Moscow OT Infrastructure Breached: the Lessons
Radiflow released an interesting report detailing a recent attack against operational technology (OT) within Moscow city industrial sensor and monitoring infrastructure.
This infrastructure plays a crucial role in managing the safety and security of Moscow's municipal services, including gas, water, and fire alarms. The attackers claim to have disrupted 87,000 sensors and control systems across various facilities, including wiping about 1,700 sensors and routers. In addition to damaging physical equipment, the attackers wiped 30TB of critical data from servers and workstations, including backups, progressing from Active Directory to Vmware infrastructure.
Beyond the geopolitical implications (this was performed by a group possibly affiliated with Ukrainian intelligence), some key lessons emerge:
Device Security Issues
The attack underscores recurring security vulnerabilities in OT devices such as HMIs, PLCs, gas, water, fire alarms, and other sensors.
Default passwords remain a common problem. In this case, a well-known default password was used to access IoT gateway devices, facilitating the attack.
Network Segmentation Gap
Despite industry standards like IEC 62443 recommending network segmentation, it appears lacking in this case.
The attackers made their way in by compromising accounts in the traditional IT infrastructure and progressing into the OT network with few obstacles. This is also a recurring theme: it’s not rare to find OT devices exposed even on the public internet (for ex. searchable with Shodan); see this example from the water supply and wastewater industry.
Multifactor Authentication (MFA) Gap
The lack of multifactor authentication (MFA) in Vmware and Active Directory, perhaps the 2 most prevalent traditional IT infrastructure elements, makes attacks easier. This is unfortunately a frequent ”ingredient” in many successful attacks, as these on-premise systems are often harder to secure with MFA.
Read the full report from Radiflow here.