Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats


Different critical infrastructures have been hit with attacks such as those that involved the infamous Stuxnet malware1 and the more recent Triton malware.2 These incidents — attacks on manufacturing and other sectors that use industrial control systems (ICSs) — continue to be heard of through the years. In 2017, for instance, the notorious WannaCry ransomware shut down a car manufacturing factory in Japan,3 and another ransomware attack took down a factory in North Carolina, U.S.4Smart factories attract the interest of threat actors for the critical and sensitive infrastructures they usually handle. A successful attack, no matter how difficult the execution, can yield high-impact results that can corner an organization into giving in to cybercriminals’ demands or, at the very least, cost it considerable losses.Prompted by our desire to determine how knowledgeable and imaginative attackers could be in compromising a manufacturing facility, we built the most realistic factory honeypot we had ever created. And in doing so, we also created an ideal environment where we could monitor and learn about the attacks that the honeypot came to attract. From conceptualization to actual execution, our factory honeypot was designed to be an attractive target for potential cybercriminals.Our factory honeypot took on the ruse of a small fictitious company that apparently handled clients from critical industries yet possessed inadequate security defenses. Our ruse proved successful as our honeypot saw several attacks, which we had the freedom and resources to monitor. These attacks included a malicious cryptocurrency mining campaign, two ransomware attacks, another that posed as a ransomware attack, and several scanners.In this research paper, we detail the conceptualization and creation of our most elaborate honeypot to date, and discuss the result of our monitoring and tracking of the incidents that occurred on the honeypot.

Trend Micro Research