Smart Factory Security Part 4: Lessons Learned from the WannaCry Attack


The “WannaCry” and “Petya” (also known as NotPetya or GoldenEye) outbreaks rank as the most damaging global cyber security incidents during the first half of 2017. These massive ransomware attacks impacted the networks of hospitals, factories, and railroads in many different countries with serious consequences. From these events we have learned a number of important lessons:

WannaCry reportedly paralyzed over 200,000 computers, including those running Germany’s national railway and the hospital network of the United Kingdom. What can we learn from this ransomware attack?

Network Worms Cause Large Scale Ransomware Infections

Both the WannaCry and Petya ransomware families encrypt data on infected computers and demand money to unlock what they have hidden, but they also act as worms that autonomously traverse networks in search of additional machines to infect.

These particular worms exploit the MS17-010 vulnerability in SMBv1, a Windows network sharing mechanism. Attackers exploited it to upload malicious programs directly onto the computers of victims through a network. Even diligent network administrators may not patch network environment vulnerabilities or software bugs quickly enough to stop the spread of these infections.

How did these worms infiltrate the victimized networks in the first place? Petya used targeted email messages, watering hole attacks, and compromised the software update function of vulnerable systems. WannaCry reportedly spread across networks in the form of a worm, but exploited the MS17-010 vulnerability in a different way from Petya. WannaCry could infiltrate computers within networks protected by firewalls and routers only if specific settings like port-forwarding had a vulnerable configuration, or if the victims had a separate global IP and a direct connection to the Internet.

A survey by Shodan, a search engine for internet-connected devices, showed more than 900,000 Windows environments worldwide have port 445 exposed to the internet, making them accessible to the WannaCry worm. With Windows servers comprising 60% of this total, WannaCry had the chance to prey on an enormous number of networks.

TAKEAWAY: Endpoints and other devices directly exposed to the internet, whether intentionally or not, pose a high risk of infection that can then quickly spread to connected machines within a network environment.
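
The two exposure conditions described above (a port-forwarding rule that reaches SMB, or a host holding a global IP) can be checked against an asset inventory. The following is an added example, not part of the original article; the host names, addresses and forwarding rules are constructed, and the inventory format is an assumption.

```python
import ipaddress

SMB_PORT = 445  # TCP port for SMB, the service affected by MS17-010

# Address space that is not routable from the internet (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory. Names and addresses are hypothetical; 203.0.113.7
# is a documentation address standing in for a host with a global IP.
HOSTS = [
    {"name": "hmi-01",   "ip": "192.168.10.21", "smb_listening": True},
    {"name": "file-srv", "ip": "192.168.10.5",  "smb_listening": True},
    {"name": "kiosk-7",  "ip": "203.0.113.7",   "smb_listening": True},
    {"name": "plc-gw",   "ip": "192.168.10.40", "smb_listening": False},
]

# Constructed edge-router port-forwarding table.
FORWARDS = [
    {"proto": "tcp", "wan_port": 443,  "to_ip": "192.168.10.21", "to_port": 443},
    {"proto": "tcp", "wan_port": 4450, "to_ip": "192.168.10.5",  "to_port": 445},
    {"proto": "tcp", "wan_port": 445,  "to_ip": "192.168.10.40", "to_port": 445},
]


def exposed_smb(hosts, forwards):
    """Return (host, reason) for every host whose SMB port is internet-reachable."""
    # Internal addresses that some WAN port is forwarded to on TCP 445.
    # The WAN-side port number is irrelevant: 4450 -> 445 still exposes SMB.
    forwarded = {ipaddress.ip_address(r["to_ip"]) for r in forwards
                 if r["proto"] == "tcp" and r["to_port"] == SMB_PORT}
    findings = []
    for host in hosts:
        if not host["smb_listening"]:
            continue  # nothing answers on 445; the rule is stale, not an exposure
        addr = ipaddress.ip_address(host["ip"])
        if not any(addr in net for net in INTERNAL_NETS):
            findings.append((host["name"], "global IP"))
        elif addr in forwarded:
            findings.append((host["name"], "port-forward"))
    return findings


if __name__ == "__main__":
    for name, reason in exposed_smb(HOSTS, FORWARDS):
        print(f"{name}: TCP {SMB_PORT} reachable from the internet via {reason}")
```
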

Repeated Network Worm Infections in Closed Environments

Other network worms before WannaCry have caused enormous damage to closed networks like those in factories. The notorious DOWNAD network worm caused similar damage in 2008. DOWNAD spread via removable USB drives and exploited multiple vulnerabilities to infect entire networks extremely quickly, halting entire factory production lines.

Subsequent analysis showed that the most serious damage resulted from outdated operating systems and insufficient security measures that failed to prevent the infection from spreading. The WannaCry attack used methods similar to those of DOWNAD, indicating that the security of closed networks has clearly not improved during the decade that passed between them. Given how WannaCry spread rapidly across multiple sites and exposed endpoints, network security may even have gotten worse in the past ten years.

TAKEAWAY: Network administrators must prepare for threats to general operations that originate from outside even seemingly closed networks.
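
Once a worm of this kind is inside a closed network, it appears as a single host opening SMB (TCP 445) connections to many different peers within a short time. The following is an added example, not part of the original article, that flags this pattern in connection records; the record format, the sample data, the 60-second window and the threshold of 5 are all assumptions to be tuned per site.

```python
from collections import defaultdict, deque

SMB_PORT = 445


def smb_fanout(records, window=60, threshold=5):
    """Map each source to its peak count of distinct SMB peers in any window.

    records: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port).
    Only sources whose peak reaches `threshold` are returned.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        win = deque()            # events inside the current window
        counts = defaultdict(int)  # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            win.append((ts, dst))
            counts[dst] += 1
            # Evict events that have aged out of the sliding window.
            while win[0][0] <= ts - window:
                _, old_dst = win.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            peak = max(peak, len(counts))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


# Constructed sample: one scanning host, one normal file-share client,
# one host that touches several peers but slowly, and unrelated web traffic.
SAMPLE = (
    [(t, "10.1.1.50", f"10.1.1.{t + 1}", 445) for t in range(8)]
    + [(t * 10, "10.1.1.20", "10.1.1.5", 445) for t in range(12)]
    + [(t * 120, "10.1.1.30", f"10.1.1.{100 + t}", 445) for t in range(6)]
    + [(3, "10.1.1.50", "10.1.1.9", 80)]
)

if __name__ == "__main__":
    for src, peers in smb_fanout(SAMPLE).items():
        print(f"{src}: {peers} distinct SMB peers within one window")
```
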

The Myth of “Closed is Safe”

Recent ransomware incidents demonstrate that keeping an environment closed does not necessarily keep it safe. DOWNAD caused severe damage even in independent and apparently closed environments. Effective security measures must cover all aspects of business operations.

In the future, the “connected” convenience of IoT and smart factories will only become more prevalent. Previously independent factories and installations with closed networks will soon connect to other factories and internal networks. With more connections comes a steadily greater risk of attack, especially to formerly-closed networks that have neglected dealing with vulnerabilities. Factory equipment will inevitably get unintentionally exposed to the Internet. Ultimately, all connected equipment will soon require protection from cyber threats.

Securing connected devices demands constant effort, and having the tools to recognize attacks quickly and minimize the damage will soon become critically important. Simply recognizing the risks of a closed network will not suffice – the time has come to take action.

Katsuyuki Okamoto

Trend Micro Inc. Security Evangelist

Katsuyuki joined the Trend Lab Japan Virus Team in 1999 and did extensive product technical support work for many years. He now mainly deals with general network threats as a senior anti-threat analyst in Regional TrendLabs, a domestic specialized research institute established in 2007. As a security evangelist, he constantly strives to raise awareness of security issues and technology.