2023 OT Cybersecurity Year in Review
Dragos’s annual OT Cybersecurity Review – the go-to report for industrial control system (ICS) and operational technology (OT) vulnerabilities, threats targeting industrial environments, and industry trends from customer engagements worldwide.
Keep scrolling to explore our interactive view of the 2023 Year in Review. Be sure to download your free copy of the full report for exclusive data and insights on the state of cybersecurity to help you stay ahead of the threat landscape in 2024.
Timeline
In 2023, headlines around the world highlighted the motivation for targeting OT and the impact of disruption. There were also considerable achievements across the OT community. The following cyber attacks and cybersecurity events provide highlights from the past year.
Dragos reported activity by RASPITE threat group (TG) performing server message block (SMB) scanning operations for internet-exposed SMB services during at least the month of September 2022. Identifiable target organizations appeared to exist within the Electric, Energy, Food and Beverage, Government, Finance, and Education/University sectors.
Dragos has designated a new threat group – GANANITE. This adversary targets critical infrastructure and government targets in Europe, predominantly in the Eastern, South-Eastern, and Central European regions. Targets observed in this cluster include rail, transport, and oil & gas, along with government and strategic policy centers for European nations. GANANITE used fake login pages for email services hosted on masqueraded domains to capture domain credentials and employed a suspected phishing campaign to drop a Remote Access Trojan (RAT) that steals sensitive information and sends it to a Telegram chatbot.
A new wiper cyber attack attributed to Sandworm, which overlaps with the threat group ELECTRUM, was deployed against Ukraine on 25 January 2023, according to the Slovak firm ESET. Dubbed SwiftSlicer, the attack used Active Directory Group Policy to delete shadow copies and recursively overwrite files located in system drivers and other non-system drives before rebooting the computer. Wiper malware variants have played a consistent role in attacks targeting Ukraine since January 2022.
Dole experienced a ransomware attack in February 2023. As a result of the incident, Dole temporarily shut down four fresh vegetable production facilities in North America while systems were restored. Retailers and shoppers complained of delays and shortages of Dole salad kits for more than a week. Dole incurred over $10 million in direct costs from the ransomware attack, with $5.7 million in lost revenue from the vegetable business.
Dragos observed a new Threat Group LAURIONITE targeting and exploiting Oracle e-Business Suite iSupplier web services and assets. This activity was identified as affecting organizations in several sectors, including aviation, automotive, ferroalloy manufacturing, computer manufacturing, medical manufacturing, professional services supporting industrials, and state, local, tribal, and territorial (SLTT) government sectors.
During a U.S. Senate Committee on Energy and Natural Resources hearing, Dragos CEO and Co-Founder Robert M. Lee testified to three points. First, that PIPEDREAM malware has shown that the threat landscape has irreversibly changed and urgency is required. Second, the government should seek to understand what is and is not working, and take advantage of existing collaborative efforts that are underutilized. Third, it is essential to identify what sites are critical and what risks they need to be protected against, and to properly resource these efforts. In his Senate testimony, Lee also stated that the industry has moved towards a more homogeneous infrastructure with common software packages, common network protocols, common facility designs, and more. “This has brought a lot of advantages to the industry and those that depend on it, but reduced the complexity that the adversaries have to operate in while increasing the complexity of what defenders have to defend.”
A cyberattack damaged water controllers and control systems for irrigating fields in the Jordan Valley and wastewater treatment control systems belonging to the Galil Sewage Corporation. Several monitors for irrigation systems and wastewater treatment systems were left dysfunctional. The source of the cyberattack, however, is unknown. The attacks on Israel’s water systems appear to be part of OpIsrael, an anti-Israel hacktivist campaign that has intensified every year in early April over the past decade.
VOLTZITE has been observed performing reconnaissance and enumeration of multiple U.S.-based companies. This threat group shares overlaps with the adversary described by CISA in May 2023, and Volt Typhoon (Microsoft). VOLTZITE employs living off the land (LOTL) techniques; they use native tools available in compromised assets. This strategy, paired with slow and steady reconnaissance, enables VOLTZITE to avoid detection for lengthy periods of time.
The Australian Cyber and Infrastructure Security Centre (CISC) announced its Critical Infrastructure Risk Management Program (CIRMP) requirement. The CIRMP Rules assist owners and operators to conceptualize risk and are designed to empower them to take action that will lower risk to the ongoing operation of their systems, assets, and businesses.
The marine technology manufacturer Brunswick Corporation (BC) experienced a ransomware incident that disrupted manufacturing operations, primarily within BC’s Propulsion and Engine Parts & Accessories business units. Additionally, some users reported outages of the BC Simrad application. BC estimated the incident would cost them as much as $85 million in lost production and distribution activities across their business. Recovering from this incident was publicly reported to take nine days.
VOLTZITE exploited public internet-facing Sierra Wireless Airlink devices of a US emergency management and traffic monitoring entity in a June 2023 campaign.
The U.S. government identified adversary-developed exploits against unknown vulnerabilities. Dragos Intelligence worked with government agencies, Rockwell Automation, and other security vendors to implement a collaborative and collective response. Neighborhood Keeper and OT Watch monitored for potential use of the exploits in the wild, and detections were deployed to the Dragos Platform before an attack could occur.
MAGNALLIUM re-emerged after a long hiatus with high-volume password spraying activity during at least the month of July 2023. Targeted sectors appear to include defense and mining. These organizations face significant risk if accounts are compromised, given MAGNALLIUM’s previous use of wiper malware. The group’s demonstrated abilities and focused targeting suggest that it possesses the capacity to carry out IT-based wiper attacks within industrial settings, potentially leading to substantial operational disruptions.
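Password spraying is recognisable in authentication logs by its shape: one source tries many distinct accounts with only one or two attempts each, which stays under per-account lockout thresholds. The following detector, an added example that is not part of the Dragos report and uses constructed log lines rather than any real data, applies that heuristic over a sliding time window and records which sprayed accounts later authenticated successfully from the same source. The log format, thresholds and function names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the report): timestamp, source IP, account, outcome.
# 203.0.113.7 sprays six accounts once each; 198.51.100.9 brute-forces a single account;
# 192.0.2.44 fails against only two accounts and should stay below the alert threshold.
SAMPLE_LOG = """\
2023-07-12T08:00:01Z 203.0.113.7 alice FAIL
2023-07-12T08:00:03Z 203.0.113.7 bob FAIL
2023-07-12T08:00:05Z 203.0.113.7 carol FAIL
2023-07-12T08:00:07Z 203.0.113.7 dave FAIL
2023-07-12T08:00:09Z 203.0.113.7 erin FAIL
2023-07-12T08:00:11Z 203.0.113.7 frank SUCCESS
2023-07-12T08:01:00Z 198.51.100.9 alice FAIL
2023-07-12T08:01:05Z 198.51.100.9 alice FAIL
2023-07-12T08:01:10Z 198.51.100.9 alice FAIL
2023-07-12T08:01:15Z 198.51.100.9 alice SUCCESS
2023-07-12T09:30:00Z 192.0.2.44 grace FAIL
2023-07-12T09:30:02Z 192.0.2.44 heidi FAIL
"""


def parse_line(line):
    """Split one space-separated log line into (timestamp, source, account, outcome)."""
    ts, src, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, outcome


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return one alert per source whose failures inside any `window` touch at least
    `min_accounts` distinct accounts with no more than `max_per_account` tries each.
    Brute force against one account (many tries, one user) does not match."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    fails_by_src = defaultdict(list)
    successes_by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            fails_by_src[src].append((ts, user))
        elif outcome == "SUCCESS":
            successes_by_src[src].append((ts, user))

    alerts = []
    for src, fails in fails_by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start so that fails[start:end+1] spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                first_seen = fails[start][0]
                # Successful logins from the same source after the spray began are the
                # accounts to reset and investigate first.
                later_successes = sorted({u for ts, u in successes_by_src[src] if ts >= first_seen})
                alerts.append({
                    "source": src,
                    "first_seen": first_seen.isoformat(),
                    "distinct_accounts": len(per_user),
                    "successes": later_successes,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG):
        print(alert)
```

The thresholds are the tuning knobs: `min_accounts` should sit above the number of distinct accounts a legitimate shared egress address (VPN concentrator, proxy) normally fails within the window, and `max_per_account` should sit below the directory's lockout count, since a spray is designed to stay under it.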
Possible exploitation attempts were observed in July 2023 against an African electric transmission, distribution, and retail entity.
Singapore’s Cyber Security Agency (CSA), in a three-year arrangement, engaged Dragos to share threat intelligence and expertise in threat detection and hunting, and to conduct architecture reviews and cyber risk assessments of OT systems in critical information infrastructure (CII) sectors. Dragos will also contribute to Singapore’s national and sectoral OT security incident response framework by augmenting the efforts of CSA and CII sector leads to deal with sophisticated OT cyber attacks requiring niche or deep capabilities.
Cybersecurity and law enforcement officials confirmed that LockBit 3.0 affiliates exploited CVE-2023-4966, commonly known as “Citrix Bleed,” to breach Boeing’s parts and distribution business. The exploitation against Boeing began shortly after the patch release in October 2023, although the vulnerability had been exploited as a zero-day since August 2023.
Dragos signed a memorandum of understanding (MOU) with Aramco, one of the world’s leading integrated energy and chemicals companies, to review potential opportunities to help protect critical industrial assets and infrastructure for Aramco and its affiliates, and the Kingdom of Saudi Arabia. The MOU includes initiatives aimed at localizing Dragos services and solutions, and development initiatives for a Dragos local hardware assembly facility. Additionally, Dragos will explore strategies with Aramco to establish a training academy in the country, aimed at enhancing OT cybersecurity capabilities in technology applications.
VOLTZITE conducted extensive reconnaissance of U.S. energy organizations in November 2023. Dragos OT Watch assisted in a threat hunt using the Dragos Platform in proximity to the OT network.
The self-styled CyberAv3ngers hacktivist collective executed a series of attacks targeting Unitronics programmable logic controllers (PLCs) across multiple sectors. The attack initially reported by the Municipal Water Authority of Aliquippa was part of a broader effort affecting critical public service sectors, including water and wastewater systems in the U.S. and Ireland. The campaign’s impact was notable, causing operational disruptions such as the shutdown of a water scheme in North Mayo, Ireland, and affecting wastewater treatment facilities in the U.S.
Cybersecurity company Volexity reported the results of a December 2023 incident response engagement that involved the active exploitation of two zero-day vulnerabilities in the Ivanti Connect Secure (ICS) virtual private network (VPN) by a threat group they designate as UTA0178. Dragos assessed that this group shares overlaps with VOLTZITE, or a subgroup that supports VOLTZITE in gaining initial access to targeted environments.
Vulnerabilities
In 2023, Dragos Intelligence assessed 2,010 OT common vulnerabilities and exposures (CVEs) reported by a variety of sources, including independent researchers, vendors, Dragos, and ICS-CERT.
Threats
Dragos Intelligence tracks adversary behaviors and analyzes their tactics, techniques, and procedures (TTPs), which are then characterized to power Dragos Platform threat detection capabilities. The following lists the threat groups currently tracked by Dragos and their capabilities, mapped to the ICS Cyber Kill Chain.
Key Findings
2023 ICS/OT Environment Assessments
Extremely limited / no visibility into OT environment
Poor security perimeters
Lacked Secure Remote Access
Download the Report