Experts who collected and analysed data that was stolen during ransomware extortion attacks and then posted on the dark web have found that roughly 1 in 7 leaks from industrial organisations are likely to expose sensitive operational technology (OT) documentation, a report said on Tuesday.
In 2021, Mandiant Threat Intelligence continued observing ransomware operators attempting to extort thousands of victims by disclosing terabytes of stolen information on shaming sites.
“This trend, which we refer to as ‘multifaceted extortion,’ impacted over 1,300 organisations from critical infrastructure and industrial production sectors in just one year,” Mandiant said in a statement.
To validate the extent to which multifaceted extortion leaks represent a risk to OT, Mandiant analysed a semi-random selection of samples from industries that typically leverage OT systems for production.
Using various technical and human resources, it downloaded and parsed many terabytes of dump data and found a substantial amount of sensitive OT documentation.
This included network and engineering diagrams, images of operator panels, information on third-party services, and more.
“Based on our analysis, one out of every seven leaks from industrial organisations posted in ransomware extortion sites is likely to expose sensitive OT documentation,” the experts said.
Access to this type of data can enable threat actors to learn about an industrial environment, identify paths of least resistance, and engineer cyber-physical attacks.
On top of this, other data included in the leaks, about employees, processes, projects and so on, can give an actor a very accurate picture of the target’s culture, plans, and operations.