
"During an incident response engagement in the Middle East, the FortiGuard Incident Response team identified what appeared to be an Iranian-linked APT threat actor attempting to laterally move from the customer's IT environment into their OT systems. Each time the customer tried to contain the activity, the threat actor adapted, deploying new malware, standing up fresh infrastructure, and reestablishing access almost immediately. We paused reactive containment of individual issues and our team shifted to a full-scope investigation to understand the attacker's foothold, movement patterns, and objectives."
"As we worked through the environment, we uncovered a persistent mechanism we hadn't expected: an 'n-day' vulnerability that hadn't been publicly documented as exploited in the wild. It gave the threat actor a reliable path to re-enter the network, even after apparent cleanup. Ultimately, the attacker's goal was clear: establish sustained access to the OT network. We observed repeated attempts to move laterally from the IT network using jump boxes and m"
Industrial control systems and operational technology environments are neither uniformly quiet nor fully understood. Their risks include unexpected configurations and operational complexities that standard penetration testing and conventional risk assessments struggle to uncover. Real-world incidents reveal gaps between written security policies and actual plant-floor behavior. In one case, an Iranian-linked threat actor attempted to move from an IT environment into OT systems, adapting after each containment attempt by deploying new malware and infrastructure. The response team shifted from reactive containment to a full-scope investigation and discovered an undocumented n-day vulnerability that served as a reliable re-entry path. The attacker's objective was sustained OT access, pursued through repeated lateral movement attempts.
Read at SecurityWeek