on a power grid, executed successfully. Soon after, half of the population of Ukraine's Ivano-Frankivsk region was in the dark, without power for up to six hours. While power was restored within a few hours, it took months for all the control centers to become fully operational again.
This was a highly sophisticated cyberattack involving multiple steps, executed to perfection after months of planning. First, threat actors used spear phishing to target the company's IT staff via email, delivering the BlackEnergy malware disguised as a Microsoft Word document.
Once in, the trojan opened a backdoor that gave the hackers remote access. What followed was the seizure of the control system architecture, the disabling of the backup power supply, a DDoS attack to delay status updates to consumers, and the destruction of files stored on the servers.
The attack is attributed to a Russian hacking group, Sandworm, reportedly part of the country's cyber-military group.
5. San Francisco's MUNI Hack—Ransomware
In November 2016, San Francisco's MUNI light-rail system had started giving free rides. No, it was not a goodwill gesture. Instead, a ransomware attack forced the ticketing system to go offline as a preventative measure to protect user data.
Threat actors demanded 100 Bitcoins ($73,000 at the time) as a ransom to restore the system. Fortunately, the rail agency had a backup system in place. It used the backup data to restore most of the affected systems over the next few days, minimizing the attack's impact.
While the railway agency refused to pay the ransom, it reportedly lost up to $50,000 in uncollected fares by the time its systems had recovered from the attack.
6. Saudi Aramco—Malware
In 2012, in one of the biggest cyberattacks on industrial facilities, the oil giant Saudi Aramco became the target of a malware attack. The attack was carried out by a group called Sword of Justice with the aim of crippling the company's internal computer network.
Shamoon, a modular computer malware, was transmitted through a scam email to a company employee. The malware targeted the 32-bit NT kernel version of Microsoft Windows, wiping out nearly 35,000 computers in a matter of hours.
Although it took two weeks to contain the spread, the malware failed to shut down the flow of oil entirely, falling short of its objective.
7. Stuxnet—Worm
Touted as the world's first digital weapon, Stuxnet was a computer worm reportedly developed by the US NSA (National Security Agency) and Israeli intelligence to target Iran's nuclear facility. Unlike anything before it, it was able to cripple the hardware by making it burn itself out.
The hack was detected when inspectors with the International Atomic Energy Agency, on a visit to a uranium enrichment plant in Iran, noticed an unusual failure rate of centrifuges, devices essential for enriching uranium gas.
While the Stuxnet worm was reportedly designed to expire in June 2012, other malware based on its characteristics continues to wreak havoc in other industrial setups worldwide.
8. Flame—Malware
In May 2012, the Center of Iranian National Computer Emergency Response Team (CERT) discovered a modular computer malware dubbed Viper. Later, the Russia-based cybersecurity research company Kaspersky named it Flame, after a module inside the malicious code.
Similar to Stuxnet, Flame is also said to be a foreign state-backed cyber warfare tool targeted at the industrial infrastructure of Iran and other Middle Eastern countries. Unlike the former, which was designed to attack industrial control systems, Flame is a cyber-espionage worm that deletes sensitive information from infected computers.
Other characteristics of the worm include the ability to turn on the infected system's internal microphone and record Skype conversations, to convert a Bluetooth-enabled device into a Bluetooth beacon that scrapes contact information from nearby devices, and to grab screenshots of activity on a computer.
Despite their efforts, researchers failed to identify the origin of the malware. The fact that the threat actors were clever enough to tamper with the compilation date of each module made the task even more difficult.
9. Bowman Avenue Dam Attack
In 2013, the Bowman Avenue Dam in Rye Brook was targeted by Iranian hackers. Some officials believe this attack was a retaliation for the massive Stuxnet attack.
The hackers broke into the SCADA (Supervisory Control and Data Acquisition) system of the New York dam by exploiting a vulnerable modem connection.
While there are multiple theories about the intention behind the attack, the hackers would not have been able to do any damage at the time because the sluice gate had been manually disconnected for maintenance.
After the investigation, the FBI released the names of seven Iran-based hackers accused of conspiracy to commit computer intrusion.
Industry Sectors Are at High Risk of Destructive Cyberattacks
Threat actors are increasingly shifting their focus from Information Technology to Operational Technology. This puts the critical industrial infrastructure owned by the state and private entities at high risk of destructive cyberattacks that can cause loss of life and severe economic damage.
Predictably, governments across the world are urging private entities to harden critical infrastructure defenses—while taking steps to improve national cyberspace security.