Dragos outlines threat perspective of cyber threat activities targeting water and wastewater systems in GCC region

Industrial cybersecurity company Dragos assesses that the impact of cyberattacks against water and wastewater systems (WWS) in the Gulf Cooperation Council (GCC) region is a significant risk to organizations there because of the heavy reliance on water desalination plants. The company said that, among the many emerging cyber threats, ransomware is a major IT-focused threat that can disrupt the operation of ICS/OT environments, mainly if the IT/OT networks are not segmented properly. Additionally, the high dependency of the WWS sector on ONG (oil and natural gas) as a source of energy means that an ONG outage would significantly impact the WWS sector’s operation.

Dragos assesses in a recent report with low confidence that in the next 12 months, cyber threat activities will impact organizations in the WWS sector in the GCC countries due to the risk of destructive cyberattacks in the Middle East targeting industrial organizations. The assessment also cites the increase in regional tensions between Iran and GCC countries due to continuous Iranian support of the Houthi militia, which has overtaken the Yemen government. Furthermore, the GCC countries’ oppositional political stand against the Iranian nuclear program will likely result in threat groups and their supported ransomware operators impacting industrial operations.

Dragos said that the continued growth in the WWS sector, reaching around 6 percent annual growth as of 2009, along with desalination plants under construction promoting future growth, will likely attract cyber criminals and other adversaries to increase their activities, especially against small- to medium-size WWS organizations.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Fiscal Year 2021 (FY21) report, 37.4 percent of 44 WWS scanned entities in the U.S. were using potentially risky applications, including RDP and VPN services, and 16.3 percent were using unsupported Windows operating systems on some of their internet-facing assets. The agency’s analysis shows that adversaries exploited several vulnerabilities in WWS entities’ systems, including VPN services, web applications, mail servers, and security appliances.

At the time, the cybersecurity agencies recommended WWS facilities, including DoD water treatment facilities in the United States and abroad, use a risk-informed analysis to determine the applicability of a range of technical and non-technical mitigations to prevent, detect, and respond to cyber threat activities.

Adversaries attacking entities in the GCC region are known to quickly weaponize and exploit vulnerabilities in internet-facing services, including VPN services, RDP, and network infrastructure, Dragos said. “This includes PARISITE, MAGNALLIUM, and XENOTIME. New vulnerabilities revealed throughout 2021 impact critical network infrastructure services, including F5, Palo Alto Networks, Citrix, and Juniper network devices, and are likely targets for adversaries. These vulnerabilities can enable adversaries to gain initial access to enterprise operations or pivot into industrial operational environments,” it added.

The Hanover, Maryland-headquartered company tracks six threat groups and various ransomware groups impacting GCC industrial organizations. Although Dragos is not aware of any cyber threat group targeting ICS/OT environments of WWS in the GCC region, these groups are known to focus on industrial infrastructure in GCC countries.

Dragos has observed espionage activities against the WWS sector during the past three years, demonstrating the adversary’s interest in gathering intelligence from WWS organizations and other non-WWS targets. Even though Dragos is unaware of any Threat Group impacting the ICS/OT infrastructure of a WWS organization, Dragos assesses with low confidence that multiple threat groups have the technical capabilities and the political motivations to attack the ICS/OT infrastructure of WWS in GCC countries.

“PARISITE, CHRYSENE, MAGNALLIUM, and HEXANE are examples of Threat Groups that have impacted GCC countries’ organizations for political reasons,” the company said. 

Dragos assesses with low confidence that adversaries with little to no ICS/OT capabilities will likely target organizations within the WWS sector in the GCC countries due to the low maturity of small to medium-sized WWS organizations, unintentional exposure of ICS/OT assets to the internet, poor segmentation of IT/OT networks, and lack of asset visibility by asset owners. 

Due to the increased tensions between Iran and GCC countries based on opposing political views in regard to the Iranian nuclear program and their support for the Houthi militia, Dragos assesses with low confidence that WWS organizations could be at risk from these cyber threat groups, as WWS falls under the umbrella of critical industrial infrastructure.

