Mandiant has collected and analyzed datasets stolen in ransomware extortion attacks and published on the dark web.
The experts found that roughly one in seven data leaks from an industrial company discloses potentially sensitive OT (operational technology, i.e. industrial IT) information. The analysis examined about 70 leaks and terabytes of data over several months. Mandiant summarized the results in a report.
The following findings stand out:
- Administrator credentials for an OEM, and backups of Siemens TIA Portal PLC project files and similar engineering data from a freight and passenger train manufacturer
- A list of names, emails, user rights and some passwords of IT, maintenance and operations staff at a hydroelectric power plant operator
- Detailed network and process documentation, including diagrams, the hazardous material identification system, spreadsheets and similar material, from two oil and gas companies
Since attacker groups typically announce new leaks and post them on hacker forums or social media, anyone with access to a Tor browser can visit these sites and download the available datasets. As a result, the leaks can potentially harm the affected companies for years to come, and their onward circulation is difficult to trace.
Old data with a long lifetime
Mandiant's experts note that “even if the disclosed OT data is relatively old, the typical lifetime of industrial IT systems is twenty to thirty years. As a result, leaks have been relevant to espionage efforts for decades—much longer than disclosed information about IT infrastructures.”
More at mandiant.com
About Mandiant
Mandiant is a recognized leader in dynamic cyber defense, threat intelligence and incident response. With decades of experience on the cyber frontline, Mandiant helps organizations confidently and proactively defend against cyber threats and respond to attacks. Mandiant is now part of Google Cloud.