Echobot Malware Drives Significant Increase in OT Attacks

Attacks targeting operational technology (OT) infrastructure increased by over 2000 percent in 2019 compared to the previous year, and the piece of malware most commonly seen in these attacks was the Mirai variant named Echobot, IBM revealed on Tuesday.


IBM’s 2020 X-Force Threat Intelligence Index summarizes the most prominent threats observed by the company’s researchers last year, including OT threats.


Based on data derived from network event logs, IBM saw an increase of over 2000 percent in attacks targeting industrial control systems (ICS) and other OT assets compared to 2018.


“In fact, the number of events targeting OT assets in 2019 was greater than the activity volume observed in the past three years,” the company said in its report.



According to IBM, most of the OT attacks involved exploitation of known vulnerabilities and password-spraying attempts.


Some of the observed activity was linked to well-known threat actors. One of them was XENOTIME, the group behind the 2017 Triton/Trisis malware attack on a Saudi Arabian petrochemical plant, which last year started targeting electric utilities in the United States and the APAC region. The Iran-linked threat actor tracked as APT33 (aka Hive0016, Elfin, and Holmium) also reportedly started targeting ICS last year.


However, Charles DeBeck, cyber threat intelligence expert at IBM, told SecurityWeek that the “primary offending malware” observed in ICS attacks was Echobot, which is a variant of the notorious Mirai IoT malware. Echobot emerged last year and it has incorporated over two dozen different exploits, including ones targeting enterprise and ICS products.

