

Ethical Hacking News

Ransomware's New Frontier: The Perilous Middle Ground Between IT and Operational Tech




Ransomware has traditionally hit IT systems, and nation-state ICS malware has gone after operational technology (OT) directly, but attackers are increasingly targeting the systems that sit between the two. This "no man's land" of critical infrastructure poses significant risks to the industries and organizations that depend on it.

As ransomware gangs move closer to OT assets, the stakes rise for companies and governments alike: a successful attack can disrupt services such as water treatment and energy delivery. Defenders need to reassess their approach before these systems are hit.

The shift in tactics changes the defensive problem. Understanding where these in-between systems sit, and how attackers now manipulate them rather than merely knock them offline, lets organizations build detection and response strategies that fit the threat.

  • Ransomware attackers are increasingly targeting the systems that sit between IT and operational technology (OT), a "no man's land" that is nonetheless critical to industrial processes.
  • These systems govern the integrity of the product (for example, which fuel goes into which tank, or which label goes on which drug), so attacking them can halt production and disrupt entire supply chains.
  • Victims are more likely to pay extortion demands when an attack on in-between tech has operational impact, rather than just causing an IT outage.
  • Remote control of critical systems is the more dangerous outcome: an attacker who keeps a system running can manipulate it to cause equipment damage over a longer period.
  • Defenders should therefore shift their emphasis from restoration speed to detection speed, asking how quickly they can spot manipulation of a system.
  • Ransomware and destructive cyber-attacks on OT and ICS are two of the five most dangerous attack techniques this year, according to SANS Institute experts.
  • Critical infrastructure such as water stations and energy grids attracts ransomware operators because the IT side of the house is easier to reach than the OT side.
  • Destructive ICS attacks from sophisticated nation-state actors are a growing threat, typically preceded by geopolitical events such as the conflicts involving Ukraine and Taiwan, and tied to supply chain concerns.



    The world of cybersecurity is witnessing a significant shift as ransomware attackers increasingly target the systems that sit between IT and operational tech. This "no man's land" has become a lucrative target for malicious actors, with the potential to disrupt critical infrastructure and cause devastating consequences.

    According to Tim Conway, technical director of SANS Institute industrial control systems (ICS) programs, these in-between systems are neither the classic IT systems that run core business applications nor the OT that drives heavy industrial infrastructure. Instead, they sit in facilities such as terminals that store and distribute fuel, where they keep home heating oil separate from gasoline, diesel, and jet fuel, among other critical functions.

    "These middle systems are crucial to the integrity of the product," Conway explained. "If the wrong product comes down the line, the system isn't sound." To illustrate how such attacks change decision-making, he cited a pharmaceutical company where attackers hit the in-between systems that print product labels.

    "The IT side is how we manage our business, the OT side is why we're a business, and as ransomware groups start to move closer and closer to those OT assets, it becomes a completely different discussion in boardrooms on do we pay, and how quickly do we pay," Conway said. Victims are more likely to pay the extortion demands because of the operational impact when in-between tech is hit.

    In one grim case, Russian malware called FrostyGoop targeted the temperature controllers that supplied central heating to over 600 apartment buildings in Lviv, Ukraine, cutting off heat to thousands of civilians during sub-zero temperatures in January 2024. Another example is the CyberAv3ngers group, which broke into water systems in late 2023 and was later seen using custom malware called IOCONTROL to attack and remotely control water and fuel management systems in the US and Israel.

    The ability to remotely control and manipulate critical systems is especially dangerous because it signals a shift in what attackers do with the access they gain. They are no longer just trying to cause an outage; government-backed operators want to keep the systems up and running so they can cause damage over a longer period.

    "If you just cause an outage, you've taken the bullet out of the gun, and that can be recovered in hours," Conway explained. "On the other hand, if the ICS system remains up and operational, you can manipulate it in ways where you cause equipment damage in that substation that take[s] anywhere from four to 18 weeks to replace," he noted.

    This requires a different approach to defending critical networks. "Instead of thinking: How quickly can we restore? We need to pivot to [asking]: how quickly can we detect if an adversary is manipulating the system to cause destruction?" Conway said.
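    The detection-first posture Conway describes needs concrete checks on the control traffic itself. The following Python script is an added illustration, not code from the article, from SANS, or from any vendor: it scans constructed Modbus/TCP request records for three signs of manipulation rather than outage, namely writes from hosts outside an assumed engineering-workstation allow-list, setpoint writes outside an assumed plausible envelope for a heating controller, and bursts of control changes from one host. The log format, host addresses, register number and temperature envelope are all assumptions for the example.

```python
"""Spotting manipulation of a Modbus/TCP-controlled process (added example).

Not the article's or SANS's code. Log format, hosts, register number and the
temperature envelope are assumed; the sample log at the bottom is constructed.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Modbus function codes that change controller state; reads (e.g. fc 3) are polling.
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}
# Assumed: the only hosts that should ever issue writes (engineering workstation, HMI).
ALLOWED_WRITERS = {"10.10.5.20", "10.10.5.21"}
# Assumed: holding register carrying a heating setpoint in tenths of a degree C,
# and the range the process engineers consider plausible (30.0 C to 90.0 C).
SETPOINT_REGISTER = 40001
SETPOINT_MIN, SETPOINT_MAX = 300, 900
# Assumed: more than BURST_LIMIT writes from one host inside the window is a burst.
BURST_LIMIT = 3
BURST_WINDOW = timedelta(seconds=60)


@dataclass(frozen=True)
class ModbusRequest:
    ts: datetime
    src: str
    unit: int
    function: int
    register: int
    value: Optional[int] = None


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    reason: str


def parse_line(line: str) -> ModbusRequest:
    """Parse one 'TIMESTAMP key=value ...' record (assumed sensor export format)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return ModbusRequest(ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
                         src=kv["src"], unit=int(kv["unit"]), function=int(kv["fc"]),
                         register=int(kv["reg"]),
                         value=int(kv["val"]) if "val" in kv else None)


def parse_log(text: str) -> list[ModbusRequest]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def analyze(requests: Iterable[ModbusRequest]) -> list[Alert]:
    """Return alerts for writes that look like manipulation rather than normal control."""
    alerts: list[Alert] = []
    recent_writes: dict[str, deque] = defaultdict(deque)
    bursting: set[str] = set()
    for r in requests:
        if r.function not in WRITE_FUNCTIONS:
            continue  # only state changes matter for this check
        name = WRITE_FUNCTIONS[r.function]
        # 1. Writes must come from an approved engineering host.
        if r.src not in ALLOWED_WRITERS:
            alerts.append(Alert(r.ts, r.src, f"{name} from unapproved host to unit {r.unit}"))
        # 2. Setpoint writes must stay inside the process envelope, whoever sent them
        #    (a compromised HMI is still an approved host).
        if r.register == SETPOINT_REGISTER and r.value is not None:
            if not SETPOINT_MIN <= r.value <= SETPOINT_MAX:
                alerts.append(Alert(r.ts, r.src, f"setpoint {r.value / 10:.1f} C outside envelope "
                                    f"{SETPOINT_MIN / 10:.1f}-{SETPOINT_MAX / 10:.1f} C"))
        # 3. A rapid burst of control changes from one host suggests scripted manipulation.
        q = recent_writes[r.src]
        q.append(r.ts)
        while q and r.ts - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) > BURST_LIMIT and r.src not in bursting:
            bursting.add(r.src)
            alerts.append(Alert(r.ts, r.src,
                                f"burst: {len(q)} writes within {int(BURST_WINDOW.total_seconds())}s"))
    return alerts


# Constructed sample: routine HMI traffic, then a rogue host rewriting the setpoint.
SAMPLE_LOG = """\
2025-05-01T03:12:07Z src=10.10.5.20 unit=1 fc=3 reg=40001
2025-05-01T03:12:08Z src=10.10.5.20 unit=1 fc=6 reg=40001 val=650
2025-05-01T03:14:41Z src=10.10.5.77 unit=1 fc=6 reg=40001 val=120
2025-05-01T03:14:42Z src=10.10.5.77 unit=1 fc=6 reg=40001 val=950
2025-05-01T03:14:43Z src=10.10.5.77 unit=2 fc=16 reg=40010 val=0
2025-05-01T03:14:44Z src=10.10.5.77 unit=1 fc=6 reg=40001 val=120
2025-05-01T03:15:00Z src=10.10.5.20 unit=1 fc=3 reg=40001
"""


def sample_alerts() -> list[Alert]:
    return analyze(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in sample_alerts():
        print(a.ts.isoformat(), a.src, a.reason)
```

    The point of the second check is that an allow-list alone is not enough: if the attacker sits on the HMI or engineering workstation, every write is "approved", and only the process envelope (a setpoint of 12 C for a district heating loop in winter, or 95 C above the boiler rating) reveals that the system is being steered toward damage rather than switched off.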

    SANS Institute experts research the most dangerous new attack techniques each year and pick the five they believe pose the greatest risk. This year, two of the top five are specific to OT and ICS in critical infrastructure: ransomware and destructive cyber-attacks. Ransomware gangs have shown a "definite movement toward critical infrastructure," according to Conway, who said there is a simple reason for the change in behavior.

    When it comes to critical services such as water stations and energy grids, it is easier for ransomware operators to infect the IT side of the house. That is what happened in the Colonial Pipeline attack: the intrusion hit the company's billing systems and led to panic buying and shortages at gas stations along the US East Coast, but its OT, such as the pumping systems, was not compromised.

    Prior to 2024, just seven known malware variants specifically targeted ICS. Last year, attackers created and deployed two more designed to disrupt critical industrial processes. "This is the sector to go after," Conway said. "It's faster to pay, and get back online quickly, so this is certainly shaping the behaviors of criminal financial groups to go after in big ways."

    Destructive ICS attacks from sophisticated nation-state actors are also a growing threat. "When we're talking nation-state [attacks], you have a series of geopolitical events that have to occur before you start seeing activity in this area," Conway noted. He added that during his nearly three decades in security, he cannot remember a time with so many simultaneous geopolitical conflicts.

    "You look at the geopolitical situation with China and Taiwan, and you have that as a backstory of supply chain concerns," he added. "You look at what's happening in Eastern Europe, with Ukraine and Russia, and we're seeing more and more and more critical infrastructure focused attacks since 2022 than we had ever seen before."



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ransomwares-New-Frontier-The-Perilous-Middle-Ground-Between-IT-and-Operational-Tech-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/05/14/ransomware_targets_middle_systems_sans/


  • Published: Wed May 14 02:23:29 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.