Since at least 2015, we have tracked a cluster of Russian-sponsored cyber espionage activity targeting the energy sector, known as TEMP.Isotope. The group has leveraged watering holes and spear-phishing campaigns to infiltrate information technology (IT) networks, harvest credentials, and exfiltrate information about industrial networks. The documentation retrieved by TEMP.Isotope is critical for engineering future attacks targeting operational technology (OT) networks, which are designed to control and monitor physical processes. The extracted information can be used by threat actors to better understand the network architecture and the physical processes taking place in the facility, visualize what equipment the victim uses, identify associated suppliers and contractors, and determine what tools they would need to build or acquire in order to conduct further attacks.
Although we have observed an uptick in the number of nation-state sponsored threat actors seeking to obtain information about operational technology environments by directly targeting organizations, we highlight that it is also possible to find this type of information on mainstream open-source sites and repositories. In this paper, we explain some of the main motivations that drive threat actors to perform reconnaissance on industrial networks. We then illustrate some of the tactics that have been used by threat actors to extract OT documentation from IT corporate networks. Finally, we present our findings from browsing popular sites looking for information that can be leveraged to learn about industrial control systems (ICS) networks. Our paper includes examples from cybersecurity products, popular online retail stores, manual libraries, vendor websites, and coding and mobile application repositories.