‘Not Cool, Dude’: Trend Micro’s Factory Honeypot Found Real Solutions to Cyber Attacks

Researchers with the Irving cybersecurity firm spoofed a small industrial firm and its staff to uncover and respond to cyber threats, and it worked. They even went so far as to create an exasperated manager, who told the hackers they were "so not cool dude."

As smart machines make work more efficient in just about every industry, hackers are seeking more ways to profit by crippling the technology we rely on to get stuff done. While most of us know about data breaches and ransomware attacks on big businesses and local government agencies, small- to mid-size manufacturers and businesses are increasingly faced with cyber threats.

Trend Micro, the Japanese cybersecurity company with U.S. headquarters in Irving, previously made honeypots for individual industrial control systems (ICS). Now, it’s created its most sophisticated honeypot yet in spoofing a smart factory that makes industrial prototypes.

Honeypots are decoy sites, a tool in deception technology that’s used to gather data to improve cybersecurity.

Company researchers conducted a six-month investigation that showed smaller factories are vulnerable to threats such as ransomware, cryptocurrency mining, and consumer fraud.

“Too often, discussion of cyber threats to industrial control systems has been confined to highly sophisticated, nation-state level attacks designed to sabotage key processes. While these do present a risk to Industry 4.0, our research proves that more commonplace threats are more likely,” Greg Young, vice president of cybersecurity for Trend Micro, said in a statement. “Owners of smaller factories and industrial plants should therefore not assume that criminals will leave them alone. A lack of basic protections can open the door to a relatively straightforward ransomware or cryptojacking attack that could have serious consequences for the bottom line.”

To collect valuable data on hackers, researchers used the same sorts of hardware a factory would have: human-machine interfaces (HMIs), robotic and engineering workstations, and file servers. They also created a website complete with phone numbers and email, which researchers would answer.

Last May, the site went live. Then they baited the hook.

Researchers exposed one of their HMI systems over Virtual Network Computing (VNC) with insufficient protection, and they “leaked” information that made it look like the system had been hacked.

Starting in July, the honeypot began drawing hackers in. First it was cryptocurrency mining, then system shutdowns, two different ransomware attempts, and someone who changed file names and downloaded a slew of open tabs to a porn site onto one of the fake company’s desktops.

To keep the ruse going, researchers responded to ransomware attempts with a made-up character of an exasperated, overworked start-up manager. “THIS IS NOT COOL,” they wrote, “So not cool dude, give us our files back.” The fictitious manager even haggled for a lower ransom.

By the end of 2019, the team had a lengthy list of lessons learned and shut the site down.

Trend Micro now recommends that small factory owners minimize the number of ports they leave open, tighten access and control of computer systems, and use cybersecurity services to protect their data and equipment.

On Feb. 25, Trend Micro officials announced they’d stopped 61 million ransomware attacks worldwide in 2019. The healthcare sector remained the most targeted industry, followed by state and local governments and agencies.

Small- to mid-size businesses continue to be a popular target for cybercriminals, accounting for more than half of all ransomware attacks.
