Information provided here is sourced from Dragos OT Cyber Threat Intelligence adversary hunters and analysts who conduct research on adversary operations and their tactics, techniques, and procedures (TTPs). Dragos OT cyber threat intelligence is fully reported in Dragos WorldView threat intelligence reports and is also compiled into the Dragos Platform for threat detection and vulnerability management.
2023 unfolded as a pivotal chapter in the domain of operational technology (OT) cybersecurity. In our recent threat landscape webinar, spearheaded by Dragos adversary hunters Bryce Livingston and Conor McLaren, and supported by insights from the 2023 OT Cybersecurity Year in Review, we dissected a year’s worth of cyber threats. This blog highlights the key trends covered in our webinar including the intersection of geopolitical conflicts and cyber operations, the appearance of new threat groups dedicated to industrial targets, the rise of hacktivist activity, the surge of ransomware, and the essential pillars of a strong and resilient cybersecurity program in the face of aggressive threats.
Geopolitical Conflicts Breeding Cyber Threats
The convergence of geopolitical instability and cyber operations targeting industrial control systems (ICS) environments has manifested starkly in the Ukraine-Russia war. The threat group ELECTRUM launched aggressive cyber operations targeting critical infrastructure in Ukraine throughout 2022 and 2023. The likely strategic timing of ELECTRUM’s activity alongside conventional warfare sets a concerning precedent for the future of global conflicts. For instance, in October 2022, ELECTRUM conducted another disruptive attack against electric power operations, which was possibly a strategic move timed to coincide with a country-wide kinetic bombing campaign targeting Ukrainian critical infrastructure. A few months later, in January 2022, they shifted to targeting of Ukrainian telecommunications, leveraging hacktivist personas in an impactful destructive attack on Ukraine telecom Kyivstar in January 2023. The deployment of destructive wiper malware, a signature ELECTRUM post compromise behavior, is ongoing.
Watch our webinar on the 2023 OT Threat Landscape with Dragos cyber threat intelligence experts.
Watch On-DemandEmergence of Sophisticated New OT Threat Groups
2023 marked the discovery of new threat groups: GANANITE, VOLTZITE, and LAURIONITE. These groups have been observed employing a range of sophisticated tactics from spearphishing, the exploitation of zero-day vulnerabilities, and living off the land (LOTL) techniques, to target critical infrastructure sectors globally. Among them, VOLTZITE stands out.
Dragos has monitored and reported on VOLTZITE operations since early 2023, developing behavioral threat detections for the Dragos Platform with knowledge of adversary actions and tradecraft from WorldView. This threat group, which overlaps with Volt Typhoon, has been linked to high-profile incidents targeting multiple critical infrastructure organizations across multiple sectors.
To date, Dragos has only observed VOLTZITE operations achieving Stage 1 of the ICS Cyber Kill Chain. They have not yet displayed actions or capabilities designed to disrupt, degrade, or destroy ICS/OT assets or operations. However, their persistent targeting of critical infrastructure entities and observed capabilities could hypothetically set the scene for a direct impact on OT environments.
VOLTZITE has shown continued interest in the electric and telecommunications sectors in the United States. This is evidenced by long-term slow and steady reconnaissance and enumeration of multiple electric entities. If VOLTZITE can establish an initial foothold on the network perimeter of a target, they may then be able to pivot further into a victim’s information technology (IT) network. Upon gaining access, VOLTZITE establishes persistence in the network and begins to exfiltrate data using LOTL techniques while attempting to evade detection. If proper network segmentation between the IT and operational technology (OT) networks of a victim is not present, then VOLTZITE may laterally move into OT networks to perform enumeration and data exfiltration of critical OT operational data such as SCADA data, OT device configurations, historian data, Geographic Information Systems (GIS) data, amongst others.
A recent fact sheet authored by government agencies in the US, UK, Canada, Australia, and New Zealand, came with a warning that these operations “are seeking to pre-position themselves – using living off the land (LOTL) techniques – on IT networks for disruptive or destructive cyber activity against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”
For more information on VOLTZITE, read our Intelligence Brief on VOLTZITE Espionage Operations Targeting U.S. Critical Systems.
VOLTZITE has steadily employed LOTL techniques, where attackers exploit legitimate administrative tools and processes inherent within the environment for malicious purposes. This approach complicates detection but also significantly muddles response efforts. By using these native tools, attackers leave fewer traces, as their malicious activities blends seamlessly with normal system operations, evading detections that signal the deployment of unauthorized software. The challenge of LOTL techniques is not only their detection, but also differentiating between benign and malicious use of administrative tools.
The Dragos Platform excels at correlating discrete events in ICS/OT environments that may appear benign individually. When individual atomic analytics are synthesized into composite detections, they paint a compelling narrative that could indicate a threat. This approach ensures that even subtle anomalies are escalated into significant alerts, presenting operators with cyber threat intelligence context, and prompting timely investigation of adversary-driven behavior patterns on a host or network.
The New (Disturbing) Face of Hacktivism
Last year also saw a dramatic increase in hacktivist activity, which has traditionally relied on distributed denial-of-service (DDoS) attacks, website defacement, and false claims to draw attention to political and social causes. By spreading fear, uncertainty, and doubt – what we call FUD – hacktivists aim to influence perceptions to create a narrative of instability. While that is consistent with much of the activity that took place in 2023, the CyberAv3ngers hacktivist group, known for generally exaggerating or inventing claims, was associated with attacks on PLCs at water utilities in the US, Europe, and Australia. At least one incident led to material impacts and the disruption of water services for several days. Far from signifying advancements in hacktivist tradecraft, these attacks were facilitated by easy access to internet-facing vulnerable devices, weak authentication controls, and OT defenders’ inability to see malicious actions in their ICS environment until after they had taken place.
Ransomware’s Sustained Targeting of Industrial Sectors
Ransomware attacks have continued their relentless expansion in 2023, with the manufacturing sector alone witnessing an approximate 50 percent increase in incidents compared to the previous year. This is only expected to increase given the lucrative nature of this cybercrime strategy. Ransomware groups do not usually explicitly target OT networks and the impact to industrial operations comes by way of precautionary shutdowns, lateral movement from IT networks, and ransomware variants capable of killing ICS processes. The financial cost of recovery, loss of revenue, and reputational damage inflicted on victims is extended by operational impacts on their customer base and when ransomware groups can move laterally into customer environments.
The Five Pillars of Cyber Defense in Operational Technology
To combat the sophisticated threats outlined in this blog, it is essential to adhere to the SANS 5 Critical Controls for World-Class OT Cybersecurity recommended by industry experts. These include the development of an incident response plan tailored to OT specifics, the establishment of a defensible architecture that limits attackers’ movements, the implementation of secure remote access protocols, the application of risk-based vulnerability management, and the enhancement of ICS visibility and monitoring. These pillars form the bedrock of a robust cybersecurity framework that can withstand the evolving threats of the digital age.
In response to these multifaceted threats, the Dragos Platform offers a holistic solution designed to enhance the resiliency of ICS environments. With detailed OT network visibility and intelligence-driven detections, the Dragos Platform ensures that organizations are not only aware of their security posture but are also prepared to respond effectively to active and emerging adversary behaviors.
The OT cyber threat landscape presents unprecedented challenges that demand innovative defenses. By understanding the tactics of our adversaries and fortifying our defenses with strategic controls and advanced technological solutions, it’s possible to navigate the OT cyber threat landscape.
Watch Our Webinar
Ready to put your insights into action?
Take the next steps and contact our team today.