Industrial organizations that own operational technology (OT) assets were targeted by three new advanced threat groups last year. In total, industrial cybersecurity firm Dragos tracked ten OT-focused threat groups that had active operations in 2023. The company found that 11 known groups were “dormant” in 2023 and two were retired. Seven groups from previous years continued their activities and three new ones were identified for the first time: Gananite, Laurionite and Voltzite.
Of the three new groups discovered last year, Voltzite is a China-linked group, also known in the security industry as Volt Typhoon, which has broken into the IT networks of several critical infrastructure organizations. The Cybersecurity and Infrastructure Security Agency (CISA) and the US National Security Agency (NSA), together with the FBI, issued a warning earlier this month that this group does not engage in traditional cyberespionage, but rather focuses on lateral movement and on gaining access to OT assets, potentially to cause disruptions in response to future geopolitical tensions or military conflicts.
Voltzite relies heavily on living-off-the-land techniques and hands-on post-compromise actions aimed at expanding its access from the IT network perimeter to the OT network. The group is believed to have been in operation since at least 2021 and targets critical infrastructure entities in Guam, the United States and other countries, with a focus on electric utilities. The group also targets organizations in cybersecurity research, technology, the defense industrial base, banking, satellite services, telecommunications and education.
“Analysis of Voltzite operations underscores the need for continued vigilance among organizations operating in the global electricity sector, as the observed activity suggests an ongoing and specific interest in these networks,” Dragos said in its report. “Additionally, Voltzite’s actions involving prolonged surveillance and data collection align with Volt Typhoon’s assessed objectives of reconnaissance and gaining geopolitical advantage in the Asia-Pacific region.”
Another new group, Gananite, focuses on cyberespionage and data theft. The group’s targets have primarily been critical infrastructure and government organizations in Central Asia and Commonwealth of Independent States (CIS) countries. Gananite is known for using publicly available proof-of-concept (PoC) exploits to compromise internet-exposed endpoints and for using several remote access trojans, including Stink Rat, LodaRAT, WarzoneRAT, and JLORAT.
“Gananite has been observed carrying out several attacks against key personnel related to the management of industrial control systems (ICS) operations at a major European oil and gas company, railway organizations in Turkey and Azerbaijan, several transport and logistics companies, one automotive machinery company and at least one European government entity that oversees public water services,” Dragos said.
The third new group, Laurionite, was observed exploiting vulnerabilities in Oracle E-Business Suite iSupplier web services belonging to organizations in the aviation, automotive, manufacturing and government sectors. Oracle E-Business Suite is a popular enterprise solution for integrated business processes used across multiple industries. Laurionite has not yet been observed attempting to pivot into OT networks, but the potential is there, given its goals and the type of information about suppliers and supplier relationships that Oracle E-Business Suite iSupplier instances can contain.
While ransomware groups typically do not target OT assets directly, industrial organizations that have ransomware incidents on their IT networks can shut down their OT assets as a preventative measure. According to Dragos tracking, the number of ransomware incidents impacting industrial organizations increased by 50% last year, and more than 70% impacted manufacturers.
Hacktivist groups have also taken an interest in critical infrastructure organizations, although their operations are generally limited to distributed denial-of-service (DDoS) attacks against internet-exposed assets. But some went further. Last year, an anti-Israel group calling itself CyberAv3ngers attacked programmable logic controllers (PLCs) belonging to water utilities in North America and Europe.
Dragos also highlights that the quality of vulnerability information for OT assets remains poor. It found that a third of the advisories released last year about vulnerabilities relevant to OT systems contained incorrect data, including the wrong severity score. It also found that about one in three advisories provided no patch at the time of publication and that 73% offered no alternative mitigation, which is critical in industries where rapid patching is not an option because disrupting important industrial processes to deploy firmware updates requires careful planning.
Dragos tracks vulnerability information disclosed by OT vendors in advisories and regularly corrects it for its customers. The company found that 31% of advisories contained incorrect information that could cause asset owners to waste time and resources or to treat a vulnerability less seriously than necessary. The CVSS severity score had to be raised for 9% of the flaws and lowered for 4% of them.
The company also provided practical mitigation advice for the 49% of advisories that offered a patch but no alternative mitigation. Additionally, Dragos classifies vulnerabilities into three prioritization categories: now, next, or never. Of the 2,010 vulnerabilities analyzed last year, only 3% fell into the “now” category, while 68% could be mitigated with network monitoring, network segmentation, and multi-factor authentication.
Source: CisoAdvisor, Dragos