The Dragos Blog

09.30.24 | 5 min read

Why Adversaries Target VPN Appliances: The Pathway from IT to OT Cyber Attack

Dragos, Inc.

Dragos recently identified malicious activity targeting multiple critical North American infrastructure networks, primarily those belonging to electric, oil and gas, water and wastewater, and manufacturing sector organizations. This activity suggests early-stage reconnaissance behavior, focused on initial access to Cisco Secure Socket Layer (SSL) Virtual Private Network (VPN), Fortinet VPN, and Palo Alto GlobalProtect VPN appliances. The adversary has used a mix of random and genuine employee information, including former employee credentials, in the login attempts.

What You Need to Know: Brute-Force Tactics Targeting VPNs in Critical Industrial Sectors 

The Key Insight: IT is the entry point, but OT could be the endgame.

In 2023, 70 percent of OT attacks started in IT systems, according to the 2023 OT Cybersecurity Year in Review. Adversaries use IT systems as an entry point to gain visibility and access to OT environments, where they can cause significant operational disruption. Understanding this pathway is crucial for industrial asset owners who must defend their IT and OT environments. 

The Intelligence: Insights from our intelligence brief, Brute-Force Operations Targeting VPNs Across Critical Industrial Sectors, highlight adversary activity targeting IT systems that could serve as a gateway to operational technology (OT) environments: 

  • Dragos identified widespread brute-force login attempts using a mix of random and genuine usernames of current and former employees targeting critical infrastructure virtual private network (VPN) appliances. 
  • Cisco SSL-VPN, Fortinet VPN, and Palo Alto GlobalProtect VPN are targeted across electric/energy, oil and gas, water and wastewater, and manufacturing.
  • The adversary has mainly used virtual private server (VPS) infrastructure hosted by Stark Industries Solutions, a bulletproof hosting provider widely used for denial-of-service attacks. 
  • The tactics and infrastructure observed in these operations align with broader trends in cyber attacks targeting critical infrastructure sectors, including energy, utilities, and manufacturing. 
  • Although the adversary targets IT environments, there is a demonstrable focus on critical infrastructure and the potential for adversaries to pivot to OT networks.

Our OT threat intelligence report is grounded in research developed by our expert cyber threat intelligence team for Dragos WorldView customers. The insights provide actionable and urgent guidance for securing OT environments based on real-world observations, exclusive telemetry, and the latest OT threat intelligence trends. For those interested in more in-depth analysis and regular updates on current and emerging threats targeting critical industrial infrastructure, detailed technical reporting is accessible through a Dragos WorldView subscription.

Get the complete analysis in our OT cyber threat intelligence brief covering the brute-force tactics used to target industrial sector VPNs.

Although this threat’s immediate focus is on IT infrastructure, specifically through the exploitation of VPN devices, it poses a significant risk to OT environments. As adversaries target IT networks within critical sectors such as energy and water, they may inadvertently or deliberately gain access to OT systems, disrupting critical industrial processes. This activity drives home the need for enhanced asset visibility, network monitoring across IT and OT networks, and a risk-based approach to vulnerability management.  

Adversarial Threat Tactics: From IT Entry to OT Compromise 

Understanding the specific behaviors and tactics employed by adversaries is key to defending OT systems. Here are the critical stages of an attack as it progresses from IT to OT systems.

Reconnaissance: The Quiet Surveillance of Your Systems 

Reconnaissance is the critical preparatory phase in which adversaries learn about your network and its weaknesses. This often involves: 

  • Scanning for exposed devices: Adversaries look for VPNs, firewalls, and other appliances exposed to the Internet. They identify vulnerable firmware versions, misconfigurations, or default settings that can be exploited. 
  • Mapping network architecture: Their goal is to understand the structure of both IT and OT networks. Adversaries will identify the devices in use, such as PLCs or SCADA systems, and any unprotected pathways between IT and OT systems.

Implications for OT: By successfully conducting reconnaissance on IT systems, adversaries can map potential entry points into OT networks, identify critical devices to target, and plan how to manipulate OT processes once they gain access. Reconnaissance can reveal the industrial protocols in use, such as whether a target runs Modbus or DNP3, and potential weak points that allow attackers to achieve their goals while blending into legitimate traffic.

Credential Theft: Keys to Moving Stealthily Within Your Network 

A common goal for adversaries during the reconnaissance phase is to obtain valid credentials, which can then be used to access network appliances or OT systems. Tactics include: 

  • Brute Force Login Attempts: By targeting VPNs, firewalls, and other devices, adversaries attempt to gain access by systematically guessing passwords, often using slower methods to avoid detection. 
  • Credential Reuse and Phishing: Attackers leverage stolen or reused passwords or conduct phishing campaigns to acquire credentials for privileged accounts. They may also use credential-stuffing tactics to test a list of breached passwords across different accounts. 
  • Use of Legitimate Usernames: Leveraging valid or former employee usernames enables adversaries to blend in with regular network traffic, significantly delaying detection.

Implications for OT: Credential theft is a key to deeper access. With valid credentials, adversaries can gain unauthorized access to VPNs, establish persistence, and potentially move laterally across IT systems and infiltrate OT environments. Using legitimate credentials also means adversaries can masquerade as regular users, making their activities difficult to detect in IT and OT systems.
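Detection logic for the pattern this section describes (slow, spread-out guessing across many usernames, including former employees' accounts), as an added example that is not part of the Dragos post or its tooling; the log layout, usernames, directory lists and source addresses are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN auth log in a generic syslog-like layout (assumed format, not a vendor's
# real schema). One guess every few minutes: the slow pacing the section describes.
SAMPLE_LOG = """\
2024-09-20T01:00:05Z vpn01 auth: user=jsmith src=203.0.113.10 result=FAIL
2024-09-20T01:07:41Z vpn01 auth: user=mjones src=203.0.113.10 result=FAIL
2024-09-20T01:15:02Z vpn01 auth: user=qz8vk src=203.0.113.10 result=FAIL
2024-09-20T01:22:17Z vpn01 auth: user=tlee src=203.0.113.10 result=FAIL
2024-09-20T01:30:44Z vpn01 auth: user=rgarcia src=203.0.113.10 result=FAIL
2024-09-20T01:31:03Z vpn01 auth: user=akhan src=198.51.100.7 result=SUCCESS
2024-09-20T02:10:12Z vpn01 auth: user=jsmith src=198.51.100.7 result=FAIL
"""
ACTIVE = {"jsmith", "tlee", "akhan"}  # constructed directory of current users
FORMER = {"mjones", "rgarcia"}        # constructed offboarding list (accounts should be disabled)
LINE_RE = re.compile(r"^(\S+) \S+ auth: user=(\S+) src=(\S+) result=(\w+)$")

def parse(log):
    """Return (timestamp, user, src, result) tuples for lines matching LINE_RE."""
    return [(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4))
            for m in map(LINE_RE.match, log.splitlines()) if m]

def spray_sources(events, window=timedelta(hours=1), min_users=4):
    """Map src -> max distinct usernames that failed from it inside any sliding window.
    Per-account lockout thresholds miss this pattern: each account sees only one failure."""
    by_src = defaultdict(list)
    for ts, user, src, res in events:
        if res == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = max(len(users), flagged.get(src, 0))
    return flagged

def classify_failures(events):
    """Bucket usernames seen in failures as active, former (should be disabled) or unknown/random."""
    buckets = {"active": set(), "former": set(), "unknown": set()}
    for _, user, _, res in events:
        if res == "FAIL":
            kind = "active" if user in ACTIVE else "former" if user in FORMER else "unknown"
            buckets[kind].add(user)
    return buckets
```

Any failure against a former-employee account is worth an alert on its own, since a correctly offboarded account should never be tried by a legitimate user.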

Lateral Movement: Expanding Access from IT to OT 

Once initial access is obtained, adversaries seek to move laterally from IT systems into the OT network. This involves:

  • Jumping Network Segments: Adversaries look for misconfigured or weakly segmented networks, especially those that allow free communications between IT and OT systems.  
  • Leveraging Communication Protocols: RDP (Remote Desktop Protocol), SMB (Server Message Block), and other communication protocols are often targeted as they provide direct pathways to OT devices. If adversaries compromise these protocols or the credentials used in the authentication of these protocols, they can gain control over the OT systems they manage.
  • Privilege Escalation: Adversaries seek to escalate their privileges within the network to gain access to more sensitive systems and to carry out higher-impact attacks. This may involve exploiting vulnerabilities in OT devices or network appliances to gain admin-level access.

Implications for OT: Lateral movement is critical for adversaries wishing to disrupt or manipulate OT systems. Once they can navigate between IT and OT networks, they may access control systems, manipulate industrial processes, or conduct espionage for future disruptive actions. 

Attack Flow and Stages from Initial Access to Full OT Compromise 

Attacks typically progress through stages, with each phase setting up the next: 

  • Initial Access: Gained through brute-force attacks, phishing, or exploitation of network appliance vulnerabilities. 
  • Establishing Persistence: Adversaries may establish backdoors, leverage the compromised credentials of system accounts or current organization members, or modify the network.
  • Discovery and Network Mapping: Using reconnaissance techniques, adversaries map the internal network to identify OT devices and pathways between IT and OT. 
  • Credential Access and Lateral Movement: As described, adversaries use stolen credentials to move laterally and escalate privileges across network segments. 
  • Execution of Attack on OT Systems: The final stage could involve a range of attack types: deploying ICS-specific malware to disrupt operations, manipulating industrial control systems to alter physical processes, or stealing intellectual property.

Implications for OT: Understanding the stages of an attack helps asset owners anticipate and detect malicious activity at each phase, preventing full OT compromise. Acknowledging that IT devices are often the starting point in many attacks emphasizes the importance of securing both environments. 

The Need for OT-Native Asset Visibility & Network Monitoring

While securing pathways from IT to OT is a crucial first step, it is not sufficient on its own. Proper protection for OT environments requires asset visibility beyond traditional IT tools. The unique nature of OT systems demands an OT-native asset identification and network monitoring tool that understands the protocols, assets, and behaviors specific to industrial control systems. The Dragos Platform can accurately map all devices connected in your OT environment, including all connections to IT/IoT/IIoT devices, which are more likely to be exposed and used as an initial access point.

Get the Complete Analysis

Download our latest OT cyber threat intelligence and learn how you can mitigate the impending threats to both IT and OT environments.

