Attacks against operational technology (OT) networks are on the rise, fueled by geopolitical tensions and conflicts, as OT security quickly becomes a mainstream concern.
Two new threat groups emerged in 2024, joining seven other active attackers of OT systems, and two new malware families targeting industrial control systems (ICS) were added to attackers' arsenals as well, according to researchers from Dragos.
"A striking trend in 2024 was the continued lowering of the barrier to entry for adversaries targeting OT/ICS," researchers from the industrial security firm wrote in their annual report. "Adversaries that might have once been unaware of or ignored OT/ICS entirely now view it as an effective attack vector to achieve disruption and attention."
In addition to ICS-specific malware threats, industrial organizations, especially those in the manufacturing sector, are also dealing with a sharp rise in ransomware attacks. The number of ransomware attacks targeting OT/ICS asset owners increased 87% in 2024, and the number of groups going after such targets rose by 60%.
New Iranian group gains ICS-targeting capability
Dragos tracks 23 threat groups that have targeted OT networks with the intention of gathering information or manipulating industrial control systems. Each group's capabilities are broken down into the two stages of the ICS Cyber Kill Chain: stage 1 covers intrusion into and reconnaissance of the industrial network, stage 2 the ability to develop and execute an attack against the control systems themselves.
Dragos observed activity from nine of those 23 groups last year, two of which were new, and one of which had ICS Cyber Kill Chain stage 2 capabilities. Tracked under the alias BAUXITE, the group overlaps with CyberAv3ngers, a hacktivist persona that the US government previously attributed to a unit within Iran's Islamic Revolutionary Guard Corps (IRGC).
Between November 2023 and January 2024, BAUXITE compromised Israeli-made Unitronics Unistream and Vision series programmable logic controllers (PLCs) that were exposed to the internet. These PLCs belonged to more than 100 organizations, including water and wastewater utilities and energy companies.
"The adversary is capable of downloading logic to these controllers, causing a denial of service (DoS) equivalent to execute an ICS attack," the Dragos researchers wrote.
Throughout 2024, the group also targeted Sophos firewalls and performed port scanning against several kinds of OT/ICS assets, including Siemens S7 devices, CIMON Automation devices, devices running an OPC Unified Architecture (OPC UA) server, devices speaking Omron's Factory Interface Network Service (FINS) protocol, and devices running CODESYS. The same protocols are also targeted by Pipedream (also known as Incontroller), a piece of ICS malware discovered in 2022 and attributed to a group Dragos dubbed CHERNOVITE.
In late 2024, BAUXITE also managed to compromise more than 400 OT/ICS devices and firewalls worldwide, deploying a custom embedded Linux backdoor called IOControl on them.
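The scanning behaviour described above is detectable in ordinary connection logs: one external source touching several different ICS service ports on several hosts within minutes is reconnaissance, while an HMI polling a single protocol all day is not. The following is an added example written for this page, not Dragos code or anything published about BAUXITE. It assumes the devices listen on the protocols' default TCP ports, and the connection records are constructed in a Zeek-like "timestamp src dst dport state" layout.

```python
"""Flag sources that probe several ICS/OT service ports in a short window.
Added example, not Dragos code; the log format and all addresses are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Default TCP ports of the protocols named in the text. Assumption of this
# example: the monitored devices listen on default ports.
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    2455: "CODESYS runtime",
    4840: "OPC UA",
    9600: "Omron FINS",
    20256: "Unitronics PCOM",
}

# Constructed sample: "timestamp src dst dport state", where state follows Zeek's
# conn.log convention (S0 = SYN unanswered, SF = completed handshake and teardown).
SAMPLE_CONN_LOG = """\
2024-06-01T01:00:00 203.0.113.10 10.20.0.9 2455 S0
2024-06-01T10:00:01 203.0.113.10 10.20.0.5 102 S0
2024-06-01T10:00:02 203.0.113.10 10.20.0.5 502 SF
2024-06-01T10:00:02 203.0.113.10 10.20.0.6 4840 S0
2024-06-01T10:00:03 203.0.113.10 10.20.0.7 9600 S0
2024-06-01T10:00:04 203.0.113.10 10.20.0.7 20256 SF
2024-06-01T10:00:05 198.51.100.7 10.20.0.5 22 SF
2024-06-01T10:00:00 10.20.0.100 10.20.0.5 502 SF
2024-06-01T10:00:30 10.20.0.100 10.20.0.5 502 SF
2024-06-01T10:01:00 10.20.0.100 10.20.0.6 502 SF
"""


def detect_ics_scanners(conn_log: str, window: timedelta = timedelta(minutes=10),
                        min_ports: int = 3) -> dict[str, dict]:
    """Return, per source, the densest window in which it touched >= min_ports
    distinct ICS ports. A single HMI polling one protocol never trips this."""
    events = defaultdict(list)
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, state = line.split()
        dport = int(dport)
        if dport in ICS_PORTS:                      # ignore non-ICS traffic
            events[src].append((datetime.fromisoformat(ts), dst, dport, state))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        best = None
        j = 0
        for i in range(len(evs)):
            j = max(j, i)
            # grow [i, j) while every event still falls within `window` of evs[i]
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            chunk = evs[i:j]
            ports = {p for _, _, p, _ in chunk}
            if len(ports) >= min_ports and (best is None or len(ports) > len(best[1])):
                best = (chunk, ports)
        if best is not None:
            chunk, ports = best
            findings[src] = {
                "protocols": sorted(ICS_PORTS[p] for p in ports),
                "hosts": len({d for _, d, _, _ in chunk}),
                # ports that completed a handshake are live services, not just probes
                "responsive_ports": sorted({p for _, _, p, s in chunk if s == "SF"}),
                "first_seen": chunk[0][0].isoformat(),
                "last_seen": chunk[-1][0].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_ics_scanners(SAMPLE_CONN_LOG).items():
        print(src, info)
```

On the constructed sample only 203.0.113.10 is reported: it hit five protocols on three hosts in four seconds, and two of those ports (Modbus and Unitronics PCOM) answered, which is the list a responder would want first. The lone CODESYS probe nine hours earlier falls outside the window and is not counted, and the HMI at 10.20.0.100 polling Modbus is ignored because it only ever touches one protocol.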
New Russian group focused on Ukraine
The second new group to launch attack campaigns against industrial organizations last year, dubbed GRAPHITE, overlaps with APT28 activity. Also known as Fancy Bear or Pawn Storm, APT28 is believed to be a unit within Russia's General Staff Main Intelligence Directorate (GRU).
GRAPHITE ran constant phishing campaigns against hydroelectric, energy, and government entities in Eastern Europe and the Middle East. The group exploits known vulnerabilities to deploy credential-stealing malware. While it has not yet displayed ICS Cyber Kill Chain stage 2 capabilities, other groups tied to the Russian government and the GRU do have that capability, for example ELECTRUM, also known as Sandworm.
New ICS malware used in the Ukraine war
Russian groups have launched several confirmed OT/ICS attacks against Ukrainian organizations in recent years, even before the war started, resulting in power blackouts and downtime.
One such attack occurred in January 2024 and involved a piece of malware called FrostyGoop. The attack led to heating outages for more than 600 apartment buildings in the Ukrainian city of Lviv in the middle of winter, during freezing temperatures.
FrostyGoop targeted ENCO controllers over the Modbus protocol, but the Dragos researchers said its capabilities are not limited to ENCO devices: Modbus is ubiquitous in industrial environments, so the same technique could interact with PLCs, DCS, sensors, actuators, and other field devices that speak it.
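Modbus/TCP carries no authentication, so the only defensive signal is who sends write commands and to what. The following is an added example, not Dragos code and not a reproduction of FrostyGoop's traffic: it decodes the MBAP header and PDU of Modbus/TCP requests, distinguishes reads from the write function codes (5, 6, 15, 16, 23), and alerts when a write comes from a host that is not on an allowlist of engineering workstations. The frames, addresses and allowlist are constructed.

```python
"""Decode Modbus/TCP requests and alert on register/coil writes from hosts that
are not supposed to issue them. Added example, not Dragos or FrostyGoop code;
sample frames, IP addresses and the allowlist are constructed."""
import struct
from dataclasses import dataclass

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16, 23}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int      # start address of the registers/coils touched (write side for FC 23)
    count: int        # number touched; 1 for single writes
    payload: bytes    # value bytes for writes, empty for reads

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_CODES


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one MBAP header + PDU; raise ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:            # MBAP length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    fc, pdu = frame[7], frame[8:]
    if fc in (1, 2, 3, 4):                  # address, quantity
        addr, qty = struct.unpack(">HH", pdu[:4])
        return ModbusRequest(tid, uid, fc, addr, qty, b"")
    if fc in (5, 6):                        # address, 16-bit value
        addr = struct.unpack(">H", pdu[:2])[0]
        return ModbusRequest(tid, uid, fc, addr, 1, pdu[2:4])
    if fc in (15, 16):                      # address, quantity, byte count, data
        addr, qty, bc = struct.unpack(">HHB", pdu[:5])
        if bc != len(pdu) - 5:
            raise ValueError("byte count does not match data length")
        return ModbusRequest(tid, uid, fc, addr, qty, pdu[5:])
    if fc == 23:                            # read addr/qty, write addr/qty, byte count, data
        _, _, waddr, wqty, bc = struct.unpack(">HHHHB", pdu[:9])
        if bc != len(pdu) - 9:
            raise ValueError("byte count does not match data length")
        return ModbusRequest(tid, uid, fc, waddr, wqty, pdu[9:])
    return ModbusRequest(tid, uid, fc, 0, 0, pdu)   # other/vendor-specific codes


def audit_frames(frames, allowed_writers):
    """frames: iterable of (source_ip, raw_frame). Returns alert strings."""
    alerts = []
    for src, frame in frames:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src}: malformed Modbus/TCP frame ({exc})")
            continue
        if req.is_write and src not in allowed_writers:
            name = FUNCTION_NAMES.get(req.function_code, f"FC {req.function_code}")
            alerts.append(f"{src}: {name} to unit {req.unit_id} at address "
                          f"{req.address:#06x} (count {req.count}) from non-allowlisted host")
    return alerts


# Constructed frames: MBAP header (tid, proto 0, length, unit) followed by the PDU.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")            # read 10 regs at 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 0000")            # set register 0x10 to 0
WRITE_MULTI = bytes.fromhex("0003 0000 000b 01 10 0100 0002 04 00000000")  # zero regs 0x100-0x101
BAD_PROTO = bytes.fromhex("0004 0001 0006 01 03 0000 000a")               # protocol id 1

SAMPLE_TRAFFIC = [
    ("10.20.0.100", READ_HOLDING),   # HMI polling, expected
    ("10.20.0.100", WRITE_SINGLE),   # engineering workstation, allowlisted
    ("192.0.2.50", WRITE_SINGLE),    # unexpected writer
    ("192.0.2.50", WRITE_MULTI),     # unexpected writer
    ("192.0.2.50", BAD_PROTO),       # malformed
]
ALLOWED_WRITERS = {"10.20.0.100"}

if __name__ == "__main__":
    for alert in audit_frames(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print(alert)
```

The allowlist is deliberately per source host rather than per function code: reads from anywhere on the control network are normal, but writes to holding registers (which is how setpoints on a heating controller would be changed) should only ever come from a handful of known engineering stations. Malformed frames are reported as well, since a length or protocol-id mismatch on port 502 is more often a scanner or a fuzzing tool than a real client.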
Ukraine-affiliated groups responded with attacks of their own. In April 2024, a hacktivist group dubbed BlackJack breached Moskollektor, a Moscow municipal organization responsible for the communication system of the city's gas, water, and sewage networks. The group claimed it disrupted communications to thousands of industrial sensors.
Researchers established that a new piece of malware called Fuxnet was used, making it the eighth known ICS-specific malware family ever discovered. The malware overwhelms sensors by sending a flood of Meter-Bus requests; Meter-Bus (M-Bus) is a protocol for reading data from water, gas, and electricity meters. In addition, Fuxnet has a Linux wiper component that destroys the file system of the sensor gateways.
"The attack on Moskollektor underscores the normalization of attacks on industrial devices by groups driven by geopolitical conflicts," the researchers wrote. "Fuxnet was highly tailored to Moskollektor and is unlikely to be used against another industrial environment without significant changes to the codebase."
Nearly a quarter of vulnerabilities were exploitable at the network perimeter
Last year Dragos reviewed 606 public vulnerability advisories for ICS devices and applied its own patch prioritization framework, which splits vulnerabilities into three categories: now, next, and never. Six percent of the flaws fell into the patch-now category: they were remotely exploitable without authentication and were either actively exploited or had public proof-of-concept exploits. Another 63% were placed in the patch-next category because they could be mitigated with network hygiene and segmentation.
Overall, 22% of the vulnerabilities were both exploitable over the network and located in network perimeter devices, meaning attackers could target them more easily from the internet. This was an increase from 16% in 2023.
Patching ICS devices is rarely easy or fast, because these devices often control critical processes and can only be taken down in scheduled maintenance windows. As a result, mitigation is often preferred to patching. Unfortunately, 57% of the advisories that offered patches offered no alternative mitigation, and 18% of advisories offered neither a patch nor a mitigation.
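A triage rule of this kind is easy to make mechanical, which matters when hundreds of advisories arrive a year and maintenance windows are scarce. The following is an added example, not Dragos's framework or data: it encodes the now/next/never criteria as the text describes them (remote, unauthenticated and already weaponised is "now"; otherwise network-reachable is "next"; local-only is "never"), orders a work queue so perimeter devices come first within each bucket, and reports the same ratios the article cites. The advisory records and their identifiers are constructed, and the exact criteria are this example's reading of the text rather than Dragos's published definitions.

```python
"""Bucket ICS advisories into now/next/never and report perimeter and
mitigation ratios. Added example, not Dragos's framework or data; the
criteria are this example's reading of the article and the records are constructed."""
from dataclasses import dataclass

BUCKET_ORDER = {"now": 0, "next": 1, "never": 2}


@dataclass
class Advisory:
    advisory_id: str            # hypothetical identifier, not a real CVE
    network_exploitable: bool   # reachable over the network (vs. local/physical only)
    auth_required: bool
    exploited_or_poc: bool      # actively exploited or public proof-of-concept
    perimeter_device: bool      # firewall, VPN, remote-access or other edge device
    patch_available: bool
    mitigation_available: bool  # vendor offered a workaround besides patching


def triage(adv: Advisory) -> str:
    """'now': remote, unauthenticated and already weaponised.
    'next': network-reachable, so segmentation and hygiene buy time.
    'never': local-only; fold into the normal maintenance cycle."""
    if adv.network_exploitable and not adv.auth_required and adv.exploited_or_poc:
        return "now"
    if adv.network_exploitable:
        return "next"
    return "never"


def share(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def summarize(advisories: list[Advisory]) -> dict:
    total = len(advisories)
    buckets = {"now": 0, "next": 0, "never": 0}
    for adv in advisories:
        buckets[triage(adv)] += 1
    perimeter_remote = [a for a in advisories if a.network_exploitable and a.perimeter_device]
    patched = [a for a in advisories if a.patch_available]
    patched_no_mitigation = [a for a in patched if not a.mitigation_available]
    nothing_offered = [a for a in advisories
                       if not a.patch_available and not a.mitigation_available]
    # Work queue: bucket first, then perimeter devices ahead of internal ones.
    queue = sorted(advisories,
                   key=lambda a: (BUCKET_ORDER[triage(a)], not a.perimeter_device, a.advisory_id))
    return {
        "buckets_pct": {k: share(v, total) for k, v in buckets.items()},
        "perimeter_and_remote_pct": share(len(perimeter_remote), total),
        # denominator is advisories that shipped a patch, as in the article's 57% figure
        "patched_without_mitigation_pct": share(len(patched_no_mitigation), len(patched)),
        "no_patch_no_mitigation_pct": share(len(nothing_offered), total),
        "work_queue": [a.advisory_id for a in queue],
    }


# Constructed records: (id, network, auth, exploited/PoC, perimeter, patch, mitigation)
SAMPLE_ADVISORIES = [
    Advisory("adv-01", True, False, True, True, True, False),
    Advisory("adv-02", True, True, False, True, True, True),
    Advisory("adv-03", True, False, False, False, False, True),
    Advisory("adv-04", False, False, False, False, True, False),
    Advisory("adv-05", True, True, True, False, False, False),
    Advisory("adv-06", False, True, False, True, True, True),
    Advisory("adv-07", True, False, True, False, True, True),
    Advisory("adv-08", True, True, False, True, True, False),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ADVISORIES).items():
        print(f"{key}: {value}")
```

Two details are worth noting. An exploited flaw that still needs credentials (adv-05) lands in "next", not "now", which is the intended effect of the unauthenticated criterion. And the 57%-style ratio is computed over advisories that shipped a patch, not over all advisories, so the two "no mitigation" figures answer different questions and should not be added together.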
"Adversaries are not just testing OT networks — they are actively embedding themselves within critical infrastructure, positioning for long-term access, operational disruption, and potential large-scale consequences," the researchers wrote. "The time for reactive security is over. Defenders must move toward continuous monitoring, proactive threat hunting, and incident response capabilities tailored for OT environments."