Editor’s Note
The Russia-Ukraine war has accelerated the innovation of tactics and techniques for cyber attacks on industrial control systems. The bombing incident involving pagers and walkie-talkies in the Lebanon conflict has reshaped the understanding of traditional cyber warfare. Artificial intelligence and large models have reduced the spatiotemporal costs for attackers. Targeted ICS malware, weaponized PLCs, C2 capabilities, RTU ransomware, deep lateral movement in OT networks, LOTL attacks, and more are emerging; information warfare, cyber warfare, intelligence warfare, and hybrid warfare are increasingly common, making “critical infrastructure” security more urgent than ever.
After the pandemic, the cybersecurity industry did not experience the expected boom; competition and attrition have become the norm. Competition is not necessarily a bad thing; it can lead to new ideas and provide time for reflection… How can OT network security return to its industrial essence? How can we confront the blind spots in foundational defenses? How can we prevent cyber attacks from transforming into kinetic attacks? How can we secure the last mile of critical infrastructure security? Some emphasize focusing on “business, personnel, and supply chain,” while others stress the importance of “design security and default security” as a precondition for security capabilities. There are also those advocating for a return to systems engineering with “resilient engineering and informed engineering,” and those emphasizing the importance of “industrial risk and security operations,” as well as promoting endogenous “built-in security, embedded security, and factory security.” In early October, the “Five Eyes” alliance, along with its allies from Japan, South Korea, Germany, and the Netherlands, introduced six principles for OT network security, reiterating and emphasizing functional safety, business understanding, OT data, segmentation isolation, supply chain security, and personnel awareness to ensure the functional safety, cybersecurity, and business continuity of OT environments.
What are the deep-seated issues in OT network security? How is the tactical and technical development of ICS attacks evolving? Where are future products, services, and solutions headed? Andisec Technology attempts to systematically think through these questions and explore its own solutions and development paths. We hope to discuss, explore, and grow together with industry peers.
Fuxnet: The Latest Cyber Weapon Targeting Sensors
Abstract
With the deep integration of Industrial Control Systems (ICS) and the Internet of Things (IoT), sensor devices in Operational Technology (OT) networks are becoming the new front line for cyber attacks. In 2024, the Ukrainian hacker group Blackjack launched the Fuxnet attack against the Russian company Moscollector, showcasing the capability for large-scale, systematic cyber attacks targeting industrial sensors for the first time, marking a new phase in OT network security threats. This article will analyze the current state of cybersecurity issues related to sensors in OT networks, delve into the technical characteristics and tactics, techniques, and procedures (TTPs) of the Fuxnet attack, and propose targeted defense recommendations based on the latest advancements in attack technology.
Introduction
In April 2024, the Ukrainian hacker group Blackjack publicly claimed to have successfully attacked the Russian company Moscollector, which is responsible for monitoring underground water and sewage treatment and communication infrastructure in Moscow and its surrounding areas. The group published details of the attack on its website ruexfil.com, claiming that the malware named “Fuxnet” had compromised 87,000 industrial sensors and IoT controllers, causing chaos in Moscow’s sewage systems, airports, and critical services. This incident quickly became a focal point of research in the field of OT network security due to its scale and far-reaching impact.
Incident verification and impact assessment show that although Blackjack claimed to have attacked 87,000 sensors, analysis by the security research team Team82 indicated that approximately 500-1,700 sensor gateway devices were actually directly compromised. However, these gateways, as the central nodes of the sensor network, caused tens of thousands of connected sensors to lose monitoring and control capabilities when incapacitated. The attackers employed unprecedented physical destruction methods, not only erasing device firmware through software but also directly damaging NAND flash memory chips through techniques such as bit flipping, rendering the devices irrecoverable through conventional means and necessitating physical replacement.
The Fuxnet attack revealed the systemic vulnerabilities of industrial sensor networks: on one hand, sensor devices generally lack basic security protection mechanisms; on the other hand, attackers have developed capabilities to damage sensor hardware. This incident marks a shift in OT network security threats from traditional IT system infiltration and PLC control logic tampering to extending further into the physical sensor layer, forming a complete attack chain from “cloud to sensor.”
Sensors, as the “nerve endings” of OT networks, have security issues that directly impact the safety of the physical world. In industrial environments, data from sensors measuring temperature, pressure, flow, etc., serve as the basis for decision-making in process control systems (PCS) and safety instrumented systems (SIS). Once sensor data is tampered with or sensor functionality is compromised, it may lead to incorrect judgments by control systems, potentially affecting production or even causing safety incidents. Although the Fuxnet incident did not result in publicly reported major safety accidents, the attack capabilities demonstrated have sounded alarm bells for global critical infrastructure operators.
1. Cybersecurity Issues of Sensors in OT Networks
The cybersecurity issues of industrial sensor networks are unique; these devices are typically designed with functional safety as a priority, with insufficient consideration for cybersecurity, and are constrained by computational resources, making it difficult to deploy traditional IT security measures. An analysis of the industry status reveals five core challenges faced by sensor network security.
1. Inherent Flaws at the Protocol Level
Industrial sensors widely use traditional industrial protocols such as HART, Modbus, and Profibus, which were designed in an era when cybersecurity threats were not prominent and generally lack authentication, encryption, and integrity protection mechanisms. For example, the HART protocol’s “passthrough” mode allows commands to reach devices directly without verification, providing a convenient channel for attackers. A report from the LOGIIC project funded by the U.S. Department of Homeland Security indicates that current HART and HART-IP protocols do not have any built-in security mechanisms, and devices do not verify the source of received HART commands, making man-in-the-middle attacks easy to implement.
Moreover, different manufacturers have varying implementations of protocol standards, particularly in the use of vendor-specific commands, which lack standardization. Team82 found that the sensors from AO SBK used a non-standard implementation of Meter-Bus, and this fragmented state makes it difficult to formulate a unified security protection strategy, while attackers can exploit the ambiguities in protocol implementations to launch attacks.
2. Weak Device-Level Security Protections
Industrial sensors generally lack hardware-level security protections. The LOGIIC project survey showed that only 33% of sampled devices were equipped with hardware write protection switches, with most relying on software protection mechanisms that are often easy to bypass. In the Fuxnet attack, the Blackjack organization easily bypassed the software write protection of AO SBK sensor gateways, and some devices even displayed default credentials (sbk/temppwd) directly in the SSH login banner, exposing serious security management vulnerabilities.
The insecurity of device firmware update mechanisms is also a common issue. Many sensor devices download firmware through unencrypted channels and lack digital signature verification, allowing attackers to implant malicious firmware. The Fuxnet malware spread through the proprietary protocol used by AO SBK’s sensor management software SBKManager over TCP/4321, which also lacked basic security verification.
3. Expanded Attack Surface of Network Architecture
Modern industrial sensor network architectures are becoming increasingly complex, with remote monitoring needs leading to previously isolated OT devices connecting to corporate networks and even the internet. In the Moscollector case, sensor gateways achieved remote access through 3G routers such as iRZ RL22w, which were directly exposed to the internet (Shodan shows approximately 4,100 iRZ routers exposed on the internet, with 500 of them having Telnet services open), making them ideal launch pads for initial intrusions by attackers.
Under the trend of IT-OT convergence, traditional tools used to manage IT systems, such as IMS/AMS (Instrument Management System/Asset Management System), are being used to manage sensor devices, but these systems often lack the security features required in OT environments. The LOGIIC project research confirmed that attackers could manipulate connected sensor devices by compromising IMS/AMS platforms, while existing network monitoring methods struggle to detect such attacks.
4. Increased Supply Chain Security Risks
The software supply chain security issues of sensor devices are becoming increasingly prominent. Many sensors rely on third-party components such as Device Type Managers (DTM) or Device Description (DD) files, which are often downloaded from the internet and lack integrity verification. LOGIIC research found that the actual distribution and installation methods of DTM software opened the door to supply chain attacks, allowing malicious components to enter IMS/AMS platforms.
Hardware supply chains also pose risks. In the Fuxnet incident, attackers clearly had in-depth knowledge of AO SBK and iRZ’s Russian-made devices, indicating that geopolitical factors may exacerbate supply chain risks. When device manufacturers and attackers are from opposing national camps, manufacturers may inadvertently or deliberately overlook security vulnerabilities or even leave backdoors.
5. Insufficient Lifecycle Management
Industrial sensors are typically designed with long lifecycles (10-15 years), far exceeding those of traditional IT devices, making early-deployed devices ill-equipped to handle new threats. Additionally, the complexity of certification in industrial environments leads to delays in patch updates, and many sensor devices have never undergone security updates.
Device retirement management is also inadequate, with sensitive information such as default credentials and network configurations often remaining on decommissioned devices. The Blackjack organization may have obtained key information about the Moscollector network by analyzing discarded devices, facilitating their attack.
2. Technical Characteristics and TTPs of the Fuxnet Attack
The Fuxnet attack represents the latest evolution of OT network attack techniques, with its tactics, techniques, and procedures (TTPs) demonstrating innovation and specificity at every stage of the attack chain. Through analysis of publicly available information from Blackjack and technical reports from Team82, we can gain a deeper understanding of the technical characteristics of this attack weapon and its implications for sensor security.
1. Comprehensive Analysis of the Attack Chain
In terms of initial access and lateral movement, the Fuxnet attack demonstrated a high degree of strategic patience and technical maturity. The attackers claimed to have infiltrated the Moscollector network as early as June 2023, remaining dormant for up to eight months (based on metadata analysis, they had been present in the network at least since October 2023). This long-term infiltration strategy allowed the attackers to thoroughly understand the target network architecture, identify critical assets, and plan their attack path. The initial intrusion vector has not been explicitly disclosed, but given the nature of the target, it is likely that it was achieved through exposed 3G routers (iRZ RL22w) or spear-phishing attacks.
Once a foothold was established, the attackers systematically conducted network mapping and credential theft, gradually taking control of Moscollector’s IT infrastructure, including VMware ESXi virtualization platforms, file storage systems, and Active Directory domain controllers. Notably, the attackers paid particular attention to systems related to sensor management, such as SMSD (a service for triggering remote reboots) and the sensor management database (smvu/smvu2), laying the groundwork for subsequent OT network attacks. This gradual infiltration from IT to OT reflects a typical pattern of modern OT attacks, where vulnerabilities in IT are exploited to achieve OT disruption.
2. Innovations in Attack Techniques
The Fuxnet attack achieved multiple breakthroughs at the technical level targeting sensor networks, with its innovations primarily reflected in three aspects: physical destruction mechanisms, protocol layer attack tools, and automated attack frameworks.
In terms of physical destruction mechanisms, Fuxnet transcended the traditional malware scope of merely damaging data or software, achieving physical damage to sensor gateway hardware. Its “reaper” module stops all remote access services (SSH, HTTP, telnet, etc.) through system commands, deletes the entire file system, and blocks network connections via iptables rules, rendering the device irrecoverable remotely. More critically, Fuxnet includes dedicated NAND storage destruction routines that continuously perform bit-flipping operations on NAND flash memory chips until exceeding their maximum write cycles, leading to physical damage. This attack not only renders the device inoperable but also significantly increases recovery costs—physical chips must be replaced rather than simply reflashing firmware.
The UBI (Unsorted Block Images) volume destruction technique is similarly destructive. Fuxnet uses UBI_IOCVOLUP ioctl calls to deceive the kernel into believing it will rewrite the UBI volume and write X bytes, but actually writes X-1 bytes of random data, causing the device to wait indefinitely for the rewrite to complete. Meanwhile, the malware covers the UBI volume with garbage data (0xFF), completely corrupting the file system. This low-level flash attack is extremely rare in previous OT malware, demonstrating the attackers’ deep understanding of embedded systems.
Regarding protocol layer attack tools, Fuxnet integrated fuzz testing and flooding tools specifically targeting the Meter-Bus (M-Bus) protocol. M-Bus is a serial communication protocol defined by the EN 13757 standard, widely used in metering devices such as water and gas meters. Fuxnet’s M-Bus attack module implements two attack modes: structured fuzz testing and random fuzz testing. Structured fuzz testing generates packets that conform to the M-Bus protocol framework but contain random fields, increasing the likelihood of being processed by the target; random fuzz testing generates completely random packets, ensuring only the CRC check is correct to avoid being simply discarded. This hybrid fuzz testing strategy can trigger deep vulnerabilities in the protocol stack while comprehensively covering possible input spaces.
The attackers also specifically noted that they disabled the smsd service (used for remotely rebooting sensor gateways) to ensure that M-Bus flooding would continue until someone physically shut down the gateway. This persistent destruction mechanism greatly increases recovery difficulty, as each affected site requires physical intervention.
In terms of automated attack frameworks, Fuxnet demonstrated efficient attack capabilities against large-scale sensor networks. The attack scripts receive a list of all target sensor gateway IP addresses and automatically deploy malware through port 4321 (the proprietary protocol port used by SBKManager). According to leaked JSON files, the attack targeted 2,659 sensor gateways (including 424 MPSB gateways and 93 TMSB gateways), with approximately 1,700 successfully compromised. This large-scale automated attack capability is unprecedented in OT environments, marking a tactical shift from “precision point attacks” to “broad coverage attacks.”
3. Tactical Innovations and Impacts
The Fuxnet attack reflects three key tactical innovations, which are likely to set benchmarks for future OT attacks.
Synergy of IT-OT Kill Chains: The Fuxnet attack fully demonstrated the capability to penetrate from IT to disrupt OT. The attackers first completely controlled Moscollector’s IT infrastructure, including virtualization platforms, file storage, and employee credentials, before turning to the OT network, moving laterally to sensor gateways through 3G routers (iRZ RL22w). This cross-domain attack path significantly expanded the attack surface, rendering traditional OT network isolation strategies ineffective.
Persistent Hardware-Level Destruction: Unlike traditional malware, Fuxnet pursued physical destruction rather than covert control. Through NAND storage destruction and UBI volume corruption, it ensured that devices could not be restored through conventional means and required physical replacement. This destructive tactic may reflect a shift in the objectives of cyber attacks in the geopolitical context—from intelligence gathering and covert control to overt destruction and psychological deterrence.
Weaponization of Fuzz Testing: Fuxnet transformed fuzz testing, a traditional security research technique, into an attack weapon, implementing large-scale automated fuzz testing on 87,000 sensors. This capability for protocol reverse engineering and exploitation demonstrates that attackers possess profound expertise in OT protocols, enabling them to quickly analyze proprietary protocols and develop targeted attack tools.
From an impact perspective, although the Fuxnet attack did not result in publicly reported major safety incidents, its technical implications are profound. The attack validated the feasibility of implementing physical destruction against large-scale sensor networks, showcased a complete attack path from IT to OT, and provided a technical blueprint for future attacks.
3. Countermeasures and Recommendations
The Fuxnet attack exposed the multi-layered vulnerabilities of industrial sensor networks, and defending against such advanced threats requires systematic thinking, combining technical improvements, architectural optimizations, and management enhancements. Based on attack analysis and industry best practices, the following layered defense recommendations are proposed.
1. Enhance Device-Level Protective Measures
Enhancing hardware security is the first line of defense against physical destruction attacks. Device manufacturers should integrate hardware write protection switches into sensors and gateways as physical control points for critical configuration changes. The LOGIIC project research indicates that hardware write protection is currently the most effective means to prevent unauthorized configuration changes. Additionally, storage chips with wear-resistant characteristics should be selected, or firmware should implement write operation balancing (wear leveling) to mitigate the impact of Fuxnet-like NAND attacks.
Secure boot and firmware verification mechanisms are essential. Devices should implement a secure boot process based on digital signatures to ensure that only authorized firmware can be loaded. Regular integrity verification of firmware during runtime should be conducted, triggering a secure state upon detecting tampering. For resource-constrained sensor devices, lightweight encryption algorithms such as ASCON (IoT encryption standard) can be considered for integrity protection.
Elimination of default credentials is the most basic yet often overlooked security measure. Devices should be required to have their default passwords changed upon leaving the factory, prohibiting the use of fixed credentials. It is particularly important to avoid extremely insecure practices, such as AO SBK devices displaying passwords in the SSH banner. A better solution is to adopt certificate-based authentication or hardware-based security elements (such as a TPM) for device identity verification.
2. Improve Protocol and Communication Security Standards
Modernizing protocols is the fundamental approach to addressing protocol layer attacks. Traditional industrial protocols such as HART and Meter-Bus must incorporate security extensions, at least implementing message authentication codes (MAC) and sequence number protection to prevent command injection and replay attacks. Ideally, migration to modern protocols designed with security in mind, such as OPC UA, which has built-in security models providing end-to-end protection, should be pursued.
Network segmentation and encryption are crucial for protecting sensor communications. Even if the protocols themselves are insecure, additional encryption layers (such as IPsec VPN or MACsec) can provide protection. Sensor networks should be strictly divided into independent security domains, with inter-domain control through firewalls and unidirectional gateways. It is particularly necessary to restrict remote access paths such as 3G/4G, placing them in DMZ areas and implementing multi-factor authentication.
Detection of anomalous protocols can help identify Fuxnet-like fuzz testing attacks. Specialized deep packet inspection (DPI) engines targeting industrial protocols should be deployed at network boundaries to identify abnormal M-Bus protocol packets. For proprietary protocols that cannot be parsed, at least monitoring for traffic baseline anomalies, such as sudden bursts of serial communication, should be implemented.
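The M-Bus frame structure described in section 2 above and the protocol-aware inspection this paragraph calls for can be combined in a small link-layer monitor. The following is an added example written for this article (not Fuxnet code, and not AO SBK's or Team82's software): it validates EN 13757-2 short, control and long frames against the modulo-256 checksum and raises the three signals a DPI engine can produce without decoding payloads: malformed frames, well-formed frames whose C field no master sends, and frame rate. The master-to-meter direction, the 20-frames-per-second baseline, meter address 0x05 and the sample frames are constructed assumptions.

```python
"""Validate Meter-Bus (EN 13757-2) link-layer frames and flag flood or fuzz-like traffic.

Added example for this article; not Fuxnet code and not AO SBK's software.
Frame layout and the modulo-256 arithmetic checksum follow EN 13757-2; the
address, rate baseline and sample frames are constructed for illustration.
"""
from collections import Counter, deque

START_SHORT = 0x10   # short frame: 10 C A CS 16
START_LONG = 0x68    # long/control frame: 68 L L 68 C A CI [user data] CS 16
STOP = 0x16
ACK = 0xE5           # single-character acknowledgement
MAX_L = 252          # L counts C, A, CI and user data; 3 <= L <= 252


def mbus_checksum(body: bytes) -> int:
    """EN 13757-2 checksum: arithmetic sum of C, A, CI and user data, modulo 256."""
    return sum(body) & 0xFF


def parse_frame(raw: bytes) -> dict:
    """Parse one frame; returns ok=True with fields, or ok=False with a reason."""
    if raw == bytes([ACK]):
        return {"ok": True, "type": "ack"}
    if len(raw) == 5 and raw[0] == START_SHORT and raw[4] == STOP:
        if mbus_checksum(raw[1:3]) != raw[3]:
            return {"ok": False, "type": "short", "reason": "bad checksum"}
        return {"ok": True, "type": "short", "c": raw[1], "a": raw[2]}
    if len(raw) >= 9 and raw[0] == START_LONG and raw[3] == START_LONG:
        length = raw[1]
        if raw[2] != length:
            return {"ok": False, "type": "long", "reason": "length fields differ"}
        if not 3 <= length <= MAX_L:
            return {"ok": False, "type": "long", "reason": "L out of range"}
        if len(raw) != length + 6 or raw[-1] != STOP:
            return {"ok": False, "type": "long", "reason": "size/stop byte mismatch"}
        body = raw[4:4 + length]
        if mbus_checksum(body) != raw[-2]:
            return {"ok": False, "type": "long", "reason": "bad checksum"}
        return {"ok": True, "type": "long" if length > 3 else "control",
                "c": body[0], "a": body[1], "ci": body[2], "user_data": body[3:]}
    return {"ok": False, "type": "unknown", "reason": "no valid start/stop structure"}


class MbusLinkMonitor:
    """Sliding-window monitor for the master-to-meter direction of one bus segment.

    Random fuzzing shows up as malformed frames, structured fuzzing as well-formed
    frames with a C field no master sends, and flooding as frame rate.
    """
    # C field values a master sends: SND_NKE, SND_UD, REQ_UD1, REQ_UD2 (FCB toggled)
    KNOWN_MASTER_C = {0x40, 0x53, 0x73, 0x5A, 0x7A, 0x5B, 0x7B}

    def __init__(self, window=50, malformed_ratio=0.2, max_per_second=20):
        self.window = deque(maxlen=window)        # (timestamp, frame_ok)
        self.malformed_ratio = malformed_ratio
        self.max_per_second = max_per_second      # constructed baseline for a polling master

    def observe(self, ts: float, raw: bytes) -> list:
        frame = parse_frame(raw)
        self.window.append((ts, frame["ok"]))
        alerts = []
        if not frame["ok"]:
            alerts.append("malformed")
        elif frame["type"] != "ack" and frame["c"] not in self.KNOWN_MASTER_C:
            alerts.append("unknown_c")
        bad = sum(1 for _, ok in self.window if not ok)
        if len(self.window) >= 10 and bad / len(self.window) >= self.malformed_ratio:
            alerts.append("malformed_burst")
        if sum(1 for t, _ in self.window if ts - t < 1.0) > self.max_per_second:
            alerts.append("flood")
        return alerts


def scan(events, monitor=None) -> Counter:
    """Feed (timestamp, raw_frame) pairs through a monitor and count alert types."""
    monitor = monitor or MbusLinkMonitor()
    counts = Counter()
    for ts, raw in events:
        counts.update(monitor.observe(ts, raw))
    return counts


# Constructed traffic: a legitimate REQ_UD2 poll to address 0x05 and the same
# frame with a corrupted checksum, as random fuzzing would produce.
REQ_UD2 = bytes.fromhex("105b056016")
BAD_CS = bytes.fromhex("105b056116")

if __name__ == "__main__":
    print(parse_frame(bytes.fromhex("6806066853fe51017a082516")))   # SND_UD long frame
    print(scan((i * 0.01, REQ_UD2) for i in range(30)))              # 30 polls in 0.3 s
    print(scan((float(i), BAD_CS if i % 2 else REQ_UD2) for i in range(10)))
```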
3. Strengthen Defense in Depth in System Architecture
A defense-in-depth architecture is key to addressing advanced threats. Sensor networks should be designed with multi-layered protection: edge devices (sensors) focusing on physical security and simple filtering; gateways implementing protocol conversion and access control; and monitoring systems responsible for behavior analysis and anomaly detection. The principle of least privilege should be implemented between layers to ensure that the compromise of a single node does not lead to the failure of the entire network.
IT-OT convergence security requires special attention. As systems like IMS/AMS become bridges from IT to OT, the protection of these critical nodes must be strengthened: regular patching, disabling unnecessary services, and implementing application whitelisting. The LOGIIC project research recommends avoiding the use of vendor DTMs in security-critical applications whenever possible, opting for safer device description (DD) files, and strictly verifying the integrity and source of all components.
Security monitoring and response capabilities are crucial for timely detection and containment of attacks. Dedicated OT security monitoring solutions should be deployed to collect logs from sensors, gateways, and network devices, detecting anomalous behaviors such as firmware changes, configuration alterations, or communication pattern shifts. Typical indicators for Fuxnet-like attacks include abnormal NAND write activities, UBI volume operations, and M-Bus protocol flooding.
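The indicators listed above can be correlated on the log collector rather than on the gateway itself. The following is an added example for this article (not AO SBK or Fuxnet code): the syslog format, hostnames, service names and the destructive sequence in the sample lines are constructed, and the indicator patterns follow the reaper-stage behaviour described in section 2 (remote-access services stopped, smsd stopped, iptables rules dropping all traffic, filesystem deletion, UBI volume writes).

```python
"""Correlate gateway syslog lines into a 'destructive sequence' alert.

Added example for this article, not AO SBK or Fuxnet code. Log lines and
hostnames are constructed; the indicator patterns encode the reaper-stage
behaviour the article describes for Fuxnet.
"""
import re
from collections import defaultdict
from datetime import datetime

# indicator class -> regex over the message part of a syslog line
INDICATORS = {
    "remote_access_stopped": re.compile(r"Stopped .*(ssh|telnet|http|dropbear)", re.I),
    "reboot_service_stopped": re.compile(r"Stopped .*\bsmsd\b", re.I),
    "firewall_drop_all": re.compile(r"iptables .*-[IA] (INPUT|OUTPUT|FORWARD) -j DROP\b"),
    "filesystem_wipe": re.compile(r'\brm -rf /(\s|$|")'),
    "ubi_volume_update": re.compile(r"UBI_IOCVOLUP|ubiupdatevol|ubi\d+: volume \d+ update", re.I),
}

# BSD-style syslog: "Mon DD HH:MM:SS host message"
LINE_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_line(line):
    """Return (timestamp, host, message) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # BSD syslog carries no year; datetime defaults to 1900, which is fine for deltas
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def classify(message):
    """Indicator classes (in INDICATORS order) that the message matches."""
    return [name for name, rx in INDICATORS.items() if rx.search(message)]


def correlate(lines, window_s=60, min_classes=3):
    """Alert once per host when >= min_classes distinct indicator classes occur
    within window_s seconds. Returns {host: {"first_seen": ..., "classes": [...]}}.
    A single stopped service (maintenance) never reaches the threshold on its own."""
    events = defaultdict(list)   # host -> [(timestamp, class)]
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        for cls in classify(msg):
            events[host].append((ts, cls))
        if host in alerts:
            continue
        recent = [(t, c) for t, c in events[host] if 0 <= (ts - t).total_seconds() <= window_s]
        classes = sorted({c for _, c in recent})
        if len(classes) >= min_classes:
            alerts[host] = {"first_seen": recent[0][0], "classes": classes}
    return alerts


# Constructed sample: gw-22 has one maintenance restart of its web server (benign);
# gw-17 shows the full reaper-style sequence inside a few seconds.
CONSTRUCTED_LOG = """\
Apr 09 03:11:58 gw-22 systemd[1]: Stopped lighttpd web server.
Apr 09 03:12:01 gw-17 systemd[1]: Stopped OpenSSH server daemon.
Apr 09 03:12:01 gw-17 systemd[1]: Stopped Busybox telnetd.
Apr 09 03:12:02 gw-17 systemd[1]: Stopped smsd remote reboot service.
Apr 09 03:12:03 gw-17 audit[811]: cmd="iptables -I INPUT -j DROP" uid=0
Apr 09 03:12:03 gw-17 audit[812]: cmd="iptables -I OUTPUT -j DROP" uid=0
Apr 09 03:12:04 gw-17 audit[815]: cmd="rm -rf /" uid=0
Apr 09 03:12:05 gw-17 kernel: ubi0: volume 0 update started, 4194304 bytes
Apr 09 03:12:09 gw-22 systemd[1]: Started lighttpd web server.
"""


def run_demo():
    return correlate(CONSTRUCTED_LOG.splitlines())


if __name__ == "__main__":
    for host, alert in run_demo().items():
        print(host, alert["first_seen"].strftime("%b %d %H:%M:%S"), alert["classes"])
```

Because the reaper stage deletes the filesystem and then blocks the network, the collector only sees this sequence if the gateway forwards syslog in near real time; logs kept on the device will not survive.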
4. Security Management is Indispensable
Supply chain security management must be integrated into the overall defense strategy. When procuring devices, suppliers’ cybersecurity practices should be assessed, requiring the provision of software bill of materials (SBOM) and evidence of secure development lifecycle (SDL). All third-party components (such as DTM) should be sourced from trusted origins and verified for integrity through digital signatures and hash checks. For high-security scenarios, independent security assessments of critical devices should be considered.
Enhancing security awareness and training should be targeted and regular. Role-specific training should be conducted: engineers need to understand sensor security configurations; operators should recognize social engineering attacks; and management should comprehend the impact of security decisions. Physical security awareness must be particularly reinforced to prevent attackers from obtaining sensitive information or directly accessing networks through device contact.
Incident response plans should specifically consider sensor network attack scenarios. Traditional IT-centric incident response (IR) plans are often unsuitable for OT environments. Targeted contingency plans need to be developed, clarifying emergency steps when sensor tampering or destruction is detected: how to isolate affected devices, switch to backup sensors, assess process safety impacts, etc. Regular red-blue team exercises should be conducted to test the effectiveness of the defense system.
5. Continuous Improvement in Operational Practice
The evolution of security standards and certifications will drive the overall security level of the industry. Relevant standards organizations should accelerate the development of security standards for industrial sensors, clarifying requirements for hardware protection, security protocols, and lifecycle management. Certification programs such as IEC 62443 can be extended to sensor devices, ensuring that products meet basic security requirements through conformity assessments.
A culture of security design needs to be cultivated among device manufacturers. The Fuxnet attack illustrates that many security issues stem from inadequate consideration during the design phase. Manufacturers should adopt the “Secure by design” principle, considering threat models and security requirements early in product design rather than adding security features afterward. The adoption of open-source security tools and frameworks can lower the barriers to secure development.
Threat intelligence sharing is crucial for proactively preventing similar attacks. Industry organizations should establish information-sharing mechanisms for sensor security, enabling members to stay informed about emerging threats and vulnerabilities. Particularly for geopolitically related threats, such as state-sponsored hacker groups, collaboration between government and industry on intelligence is especially important.
Conclusion
The Fuxnet attack marks a new phase in OT network security threats, expanding the focus of attacks from traditional PLC and SCADA systems to the more fundamental sensor layer. This incident showcases the complete attack capabilities of modern OT attacks: from IT penetration to OT disruption, from software tampering to hardware destruction, and from precision strikes to broad coverage. The capabilities demonstrated by the Blackjack organization in protocol analysis, weapon development, and automated attacks represent the advanced level of current OT attack techniques and are likely to become templates for future attacks.
Defending against such advanced threats requires a fundamental shift in thinking. Traditional OT security assumptions—such as “physical isolation provides sufficient protection,” “attackers cannot access proprietary protocols,” and “devices themselves do not require strong security”—have been thoroughly overturned by Fuxnet. The industrial sector must recognize that sensor security has become a critical component of protecting critical infrastructure, requiring collaborative efforts from device manufacturers, system integrators, and end-users.
References:
1. https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware
2. https://ruexfil.com/mos/
3. https://foresiet.com/blog/unveiling-the-blackjack-groups-fuxnet-malware-a-stealthy-cyber-threat
4. https://www.youtube.com/watch?v=JVWZOMbyLFU
5. https://mp.weixin.qq.com/s/6-H1qf7Zxe6jQMfhHG0H-Q
Andisec Technology丨ANDISEC
Beijing Andisec Technology Co., Ltd. is an emerging supplier of industrial cybersecurity capabilities, focusing on innovative research and practical exploration of industrial cybersecurity technologies, products, and services in the context of networking, digitization, and intelligence. Based on the theory of cyberspace behavior and the security engineering methods of industrial network systems, we build core capabilities for prevention, identification, detection, protection, response, and recovery around industrial network control systems, providing security products, services, and comprehensive solutions for critical information infrastructure industries such as power, water conservancy, oil and petrochemicals, rail transportation, tobacco, steel metallurgy, intelligent manufacturing, and mining. We adhere to the integrated development of IT security and OT security, insisting on the autonomy and controllability of the product system, and fully empower customers to build a security assurance system that combines proactive defense and depth defense with “business applications tightly coupled, user behavior strongly correlated, security risks self-adaptive, and network resilience steadily enhanced.”