Dragos is aware of seven ICS malware strains that specifically impact ICS/OT environments – Stuxnet, Havex, BlackEnergy, CRASHOVERRIDE, TRISIS, Industroyer2, and PIPEDREAM. “Although Dragos has not observed any of these seven ICS-focused malware strains disrupt WWS sector operations, Dragos assesses with low confidence that malware could be developed specifically targeting WWS systems, much like the various ICS-specific malware strains previously seen.”

There is no evidence to support current capabilities being developed; however, well-funded, motivated threat groups could develop malware focused on specific systems or industries, Dragos said. “The high probability of the attacks against GCC’s critical industrial infrastructure, including WWS, is based on the political tension in the region between GCC countries and Iran,” it added.

Considering the expansion in the WWS sector in the GCC region, more small to medium-sized WWS organizations are starting to operate water treatment and seawater desalination plants, Dragos said. These companies typically struggle to afford cybersecurity tooling and appropriate staffing to secure their networks. 

“The significant risk against these organizations is that adversaries are likely to find them more attractive to attack compared to larger organizations where more security controls are in place, and potential attacks are not as successful,” according to Dragos. “The risks against the WWS sector’s small to medium-sized companies include the risk of the adversaries using them as a testing ground to test their tools and capabilities and gain access to the internet-exposed ICS/OT assets,” it added. 

Espionage campaigns have been impacting organizations within GCC countries for several years. RASPITE, PARISITE, HEXANE, and CHRYSENE are the key threat groups observed attempting to compromise the region’s IT infrastructure, including industrial, non-industrial, government, and private entities. In addition, Dragos has learned from a private source that other active adversaries in the region, such as Muddywater and other allegedly Iranian-linked threat groups, targeted the IT infrastructures of multiple WWS organizations in GCC during the last two years.

Dragos said that ransomware continues to be one of the most common and significant threats to industrial organizations worldwide. While ransomware variants are generally IT-focused, crippling the IT systems in industrial companies can impact the ICS/OT network’s ability to operate. Dragos’ analysis of 37 ransomware families shows that six ransomware strains, Cl0p, MegaCortex, Nefilim, LockerGoga, Maze, and EKANS, have the capabilities to impact certain functionalities of ICS/OT systems such as process kill functionality. The company’s analysis of ransomware trends and behaviors shows that state actors can use ransomware for political reasons, and that certain ransomware operators focus on specific industries. 

Looking into supply chain and third-party threats, Dragos observed that many small to medium-sized third-party companies and contractors are operating or co-operating WWS facilities, exposing these facilities to the carried-over cyber risks from the third-party companies and contractors. In addition, leveraging third-party connections can enable an adversary to conduct espionage, reconnaissance, and data theft operations to pre-position themselves for a potentially disruptive OT attack. 

Dragos said that every ICS/OT environment requires a defensible architecture that reduces cyber risks from an architectural perspective and enables the human defender. The company provides detailed recommendations on how cybersecurity professionals can defend their ICS/OT networks against cyber threat activities. 

The list of recommendations covers defensible architecture, monitoring and visibility, incident response plans, remote access authentication, and key vulnerability management. Monitoring a network can come in many forms, but within the focus of these controls it is about helping maintain a defensible architecture and enabling a human defender to turn it into a defended environment. Improving – or, in many cases, obtaining – visibility is crucial for identifying and defending against cyber threats.

Last month, hackers targeted the water sector as the Russian-based Cl0p ransomware group breached water systems at the U.K. water supply company South Staffordshire. Coming in the middle of one of the worst droughts the U.K. has faced, the cyber attack demonstrates that very little has changed since last year’s remote access cyber attack at the Oldsmar, Florida water treatment plant.

In April, Dragos assessed with high confidence that the biggest cybersecurity weaknesses European industrial infrastructure asset owners currently face are lack of asset visibility into their network and weak network authentication policies. In addition, the company gauges with low confidence that Europe is at low risk for localized or small-scale disruption or destruction, as motivated state-executed adversaries may perform low-stakes operations when deemed politically or economically advantageous.
