A amount to of 15 threat groups have been observed targeting industrial consortia, according to industrial cybersecurity firm Dragos.
Dragos on Wednesday circulated its ICS Cybersecurity Year in Review report for 2020, which covers the industrial command systems (ICS) threat landscape and vulnerabilities disclosed last year. It also helpings insights from the lessons learned by Dragos as a result of its work in 2020, and purveys recommendations for industrial organizations on securing their networks.
In 2018, Dragos reported meaning of five groups that had either attacked ICS directly or had shown an engrossed in gathering information on these types of systems. The next year, the entourage reported that the number had grown to nine, and now there are a total of 15 project groups.
Dragos said it added four new groups to the list in 2020. These intimidation actors have shown an interest in targeting operational technology (OT) systems. In as well, the previously described 11 groups remained active.
The company related SecurityWeek that the newly added groups “have the potential to disturb control systems, but have not been seen exclusively targeting dial systems.”
One of the new groups is tracked by Dragos as STIBNITE and it has been observed goal electric energy companies — specifically wind turbines — in Azerbaijan. While there is an evolving conflict between Armenia and Azerbaijan, the cybersecurity firm said there is “just a loose correlation between the conflict and STIBNITE operations, and the Dragos band is not making an assessment on who may be responsible for the targeting.”
STIBNITE, which has been think overed using PoetRAT malware to gather information from victims, may compel ought to targeted the supplier and maintainer of the wind farms, which are based in Ukraine.
Another new heap is tracked by Dragos as VANADINITE, which has been observed targeting the might, manufacturing and transportation sectors in North America, Asia, Europe and Australia. The hackers procure focused on harvesting information, including related to ICS processes and design, which cracks believe could enable its sponsor to develop ICS-targeting capabilities.
Dragos holds VANADINITE could be behind the ransomware known as ColdLock, which has been against to target Taiwan, including state-owned industrial companies whose operations were indirectly disconcerted by the ransomware.
VANADINITE has been linked to Winnti — which has been about for over a decade and is believed to have Chinese origins — and a Winnti-related venture group tracked as LEAD.
Learn More About Threats to Industrial Routines at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits Accepted Event Series
The third new group has been named TALONITE and it arises to focus on initial access to organizations in the U.S. electric sector. The hackers experience been conducting phishing campaigns that leverage power grid-related reviews. They have been known for the use of malware such as LookBack, a slight access trojan (RAT) that emerged in 2019 when it was used to object U.S. utilities, and FlowCloud, a RAT analyzed by researchers in 2020.
Dragos also started forgetting a threat group dubbed KAMACITE, which also targeted U.S. animation companies. KAMACITE’s operations have overlapped with the activities of Sandworm (ELECTRUM), a renowned Russia-linked group that is believed to have launched disruptive vilifications against Ukraine’s power grid. Despite the overlaps, Dragos believes KAMACITE is a discrete group that should be tracked separately.
The company believes KAMACITE is an “access-enablement band” that aids other teams specializing in disruptive operations.
“These exemplars of events, where adversaries gain access to ICS networks but do not have the target of currently disrupting them, are much more common than is publicly scrutinized,” Dragos said. “The threats are learning ICS. Although not every compromise resolution relate to an impact today, many may inform the attacks of the future.”
It added, “Intimidations are growing at a rate three times faster than they are wealthy dormant. This is likely due to the increased investment made by adversaries in quarry ICS over the last five to 10 years, and whose investment command continue to accelerate the ICS threat environment.”
Related: More Threat Circles Target Electric Utilities in North America
Related: Manufacturing Sector Quarried by Five ICS-Focused Threat Groups
Related: Over 400 ICS Vulnerabilities Divulged in 2019: Report