Case Study 2: Shodan ICS/SCADA Exposure and LinkedIn-Based OSINT Phishing Campaigns

Part A: Industrial Control Systems Exposed on Shodan

Background

In 2023 and 2024, multiple security research teams published reports documenting the alarming number of industrial control systems (ICS) and SCADA (Supervisory Control and Data Acquisition) systems directly accessible from the internet. Using Shodan — the search engine for internet-connected devices — researchers discovered hundreds of thousands of critical infrastructure systems that were visible to anyone with a web browser, often without requiring any authentication.

These findings demonstrated that passive reconnaissance using specialized search engines can reveal not just corporate IT systems, but critical infrastructure that controls water treatment plants, power grids, manufacturing facilities, and healthcare systems.

The Scope of Exposure

Researchers from Censys, Shodan, and independent security firms documented the following categories of exposed systems:

Healthcare Systems: Over 14,000 medical devices were discovered on Shodan, including:
  • DICOM (Digital Imaging and Communications in Medicine) servers exposing patient medical images
  • HL7 FHIR (Fast Healthcare Interoperability Resources) endpoints exposing patient health records
  • Infusion pump management consoles accessible without authentication
  • Building management systems controlling HVAC in hospital server rooms and operating theaters
  • PACS (Picture Archiving and Communication System) servers with patient imaging data

Water and Utilities: Thousands of water treatment and utility SCADA systems were discoverable:
  • Programmable Logic Controllers (PLCs) accessible via Modbus and EtherNet/IP protocols
  • Human Machine Interfaces (HMIs) with web-based dashboards viewable without credentials
  • SCADA master stations exposing real-time operational data
  • Remote Terminal Units (RTUs) at pump stations and substations

Manufacturing: Industrial systems across multiple sectors:
  • CNC machine controllers accessible over the internet
  • Robotic arm controllers with web interfaces
  • Industrial IoT sensors streaming production data
  • Building automation systems controlling factory environments

How Shodan Reveals These Systems

The Shodan search queries that reveal these systems are remarkably simple. Each combines a port filter with a keyword that must appear in the banner Shodan recorded, which matters because a port number alone is weak evidence (unrelated services run on 502 or 2575 too):

# Find SCADA/ICS systems
port:502 "Modbus"                    # Modbus/TCP (PLCs, gateways)
port:47808 "BACnet"                  # BACnet/IP building automation (UDP)
port:20000 "DNP3"                    # Distributed Network Protocol (utilities)
port:44818 "EtherNet/IP"             # EtherNet/IP (Rockwell/Allen-Bradley and others)

# Find healthcare systems
port:11112 "DICOM"                   # Medical imaging (DICOM, default port 11112)
port:2575 "HL7"                      # HL7 v2 messaging over MLLP

# Find exposed HMIs by vendor strings in banners
"Siemens" "HMI"                      # Siemens HMI panels
"Allen-Bradley" "Rockwell"           # Rockwell Automation
"Schneider Electric"                 # Schneider systems

# Scope any of the above to your own address space (defensive use)
net:198.51.100.0/24 port:502 "Modbus"

The critical insight is that these searches require no special access, no hacking tools, and no interaction with the target systems. They query Shodan's pre-existing database of internet scans. This is entirely passive reconnaissance.

The Oldsmar Water Treatment Plant Incident

In February 2021, the water treatment system of Oldsmar, Florida, was accessed through a remotely accessible TeamViewer installation on a SCADA workstation. The intruder raised the sodium hydroxide (lye) setpoint to a potentially dangerous concentration. An operator watching the screen noticed the change and reversed it before any treated water was affected, but the incident showed the real-world consequences of exposed industrial control systems. One caveat: reporting in 2023 cast doubt on whether an external attacker was involved at all, with local officials suggesting operator error as a possible explanation. The configuration findings below stand either way.

The joint CISA/FBI advisory on the incident found that the facility had:
  • TeamViewer installed on SCADA workstations for remote access
  • All computers sharing the same password for remote access
  • Workstations running 32-bit Windows 7, which had reached end of life a year earlier
  • Systems directly connected to the internet with no firewall, VPN, or additional authentication in front of them
  • No network segmentation between IT and OT (Operational Technology) networks

Would a Shodan search before the incident have revealed the entry point? Not TeamViewer itself: TeamViewer brokers sessions through the vendor's relay servers over outbound connections, so an installed client does not normally appear as a listening service in an internet scan. What Shodan would more plausibly have shown is the surrounding exposure the advisory describes: unfirewalled Windows 7 workstations directly on the internet, with whatever services they listened on (SMB, RDP, HTTP) visible in the banner data. That is the pattern a penetration tester should look for, since it is the exposed, unmaintained host rather than any one remote-access tool that makes the facility reachable.

Implications for Penetration Testing

This case study illustrates several key points for ethical hackers:

  1. Shodan reveals more than web servers: Industrial control systems, medical devices, building automation systems, and IoT devices all appear in Shodan's database. A comprehensive passive reconnaissance should include Shodan queries for these systems.

  2. Critical infrastructure context: When testing healthcare or industrial organizations, the stakes of discovered vulnerabilities are dramatically higher. An exposed DICOM server is not just a data breach risk — it is a patient safety issue.

  3. Default credentials are rampant: Many discovered ICS/SCADA systems were accessible with default credentials or no authentication at all. The "no authentication" part is often visible directly in the Shodan banner (an HMI page or Modbus device identification returned to an unauthenticated probe), so it is a legitimately passive finding. Confirming a default credential, by contrast, means logging in to the device: that is active testing and requires explicit authorization.

  4. The attacker's advantage: An attacker can use Shodan to identify thousands of vulnerable systems in minutes. Defenders must secure every system. This asymmetry makes passive reconnaissance critically important for both sides.

Defensive Recommendations

Organizations can reduce their Shodan exposure by:
  • Never connecting ICS/SCADA systems directly to the internet
  • Implementing VPN-only access for remote management
  • Changing default credentials on all devices
  • Implementing network segmentation between IT and OT networks
  • Regularly scanning their own infrastructure from the internet to identify exposure
  • Monitoring Shodan alerts for their organization's IP ranges
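The last two recommendations, and the query section above, are easiest to see as a small defensive workflow: build the ICS and medical-device queries restricted to your own netblocks, then triage what comes back so that a port match without a protocol banner, or a hit outside your address space, is not reported as an exposure. The script below is an added example written for this case study; it is not code from the original page or from Shodan. It uses Shodan's documented `net:` and `port:` filter syntax and mirrors the field names of Shodan's banner JSON (`ip_str`, `port`, `transport`, `data`), but the result records embedded in it are constructed for illustration and are not real hosts or scan output.

```python
"""Scope Shodan ICS/medical-exposure queries to your own netblocks and
triage Shodan-style results offline.

Added example for this case study; not code from the original page or from
Shodan. Query strings use Shodan's `net:`/`port:` filters; result records
follow the field names of Shodan's banner JSON. SAMPLE_RESULTS is
constructed sample data, not real scan output.
"""
import ipaddress
from dataclasses import dataclass

# Port -> (protocol label, class, keyword that must appear in the banner).
# These are the protocols and ports from the case study's query list.
ICS_SIGNATURES = {
    502:   ("Modbus",      "ics",     "Modbus"),
    47808: ("BACnet",      "ics",     "BACnet"),
    20000: ("DNP3",        "ics",     "DNP3"),
    44818: ("EtherNet/IP", "ics",     "EtherNet/IP"),
    11112: ("DICOM",       "medical", "DICOM"),
    2575:  ("HL7 (MLLP)",  "medical", "HL7"),
}


def build_queries(netblocks):
    """Return Shodan search strings restricted to the organisation's own ranges.

    `net:` takes CIDR notation. Combining it with `port:` and the banner
    keyword reproduces the page's queries scoped to `netblocks`, which is
    the form a defender uses to audit their own exposure.
    """
    queries = []
    for block in netblocks:
        cidr = str(ipaddress.ip_network(block, strict=False))
        for port, (_label, _cls, keyword) in sorted(ICS_SIGNATURES.items()):
            queries.append(f'net:{cidr} port:{port} "{keyword}"')
    return queries


@dataclass
class Finding:
    ip: str
    port: int
    protocol: str
    protocol_class: str
    in_scope: bool
    note: str


def triage(results, netblocks):
    """Classify Shodan-style result records into findings.

    A record counts only when its port is a known ICS/medical port AND the
    banner text contains the protocol keyword: a bare port match is weak
    evidence, since unrelated services run on 502 or 2575 as well. Hits
    outside `netblocks` are kept but flagged out of scope so they are not
    reported as the client's assets.
    """
    nets = [ipaddress.ip_network(b, strict=False) for b in netblocks]
    findings = []
    for rec in results:
        port = int(rec["port"])
        sig = ICS_SIGNATURES.get(port)
        if sig is None:
            continue
        label, cls, keyword = sig
        if keyword.lower() not in rec.get("data", "").lower():
            continue  # right port, wrong service: not this protocol
        addr = ipaddress.ip_address(rec["ip_str"])
        in_scope = any(addr in n for n in nets)
        # The banner itself is the finding: the service answered an
        # unauthenticated probe with protocol data Shodan could record.
        note = "protocol banner returned to unauthenticated probe"
        findings.append(Finding(rec["ip_str"], port, label, cls, in_scope, note))
    # In-scope findings first, ICS before medical, then by address.
    findings.sort(key=lambda f: (not f.in_scope, f.protocol_class, f.ip))
    return findings


# Constructed sample results in Shodan banner shape (documentation-range
# addresses; not real hosts or real scan data).
SAMPLE_RESULTS = [
    {"ip_str": "198.51.100.10", "port": 502, "transport": "tcp",
     "data": "Modbus\nUnit ID: 1\nSlave ID Data: Schneider Electric BMX P34 2020\n"},
    {"ip_str": "198.51.100.44", "port": 11112, "transport": "tcp",
     "data": "DICOM\nCalled AE Title: PACS01\nImplementation Version: OFFIS_DCMTK_366\n"},
    {"ip_str": "198.51.100.77", "port": 502, "transport": "tcp",
     "data": "HTTP/1.1 200 OK\nServer: nginx\n"},  # port 502 but not Modbus: ignored
    {"ip_str": "203.0.113.5", "port": 47808, "transport": "udp",
     "data": "BACnet\nVendor: Johnson Controls\nObject Name: AHU-1\n"},  # outside scope
]

if __name__ == "__main__":
    scope = ["198.51.100.0/24"]
    for q in build_queries(scope):
        print(q)
    for f in triage(SAMPLE_RESULTS, scope):
        tag = "IN SCOPE    " if f.in_scope else "out of scope"
        print(f"{tag} {f.ip}:{f.port} {f.protocol} ({f.protocol_class}) - {f.note}")
```

The triage deliberately drops the nginx server on port 502 and keeps the out-of-scope BACnet controller only as flagged noise. In a real engagement the `net:` list comes from the client's authorized ranges, and anything that lands outside them is evidence of a scoping or attribution problem, not a finding to report.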


Part B: LinkedIn-Based OSINT for Phishing Campaigns

Background

In 2023, multiple cybersecurity firms reported a significant increase in highly targeted phishing campaigns that used LinkedIn as the primary OSINT source. These campaigns — attributed to various threat actors including North Korean state-sponsored groups (Lazarus Group) and financially motivated criminal organizations — demonstrated how LinkedIn's wealth of professional data enables sophisticated social engineering at scale.

The Operation Dream Job Campaign

One of the best-documented examples is the Lazarus Group's "Operation Dream Job" campaign, first described publicly by ClearSky in 2020 and continued in later variants, which targeted defense, aerospace, and cryptocurrency sector employees. The campaign methodology illustrates a textbook OSINT-to-phishing pipeline:

Phase 1: Target Identification via LinkedIn

The attackers created convincing fake LinkedIn profiles posing as recruiters from prestigious companies. These profiles used:
  • AI-generated profile photos (from services like thispersondoesnotexist.com)
  • Detailed work histories matching real recruiting professionals
  • Connections with legitimate industry professionals to increase credibility
  • Endorsements and recommendations from other fake profiles

Phase 2: OSINT Collection

After connecting with targets on LinkedIn, the attackers collected:
  • Current job title and responsibilities
  • Technical skills and certifications
  • Educational background
  • Professional interests and career aspirations
  • Team members and reporting structure
  • Projects they had worked on (from posts and articles)

Phase 3: Targeted Phishing

Using the OSINT gathered, the attackers crafted personalized messages:

"Hi [Name], I came across your profile and was impressed by your experience with [specific technology from their skills]. We have an exciting [Senior/Lead] role at [prestigious company] that seems like a perfect fit. The role involves [description matching their exact skill set]. Would you be interested in discussing this opportunity? I've attached the job description — please take a look and let me know."

The "job description" attachment contained malicious payloads designed to establish persistent access.

Success Factors

The campaign was remarkably successful because:

  1. Context was perfect: The attackers knew exactly what technologies the targets worked with, what their career aspirations might be, and how to frame the opportunity as irresistible.

  2. Trust was established: The LinkedIn connection created a sense of legitimacy. The target had accepted a connection request, creating a relationship context.

  3. Urgency was natural: Job opportunities inherently carry urgency ("The position may not be available long") without seeming artificial.

  4. The pretext was welcome: Unlike traditional phishing that creates alarm ("Your account is compromised!"), a job offer is something people want to receive and engage with.

A Broader Pattern: LinkedIn as an Attack Platform

The Operation Dream Job campaign is just one example of a broader trend:

Vendor Impersonation: Attackers research an organization's vendor relationships through LinkedIn (employees listing vendor certifications, vendor employees connected to target employees) and then impersonate those vendors in phishing emails.

New Employee Targeting: Attackers monitor LinkedIn for new employee announcements. New hires are particularly vulnerable because they are unfamiliar with organizational communication norms and security procedures. A phishing email that says "Welcome to [Company]! Please complete your new hire onboarding at this link" is highly convincing to someone who just started.

Executive Impersonation (BEC): Attackers use LinkedIn to identify executive-assistant relationships, then impersonate the executive to the assistant via email. The attack succeeds because the attacker knows the executive's name, title, communication style (from LinkedIn posts), and the assistant's name and role.

Technology Stack Discovery: Job postings on LinkedIn reveal the exact technologies an organization uses. An attacker who knows the target uses Okta for SSO can create a pixel-perfect Okta login page for credential harvesting.

Case Example: The $243,000 BEC Attack

In a widely reported 2019 case, the chief executive of the UK subsidiary of a German energy company received a phone call he believed came from the head of the parent company. The voice, produced with AI voice-cloning software (discussed further in Chapter 9), instructed him to make an urgent transfer of EUR 220,000 (about $243,000) to a Hungarian "supplier." The money was moved onward within hours and was not recovered.

Public reporting focused on the voice impersonation and the transfer and did not document the reconnaissance phase. For the pretext to work, however, the attackers needed exactly the kind of information LinkedIn and similar public sources provide:
  • The impersonated executive's name, title, and reporting relationship to the target
  • Recordings of that executive's voice to train the clone (conference talks and interviews, not LinkedIn itself)
  • A moment when the real executive was unlikely to be reached in person to confirm the request
  • A plausible supplier and payment context, of the kind disclosed in company announcements

Defensive Measures

Organizations can mitigate LinkedIn-based OSINT threats by:

  1. Employee awareness training: Teach employees that LinkedIn is an intelligence-gathering platform for attackers, not just a professional networking site.

  2. Social media policies: Establish guidelines about what information employees should and should not share on LinkedIn (specific technologies, project details, organizational charts).

  3. Verification procedures: Implement multi-channel verification for sensitive requests. A wire transfer request via email should be confirmed via phone call to a known number.

  4. LinkedIn connection policies: Encourage employees to be selective about accepting connection requests from unknown individuals.

  5. Monitoring for fake profiles: Security teams should monitor for fake profiles impersonating the organization's employees or using the organization's brand.

  6. Job posting OpSec: Review job postings to minimize technology stack disclosure. Use generic descriptions where possible ("cloud infrastructure" instead of "AWS EC2 with EKS on us-east-1").

Discussion Questions

  1. How should ethical hackers handle Shodan-discovered ICS/SCADA exposures in penetration test reports? Should they verify the findings by connecting to the systems, or report the Shodan evidence alone?

  2. The Oldsmar water treatment incident used a legitimate remote access tool (TeamViewer) as the attack vector. How does passive reconnaissance help identify these "legitimate but dangerous" configurations?

  3. LinkedIn's business model depends on users sharing professional information publicly. How can organizations protect themselves from LinkedIn-based OSINT without preventing employees from using the platform?

  4. The Operation Dream Job campaign used fake LinkedIn profiles with AI-generated photos. What OSINT techniques can be used to identify fake profiles, and how reliable are these detection methods?

  5. If you were designing a security awareness training program based on this case study, what three key messages would you emphasize to employees about their LinkedIn presence?

Key Takeaways

  • Specialized search engines like Shodan reveal infrastructure that standard web searches miss, including industrial control systems, medical devices, and IoT platforms.
  • Critical infrastructure systems are frequently exposed to the internet with default or no authentication, discoverable through entirely passive techniques.
  • LinkedIn is a primary OSINT source for social engineering campaigns because it provides detailed professional profiles, organizational structures, and technology stack information.
  • Sophisticated attackers build multi-phase campaigns where LinkedIn OSINT directly informs the pretext, timing, and targeting of phishing attacks.
  • Defense requires both technical controls (network segmentation, access controls) and human controls (awareness training, verification procedures, social media policies).