2022 was a record-smashing year for cyberattacks, and not in a good way. Critical infrastructure (notably: oil and gas and water treatment facilities), industrial manufacturing, transportation, and much more – all were hit and hit hard.
This year’s attacks ranged from privately-initiated ransomware attacks to full-blown nation-state influenced or sponsored attacks. In 2022, it became clear that OT/IT/IIoT networks are being heavily targeted and that supply chains of all types – from energy to computer components and everything in between - are paying the price as a result.
2022 also demonstrated how geopolitical events like Russia’s war against Ukraine can dramatically exacerbate cyber risk. The cyber shadow of the Ukraine war falls much farther than the battlefield. Volatile energy markets – partly driven by Europe’s move to end its dependence on Russian energy supplies – mean that oil, gas, energy, and power players around the world are more intensely targeted, and more vulnerable, than ever.
What are some of the most disturbing and prominent attacks in 2022, and what are their implications for 2023 and beyond? Read on…
In the two weeks leading up to the invasion of Ukraine, Russian hackers were reportedly focused on cyberattacks against LNG (liquefied natural gas) companies. According to Bloomberg and Resecurity, more than 21 LNG producers, suppliers, and distributors were attacked during a two-week ‘pre-positioning’ blitz before the war began in February. US-based LNG-related companies that were allegedly targeted included Chevron, Kinder Morgan, Cheniere Energy, and EQT Corp.
Also just prior to Russia’s invasion, a massive ransomware attack disrupted operations at oil terminals in the Netherlands, Germany, and Belgium. The attack affected dozens of terminals - among them Evos in the Netherlands, Oiltanking in Germany, and SEA-Invest in Belgium - and hampered the loading of refined products at oil storage terminals in the Amsterdam-Rotterdam-Antwerp refining hub.
The May 2021 Colonial Pipeline ransomware attack, which halted fuel deliveries to much of the Eastern and Southern U.S. for roughly five days, had already shown what a cyberattack on energy logistics can do; the 2022 attacks on LNG companies and oil terminals are a further wake-up call to proactively manage security risks in cyber-physical systems.
Alongside the physical targeting of Ukraine’s nuclear power infrastructure, state-sponsored threat actors have also targeted the digital infrastructure of nuclear plants. In August, Russian hackers launched a large-scale distributed denial-of-service (DDoS) attack against the website of Energoatom, the Ukrainian state enterprise that operates the country’s 15 reactors; Energoatom reported that the attack had no significant impact on its operations.
Renewable energy (notably wind energy) has been intensely targeted since Russia’s invasion because it is a potential replacement for Russian oil and gas. In April 2022, a cyberattack against Deutsche Windtechnik, a leading German wind energy company, caused the company to shut down the remote systems controlling some 2,000 wind turbines for nearly 24 hours. Nordex SE, a turbine producer, announced a ransomware attack in March that caused an IT shutdown, and a pro-Russian hacking group later claimed responsibility. Another turbine maker, Enercon GmbH, lost remote monitoring and control of some 5,800 turbines as collateral damage of the attack on Viasat’s KA-SAT satellite network on the day of the invasion; the turbines kept running, but could not be reached remotely until connectivity was restored.
Tata Power, India’s largest integrated power company serving some 12 million customers, was hit with ransomware in October of 2022. The hackers released employee PII, national ID numbers, tax account numbers, salary information and more, along with engineering drawings, financial and banking records, and client information.
In Africa, customers of the Electricity Company of Ghana (ECG) were unable to buy prepaid power or access their accounts for nearly a week following an apparent ransomware attack. More worryingly, one source claimed that an ECG project had been taken over, with the hackers modifying source code and taking control of servers.
Another critical infrastructure sector, water treatment, was targeted globally in 2022. In July, hackers found that the sewage system in the Israeli town of Or Akiva was completely unprotected, lacking even the most basic cybersecurity controls. They accessed the municipality’s water pump interface and published a screenshot of the system as proof. Thankfully, they chose not to act on the access they had gained.
