Dive Brief:
- Red team researchers from Mandiant successfully breached the operational technology (OT) servers of a Europe-based engineering organization by emulating the techniques of the cybercrime actor known as FIN11, according to a blog post from Mandiant.
- Mandiant has previously highlighted efforts by financially motivated threat actors to expand their reach into OT, including process kill lists designed to amplify the effects of known ransomware strains.
- Some financially motivated threat actors are emulating the skill sets of state-sponsored actors through tactics, techniques and procedures, Mandiant said. For example, industrial attack techniques employed by Triton and Industroyer were used by actors ranging from FIN11 to FIN6 during ransomware deployment, extortion and other activities.
Dive Insight:
Mandiant used the red team exercise to provide proactive security testing for critical infrastructure providers and OT environments, where systems must be protected from malicious attack in order to preserve future production capability.
“In other words, to defend from evolving techniques from threat actors, we need to think like them and identify security gaps before the actor does,” Daniel Zafra, senior manager of intelligence analysis at Mandiant, said via email.
FireEye Mandiant originally explored the link between financially motivated actors and OT in July 2020, when researchers found a process kill list deployed alongside seven different ransomware families, including DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim and Snakehose. A second kill list was deployed alongside Clop ransomware.
The kill list found alongside the Clop sample was attributed to FIN11. Researchers said the threat actor monetized the operation using point-of-sale malware, Clop ransomware and extortion.
Mandiant researchers are not aware of financially motivated actors using these techniques in the wild.
The research comes at a time of heightened awareness of the risks to OT environments, as nation-state actors and criminally motivated threat groups have either attacked, or developed sophisticated techniques to go after, critical industry providers and industrial sites.