Energy firms up the ante on cyber threats

Sinister image of hand poised at keyboard for cyber-attack (cybercrime index)
Image: Shutterstock

Nozomi Networks has revealed data from a series of honeypots—traps laid to lure cyber attackers and study their methods—it set in the first half of 2022, with its new report showing energy remained the most vulnerable sector, alongside manufacturing.

It also showed top attacker IP addresses were linked to China and the US, malicious IoT botnet activity rose sharply, and March—following Russia’s invasion in Ukraine—was the most active month.

Related article: Aussie firms face fines for failing to report cyber incidents

Nozomi’s Roya Gordon says 2022’s threat landscape is complex, with factors like ‘increasing numbers of connected devices, sophistication of malicious actors, and shifts in attach motivations’ upping risk. But she says ‘defences are evolving too’ as energy organisations up the ante on ‘network visibility, dynamic threat detection, and actionable intelligence’.

Since Russia began its invasion of Ukraine in February 2022, Nozomi Networks Labs researchers saw activity from several types of threat actors, including hacktivists, nation-state advanced persistent threats (APTs), and cyber criminals. They also observed the robust usage of wiper malware, and witnessed the emergence of an Industroyer malware variant (used in the cyberattack on Ukraine’s power grid), dubbed Industroyer2, developed to misuse the IEC-104 protocol, which is commonly used in industrial environments. 

Additionally, in the first half of 2022, malicious IoT botnet activity was on the rise and growing in sophistication. Nozomi Networks Labs set up a series of honeypots to attract these malicious botnets and capture their activity in order to provide additional insights into how threat actors target IoT. In this research, Nozomi Networks Labs analysts uncovered growing security concerns for both hard-coded passwords and internet interfaces for end-user credentials. From January to June 2022, Nozomi Networks honeypots found:

  • March was the most active month with close to 5,000 unique attacker IP addresses collected.
  • The top attacker IP addresses were associated with China and the United States.
  • ‘root’ and ‘admin’ credentials were most often targeted and used in multiple variations as a way for threat actors to access all system commands and user accounts. 

On the vulnerability front, manufacturing and energy continue to be the most vulnerable industries followed by healthcare and commercial facilities. In the first six months of 2022:

  • CISA released 560 Common Vulnerabilities and Exposures (CVEs)—down 14 per cent from the second half of 2021
  • The number of impacted vendors went up 27 per cent
  • Affected products were also up 19 per cent from the second half of 202.

Related article: Ensuring a secure state for critical energy infrastructure

“This year’s cyber threat landscape is complex,” Roya Gordon said.

“Many factors including increasing numbers of connected devices, the sophistication of malicious actors, and shifts in attack motivations are increasing the risk for a breach or cyber physical attack. Fortunately, security defences are evolving too. Solutions are available now to give critical infrastructure organisations the network visibility, dynamic threat detection, and actionable intelligence they need to minimise risk and maximise resilience.”

Previous articleViva Energy pushes for LNG import terminal approval
Next articleAGL, Fortescue expand green hydrogen studies in Hunter