In August in the UK, South Staffordshire Water fell victim to a cyberattack in which the Cl0p ransomware group claimed to have gained access to the SCADA systems controlling industrial processes at treatment plants – access that would, in principle, allow an attacker to alter the chemical treatment of water supplied to the organization’s 500,000 household customers. The attackers published screenshots of those systems; the company stated that water supply and safety were not affected.
In September, the GhostSec hacktivist group announced that it had successfully taken control of an Israeli hotel swimming pool’s water system, which controlled the pool’s pH and chlorine levels. This time, too, no damage was inflicted by the hackers.
In February, an attack on Toyota Motor parts and components supplier Kojima Industries forced the automaker to suspend operations on 28 production lines across 14 plants in Japan for at least a day. The fallout from the attack – which also affected Hino and Daihatsu Motors – was massive: Toyota announced that the suspension cut output by roughly 13,000 vehicles, about 5% of its monthly domestic production and roughly a third of a single day’s global output.
A ransomware attack on Bridgestone Tire in February 2022 resulted in the company halting operations at dozens of industrial manufacturing plants in the U.S., Canada, Central America, Latin America, and the Caribbean, impacting approximately 50,000 workers. The cyberattack was reportedly carried out by the LockBit ransomware gang.
In March 2022, major Toyota supplier Denso also fell victim to a ransomware attack on its German business unit, Denso Automotive Deutschland GmbH, but the company said that the attack did not affect its production.
A cyberattack on a third-party IT service provider halted train traffic in Denmark at the end of October. Trains operated by DSB, Denmark’s largest train company, came to a standstill and could not resume for several hours. The attack hit a software provider whose application DSB train drivers rely on; the provider shut down its servers to contain the threat and keep it from reaching the OT environment, and without the application the trains could not run.
In late May, electronics contract manufacturer Foxconn confirmed the disruption of operations at one of its Mexico-based production plants owing to a cyberattack. The group behind the LockBit ransomware-as-a-service (RaaS) claimed responsibility for the attack and threatened to leak data stolen from Foxconn unless a ransom was paid.
In January 2022, the Swiss-based CPH group experienced a cyberattack on its IT systems that caused it to temporarily suspend pulp and paper manufacturing operations at plants in Perlen, Switzerland and Mülheim, Germany. Approximately two weeks after the attack, the company announced that “all IT systems of the CPH Group worldwide were checked and restored from the backup systems together with external cyber specialists.”
In October, a ransomware attack halted the circulation of several German newspapers - disabling the printing system for Heilbronn Stimme, with a daily circulation of 75,000 printed copies in addition to several other publications the group distributes. Beyond printing problems, the company’s telephone and email systems were also shut down, and the editorial team was forced to use a third-party service to release a limited e-newspaper.
A prominent US lactose-free milk brand, Lactaid, went missing from the shelves of supermarket chains like Costco and Publix owing to a cyberattack. The company that owns the Lactaid brand, HP Hood Dairy, did not disclose specifics of the attack, but cyber experts claimed it was most likely a ransomware attack that forced the company to take all of its plants offline.
Nation-states and private hacking organizations have critical infrastructure and industry firmly in their crosshairs. While 2022 will be remembered for high-profile critical energy infrastructure attacks connected to the war in Ukraine - the year also clearly demonstrated the need for OT security practitioners to better manage cyber risks across all industries. Cybersecurity leaders need to maintain resilient operations and would be wise to use a risk-based approach to mitigate security gaps and vulnerabilities to help prevent attacks in 2023 and beyond.
Securing industrial and critical infrastructure network environments demands a different type of approach to digital and cyber security. Critical infrastructure operators and government agencies are becoming more aware of the need for industrial-native risk management tools (like OTORIO’s RAM2) that were designed for IT and OT security practitioners.
Wherever you are in your operational security journey, we’re here to help you take the next step. Contact us to learn more.