Dragos detects three new threat activity groups with interest in targeting ICS/OT environments in 2021

Industrial cybersecurity company Dragos identified three new threat activity groups with assessed motivation of targeting ICS/OT environments in 2021. The company also said that activity groups identified prior to 2021 continue to remain active against industrial organizations.

“Currently, Dragos tracks 18 worldwide threat groups, with three of the newest groups discovered during 2021,” the Hanover, Maryland-headquartered company said in its fifth annual ‘ICS/OT Cybersecurity Year in Review (YIR)’ report.

The new threat groups have been named Kostovite, Petrovite, and Erythrite. Based on data collected and analyzed, covering information on cyber intrusions and attempts to compromise ICS (industrial control systems) networks, Dragos detected that Kostovite and Erythrite reached Stage 2 of the ICS Cyber Kill Chain. This signified that the threat activity groups gained access directly into ICS/OT networks and that those adversaries are willing to spend time, effort, and resources targeting, compromising, and harvesting information from ICS/OT environments for future purposes.

The ICS Cyber Kill Chain is divided into groups of those trying to breach ICS systems but not yet able to do so, those able to do so but either not intending or not quite yet prepared to perform a disruptive attack, and the rarer few entirely prepared to do that attack.

Dragos identified that last March the Kostovite threat activity group compromised the network perimeter of an energy operation and maintenance provider and exploited a zero-day vulnerability in the Ivanti Connect Secure remote access solution. Kostovite used dedicated operational relay infrastructure against this target to obfuscate the origin of its activities, then stole and used legitimate account credentials for its intrusion.

The group then used the stolen account information to move laterally and gain access to the operational technology (OT) environments of multiple energy generation facilities in North America and Australia from a single ingress location, the company said.
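The pattern described above, one set of stolen credentials arriving through a single ingress point and then reaching the OT environments of several separate facilities, is something a defender can look for in remote-access gateway records. The following is an added example written for this article, not code from Dragos or from the report; the log format, the field names and the session records are all constructed here, and the assumption that one legitimate account normally works at one site is the detection's premise, not a fact from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from a hypothetical remote-access gateway:
# (timestamp, account, source IP, site/zone reached). Not real logs.
SAMPLE_SESSIONS = [
    ("2021-03-02T01:12:00", "ops.vendor", "198.51.100.7", "plant-east/OT"),
    ("2021-03-02T01:40:00", "ops.vendor", "198.51.100.7", "plant-west/OT"),
    ("2021-03-02T02:05:00", "ops.vendor", "198.51.100.7", "plant-au-1/OT"),
    ("2021-03-02T08:30:00", "j.smith", "203.0.113.9", "plant-east/OT"),
    ("2021-03-03T08:45:00", "j.smith", "203.0.113.9", "plant-east/OT"),
    ("2021-03-02T09:00:00", "it.helpdesk", "203.0.113.22", "corp/IT"),
]


def detect_multi_site_ot_access(sessions, window_hours=24, min_sites=3):
    """Flag (account, source IP) pairs that reach the OT zone of at least
    `min_sites` distinct sites within any `window_hours` window.

    Assumption (hypothetical baseline): a legitimate operations account
    normally works against a single site, so fan-out from one ingress to
    several facilities is worth a look. Returns a list of
    (account, source_ip, sorted_site_names) tuples.
    """
    # Keep only OT-zone sessions, grouped by the (account, source IP) ingress pair.
    by_ingress = defaultdict(list)
    for ts, account, src_ip, zone in sessions:
        site, _, zone_name = zone.partition("/")
        if zone_name != "OT":
            continue
        by_ingress[(account, src_ip)].append((datetime.fromisoformat(ts), site))

    window = timedelta(hours=window_hours)
    alerts = []
    for (account, src_ip), events in by_ingress.items():
        events.sort()
        # Slide the window from each event; report the first window that fans out.
        for i, (start, _) in enumerate(events):
            sites = {site for t, site in events[i:] if t - start <= window}
            if len(sites) >= min_sites:
                alerts.append((account, src_ip, sorted(sites)))
                break
    return alerts


if __name__ == "__main__":
    for account, src_ip, sites in detect_multi_site_ot_access(SAMPLE_SESSIONS):
        print(f"{account} from {src_ip} reached OT at {len(sites)} sites: {', '.join(sites)}")
```

The threshold and window are deliberately parameters: a fleet where one crew legitimately services several plants needs a higher `min_sites` or a per-account baseline, otherwise the rule produces noise rather than a lead.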

Dragos’ Kostovite data aligns with Mandiant’s findings in April of multiple security incidents involving compromised Pulse Secure VPN appliances, in which the attackers exploited Ivanti Pulse Secure VPN devices to target government agencies and the defense industrial base.

“The systems that they were embedding themselves into and getting access to, were there for the purpose of control and monitoring those generation assets,” said Robert M Lee, Dragos’ CEO and co-founder. “And there wasn’t anything that they were taking or getting that really would have been valuable for intellectual property,” he added.

Dragos is currently tracking a Stage 1 ICS Cyber Kill Chain adversary identified as the Petrovite threat activity group, which targets mining and energy operations in Kazakhstan. One targeted organization has 16 business units that focus on mining and power generation throughout Kazakhstan. The overlaps with other threat activity groups and consistent capability development could lead to more targeted ICS incidents beyond general system reconnaissance and collection.

“While Dragos cannot connect PETROVITE to any known, disruptive event, the group remains active and continues to display an interest in collection on ICS/OT systems and networks,” the company added.

Dragos is aware of targeted operations that Petrovite began in the third quarter of 2019 and that have continued intermittently through 2021. Intrusions during 2019 used compromised legitimate infrastructure in Kazakhstan, whereas intrusions during 2021 focused on compromising legitimate infrastructure in other parts of the world.

The company observed that the Erythrite threat activity group targets organizations in the U.S. and Canada, with ongoing, iterative malware campaigns. The hackers have been active since at least May 2020 with technical overlaps to another group labeled by multiple IT security organizations as Solarmarker. The group performs highly effective search engine poisoning and deployment of credential-stealing malware, which is released as part of a rapid development cycle designed to be evasive to endpoint detection.

The Erythrite group has also been observed compromising the OT environments of a Fortune 500 company and the IT networks of a large electrical utility, food and beverage companies, auto manufacturers, IT service providers, and multiple oil and natural gas (ONG) service firms. The company assesses with moderate confidence that the group will continue to compromise and steal credentials and data from organizations, leaving their OT environments vulnerable to further compromise by Erythrite or other groups.

In February last year, Dragos identified renewed activity from the Stibnite threat activity group targeting Azerbaijani environmental science, technology, and industrial engineering experts, researchers, and practitioners interested in technical conferences. Victims were sent spear-phishing emails about such events as a first attempt at installing a new version of PoetRAT.

Honeywell reported a malware intrusion that disrupted a limited number of its information technology (IT) systems. The OEM produces a range of industrial products used by oil and gas manufacturers in North America, and the breach was a reminder of potential cyber threats to the manufacturing industry and the supply chain.

Dragos’ continual discovery of new GREYENERGY files in the wild demonstrates that Kamacite threat activity group continues its development of GREYENERGY to further its operations. Kamacite may be using all GREYENERGY components in conjunction with other actions and tools to facilitate more disruptive ICS/OT attacks.

In October, Dragos identified the Wassonite threat activity group targeting the Kudankulam Nuclear Power Plant (KKNPP) in India. Subsequent intelligence research combined with public announcements from KKNPP confirmed that adversaries had breached its IT network.

Dragos also coordinated a takedown of malicious domains used during the early exploitation attempts of the Log4j vulnerabilities. The company also observed other intelligence organizations reporting cyber criminals launching Log4j attacks to deliver Cobalt Strike beacons, malware, cryptocurrency miners, ransomware, DDoS attacks, and other malicious programs.

Apart from threat activity information, Dragos also disclosed that it assessed 1,703 ICS/OT Common Vulnerabilities and Exposures (CVE) entries from various sources, including independent researchers, vendors, and ICS-CERT, more than twice the number recorded the previous year. In addition, the company found that 38 percent of ICS vulnerability advisories contained errors in the Common Vulnerability Scoring System (CVSS) score associated with the CVE.

“Asset owners should take this into account when making patching and mitigation decisions for their networks,” the report added.
