ICS in the crosshairs: 9 lessons from the Asahi cyber attack

Based on our recent webinar, we unpack the anatomy of the attack and what it reveals about today’s ICS/OT threat landscape.

diskordia, Nov 14, 2025

Industrial cybersecurity isn’t just a support act anymore—it’s headlining. Qilin’s recent ransomware attack on one of the world’s leading breweries, Asahi, made that very clear. Production stopped. Supply chains screeched to a halt. Shelves emptied. 

In our latest webinar, HTB’s Head of Product Marketing, Giacomo Bertollo, teams up with Dragos analysts and experts Joseph Lee, Tim Vernick, and Gil Garcia to unpack the anatomy of the attack and what it reveals about today’s ICS/OT threat landscape. Here’s what every defender should take away.

1. OT is prime real estate for adversaries

Why are industrial systems such attractive targets? Because when things break in OT, people notice.

A halted production line means lost revenue, stalled logistics, and angry shareholders. For attackers—from ransomware groups to nation-state operators—that visibility is power.

There are three main types of actors dominating the ICS/OT space right now:

  • Ransomware groups chasing quick profits

  • Hacktivists driven by ideology

  • Nation-state adversaries using OT disruption for strategic leverage (as seen in the Russia–Ukraine conflict)

Digitization only exacerbates the risk. As physical control systems evolve into connected, data-driven ecosystems, the attack surface explodes.

2. Ransomware-as-a-Service has gone industrial too

The Asahi attack was claimed by Qilin (AKA Agenda)—a ransomware-as-a-service (RaaS) operation that blurs the line between affiliates, brokers, and payload operators.

Here’s the playbook seen across similar campaigns:

  • Initial Access: Compromised VPN or RDP credentials, often bought from initial access brokers after being stolen by infostealers.

  • Execution: Automated scripts deploy the encryptor.

  • Persistence: Valid accounts and scheduled tasks ensure they survive reboots.

  • Lateral Movement: RDP, SMB, or WinRM connections spread the infection across production networks.

  • Defensive Evasion: Logs wiped, security tools disabled, systems forced into Safe Mode.

It’s not just sophisticated—it’s efficient, repeatable, and increasingly accessible to less skilled operators.

3. OT defenses start where IT hygiene fails

Most OT breaches don’t start in the plant—they start in your IT department. The same credentials engineers use for things like remote management are often the drawbridge between back office and factory floor.

Flat networks are, in short, a gift to attackers. Segmentation, strict credential policies, and secure remote access are no longer optional; they are tools for survival. With that in mind, your top defensive priorities should be:

  1. Defensible architecture: Segment networks and restrict access paths.

  2. Secure remote access: Granular firewall rules, least privilege for engineers.

  3. Password discipline: Eliminate default or shared credentials (yes, “admin/admin” still exists).

4. Detection, or ‘catching the quiet stuff early’

The high-value detection stages defenders should prioritize break down roughly like this:

Stage             | What to look for                                          | Why it matters
------------------|-----------------------------------------------------------|------------------------------------------------------
Exploitation      | New services, disabled security agents, log deletion      | Indicates a foothold has been gained
Command & Control | Outbound beacons, strange domains, low-frequency comms    | Shows an adversary is communicating inside your network
Credential Abuse  | Unusual authentications between IT and OT                 | Early sign of lateral movement

If you can spot the first two, you’re already ahead of most victims.

5. Evasion isn’t invisible (if you know what to watch)

Even when attackers disable defenses, their tampering leaves traces.
Monitor for indirect signals:

  • Event log manipulation (Windows Event IDs 7036, 6008, 1102)

  • Unexpected registry or WMI changes

  • Hosts that suddenly go silent on passive network monitors

And always forward logs to a remote, tamper-resistant SIEM. If your telemetry dies with the endpoint, your visibility dies too.
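As an added example (not code from the webinar, HTB or Dragos), the following Python turns the "Exploitation" row of the detection table and the indirect signals listed above into simple SIEM-side rules, run over a constructed JSON-lines sample of forwarded Windows events. The security-service name list, the field names and the 30-minute "gone quiet" threshold are assumptions to tune per estate.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not from the Asahi incident): one JSON object per
# line, the shape a log forwarder might deliver to a remote SIEM.
SAMPLE_EVENTS = """
{"ts": "2025-11-01T02:00:00", "host": "eng-ws01", "event_id": 4624, "msg": "An account was successfully logged on."}
{"ts": "2025-11-01T02:05:10", "host": "eng-ws01", "event_id": 7036, "msg": "The Windows Defender Antivirus Service service entered the stopped state."}
{"ts": "2025-11-01T02:06:00", "host": "eng-ws01", "event_id": 1102, "msg": "The audit log was cleared."}
{"ts": "2025-11-01T02:07:00", "host": "eng-ws01", "event_id": 6008, "msg": "The previous system shutdown was unexpected."}
{"ts": "2025-11-01T02:08:00", "host": "hmi-02", "event_id": 7036, "msg": "The Print Spooler service entered the running state."}
{"ts": "2025-11-01T02:09:00", "host": "hmi-02", "event_id": 4624, "msg": "An account was successfully logged on."}
"""

# Assumed substrings identifying security tooling in Service Control Manager
# messages; extend with whatever EDR/AV runs in your environment.
SECURITY_SERVICES = ("defender", "sysmon", "sense", "crowdstrike")


def parse_events(text):
    """Parse JSON-lines into a list of event dicts (blank lines ignored)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def evasion_alerts(events):
    """Flag the tamper signals a defender wants to see even when the endpoint
    agent is gone: 1102 = Security log cleared, 6008 = unexpected shutdown,
    7036 = service state change (only alert when a security service stops)."""
    alerts = []
    for e in events:
        eid, msg = e["event_id"], e["msg"].lower()
        if eid == 1102:
            alerts.append((e["host"], "audit log cleared"))
        elif eid == 6008:
            alerts.append((e["host"], "unexpected shutdown"))
        elif eid == 7036 and "stopped" in msg and any(s in msg for s in SECURITY_SERVICES):
            alerts.append((e["host"], "security service stopped"))
    return alerts


def silent_hosts(events, now, quiet=timedelta(minutes=30)):
    """Hosts whose last forwarded event is older than `quiet`: a host that
    suddenly stops talking is itself a signal, not just missing data."""
    last_seen = {}
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        last_seen[e["host"]] = max(last_seen.get(e["host"], t), t)
    return sorted(h for h, t in last_seen.items() if now - t > quiet)
```

Because these rules key on events a remote SIEM already holds, they keep working after the attacker has disabled the agent or wiped the local log, which is exactly when endpoint-side detection goes dark.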

6. Containment doesn’t mean shutting everything down

In OT, simply pulling the plug isn’t an option. Halting production can lead to cascading failures, even safety hazards.

Safety comes first, but collaboration between engineering, security, and operations directly impacts what “safe” actually means. Segmentation can permit unaffected zones to keep running while containment takes place elsewhere. Document every action and involve all stakeholders (yes, even PR and legal).

7. Tabletop exercises are no longer optional 

Every expert in the session agreed: practice beats panic. Having an OT-specific incident response plan (IRP)—and rehearsing it—is the single biggest step toward resilience. Regular tabletop exercises (TTXs) help teams:

  • Test containment and recovery processes

  • Validate warm or hot site readiness

  • Understand operational downtime tolerance

  • Improve mean time to recover (MTTR)

TL;DR: you can’t improvise your way through an OT crisis.

8. Where to train to move from theory to action

The dream team (HTB and Dragos) created Alchemy, a professional red team lab that replicates a real brewery plant (beers not included). It features 16 machines, 21 flags, and authentic ICS environments—tailor-made to help teams simulate and respond to real-world OT attacks.

For defenders, HTB Threat Range extends the learning with live-fire simulations that pit SOC and DFIR teams against realistic ransomware scenarios—measuring KPIs like MTTD, MTTI, and MTTR.

9. Three quick wins you can bag today

1. Check your internet exposure: Run your IP space through Shodan or Censys. If you find OT assets, lock them down or put them behind a WAF.

2. Benchmark your maturity: Use Dragos’ Five Critical Controls as your guide:

  • OT-specific incident response

  • Defensible architecture

  • Visibility and monitoring

  • Secure remote access

  • Risk-based vulnerability management

3. Start small, but start now: Even incremental segmentation or better password hygiene moves the needle.

Final thoughts

OT security is moving from important to existential. The Asahi incident wasn’t a one-off hit-and-run situation. It’s a cautionary tale that should inspire action across the board. The question isn’t if another attack will hit; it’s when. 

And the best defense isn’t a new tool or shiny dashboard. It’s knowing your environment, practicing under pressure, and building a culture where IT and OT actually talk to each other.
