
Geopolitical Strains Drive Increase in OT and ICS Cyberattacks

Photo credit: www.csoonline.com

Cyberattacks targeting operational technology (OT) networks are increasingly prevalent, driven largely by geopolitical strife and ongoing conflicts, transforming OT security into a significant focus for organizations globally.

Research from Dragos indicates that in 2024, two new threat groups emerged alongside seven other active entities targeting these systems. Additionally, two new malware families aimed specifically at industrial control systems (ICS) were introduced to the cyberattack landscape.

According to the annual report from Dragos, “A striking trend in 2024 was the continued lowering of the barrier to entry for adversaries targeting OT/ICS.” The researchers highlighted that actors who previously might have overlooked OT systems are now actively recognizing these as viable opportunities for disruption and visibility.

The manufacturing sector has seen a particularly alarming increase in ransomware attacks, with incidents targeting OT/ICS asset providers surging by 87% in 2024. Furthermore, the number of groups focusing on such targets increased by 60%.

New Iranian Group Gains ICS-Targeting Capability

Dragos monitors 23 threat groups actively seeking to exploit OT networks for intelligence gathering or manipulation purposes. Recent activities have included engagement from nine of these groups, with two being newly identified, one of which possesses advanced capabilities in the ICS Cyber Kill Chain.

Referred to as BAUXITE, this group has shown connections to CyberAv3ngers, a hacktivist movement linked to a faction within Iran’s Islamic Revolutionary Guard Corps (IRGC). Between November 2023 and January 2024, BAUXITE was able to breach Israeli-manufactured Unitronics Unistream and Vision series programmable logic controllers (PLCs) that were both vulnerable and exposed to the internet. These PLCs were integral to over 100 organizations across various sectors, including water management and energy.

As detailed in the report, “The adversary is capable of downloading logic to these controllers, causing a denial of service (DoS) equivalent to execute an ICS attack.” During 2024, BAUXITE also attempted to exploit Sophos firewalls and conducted a port scan on several OT/ICS devices, including Siemens S7 and CIMON Automation devices, as well as technology running OPC Unified Architecture and Omron Factory Interface Network Service.
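The scanning activity described above is visible to defenders as one source touching several different ICS service ports in a short window. The following is an added example, not code from Dragos or the CSO article: it runs a simple sliding-window detector over constructed connection records (timestamp, source, destination, port, transport). The port-to-protocol table uses the well-known default ports for the protocols the report names (S7comm on TCP 102, Modbus/TCP on 502, OPC UA on 4840, Omron FINS on 9600, Unitronics PCOM on 20256); the log format, thresholds and sample addresses are assumptions made for the example.

```python
"""Flag sources that touch several ICS/OT protocol ports within a short window.

Added example, not from the report. The log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known default ports for the protocols named in the report.
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    9600: "Omron FINS",
    20256: "Unitronics PCOM",
}

# Constructed sample records: "timestamp,src_ip,dst_ip,dst_port,transport".
# 10.0.5.20 sweeps five ICS protocols on four hosts in six seconds;
# 10.0.5.31 is a legitimate Modbus poller hitting one host every 10 minutes.
SAMPLE_LOG = """\
2024-11-02T08:00:01,10.0.5.20,10.0.9.11,502,tcp
2024-11-02T08:00:02,10.0.5.20,10.0.9.12,502,tcp
2024-11-02T08:00:03,10.0.5.20,10.0.9.11,102,tcp
2024-11-02T08:00:04,10.0.5.20,10.0.9.11,4840,tcp
2024-11-02T08:00:05,10.0.5.20,10.0.9.13,9600,udp
2024-11-02T08:00:06,10.0.5.20,10.0.9.14,20256,tcp
2024-11-02T08:00:07,10.0.5.31,10.0.9.11,502,tcp
2024-11-02T08:10:00,10.0.5.31,10.0.9.11,502,tcp
2024-11-02T09:30:00,10.0.5.20,10.0.9.11,443,tcp
"""


def parse(log_text):
    """Yield (timestamp, src, dst, port, transport) tuples from the CSV-like log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, transport = line.split(",")
        yield datetime.fromisoformat(ts), src, dst, int(port), transport


def find_ics_scanners(log_text, window=timedelta(minutes=5),
                      min_protocols=3, min_targets=3):
    """Return a dict keyed by source IP for every source that, inside `window`,
    contacted at least `min_protocols` distinct ICS protocols or at least
    `min_targets` distinct hosts on ICS ports. Non-ICS ports are ignored."""
    events = defaultdict(list)
    for ts, src, dst, port, _ in parse(log_text):
        if port in ICS_PORTS:
            events[src].append((ts, dst, port))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            protocols = {ICS_PORTS[p] for _, _, p in win}
            targets = {d for _, d, _ in win}
            if len(protocols) >= min_protocols or len(targets) >= min_targets:
                # Report everything this source did on ICS ports, for context.
                hits[src] = {
                    "protocols": sorted({ICS_PORTS[p] for _, _, p in evs}),
                    "targets": sorted({d for _, d, _ in evs}),
                    "first_seen": evs[0][0].isoformat(),
                }
                break
    return hits


if __name__ == "__main__":
    for src, detail in find_ics_scanners(SAMPLE_LOG).items():
        print(src, detail)
```

The thresholds are deliberately low because a single engineering workstation rarely needs to speak five vendor protocols to four controllers within seconds; in production, tune `window`, `min_protocols` and `min_targets` against an allowlist of known HMIs and historians so routine polling (the second source above) stays quiet.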

The group’s tactics included a significant breach in late 2024, where they compromised more than 400 OT/ICS devices globally, installing a custom-embedded Linux backdoor dubbed IOControl.

New Russian Group Focused on Ukraine

The second newly emerged group, named GRAPHITE, is associated with Russian cybersecurity activities and is linked to APT28, also recognized as Fancy Bear or Pawn Storm. Believed to be affiliated with Russia’s military intelligence agency, GRAPHITE has conducted ongoing phishing campaigns targeting hydroelectric, energy, and governmental entities across Eastern Europe and the Middle East.

This group exploits established vulnerabilities to introduce malware aimed at credential theft, although it currently lacks the ICS Cyber Kill Chain stage 2 capabilities evident in related Russian groups such as ELECTRUM or Sandworm.

New ICS Malware Used in the Ukraine Conflict

Various confirmed attacks against Ukrainian entities have been attributed to Russian operations, even prior to the current conflict, leading to significant disruptions such as power outages. A notable incident occurred in January 2024 when a malware named FrostyGoop was utilized, resulting in reduced heating across over 600 apartment complexes in Lviv during a harsh winter freeze.

FrostyGoop primarily targeted ENCO controllers via the Modbus protocol, but researchers noted its broader capabilities could allow interactions with PLCs, DCS, sensors, actuators, and other field devices.

In retaliation, Ukraine-affiliated entities have executed cyber-operations as well. One such response came in April 2024 from the hacker collective BlackJack, which successfully infiltrated Moskollektor, a municipal organization in Moscow overseeing gas, water, and sewage communication systems. They claimed to disrupt networks serving thousands of industrial sensors.

During this breach, researchers identified a new malware variant named Fuxnet, marking it as the eighth known specific type of ICS-focused malware. Fuxnet effectively overloads sensors with excessive Meter-Bus (M-Bus) requests; M-Bus is a communication protocol used across utilities. Additionally, it features a Linux wiper component capable of erasing the systems of sensor gateways.

“The attack on Moskollektor highlights the growing normalization of cyber assaults on industrial devices driven by geopolitical dynamics,” the researchers noted, adding that Fuxnet’s design was specifically tailored for Moskollektor, making it impractical for broader application without extensive modifications.

A Quarter of Vulnerabilities Were Exploitable at Network Perimeter

In 2024, Dragos evaluated 606 public vulnerability advisories related to ICS devices while applying a patch prioritization framework that categorized vulnerabilities into “now,” “next,” and “never.” The analysis revealed that 6% of flaws fell under the immediate patch category, being remotely exploitable with no authentication and either actively targeted or accompanied by proof-of-concept exploits. A substantial 63% were classified as next, capable of mitigation through network hygiene and segmentation.

Alarmingly, 22% of vulnerabilities were found to be exploitable at the network perimeter, which makes them more susceptible to internet-based attacks, a significant increase from 16% in the previous year.

Updating ICS devices often poses challenges, as they are integral to critical operations requiring scheduled downtimes for patching. Therefore, many organizations lean toward mitigation strategies instead. However, it was noted that 57% of advisories with patch solutions provided no alternative mitigation methods, and 18% had neither patches nor mitigation recommendations.
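To make the "now," "next," "never" scheme concrete, here is an added example (not Dragos's tooling, and the advisory records are constructed, not real advisories) that applies the criteria the report describes to a small set of advisories and produces both the category counts and a patch work order. The field names on `Advisory`, the rule that "never" is whatever is neither "now" nor "next," and the ordering within a category (perimeter-reachable first, then items with no vendor mitigation) are assumptions made for the example, not rules stated in the report.

```python
"""Triage ICS vulnerability advisories into now / next / never.

Added example, not from the report. Advisory records below are constructed
and their identifiers are placeholders.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str                   # placeholder identifier, not a real advisory number
    remote: bool              # exploitable over the network
    auth_required: bool       # attacker needs valid credentials first
    exploited_or_poc: bool    # actively exploited, or a public proof of concept exists
    perimeter: bool           # reachable from the internet-facing perimeter
    patch_available: bool     # vendor has shipped a fix
    mitigation_available: bool  # vendor advisory offers a workaround
    network_mitigable: bool   # analyst judgment: segmentation/hygiene blunts it


def triage(a: Advisory) -> str:
    """'now': remote, unauthenticated, and exploited or PoC-backed (per the report).
    'next': exposure can be cut by network hygiene and segmentation.
    'never': everything else (assumption: defined by elimination)."""
    if a.remote and not a.auth_required and a.exploited_or_poc:
        return "now"
    if a.network_mitigable:
        return "next"
    return "never"


def summarize(advisories):
    """Category counts plus the exposure and mitigation-gap figures the report tracks."""
    cats = Counter(triage(a) for a in advisories)
    with_patch = [a for a in advisories if a.patch_available]
    return {
        "total": len(advisories),
        "now": cats["now"],
        "next": cats["next"],
        "never": cats["never"],
        "perimeter": sum(a.perimeter for a in advisories),
        "patch_without_mitigation": sum(not a.mitigation_available for a in with_patch),
        "neither_patch_nor_mitigation": sum(
            not a.patch_available and not a.mitigation_available for a in advisories),
    }


def work_order(advisories):
    """Advisory ids in the order a maintenance window should address them:
    category first, then perimeter-reachable, then those lacking a mitigation."""
    rank = {"now": 0, "next": 1, "never": 2}
    return [a.id for a in sorted(
        advisories,
        key=lambda a: (rank[triage(a)], not a.perimeter, a.mitigation_available, a.id))]


# Constructed sample set (six placeholder advisories).
SAMPLE = [
    Advisory("ADV-1", True, False, True, True, True, False, True),
    Advisory("ADV-2", True, False, False, True, True, True, True),
    Advisory("ADV-3", True, True, True, False, True, True, True),
    Advisory("ADV-4", False, False, False, False, True, False, False),
    Advisory("ADV-5", True, False, True, False, True, False, True),
    Advisory("ADV-6", True, False, False, True, False, False, False),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(work_order(SAMPLE))
```

ADV-3 illustrates why authentication matters to the rule: it is remote and has a public proof of concept, but because it needs credentials it drops to "next" rather than "now." ADV-6 shows the gap the report calls out, an advisory with neither a patch nor a mitigation; the work order still surfaces it ahead of ADV-4 because it is perimeter-reachable.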

“Adversaries are not merely probing OT networks; they are embedding themselves within critical infrastructure, preparing for prolonged access and operational disruptions which could lead to significant consequences,” researchers emphasized. “Reactive security measures are no longer sufficient; defenders must prioritize continuous monitoring, proactive threat hunting, and responsive protocols designed for the OT landscape.”

Source
www.csoonline.com
