Dragos highlights surge in cyber threats amid geopolitical tensions, new OT groups, rise in ransomware attacks

Industrial cybersecurity firm Dragos revealed in its annual OT Cybersecurity Year in Review report a marked rise in cyber threat activity and disruptions across critical infrastructure worldwide, attributing the surge to escalating geopolitical tensions. The report notably identified the emergence of new operational technology (OT) threat groups, such as Voltzite, which overlaps with Volt Typhoon. 

Additionally, it observed 50 ransomware groups actively impacting industrial organizations in 2023, out of 77 groups that have historically attacked industrial organizations and infrastructure, a 28 percent increase over the previous year. It tracked 905 reported ransomware incidents impacting industrial organizations in 2023, a 49.5 percent increase from 2022. Industrial organizations have much to lose because operational disruptions can carry significant financial and reputational costs, and the impact can cascade to downstream businesses and outputs. This makes ransomware a high-stakes threat for industrial organizations.

The analysis further revealed that both state-sponsored entities and comparatively less sophisticated hacktivist groups have achieved substantial progress in their capabilities to target OT systems.

“OT cyber threats reached a tipping point in 2023,” Robert M. Lee, co-founder and CEO of Dragos, said in a Tuesday media statement. “Industrial and critical infrastructure has been moving away from highly customized facilities to ones that—for good economic and productivity reasons—share the same industrial devices, technologies, and facility designs across sites and sectors.” 

Lee added that adversaries now leverage these homogenous infrastructures to scale attacks. “They also target weaknesses in environments that pushed digital transformation without adequate cybersecurity measures. These factors contributed to an environment in 2023 in which organizations were challenged with a range of threats, including increasingly sophisticated state actors, hacktivists preying on pervasive security weaknesses, and a growing barrage of ransomware attacks.”

Dragos, headquartered in Hanover, Maryland, also identified two new OT threat groups apart from Voltzite: Gananite and Laurionite. With these additions, Dragos analysts now track 21 threat groups worldwide that were observed engaging in OT operations in 2023. The company also flagged geopolitical conflicts as a driver of threat activity, with regional and global kinetic events overlapping with OT cybersecurity threats. 

Dragos detailed that the Voltzite group has targeted numerous critical infrastructure entities in Guam, the U.S., and other countries since at least 2021. Voltzite overlaps with Volt Typhoon, a group that the U.S. government has publicly linked to the People’s Republic of China. Voltzite heavily uses living off the land (LOTL) techniques and, in some cases, has been observed conducting ‘hands-on keyboard’ post-compromise actions within a victim’s networks. 

Another interesting finding was that Voltzite overlaps with infrastructure associated with the Mirai botnet and another activity cluster that differs from Voltzite but may be operationally connected.

The Gananite threat group targets critical infrastructure and governmental bodies within the Commonwealth of Independent States and Central Asia. Its primary activities include espionage and data theft, and it may also facilitate access for other threat groups by handing off initial entry points. 

Gananite has been observed conducting multiple attacks against key personnel related to ICS operations management in a prominent European oil and gas company, rail organizations in Turkey and Azerbaijan, multiple transportation and logistics companies, an automotive machinery company, and at least one European government entity overseeing public water utilities. “Although GANANITE has not yet shown evidence of moving into OT networks or an elevated capability resembling Stage 2 actions, their assessed capabilities show efficient use of multiple phases across Stage 1 of the ICS Cyber Kill Chain,” the report detailed.

Laurionite was first discovered actively targeting and exploiting Oracle E-Business Suite iSupplier web services and assets across several industries, including aviation, automotive, manufacturing, and government. The group uses a combination of open-source offensive security tooling and public proofs of concept to exploit common vulnerabilities. 

The group has demonstrated the ability to conduct the complete attack cycle of offensive cyber operations that achieve Stage 1 of the ICS Cyber Kill Chain from Reconnaissance to Actions on the Objective. The adversary operators show expertise in various offensive cyber operation skills in navigating target systems, exploiting vulnerabilities, maintaining persistence, conducting lateral movement, internal reconnaissance, defense evasion, and exfiltration.

“While current observations and visibility of LAURIONITE operations do not indicate the adversary seeks to advance to OT networks, Dragos cannot discount this as a possible course of action the adversary may select in the future,” the company identified. “LAURIONITE actively seeks out iSupplier instances with a significant presence across many industry verticals and sectors, including industrial organizations such as manufacturing.” 

Dragos assesses that escalating conflicts, including those between Ukraine and Russia, Israel and Hamas, and countries in the South China Sea, emboldened adversaries and hacktivists to develop new capabilities and reuse old techniques. The Ukraine-Russia conflict prompted more mature threat groups, such as Electrum, to increase activity, while tensions between China and Taiwan contributed to increased targeted cyber espionage attacks against industrial organizations in the Asia-Pacific region and the U.S.

Hacktivists for the first time achieved Stage 2 of the ICS Cyber Kill Chain when CyberAv3ngers attacked programmable logic controllers (PLCs) used by water utilities across North America and Europe, defacing them with an anti-Israel message. While hacktivist groups typically conduct distributed denial of service (DDoS) attacks with minimal impact, this attack demonstrated that OT systems protected by weak security controls can be disrupted with unsophisticated methods. Other active hacktivist groups included CyberArmyofRussia_Reborn, NoName057(16), Anonymous Sudan, and Team Insane Pakistan. 

Dragos also observed the adversary conducting what it assessed as ‘likely’ brute-force authentication attempts against IoT devices. 

Dragos pointed out that ransomware remains the most common attack type in the industrial sector, with incidents up 50 percent from 2022. Lockbit was responsible for 25 percent of industrial ransomware attacks, with ALPHV and BlackBasta accounting for 9 percent each. Manufacturing continues to be the primary target and accounts for 71 percent of all ransomware attacks. The majority of incidents impacted organizations in North America (44 percent), followed by Europe (32 percent). 

On the vulnerability side, the share of vulnerabilities that require authentication to exploit is rising, a positive trend for OT defenders: in 2023, 34 percent of CVEs required some authentication, compared to 25 percent of CVEs in 2020. On the other hand, of the 2,010 vulnerabilities impacting industrial environments disclosed last year, 14 percent came with erroneous information, which hinders risk prioritization in ICS/OT.
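The "requires authentication" split above is the kind of figure a defender can reproduce against their own vulnerability feed. The following is an added example, not code from the report or from Dragos, and it assumes that "requires authentication" maps to the CVSS v3 Privileges Required metric (PR:L or PR:H rather than PR:N); the report does not state its own method. The advisory records and vector strings are constructed for illustration and are not real CVEs. Malformed records are counted separately rather than silently dropped, since advisory errors are themselves a finding the report calls out.

```python
import re
from collections import Counter

# Constructed sample advisories (not real CVE records); the vector strings are
# made up for illustration. Entry 0006 deliberately omits the PR metric to
# stand in for an advisory with erroneous or incomplete scoring data.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "EXAMPLE-2023-0002", "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "EXAMPLE-2023-0003", "cvss": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H"},
    {"id": "EXAMPLE-2023-0004", "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},
    {"id": "EXAMPLE-2023-0005", "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
    {"id": "EXAMPLE-2023-0006", "cvss": "CVSS:3.1/AV:N/AC:L/UI:N/S:U/C:H/I:H/A:H"},
]

# Accept CVSS 3.0 and 3.1 base vectors: a version prefix then METRIC:VALUE pairs.
VECTOR_RE = re.compile(r"^CVSS:3\.[01]/(?P<metrics>(?:[A-Z]+:[A-Z]/?)+)$")
# All eight base metrics must be present for the vector to be usable.
REQUIRED_METRICS = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}


def parse_vector(vector):
    """Return the base metrics as a dict, or None if the vector is malformed
    or missing any required metric."""
    m = VECTOR_RE.match(vector)
    if not m:
        return None
    metrics = {}
    for part in m.group("metrics").rstrip("/").split("/"):
        key, value = part.split(":")
        metrics[key] = value
    if not REQUIRED_METRICS.issubset(metrics):
        return None
    return metrics


def requires_authentication(metrics):
    """Assumption used here: PR:L or PR:H means the attacker needs some
    credential on the target; PR:N means it can be exploited unauthenticated."""
    return metrics["PR"] in ("L", "H")


def summarize(advisories):
    """Count how many parseable advisories require authentication, how many
    are reachable unauthenticated over the network, and which are malformed."""
    counts = Counter()
    malformed = []
    for adv in advisories:
        metrics = parse_vector(adv["cvss"])
        if metrics is None:
            malformed.append(adv["id"])
            continue
        counts["parsed"] += 1
        if requires_authentication(metrics):
            counts["auth_required"] += 1
        # Network-reachable and unauthenticated: the ones to patch first.
        if metrics["AV"] == "N" and metrics["PR"] == "N":
            counts["network_unauthenticated"] += 1
    parsed = counts["parsed"]
    share = counts["auth_required"] / parsed if parsed else 0.0
    return {
        "parsed": parsed,
        "auth_required": counts["auth_required"],
        "auth_required_pct": round(100 * share, 1),
        "network_unauthenticated": counts["network_unauthenticated"],
        "malformed": malformed,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_ADVISORIES)
    print(f"parsed: {result['parsed']}")
    print(f"require authentication: {result['auth_required']} "
          f"({result['auth_required_pct']}%)")
    print(f"network-reachable, unauthenticated: {result['network_unauthenticated']}")
    print(f"malformed advisories: {result['malformed']}")
```

Against the constructed sample, three of the five parseable advisories require authentication, two are network-reachable without credentials, and the sixth is reported as malformed. Running the same logic over a real feed (for example the CVSS vectors in ICS advisories) gives a defensible version of the 34 percent figure, with the malformed list doubling as a measure of advisory quality.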

Regulatory changes in the U.S., Europe, Australia, Asia, and the Middle East required organizations to develop capabilities to meet reporting obligations. To this end, Dragos conducted more exercises with a wider range of participants and industries in 2023. 

Drawing on its customer service engagements across diverse industrial sectors over the year, Dragos pinpointed several critical challenges that industrial organizations need to address. 

Key among these are inadequate security measures, identified in 28 percent of engagements, where the main concerns involved poor network segmentation or incorrectly configured firewalls. Internal threats stemming from network design were also significant: approximately 70 percent of OT-related incidents originated from the IT environment, underscoring the dangers of improper network segmentation.

The report further highlighted issues with overlapping IT and OT systems, revealing that 17 percent of the organizations had not implemented separate IT and OT user management. Instead, they relied on a shared domain architecture, which simplifies lateral movement and privilege escalation for attackers. Additionally, it underscored vulnerabilities linked to external connections. Dragos observed that four threat groups exploited public-facing devices and external services, with 20 percent of the engagement reports identifying risks associated with networks that were exposed to the internet.
