
Ransomware Attacks on Middle Systems: A Growing Threat to Critical Infrastructure

5:47 AM   |   15 May 2025

Criminals are increasingly targeting the systems that bridge the gap between traditional IT and operational technology (OT), posing a significant threat to critical infrastructure. These 'middle systems,' often overlooked, are becoming prime targets for ransomware attacks.

Understanding the 'No Man's Land' in Cybersecurity

According to Tim Conway, technical director of SANS Institute industrial control systems (ICS) programs, these in-between systems exist in a 'no man's land.' They are distinct from core IT systems that manage business applications and the operational tech (OT) that drives heavy industrial infrastructure.

Consider a petroleum pipeline: the middle systems reside in the facilities responsible for storing and distributing fuel, separating home heating oil from gasoline, diesel, and jet fuel. These systems are crucial for maintaining the integrity of the product.

'It's the system in the middle, and the impact of ransomware [on in-between systems] affects the integrity of the product,' Conway told The Register. If the wrong product flows down the pipeline, the entire system is compromised.

Why Middle Systems Are Attractive Targets

Businesses across all sectors rely on these middle systems. Cybercriminals recognize that encrypting them is far easier than developing ransomware purpose-built for OT equipment, yet the operational consequences can be more severe than those of an attack on IT alone, which raises the likelihood that victims pay.

'The IT side is how we manage our business, the OT side is why we're a business, and as ransomware groups start to move closer and closer to those OT assets, it becomes a completely different discussion in boardrooms on do we pay, and how quickly do we pay,' Conway explained.

He illustrated this with the example of a pharmaceutical company where attackers targeted the systems responsible for printing product labels. This highlights how attacks on in-between tech can significantly alter decision-making processes.

'If you were a pharmaceutical [company], and we wanted to cause problems in the batch or the dosage or blend of a particular drug. We might not be able to get deep into the network to those industrial control systems, but we could manipulate the product labeling so the label that gets stamped onto a particular pill is wrong,' Conway said. 'It has the same result. All those things go out in the market. People get poisoned, people die.'

The decision to pay a ransom becomes a matter of life and death. 'If you start from the perspective of: ‘We don't negotiate with terrorists, or we won't pay ransom’ it's one thing if you're talking about data,' he added. 'It's another thing if you're talking about human health and safety, and then it's a completely different equation of: ‘Do we pay to save lives?’ And that's an easy answer.'

The Escalating Threat Landscape: Ransomware and Destructive Cyber-Attacks

The SANS Institute annually identifies the most dangerous new attack techniques, selecting the top five that pose the greatest risk. This year, two of the top five are specific to OT and ICS in critical infrastructure: ransomware and destructive cyber-attacks.

Ransomware gangs have demonstrated a 'definite movement toward critical infrastructure,' according to Conway. The motivation behind this shift is straightforward.

Critical services like water stations and energy grids are often easier to infiltrate on the IT side. The Colonial Pipeline attack exemplifies this. The ransomware hit the organization's IT and billing systems, and the resulting shutdown led to panic buying and fuel shortages; the OT systems, such as pumping systems, were not compromised, and the operator halted pipeline operations as a precaution rather than because the controls had been encrypted.

Similarly, the Change Healthcare attack involved ransomware targeting IT systems, causing significant disruption to the healthcare system. The malware encrypted payment processing and claims systems, preventing pharmacies from filling prescriptions and hindering patients from receiving necessary medical treatment.

The trend is clear: cybercriminals are moving closer to OT assets in the ransomware landscape.

Before 2024, only seven known malware families were purpose-built to target ICS. In the past year, two more were developed and deployed, each designed to disrupt critical industrial processes rather than simply encrypt files.

'This is the sector to go after,' Conway stated. 'It's faster to pay, and get back online quickly, so this is certainly shaping the behaviors of criminal financial groups to go after in big ways.'

The Specter of Destructive ICS Attacks

Ransomware groups are not the only threat actors targeting these sectors. Russia, China, and Iran have all attempted to inflict damage on critical safety systems. This leads to the second ICS-specific threat identified by SANS: destructive ICS attacks from sophisticated nation-state actors.

'When we're talking nation-state [attacks], you have a series of geopolitical events that have to occur before you start seeing activity in this area,' Conway noted. He added that in his nearly three decades in security, he cannot recall a time with so many simultaneous geopolitical conflicts.

'You look at the geopolitical situation with China and Taiwan, and you have that as a backstory of supply chain concerns,' he added.

This has resulted in Chinese government groups infiltrating American energy grids, preparing for future destructive attacks, and attacking government, telecommunications, and IT service providers' networks in the US and abroad.

'You look at what's happening in Eastern Europe, with Ukraine and Russia, and we're seeing more and more and more critical infrastructure focused attacks since 2022 than we had ever seen before,' Conway continued.

In a particularly alarming incident, Russian malware called FrostyGoop targeted temperature controllers that provided central heating to over 600 apartment buildings in Lviv, Ukraine, shutting off heat to thousands during sub-zero temperatures in January 2024.

'And then you look to the Middle East and the events that occurred in Israel on October 7 with groups coming out of Iran that say: "We are going to go after any country that's using technology that's made by Israel,"' Conway said.

He referred to CyberAv3ngers, an Islamic Revolutionary Guard Corps (IRGC)-affiliated group that infiltrated water systems in late 2023 and was later found using custom malware called IOCONTROL to attack and remotely control US and Israel-based water and fuel management systems.

The ability to remotely control and manipulate critical systems is particularly concerning, indicating a shift in attackers' objectives, Conway added.

Instead of merely causing outages, government-backed actors aim to maintain system operation to inflict prolonged damage.

'If you just cause an outage, you've taken the bullet out of the gun, and that can be recovered in hours,' he explained.

Conversely, if the ICS system remains 'up and operational, you can manipulate it in ways where you cause equipment damage in that substation that take[s] anywhere from four to 18 weeks to replace,' Conway noted. 'A large water pump or an aquifer could take years to replace.'

This necessitates a different approach to defending critical networks, he said. 'Instead of thinking: How quickly can we restore? We need to pivot to [asking]: how quickly can we detect if an adversary is manipulating the system to cause destruction?'
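One concrete form of the detection Conway describes is watching the control protocol itself for writes that do not fit the process, rather than waiting for an outage. The following is an added example, not code from the article, SANS, or any vendor. It assumes the heating controllers speak Modbus/TCP (the article does not name a protocol) and uses a hypothetical policy for a single controller: only one engineering workstation is allowed to write, and the setpoint held in holding register 100 must stay within a declared safe band. The sample capture is constructed inline.

```python
"""Flag suspicious Modbus/TCP register writes in a captured request stream.

Added example with a hypothetical policy; the frames below are constructed
for illustration and do not come from any real capture.
"""
import struct
from dataclasses import dataclass

WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

# Hypothetical site policy (assumption, not from the article): one workstation
# may write, and the setpoint in holding register 100 must stay in [40, 90]
# in whatever units the controller uses.
ALLOWED_WRITERS = {"10.0.5.10"}
SETPOINT_REGISTER = 100
SETPOINT_RANGE = (40, 90)


@dataclass
class Write:
    src: str
    unit: int
    register: int
    value: int


def parse_modbus_tcp(src: str, frame: bytes) -> list[Write]:
    """Return the holding-register writes carried by one Modbus/TCP request.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2),
    unit id (1); then the PDU: function code (1) and function-specific data.
    Reads, malformed frames and other function codes yield no writes.
    """
    if len(frame) < 8:
        return []
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return []  # not Modbus/TCP, or length field disagrees with frame size
    fc, pdu = frame[7], frame[8:]
    if fc == WRITE_SINGLE_REGISTER and len(pdu) == 4:
        addr, value = struct.unpack(">HH", pdu)
        return [Write(src, unit, addr, value)]
    if fc == WRITE_MULTIPLE_REGISTERS and len(pdu) >= 5:
        start, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes != 2 * qty or len(pdu) != 5 + nbytes:
            return []  # byte count does not match quantity: drop, do not guess
        values = struct.unpack(">" + "H" * qty, pdu[5:])
        return [Write(src, unit, start + i, v) for i, v in enumerate(values)]
    return []


def check_write(w: Write) -> list[str]:
    """Apply the policy to one write and return human-readable findings."""
    findings = []
    if w.src not in ALLOWED_WRITERS:
        findings.append(f"write from unexpected host {w.src}")
    lo, hi = SETPOINT_RANGE
    if w.register == SETPOINT_REGISTER and not lo <= w.value <= hi:
        findings.append(f"setpoint {w.value} outside safe band {SETPOINT_RANGE}")
    return findings


def scan(capture: list[tuple[str, bytes]]) -> list[tuple[int, str]]:
    """Run every frame through the parser and policy; return (register, finding) pairs."""
    alerts = []
    for src, frame in capture:
        for w in parse_modbus_tcp(src, frame):
            for finding in check_write(w):
                alerts.append((w.register, finding))
    return alerts


def build_frame(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Helper used only to construct the sample capture below."""
    return struct.pack(">HHHB", tid, 0, len(payload) + 2, unit) + bytes([fc]) + payload


# Constructed sample capture: (source IP, raw Modbus/TCP request)
SAMPLE_CAPTURE = [
    ("10.0.5.10", build_frame(1, 1, 0x03, struct.pack(">HH", 100, 1))),     # read: benign
    ("10.0.5.10", build_frame(2, 1, 0x06, struct.pack(">HH", 100, 65))),    # legitimate setpoint change
    ("203.0.113.7", build_frame(3, 1, 0x06, struct.pack(">HH", 100, 5))),   # unknown host, value out of band
    ("10.0.5.10", build_frame(4, 1, 0x10,                                   # multi-write: reg 100 = 120 (out of band), reg 101 = 50
                              struct.pack(">HHB", 100, 2, 4) + struct.pack(">HH", 120, 50))),
]

if __name__ == "__main__":
    for register, finding in scan(SAMPLE_CAPTURE):
        print(f"register {register}: {finding}")
```

The point of checking the write path rather than device health is that a controller under manipulation reports as healthy; FrostyGoop-style setpoint changes look like normal traffic unless the source and the value are compared against what the process is supposed to need. In production the allow-list and band would come from the engineering baseline, and a write-frequency baseline per source is a natural third check.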