{"id":104335,"date":"2025-02-06T00:01:17","date_gmt":"2025-02-06T08:01:17","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=104335"},"modified":"2025-02-05T13:17:41","modified_gmt":"2025-02-05T21:17:41","slug":"since-stuxnet-a-brief-history-of-critical-infrastructure-attacks","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/since-stuxnet-a-brief-history-of-critical-infrastructure-attacks\/","title":{"rendered":"Since Stuxnet: A Brief History of Critical Infrastructure Attacks"},"content":{"rendered":"

This year will mark the 15th<\/sup> anniversary of Stuxnet \u2014 the single event which made the world pay attention to operational technology and industrial control system security<\/a> (OT\/ICS).<\/p>\n

In our recent annual threat report roundup<\/a> , we show how the number of cyberattacks and threat actors targeting critical infrastructure (CI) has increased, especially since 2022 where there has been a 668% increase in CI incidents over the last three years.<\/p>\n

Here, we discuss the changes in how CI and OT\/ICS have been attacked since Stuxnet.<\/p>\n

The Threat to Critical Infrastructure<\/h2>\n

CI, including OT\/ICS devices used to control its physical processes, has been the target of cyberattacks for at least 15 years. It\u2019s technically even longer if you consider pre-Stuxnet events, namely Maroochy Water<\/a>.<\/p>\n

However, the increasing integration of digital systems within industrial environments has made OT\/ICS more prone to cyberattacks in the past few years by exposing vulnerabilities and providing threat actors with new ways to target their victims.<\/p>\n

Cyber attacks specifically targeting OT\/ICS disruption can cause physical damage to critical infrastructure like manufacturing plants, energy grids, and water treatment facilities. These attacks sometimes rely on malware specifically designed to infiltrate, manipulate, or disable the industrial systems that control the processes in critical infrastructure.<\/p>\n

However, these targeted complex attacks with sophisticated state-sponsored malware, such as Stuxnet and Industroyer, are only part of the story. Today, there are many attacks to CI beyond state-sponsored digital weapons.<\/p>\n

The figure below summarizes a timeline of relevant attacks or events in the past 15 years and how they represent changes in the CI cybersecurity landscape, which we discuss below.<\/p>\n

\"\"<\/p>\n

State-Sponsored Attacks with OT Malware<\/h2>\n

Initially, cyberattacks targeting CI were conducted by state-sponsored actors as part of espionage or sabotage campaigns. Malware was specifically designed to infiltrate a certain facility and tamper with its regular operations. Three events stand out in this period.<\/p>\n

Stuxnet (2010)<\/h3>\n

The first globally publicized malware targeting OT\/ICS was Stuxnet. It highlighted the dangers of a new era where cyberattacks could inflict damage to physical infrastructure and not just data. The development of Stuxnet is thought to have begun in 2005 by Israeli and American intelligence with the aim of slowing down the Iranian nuclear program.<\/p>\n

The specific targets were Siemens PLCs controlling uranium enrichment centrifuges at the Natanz facility in Iran. The initial access method was an infected USB drive, since the target network was air-gapped. The malware was designed to make the centrifuges spin irregularly, while still informing engineers that everything was operating as usual.<\/p>\n

Industroyer (2016)<\/h3>\n

Industroyer was deemed the biggest threat to OT\/ICS since Stuxnet because it was the first malware to target civilian infrastructure. The malware caused a blackout in Ukraine by leveraging the OT protocol IEC-104 to take control of circuit breaker switches and protection relays at a power substation. The attack was attributed to Russia\u2019s Sandworm APT.<\/p>\n

There was a follow-up version called Industroyer2 also attributed to Sandworm in 2022 that was caught before causing the same level of disruption.<\/p>\n

\"\"
\nFigure 1 – Industroyer2 execution workflow (from our analysis done in 2022<\/a>)<\/small><\/em>\n

Triton (2017)<\/h3>\n

Triton was the first malware designed to target safety instrumented systems (SIS), which ensure the safety of industrial processes, potentially risking human lives. Triton specifically targeted Schneider Electric\u2019s Triconex SIS controllers used at a Saudi petrochemical plant. By compromising the SIS, Triton could disable safety features and potentially lead to explosions or toxic releases. The attack was also attributed to Russia, more specifically a group in their Central Scientific Research Institute of Chemistry and Mechanics.<\/p>\n

The Rise of Ransomware and Cybercrime (since 2017)<\/h2>\n

As shown in our latest threat roundup report , cybercriminals are the most common threat actors in most critical infrastructure sectors today.<\/p>\n

Different from most state-sponsored actors, cybercriminals are after money. One of the most lucrative ways to earn money from cyber attacks is via ransomware-enabled extortion.<\/p>\n

Ransomware has been around since 1989. The Critical Infrastructure Ransomware Attacks<\/a> database which is maintained by researchers at Temple University lists close to two thousand ransomware incidents in CI since 2013<\/strong>. However, two moments were very memorable in the rise of ransomware targeting CI.<\/p>\n

WannaCry (2017)<\/h3>\n

WannaCry emerged in 2017 and is thought to have affected over 200,000 devices in more than 150 countries, including victims like Honda, Nissan, FedEx and the UK\u2019s NHS, impacting organizations involved in manufacturing, transportation, healthcare and many other CI sectors. The malware was attributed to the North Korean threat actor Lazarus, which is supposedly run by the North Korean government.<\/p>\n

