Russian Hackers Exploit Weak Firewalls with AI

The increasing digitalization and connectivity of industrial production have made Operational Technology-Security (OT-Security) a core concern for companies. Production data, SCADA systems, and connected machines are essential in many industries, but also highly vulnerable to cyber attacks. A single incident can lead to production downtime, reputational damage, and even life-threatening situations, particularly in critical infrastructure.

However, the pressure to invest in costly OT-Security solutions is growing, as companies face budget constraints, trade wars, and economic uncertainty. This has led to a search for cost-effective alternatives. Commercial OT-Security solutions, such as those offered by Nozomi Networks, Darktrace, Forescout, and Microsoft Defender for IoT, promise to provide robust protection, but may be out of reach for some organizations.

Meanwhile, a recent report by Amazon Threat Intelligence highlights the dangers of neglecting basic cybersecurity measures. A Russian-speaking threat actor has been using commercial generative AI services to compromise hundreds of Fortinet Fortigate firewalls. Once inside the network, the hackers have successfully compromised Active Directory at hundreds of organizations, extracted complete credential databases, and targeted backup infrastructure, potentially paving the way for ransomware attacks.

According to CJ Moses, CISO of Amazon Integrated Security, the report demonstrates how commercial AI services are lowering the technical barrier to entry for offensive cyber capabilities. A single actor, or a very small group, was able to generate its entire toolkit through AI-assisted development.

The incident serves as a reminder that failure to implement basic cybersecurity measures will inevitably lead to a breach of security controls. The compromised Fortigate firewalls in this campaign are being exploited due to weak passwords and lack of multi-factor authentication, highlighting the need for companies to prioritize basic security hygiene.

This is not the first time that AI has been used in cyber attacks. However, the increasing availability of commercial AI services has made it easier for attackers to develop sophisticated tools without requiring extensive expertise. As the use of AI in cyber attacks becomes more prevalent, companies must adapt their security strategies to stay ahead of the threats.

In the context of OT-Security, this means prioritizing the protection of production data, SCADA systems, and connected machines. Companies must implement robust security measures, including multi-factor authentication, encryption, and regular software updates. They must also ensure that their employees are aware of the risks and take steps to prevent phishing and other social engineering attacks.

Furthermore, companies should consider investing in cost-effective OT-Security solutions that can provide robust protection without breaking the bank. Open-source solutions, for example, can offer a cost-effective alternative to commercial solutions. However, companies must carefully evaluate the risks and benefits of open-source solutions and ensure that they meet their specific security needs.

In conclusion, the incident highlighted by Amazon Threat Intelligence serves as a reminder that basic cybersecurity measures are still essential in the face of increasing digitalization and industrial connectivity. Companies must prioritize security hygiene, invest in robust OT-Security solutions, and adapt their security strategies to stay ahead of the threats. By doing so, they can protect their production data, SCADA systems, and connected machines from cyber attacks and minimize the risk of reputational damage and life-threatening situations.