A ransomware incident earlier this year temporarily shut down production for two days at a pair of manufacturing facilities in Italy, incident responders at security firm Kaspersky said Wednesday.
Kaspersky did not publicly identify the victim organization. But Vyacheslav Kopeytsev, a researcher with the firm’s ICS-CERT unit, said in an email that the victim was a multinational firm headquartered in Germany that has factories in Italy. “The servers with the databases required for production were encrypted,” he added.
The hackers disguised a nascent strain of ransomware called Cring as the victim organization’s anti-virus product before encrypting the computer servers that would cause the organization the greatest damage, Kopeytsev and his colleagues said in a report. The attackers catered their hacking tools to the victim’s infrastructure, the researchers said.
It is only the latest example of how ransomware incidents are increasingly affecting the operations of industrial suppliers. Of 500 manufacturing sector employees in the U.S., Germany and Japan surveyed by security firm Trend Micro, 61% said they had experienced cybersecurity incidents, with many of those cases causing system outages.
Kaspersky ICS-CERT said the disruption at the Italian factories was one of multiple hacking incidents involving Cring ransomware and aimed at European industrial firms in the first quarter of 2021. Details on other victims were not immediately available. Swisscom, a big Swiss telecoms firm, alluded to the ransomware infections in a tweet in January.
The incident comes as the Biden administration is trying to do more to combat both ransomware and threats to industrial controls systems (ICS) — the hardware and software used at power plants and other critical facilities. The Department of Homeland Security has allocated an additional $25 million in funding to state and local governments to defend against threats such as ransomware. And the White House aims to bolster the security of control systems that serve more than 50,000 Americans, according to an Associated Press report.
Tim Maurer, senior counselor for cybersecurity to the DHS secretary, said U.S. officials are also being vigilant for any potential impact that ransomware gangs could have on organizations producing and distributing the coronavirus vaccine.
“It’s not just about people making money, but where a temporary disruption of certain services could also have an impact,” Maurer said Wednesday at an event hosted by the Center for Strategic and International Studies.
In the incident detailed by Kaspersky, the hackers exploited old vulnerabilities in virtual private networking software made by California-based security vendor Fortinet. Such unpatched software is a recurring headache in the manufacturing sector, according to Marty Edwards, the former head of DHS’s industrial control system security unit.
The ICS and operational technology used at factories are “often based on outdated hardware and software which makes them an easy target for the criminal operators of the ransomware networks,” said Edwards, who is now vice president of operational technology at security firm Tenable. “Due to the value to the business that these operational technology systems bring, they are also a very lucrative target for these criminals and can fetch a higher ransom than the average target.”
Many ransomware victims in the manufacturing sector are reluctant to talk publicly about breaches for fear of losing clients or admitting they have paid off criminals to recover their data. That reticence, CyberScoop found, risks contributing to a lack of public understanding about the severity of the threats.