The landscape of cyber threats is rapidly evolving, particularly affecting operational technology (OT) networks and industrial control systems (ICS). As geopolitical tensions escalate, these systems are witnessing a significant uptick in malicious cyber activity. "A striking trend in 2024 was the continued lowering of the barrier to entry for adversaries targeting OT/ICS," researchers from Dragos noted in their annual report. This change indicates that entities traditionally uninvolved are viewing OT and ICS as viable targets for disruption and attention.
In 2024 alone, a staggering 87% increase in ransomware attacks on OT/ICS asset owners was observed, alongside a 60% rise in the number of groups targeting these installations. The manufacturing sector, in particular, feels the brunt of this surge, dealing with not just ransomware threats but also sophisticated malware attacks specific to ICS.
Among the notable newcomers is a group known as BAUXITE, which has purported ties to the Iranian cyber-operations community. This group was recently identified as actively compromising systems designed for industrial automation. "The adversary is capable of downloading logic to these controllers, causing a denial of service (DoS) equivalent to execute an ICS attack," emphasized the researchers from Dragos as they detailed BAUXITE's capabilities.

During a period from November 2023 to January 2024, BAUXITE penetrated Israeli-manufactured programmable logic controllers (PLCs) utilized by over 100 organizations, including critical sectors like water management and energy distribution. Their tactics include probing various OT devices, such as Siemens S7, signaling a sophisticated level of understanding of industrial systems.
While BAUXITE has attracted attention, another group, named GRAPHITE, emerged in 2024 and has connections to Russia’s notorious APT28, known colloquially as Fancy Bear. GRAPHITE focused its efforts on hydroelectric power, energy entities, and government operations across Eastern Europe and the Middle East, conducting persistent phishing campaigns. Unlike some of their more advanced counterparts, GRAPHITE has not yet displayed the capabilities associated with the ICS Cyber Kill Chain stage 2.
Turning to the ongoing conflict in Ukraine, OT/ICS defenses continue to face unprecedented challenges. A blatant demonstration of this occurred in January 2024 when a malware strain, identified as FrostyGoop, resulted in heating outages affecting 600 apartment buildings in Lviv amidst harsh winter conditions. This malware targeted ENCO controllers, showcasing the dire implications of cyber warfare on civilian infrastructure.
“Russian groups have launched multiple confirmed OT/ICS attacks against Ukrainian organizations in recent years,” noted Dragos. The fallout from these operations has included power blackouts, further underlining the critical need for robust cybersecurity frameworks within OT and ICS environments.

As these developments unfold, the increase in threat actors focused on OT and ICS systems, combined with the sophistication of their tactics, raises alarms among cybersecurity experts. Industrial organizations must adapt to the changing threat landscape, enhancing their defenses against both ransomware and targeted malware threats. These entities are urged to take proactive measures in securing their operational networks, particularly in light of the geopolitical strife influencing newfound interest and investment in disrupting critical infrastructure globally.
Looking Ahead
In summary, as the landscape of cyber threats shifts, particularly fueled by geopolitical strife, industrial organizations must remain vigilant. The rising trend in OT and ICS cyberattacks necessitates a reevaluation of cybersecurity measures to protect critical infrastructure from current and future threats.