The last year saw a rise in the sophistication and number of attacks targeting industrial infrastructure, including the discovery of a modular malware toolkit that’s capable of targeting tens of thousands of industrial control systems (ICS) across different industry verticals. At the same time, incident response engagements by industrial cybersecurity firm Dragos showed that 80% of impacted environments lacked visibility into ICS traffic and half had network segmentation issues and uncontrolled external connections into their OT networks.
“A number of the threats that Dragos tracks may evolve their disruptive and destructive capabilities in the future because adversaries often do extensive research and development (R&D) and build their programs and campaigns over time,” the Dragos researchers said in a newly released annual report. “This R&D informs their future campaigns and ultimately increases their disruptive capabilities.”
Active ICS threat groups tracked
Dragos has been tracking a total of 20 separate threat groups that have been targeting industrial infrastructure organizations since 2020. Last year, eight of these groups were active, including two new ones that the company has dubbed Chernovite and Bentonite.
Of these two, Chernovite is the clear standout and exhibits aspects of both stage 1 and stage 2 of the ICS Cyber Kill Chain. Stage 1 is the initial intrusion and reconnaissance activity that allows an attacker to collect information about an OT environment and develop capabilities against a particular ICS implementation; stage 2 is the weaponization of the information collected in stage 1, with the development of capabilities to actually impact the ICS.
Chernovite is the group behind a highly sophisticated malware platform capable of attacking industrial control systems that Dragos calls Pipedream, but which cybersecurity firm Mandiant calls Incontroller. This malware was discovered in early 2022 and is believed to have been developed by a state actor. While Dragos does not do attack attribution assessments, Mandiant noted that it’s consistent with Russia’s historical interest in ICS, but that the evidence is circumstantial.
Pipedream or Incontroller was discovered before it was “employed,” meaning the attackers didn’t get to pull the trigger before it was found, but they were getting very close, Robert M. Lee, the CEO and co-founder of Dragos, said during a press briefing. In his opinion the malware didn’t get the attention it deserved, probably because it was found before it caused any damage, but the malware has very effective disruptive and destructive capabilities and it was the closest we ever got to US and European infrastructure going offline.
“I don’t want to hype up anything, but I think a big portion of the community kind of moved past it quickly because there wasn’t some big attack,” he said. “It wasn’t a Colonial Pipeline. It wasn’t Ukraine Electric. So, something didn’t happen, but I don’t think people understand how close it was to happening.”
It’s believed that Chernovite was targeting around a dozen key electric and liquid natural gas sites, but the malware’s capabilities are by no means limited to those industries. In fact, Pipedream is the first ever ICS malware that leverages native functionality in some of the most widespread ICS protocols, including those used by Schneider Electric, Omron and CODESYS PLCs, as well as any PLCs that support the OPC Unified Architecture (OPC UA) standard.
In other words, anything an operator can do over these protocols, the malware can do. According to Lee, it is in some ways more impressive than any engineering workstation software any particular vendor has, because that software will only work with PLCs from that specific vendor, but Pipedream can work with all of them.
“It’s very impressive,” Lee said. “So, it was designed initially to target 15 specific types of devices, but the way it’s going about it can operate across thousands of different controllers and things deployed in the community, hundreds of different vendors, and in pretty much every sector out there.”
The worst part is that there is no vulnerability to patch, since it’s all mostly native functionality. Dragos fully expects to see this malware deployed again and there’s no easy fix. Organizations that only focus on prevention and are not also doing detection and response have zero chance against this adversary, Lee said.
“We have a lot less visibility than people realize, globally,” Lee said. “I would say maybe 5% of global infrastructure is being monitored. If all of our efforts are going into preventing attacks, but 5% of companies are actually looking inside the house, then you’re not going to see as much of the threats as you’d like. I would say we’re operating kind of on that 5% window, and we’re still finding quite a few rather scary things.”
Bentonite, the second new threat actor detected in 2022, has so far displayed only stage 1 capabilities. The group targets primarily the manufacturing and oil and gas industries but seems to be opportunistic about the organizations it chooses, taking advantage of any exposed remote access connection it finds or exploiting internet-facing assets. The group’s malware implant is unremarkable. However, Dragos warns that the group is smart and collects information that would allow it to move into OT networks in the future, such as industrial equipment diagrams or data on physical processes.
Another group still active in 2022 was Kostovite, a group initially detected in 2021 that has demonstrated a capability of performing lateral movement and reaching OT and ICS networks. It commonly exploits enterprise perimeter environments and can use zero-day vulnerabilities. It maintains dedicated infrastructure per target and there is evidence it might have some overlaps with APT5, one of the oldest China-based cyberespionage groups.
Kamacite and Electrum are two groups that continued their activities and are associated with Sandworm, which is believed to be a unit of the Russian military intelligence service (GRU). Sandworm has been responsible for destructive attacks with the NotPetya malware and for multiple attacks against the Ukrainian power grid using the BlackEnergy and Industroyer malware programs. Kamacite is believed to be a team focused on gaining initial access to networks using an implant dubbed Cyclops Blink and then passing that access off to Electrum, which is usually tasked with causing a destructive effect. Kamacite has been seen targeting infrastructure in Europe, Ukraine, and the US.
Xenotime is another older group that remains active and seems focused on targeting electric and oil and gas organizations in the Middle East and the US. Its targets seem to be carefully selected and have connections between them, which suggests a nuanced understanding of the oil and gas sector, drawn from non-public sources, that allows the group to identify pressure points.
Xenotime is the group that developed Triton (also tracked as Trisis), a malware framework capable of disabling safety instrumented systems (SIS); it was used against an organization in Saudi Arabia in 2017. This makes Xenotime one of the groups with a proven motivation and capability to destroy critical infrastructure.
Erythrite is a stage 1 group that uses less sophisticated techniques such as search engine optimization (SEO) poisoning and custom malware. The group is focused on data and credential theft, but its large-scale activities, particularly those aimed at the manufacturing sector, are concerning. Its targets include around 20% of Fortune 500 companies and are mostly located in the US and Canada. The group is a particularly big threat to organizations with poor network segmentation between IT and OT, Dragos said.
Finally, Wassonite is a stage 1 group that seems to have a focus on nuclear energy, electric, oil and gas, advanced manufacturing, pharmaceutical, and aerospace industries primarily from South and East Asia. The group uses the DTrack and AppleSeed remote access trojans that are distributed through spear phishing lures customized for specific industries and organizations.
Adding to the targeted threats from these groups, Dragos also notes that ransomware attacks against industrial organizations increased by 87% last year, with manufacturing being the most impacted sector. LockBit was responsible for the highest numbers of attacks, followed by the now defunct Conti ransomware group, Black Basta, and Hive.
ICS vulnerabilities and blind spots
The number of vulnerabilities specifically for ICS-related hardware and software increased by 27% from 2021, but this doesn’t paint the whole picture as not all vulnerabilities are equal, especially in the ICS space.
As such, Dragos performed a deeper risk assessment of those vulnerabilities and found that 15% were in devices bordering enterprise networks and 85% were deep inside ICS networks. Furthermore, half didn’t lead to either loss of visibility or control and half did. The bigger issue is that in a sector where patching often involves shutting down operations and critical devices, asset owners rely heavily on mitigation and of the 70% of vendor advisories that provided patches, 51% did not contain any mitigation advice. A further 30% of advisories didn’t have a patch and 16% of those had no practical mitigation.
In 34% of vendor advisories, Dragos found incorrect data such as wrong software numbers, wrong hardware models, wrong versions and so on. The company assesses that the severity score should have been higher than the one assigned by the vendor in 70% of cases and lower in 30% of cases.
The good news is that, based on Dragos’ risk assessment that breaks down vulnerabilities into patch now, patch in the next cycle, or shouldn’t care about it, only 2% fall in the patch now category. Another 95% can be delayed until the next maintenance cycle and mitigated with network segmentation, monitoring, and maybe multifactor authentication in the meantime. Three percent are either hyped or plain wrong and fall in the last category.
From security assessments performed by the company, the most common issue was lack of visibility inside the ICS environment, with 80% of customers having limited OT visibility. However, this is a 6% decrease from the previous year, so there is an improvement. Half of customers had issues with network segmentation, a decrease of 27%, and 53% had undisclosed or uncontrolled connections into their OT networks, a decrease of 17% over the previous year. While the situation is still not great across the industry, one area that seems to be getting worse is the lack of user management separation between IT and OT, which is the case in 54% of organizations, a 10% increase from 2021.
“That’s one of the things that we see in a ton of ransomware cases, where the ransomware actors target the IT network, populate the ransomware out through the Active Directory domain controller, and then it just gets into the operations networks, even if it wasn’t their target, via those shared credentials,” Lee said.
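A check for the shared-credential problem Lee describes, written here as an added example and not Dragos’ own tooling or the report’s method: it joins a constructed asset inventory with constructed successful-logon records and flags accounts used on both sides of the IT/OT boundary, as well as logons that reach OT hosts directly from IT instead of via the jump host. All hostnames, accounts and zone labels are made up; real input would be a SIEM export of logon events plus an asset inventory labelled by zone.

```python
import csv
import io
from collections import defaultdict

# Constructed asset inventory: hostname -> zone. "jump" is the approved
# IT/OT crossing point (a hardened jump host in the DMZ).
ASSET_ZONES = {
    "FIN-WS01": "IT", "HR-WS07": "IT", "DC01": "IT",
    "OT-JUMP01": "jump",
    "HMI-LINE1": "OT", "ENG-WS01": "OT", "HIST01": "OT",
}

# Constructed successful-logon records: time, account, source host, target host.
LOGON_CSV = """\
time,account,src_host,dst_host
2023-02-01T08:01:00,jsmith,FIN-WS01,DC01
2023-02-01T08:05:00,svc_backup,DC01,HIST01
2023-02-01T08:07:00,svc_backup,DC01,FIN-WS01
2023-02-01T09:12:00,eng_ops,OT-JUMP01,ENG-WS01
2023-02-01T09:30:00,eng_ops,OT-JUMP01,HMI-LINE1
2023-02-01T10:02:00,jsmith,HR-WS07,HMI-LINE1
"""

def zone_of(host):
    # Unknown hosts are labelled rather than dropped: an unlisted host talking
    # to OT is itself a visibility gap worth a ticket.
    return ASSET_ZONES.get(host, "unknown")

def analyse_logons(csv_text):
    """Return (shared_accounts, direct_crossings).

    shared_accounts: accounts seen on both IT and OT hosts, i.e. credentials
      that would carry an IT compromise (or ransomware) into the OT network.
    direct_crossings: logons from an IT host straight to an OT host,
      bypassing the jump zone.
    """
    zones_by_account = defaultdict(set)
    direct_crossings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src_zone, dst_zone = zone_of(row["src_host"]), zone_of(row["dst_host"])
        zones_by_account[row["account"]].update({src_zone, dst_zone})
        if src_zone == "IT" and dst_zone == "OT":
            direct_crossings.append((row["time"], row["account"],
                                     row["src_host"], row["dst_host"]))
    shared = sorted(a for a, z in zones_by_account.items() if {"IT", "OT"} <= z)
    return shared, direct_crossings

if __name__ == "__main__":
    print(analyse_logons(LOGON_CSV))
```

On the sample data the backup service account and one user are flagged as shared across IT and OT, and two logons reach OT hosts without passing through the jump host.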
One of the most concerning findings is that 80% of assessed customers still don’t have visibility into their ICS systems, and that’s 80% of organizations that are relatively mature and engage the services of companies such as Dragos. In reality, the number is probably higher.
“If you don’t know what you have, you have no idea how many assets you have, how they’re connected, who’s connecting to them, any sort of detection, you’re never going to get root cause analysis or understand what went wrong or be able to detect adversaries,” Lee said. “And when more than 80%, on average, can’t do that at all — when you’re talking about critical infrastructure and pipelines in this country — obviously that’s a concern.”