How Trend Micro created a realistic-looking fake smart factory to lure cybercriminals

To determine threat actors’ degree of knowledge in compromising a smart factory, researchers from Trend Micro deployed the company’s most elaborate honeypot to date. The incidents observed show the kinds of attacks that can easily affect poorly secured manufacturing environments.

In a fully functioning smart factory, every process must begin and end with precision and uninterrupted operation so that it can weave seamlessly into the facility’s production line. However, behind the normal hum of a smart factory’s day-to-day business lurks the possibility of attacks from threat actors.

To determine how knowledgeable and ingenious threat actors could be in compromising a manufacturing facility, Trend Micro conducted research in 2019 in which it essentially simulated a factory of its own. Using its most realistic honeypot to date, the company created an environment that could lure cybercriminals into carrying out attacks and at the same time give it an all but unimpeded look at their actions.

Trend Micro first designed its pure-production honeypot to mimic a real system, including programmable logic controllers, a human-machine interface (HMI), and other components of an industrial control system (ICS). The firm then created a cover company for this faux factory: a rapid prototyping consultancy firm with ostensibly real human employees, working contact channels, and a client base composed of large anonymous organizations from critical industries. This ruse proved effective, as shown by the different types of attacks the honeypot attracted. These attacks included a malicious cryptocurrency mining campaign, two ransomware attacks, another that posed as a ransomware attack, and several scanners.

Anatomy of an attack

Trend Micro describes the highlights of the honeypot exercise in an elaborate write-up on its website:

Our honeypot went live on May 6. We exposed its HMI machine online through Virtual Network Computing (VNC) without control access and used the same password for several workstations. To further attract attacks, we made our system seem like it had been hacked by posting “leaked” information about it.

More than two months after going live, on July 24, our efforts began to show some success. An attacker came into the system and downloaded a cryptocurrency miner. Over the next few months, the threat actor behind this attack would keep returning to our system to relaunch their miner.

After a few months online, our honeypot had already seen different threat actors entering the system, including ones who performed reconnaissance activities and a few who caused system shutdowns.

More hackers appeared on our system. One of the most notable was behind a Crysis ransomware infection on Sept. 22. We watched as this threat actor downloaded the ransomware through TeamViewer and continued with their routine, up to the point they left the ransom note. We even interacted and haggled with the threat actor through an exchange of emails.

By now, intruders had been entering our system on a regular basis. On Oct. 16, one even made our robotics workstation send out a beacon, possibly as part of their lateral movement. This was interrupted, however, by a second ransomware attack on Oct. 21, which used a Phobos variant.

On Nov. 1, a hacker came into our system with good intentions: They left a note advising us to put a password on our VNC. On Nov. 12, we saw an interesting attack that disguised itself as a ransomware campaign, when in fact the threat actor behind it had simply renamed our files. Two days later, on Nov. 14, this threat actor came back to the system to delete files and leave open tabs of a porn site on our desktop.

Between attacks, we had to restart our virtual machine, specifically after each ransomware attack. The last activities we saw were by a few intruders who simply looked around the factory before logging off and exiting the system.

As the research progressed, more and more threat actors found their way into our system, the weak security inviting them into what was potentially a lucrative opportunity. Their attacks were largely possible because our factory did many things wrong in terms of security. However, these conscious “oversights” were all within the limits of what is believable for a working company to have so as not to blow our cover.


Trend Micro’s findings from this honeypot experiment should serve as cautionary examples for organizations, particularly those that run ICSs and smart factories, to ensure that adequate security measures are in place on their systems.
