Three new advanced threat groups targeted industrial organizations last year

Industrial organizations that own operational technology (OT) assets were targeted by three new advanced threat groups last year. In total, industrial cybersecurity firm Dragos tracked 10 OT-focused threat groups that had active operations in 2023, but attacks from hacktivists and ransomware gangs that can also cause disruption to industrial activities have also increased.

“Motivated by mounting geopolitical tensions, sophisticated threat groups and hacktivists demonstrated the capacity to breach the networks of critical infrastructure and, in some cases, disrupt OT systems,” Dragos said in its annual OT cybersecurity report. “With each passing year, the number of ransomware incidents globally climbs even higher, leading to cascading impacts for virtually every industrial sector, particularly manufacturing.”

The quality of vulnerability information for OT assets continues to be lacking. The company found that a third of the advisories released last year for vulnerabilities relevant to OT systems contained incorrect data, including the wrong severity score. It also found that around one in three advisories provided no patch when published and that 73% offered no alternative mitigation, which matters in sectors where fast patching is not an option because taking important industrial processes offline to deploy firmware updates requires careful planning.

Three new APT groups have OT in their sights

Dragos tracks a total of 21 threat groups that either intentionally collect information about industrial networks and assets in their operations or have developed the capabilities to attack and disrupt industrial control systems (ICS), as they correlate to stages 1 and 2 of the ICS Cyber Kill Chain.

The company classified 11 of the known groups as dormant in 2023 and two as retired. Seven groups from previous years continued their activities and three new ones were identified for the first time. Of these 10 active groups, nine have demonstrated ICS Cyber Kill Chain stage 1. One group, ELECTRUM, has also demonstrated stage 2. Associated with Sandworm, a unit inside Russia’s military intelligence agency, the GRU, ELECTRUM has launched destructive attacks against Ukrainian energy and critical infrastructure organizations on several occasions over the past several years. ELECTRUM works hand in hand with another Russia-linked threat group that Dragos tracks as KAMACITE, which is the team responsible for gaining initial access to networks and collecting information.

The three new groups discovered last year are tracked as GANANITE, LAURIONITE, and VOLTZITE. The latter is a China-linked group also known in the security industry as Volt Typhoon and has broken into the IT networks of multiple critical infrastructure organizations. CISA, the NSA, and the FBI issued an alert earlier this month that this group does not engage in traditional cyberespionage, but is rather focused on lateral movement and gaining access to OT assets to potentially cause disruptions in response to geopolitical tensions or military conflicts in the future.

VOLTZITE relies heavily on living-off-the-land techniques and hands-on post-compromise actions with the goal of expanding its access from the IT network perimeter into the OT network. The group is believed to have been in operation since at least 2021 and has targeted critical infrastructure entities in Guam, the United States, and other countries, with a focus on electric companies. The group has also targeted organizations in cybersecurity research, technology, the defense industrial base, banking, satellite services, telecommunications, and education.

“Dragos’s analysis of VOLTZITE operations underscores the need for ongoing vigilance among organizations operating in the global electric sector, as the observed activity suggests continued and specific interest in these networks,” Dragos said in its report. “Further, VOLTZITE’s actions involving prolonged surveillance and data gathering align with Volt Typhoon’s assessed objectives of reconnaissance and gaining geopolitical advantage in the Asia-Pacific region.”

Another new group, GANANITE, is focused on cyberespionage and data theft. The group’s targets have primarily been critical infrastructure and government organizations from Central Asia and countries from the Commonwealth of Independent States (CIS). GANANITE is known for using publicly available proof-of-concept exploits to compromise internet-exposed endpoints and for its use of several remote access trojans, including Stink Rat, LodaRAT, WarzoneRAT, and JLORAT. The latter has previously been associated with activity by a known APT group tracked as Turla, which is believed to be associated with the Russian internal security service, the FSB.

“GANANITE has been observed conducting multiple attacks against key personnel related to ICS operations management in a prominent European oil and gas company, rail organizations in Turkey and Azerbaijan, multiple transportation and logistics companies, an automotive machinery company, and at least one European government entity overseeing public water utilities,” Dragos said.

The third new group, LAURIONITE, has been observed exploiting vulnerabilities in Oracle E-Business Suite iSupplier web services belonging to organizations from the aviation, automotive, manufacturing, and government sectors. Oracle E-Business Suite is a popular enterprise solution for integrated business processes used across many industries. LAURIONITE has not been observed attempting to pivot to OT networks yet, but the potential is there given its targets and the type of information about suppliers and vendor relationships that Oracle E-Business Suite iSupplier instances might contain.

Ransomware and hacktivism also pose a threat to operational technology

While ransomware groups don’t typically target OT assets directly, industrial organizations that suffer ransomware incidents on their IT networks might shut down their OT assets as a preventive measure, leading to disruptions. According to Dragos’s tracking, the number of ransomware incidents that impacted industrial organizations increased by 50% last year, and over 70% of them impacted manufacturers.

Separately, hacktivist groups have also taken an interest in targeting critical infrastructure organizations to make a statement, and while their attacks are generally limited to launching distributed denial-of-service (DDoS) attacks against internet-exposed assets, some have taken it further. Last year, an anti-Israel group calling itself CyberAv3ngers attacked programmable logic controllers (PLCs) belonging to water utilities in North America and Europe.

“These events represented the first time a hacktivist group was able to achieve Stage 2 of the ICS Cyber Kill Chain and demonstrated that it is possible to disrupt ICS/OT using unsophisticated methods with weak or non-existent security controls,” Dragos said.

Operational technology continues to receive poor vulnerability guidance

Dragos tracks vulnerability information released by OT vendors in advisories and regularly corrects it for its customers. The company determined that 31% of advisories had incorrect information that could potentially make asset owners waste time and resources or fail to treat a vulnerability seriously enough. The CVSS severity score had to be raised for 9% of flaws and lowered for 4% of them.

The company also provided practical advice for the 49% of advisories that offered a patch but no alternative mitigation. Moreover, the company classifies vulnerabilities into three prioritization categories: Now, Next, or Never. Of the 2,010 vulnerabilities analyzed last year, only 3% fell into the Now category, while 68% could be mitigated with network monitoring, network segmentation, and multi-factor authentication.

“Many factors set OT apart from IT,” Dragos said. “Consider the type of devices, systems, and protocols used within these environments; the network architecture of typical OT networks; and the impact vulnerabilities can have on normal operations and the physical world. This is why OT vulnerabilities need to be mitigated and addressed according to strict operational requirements, where uptime is paramount, and considering the specific configuration and implementation of an asset.”
