Researchers say that three new threat groups targeting the industrial sector have appeared, but over half of all attacks are the work of only two known cybercriminal outfits.
Cyberattacks launched against industrial players, providers of critical infrastructure, utilities, and energy companies -- whether oil, gas or renewables -- are often less about making a quick buck and more about data theft or causing real-world disruption.
The ransomware incidents experienced by Colonial Pipeline and JBS called attention to the ramifications of digital attacks on supply chains.
After Colonial Pipeline temporarily halted delivery services to investigate a cyberattack, fuel panic-buying took place across parts of the United States. JBS, a global meatpacker, paid an $11 million ransom, but this was not enough to prevent delays in meat pricing and a drop in cattle slaughter due to market uncertainty.
Industrial cyberattacks, especially those conducted by advanced persistent threat (APT) groups, can also be political in nature.
There is brewing tension between Russia and Ukraine, and the former has been accused of responsibility for ongoing cyberattacks, including a distributed denial-of-service (DDoS) assault on government websites. Financial services in the country have also been impacted.
The Kremlin has denied any involvement. Russia has also been accused of a 2015 cyberattack that took down Ukraine's power grid.
Also: Russian APT Primitive Bear attacks Western government department in Ukraine through job hunt
Ukrainian officials have also pointed the finger at Russia for deliberately attempting to sow panic through the disruption -- and as we've seen with past infrastructure-based attacks on private companies, the general public and its behavior can certainly be affected by such activities.
In Dragos' fifth Year In Review report on Industrial Control System (ICS) & Operational Technology (OT) threats, the cybersecurity firm said that three new groups have been discovered "with the assessed motivation of targeting ICS/OT."
The discovery comes on the heels of last year's research which detailed the exploits of four other activity groups, dubbed Stibnite, Talonite, Kamacite, and Vanadinite.
Dragos' new activity groups are called Kostovite, Petrovite and Erythrite.
Kostovite: In 2021, Kostovite targeted a major renewable energy organization. The threat actors used a zero-day vulnerability in the remote access software solution Ivanti Connect Secure to obtain direct access to the firm's infrastructure, move laterally, and steal data.
Kostovite has targeted facilities in North America and Australia.
This group has overlaps with UNC2630, a Chinese-speaking cyberattack group, and is associated with 12 malware families.
Petrovite: Appearing on the scene in 2019, Petrovite has frequently targeted mining and energy businesses in Kazakhstan. This group makes use of the Zebrocy backdoor and conducts general reconnaissance.
Erythrite: Erythrite, active since at least 2020, is a threat group that generally targets organizations in the US and Canada. The target list is broad and includes oil and gas, manufacturers, electricity firms, and one member of the Fortune 500.
"Erythrite performs highly effective search engine poisoning and deployment of credential-stealing malware," Dragos says. "Their malware is released as part of a rapid development cycle designed to be evasive to endpoint detection. Erythrite has technical overlaps to another group labeled by multiple IT security organizations as Solarmarker."
Kostovite and Erythrite have demonstrated the skills to conduct sophisticated intrusions, "with a focus on access operations and data theft over disruption," according to Dragos.
"[These] adversaries are willing to spend time, effort, and resources targeting, compromising, and harvesting information from ICS/OT environments for future purposes," Dragos says.
The new players on the scene join Lockbit 2.0 and Conti, estimated to be responsible for 51% of all ransomware attacks in the manufacturing sector.
Additionally, Dragos researched the general state of industrial security. According to the firm, OT threat triage is "incredibly difficult at scale", as 86% of engagements have an existing lack of network visibility.
Previously undetected external connections, shared credentials, and improper network segmentation were common OT security issues, and over double, the number of industry-related CVE vulnerabilities was published in 2021 in comparison to 2020.
Dragos says that over a third of CVE advisories also contain inaccurate data and errors when it comes to ICS/OT, making the challenge of patching emerging vulnerabilities correctly more difficult. In addition, 65% of advisories for public vulnerabilities had a patch available but no alternative means of mitigation.
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0