WannaCry exploited the EternalBlue Windows vulnerability, which allowed it to spread without user intervention. The ransomware infected computers, encrypted files and demanded a ransom in Bitcoin for files to be decrypted.<\/p>\n

This was the first time that many people had contact with the ransomware threat that would became so widespread in the following decade. The WannaCry ransom note became an easily recognizable sign of this type of extortion.<\/p>\n

\"\"
\nFigure 2 \u2013 WannaCry ransom note (from Wikipedia<\/a>)<\/small><\/em>\n

Data Exfiltration and the RaaS Model (2019-2021)<\/h3>\n

Between 2019 and 2020, ransomware attacks increased by 62% globally and by 158% in North America<\/a>. This explosive growth continued during and after the COVID-19 pandemic fueled by increased remote work. Two major innovations in ransomware operations at the time ensured that these attacks became hugely profitable and were partly responsible for this spike in activity.<\/p>\n

1. Ransomware-as-a-Service (RaaS)<\/h4>\n

The creation of the RaaS model was pivotal. Ransomware developers lease their creations via affiliate programs to operators who breach organizations, deploy the malware, and share the profits with the original developers. This provided massive scale to cybercriminal operations, which was later increased by further division of labor including initial access brokers and other specialized actors.<\/p>\n

2. New Extortion Methods with Public Pressure Points<\/h4>\n

Innovations in extortion methods, such as exfiltrating data before encrypting, publishing it on leak sites, and publicly shaming victims, changed the game. These methods increased the probability that a ransom would be paid and incentivized criminals to go after very large organizations. This was the time when names like Cl0p, Conti, DarkSide, LockBit, Maze and REvil \u2013 some now long gone \u2013 became infamous due to the millions of dollars they extorted from their victims.<\/p>\n

Remember the attacks on Colonial pipeline<\/a>? On May 7, 2021, the company suffered a ransomware attack from the DarkSide group that caused it to halt all operations in an attempt to contain the breach. That halt caused long lines of drivers trying to fuel their cars and stockpile whatever gas was still available at stations. The attack started because of leaked employee\u2019s password that was found on the dark web and was only contained after Colonial chose to pay the ransom of $4.4 million.<\/p>\n

What We See Today: Botnets, Hacktivists, Opportunistic Attacks (Since 2018)<\/h2>\n

Beyond sophisticated state-sponsored APTs and highly organized cyber criminal groups, what we see emerging is a myriad of opportunistic attacks perpetrated by hacktivist groups, launched by automated botnets or blindly moving from IT\/IoT infections to OT devices because of increased interconnection and lack of segmentation<\/a>.<\/p>\n

Botnets and Mixed IT\/IoT\/OT Attacks<\/h3>\n

The precursor of IoT botnets targeting OT was VPNFilter, a Russian botnet and wiper identified in 2018 with modules dedicated to infecting IoT devices and sniffing OT Modbus traffic. VPNFilter showed that attackers were well aware of the growing interconnections in target networks.<\/p>\n

The botnet mainly targeted routers and network-attached storage (NAS) devices exposed on the internet, and is estimated to have affected over 500,000 devices. The malware could exploit these devices, survive reboots, execute commands, steal data and \u201cbrick\u201d infected devices.<\/p>\n

In 2022 and 2023, Forescout Research \u2013 Vedere Labs:<\/p>\n

    \n
  • Reported the emergence of mixed IoT\/IT botnets<\/a>, such as Chaos, which included usual exploits for IoT devices as initial access but also the possibility to move laterally to IT after the initial infection.<\/li>\n
  • Developed a proof-of-concept called R4IoT<\/a> to show how a malware could infect a network via IoT devices, move laterally to IT and then to OT to cause different types of damage.<\/li>\n<\/ul>\n

    In 2024, we continued following this trend and reported on well-known IoT botnets<\/a> including default credentials for OT devices, as well as including the capability to wipe some devices.<\/p>\n

    A threat that is unrelated to botnets, but also facilitated by the increased interconnection of device types, is common Windows malware spreading to engineering workstations. In 2024, we confirmed that this trend continued active<\/a>, while also stumbling upon a new experimental malware that could kill engineering processes.<\/p>\n

    Hacktivist Activity<\/h3>\n

    Hacktivists have been around since the 1990s, but in the past few years \u2013 especially since the Russia-Ukraine war in 2022 \u2013 they have shown a particular interest in targeting critical infrastructure and OT\/ICS<\/a>.<\/p>\n

    Their attacks are nowadays motivated by geopolitics and aim to spread a message or cause physical disruption via data exfiltration, defacements, DDoS, direct interaction with OT protocols and even ransomware deployment on IoT\/OT devices. Often, these groups are supported by nation-state governments or even act as a front for their own civilian or military agencies.<\/p>\n

    In the six months between November 2023 and April 2024, the US suffered at least 36 attacks by hacktivist groups<\/a> affiliated with Iran or Russia targeting OT\/ICS. Most of these targeted water utilities, but other sectors such as healthcare, energy and manufacturing were also hit.<\/p>\n