Critical Infrastructure Attackers

Electricity, oil and gas and other critical infrastructure vital to any country’s day to day lives is increasingly at risk from cyber-attackers who know that successfully compromising industrial control systems (ICS) and operational technology (OT) can enable them to disrupt or tamper with vital services. A report from cybersecurity company Dragos[1] details ten different hacking operations which are known to have actively targeted industrial systems in North America and Europe and its warned that this activity is likely to grow in the next 12 months.[2]

The list includes several state-backed hacking operations, such as Electrum, also known as Sandworm, which is linked to the Russian military; Covellite, which is linked to North Korea's Lazarus Group; and Vanadinite, which is lined to APT 41, a hacking operation working on behalf of China.

As more critical infrastructure is connected to the Internet or accessible to staff by remote desktop protocols and VPNs, it's increasingly becoming a target for nation-state backed hackers and cyber-criminal gangs interested in breaching and examining OT networks to lay the groundwork for future campaigns. "A lot of this is increasing appetite to be in those places – typically from state-sponsored operations, where they want capability where they could have an impact in future," said the principal adversary hunter and technical director at Dragos.

After hackers enter industrial networks, it is unlikely to have an immediate impact on the systems controlling operational processes because it could take years for attackers to understand everything, but it's about laying the foundations for this for the future.

The campaigns being tracked by Dragos have a variety of aims, some are around stealing information, or there could potentially be plans to cause disruption. For example, cyber criminals constantly are looking to launch ransomware attacks. The nature of operational technology and a reliance on older software and protocols means any evidence of compromise can be missed, proving hackers with ample time to move around, understand and gain control of networks. It is this what researchers describe as "the biggest cybersecurity weakness" facing industrial networks, because without having a full picture of what needs to be protected from cyber-attacks, it is not possible to fully defend networks from hackers.

Cybersecurity weaknesses in industrial networks are not necessarily new, but as more threat groups become interested in infiltrating them, it could lead to significant problems. The report warns that activity related to cyber-attacks targeting industrial infrastructure has been observed since Russia's invasion of Ukraine and western cybersecurity agencies have issued warnings on the need to protect networks from attacks.

In addition to having a good understanding of what is on the network, many standard cybersecurity practices can help secure OT networks. These include applying security updates to patch known vulnerabilities in software, and applying multi-factor authentication whenever possible. It is hoped that by drawing attention to the hacking groups, campaigns and the risk to the industrial sector, that organizations involved will heed the warnings and apply the necessary protections to protect themselves from cyber espionage, disruptive attacks and other potential cybersecurity threats. "It can work in a more positive light, where we have seen these attacks, it can work just a reminder for organizations to protect themselves," said Dragos.

The most active threat groups targeting critical infrastructure are:

Parasite: a group which targets utilities, aerospace and oil and gas in Europe, the Middle East and North America. The group uses open source tools and known vulnerabilities for initial access. Parasite is suspected to be linked to Iran.
Xenotime: a group which targets oil & gas companies in Europe, the United States and Australia. It is believed the group is linked to Russia.
Magnallium: a group which initially targeted oil and gas and aircraft companies in Saudi Arabia, which has expanded targeted to Europe and North America. It's thought to be related to APT 33, a state-sponsored Iranian hacking group.
Dymalloy: a group which targets electric utilities, oil and gas and other advanced industrial entities across Europe, Turkey and North America. Described as "highly aggressive," Dymalloy looks for long-term persistence in networks and is thought to be linked to Russia.
Electrum: this group is capable of developing malware that can modify and control OT procedures and Dragos researchers say this operation was responsible for Crash Override – also known as Industroyer – a malware attack on Ukraine's power grid in December 2016. Electrum is associated with Sandworm, an offensive hacking operation that's part of Russia's GRU military intelligence agency.
Allanite: a group which targets enterprise and OT networks in the UK and US electricity sectors, as well as German industrial infrastructure and uses access to conduct reconnaissance on networks to potentially stage future disruptive events. It's believed Allanite is linked to Russia.
Chrysene: Active since at least 2017, this group has targeted industrial organisations in Europe and the Middle East, and mainly conducts intelligence gathering operations to potentially facilitate further attacks. Chrysense is suspected to be linked to Iran.
Kamacite: a group which has been active since at least 2014 and believed to be responsible for cyber-attacks against Ukrainian power facilities in 2015 and 2016. The group is linked to Sandworm (Russia).
Covellite: a group which has targeted electric utilities in Europe, the US and East Asia using malicious attachments in phishing emails. The group is thought to be linked to the Lazarus Group, a state-backed hacking group working out of North Korea.
Vanadinite: A hacking group which targets external-facing, vulnerable software in industrial organizations around the world. It's thought to be linked to APT 41, a state-sponsored Chinese hacking operation.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: