These four new hacking groups are targeting critical infrastructure, warns security company

Researchers identify four more cyberattack operations targeting industrial networks, utilities and other critical infrastructure, as malicious hacking operations receive a boost in resources - but simple attacks still work.
Written by Danny Palmer, Senior Writer

More hacking groups than ever before are targeting industrial environments as cyber attackers attempt to infiltrate the networks of companies providing vital services, including electric power, water, oil and gas, and manufacturing.

Threats include cyber-criminal groups looking to steal information or encrypt systems with ransomware, as well as nation-state-backed hacking operations attempting to determine the potential disruption they could cause with cyberattacks against operational technology (OT).

According to cybersecurity researchers at Dragos, four new hacking groups targeting industrial systems have been detected over the past year – and there's an increased amount of investment from cyber attackers targeting industry and industrial control systems.

SEE: Security Awareness and Training policy (TechRepublic Premium)

The four new groups identified over the course of the past year – named by researchers as Stibnite, Talonite, Kamacite, and Vanadinite – come in addition to 11 previously identified hacking groups targeting industrial control systems.

Some of these new groups have very specific targets – for example, Stibnite focuses on wind turbine companies that generate electric power in Azerbaijan, while Talonite almost exclusively focuses on attempting to gain access to electricity providers in the US.

The remainder of the new hacking groups are more generalised in their targeting; Kamacite – which Dragos links to the Sandworm group – has targeted industrial operations of energy companies across North America and Europe.

Meanwhile, Vanadinite conducts operations against energy, manufacturing and transport across North America, Europe, Australia and Asia, with a focus on information gathering and ICS compromise.

The discovery of four additional hacking operations targeting industrial systems does represent a cause for concern – but their discovery also indicates that there's increasing visibility of threats to industrial systems. These threats might have been missed in previous years.

"The more visibility we build in the OT space, the greater understanding of its threat landscape and the adversaries active there we can identify," Sergio Caltagirone, vice president of threat intelligence at Dragos, told ZDNet.

"OT network attacks requires a different approach than traditional IT security. IT incidents see high frequency, relatively low-impact incidents and effects when compared to OT attacks that are lower frequency, but have potentially very high impacts and effects".

However, according to the research paper, visibility remains an issue for industrial networks, with 90% of organisations examined by Dragos not having a full grasp of their own OT network, something that could help cyber attackers remain undetected.

In many cases, hackers are able to combine this lack of visibility with the ability to hide in plain sight by abusing legitimate login credentials to help move around the network.

Often, campaigns targeting industrial systems involve phishing attacks or the exploitation of remote services, allowing the attackers to use real accounts to perform malicious activity while helping to avoid being detected as suspicious.

"The lack of visibility raises risks significantly because it allows adversaries freedom to conduct operations unimpeded, time to understand the victim environment to locate their objectives, achieve their desired effects and satisfy the intent for conducting a compromise," said Caltagirone.

This activity could have physical effects away from a network environment, as recently demonstrated when a malicious hacker was able to modify the chemical properties of drinking water after compromising the network of the water treatment facility for the city of Oldsmar, Florida.

There's also examples where cyber attackers have gained access to electrical power grids to the extent that they were able to shut down power.

SEE: Phishing: These are the most common techniques used to attack your PC

However, there are cybersecurity procedures that industrial organisations can undertake in order to boost visibility of their own networks and help protect systems from cyber intrusions.

These include identifying which assets exercise control over critical operations and prioritizing security in order to help make them more difficult for attackers to gain access to – and setting up procedures that make attacks easier to identify.

Organisations should also attempt to apply network segmentation, separating operational technology from information technology, so that in the event of attackers compromising the IT network, it's not simple for them to move laterally to OT controls on the same network.

Login credentials should also be properly secured via the use of multi-factor authentication, while organisations should attempt to avoid the use of default login credentials to help provide additional barriers to remote attackers.


Editorial standards