A recent Dragos cybersecurity report analyzed two new OT cyber threat groups and ransomware activity. The report found that there was an 87% increase in ransomware activity over last year.
BAUXITE has been implicated in multiple global campaigns targeting industrial entities and specific devices. This group shares substantial technical overlaps, based on capabilities and network infrastructure, with the hacktivist persona CyberAv3ngers, which has explicit affiliations with the Iranian Revolutionary Guard Corps—Cyber and Electronic Command (IRGC-CEC), as reported by the U.S. Government.
Since late 2023, researchers observed four BAUXITE campaigns, including those with Stage 2 ICS Cyber Kill Chain impacts via trivial compromises of exposed devices. Confirmed victims of BAUXITE are in the United States, Europe, Australia, and the Middle East in multiple critical infrastructure sectors, including energy (oil and natural gas, and electric), water and wastewater, food and beverage, and chemical manufacturing.
GRAPHITE targets entities in the energy, oil and gas, logistics, and government sectors across Eastern Europe and the Middle East. The group has strong technical overlaps with APT28 and other names. GRAPHITE focuses on organizations with relevance to the military situation in Ukraine. Observable since Russia’s invasion of Ukraine in February 2022, this focus may indicate a specialized subunit or an expansion of mission goals.
GRAPHITE has been identified conducting spear-phishing campaigns targeting hydroelectric generation and natural gas pipeline operators and facilities and near-constant phishing operations using known vulnerabilities and custom script-based malware to target organizations in critical industries across its targeted geography.
Researchers Identified Two New ICS-Focused Malware Threats—Fuxnet and FrostyGoop.
- Fuxnet: This malware, attributed to a pro-Ukraine hacktivist group BlackJack, is designed to target industrial sensor networks for Moskollektor, a municipal organization that maintains Moscow’s communication system for a gas, water, and sewage network. Using the Fuxnet malware, BlackJack claimed to disable thousands of sensors and destroy sensor gateway devices, rendering them unable to transmit information.
- FrostyGoop: First identified in early 2024, FrostyGoop is a more destructive malware designed to manipulate Modbus TCP/502 communications within ICS environments. It can alter or spoof normal industrial process commands, enabling it to evade antivirus software and cause physical damage to infrastructure, as seen in its documented attack on the energy supply for district heating systems in Ukraine. The malware caused heating outages for over 600 apartment buildings in Ukraine in January 2024. Dragos’s investigation of FrostyGoop revealed that there were over 46,000 internet-exposed ICS devices communicating over Modbus worldwide.
Updated Threat Group Activity:
- VOLTZITE is arguably the most crucial threat group to track in critical infrastructure. Due to its dedicated focus on OT data, the group is a capable threat to ICS asset owners and operators. This group shares extensive technical overlaps with the Volt Typhoon threat group tracked by other organizations. It utilizes the same techniques as in previous years, setting up complex chains of network infrastructure to target, compromise, and steal compromising OT-relevant data—GIS data, OT network diagrams, OT operating instructions, etc.—from victim ICS organizations. VOLTZITE is a key reason for monitoring OT networks and hunting for malicious activity. With careful monitoring and investigation of “odd” network communication, VOLTZITE can be identified and defended against.
- KAMACITE shifted from solely targeting Ukraine by introducing new, custom Windows-based malware strains and expanded its focus to European oil and natural gas (ONG) entities. This coincided with the expiration of an agreement allowing Russian state-owned company Gazprom to supply gas to Eastern and Central Europe.
- ELECTRUM continues wiper campaigns with a new capability, AcidPour, a binary compiled for Linux operating systems that can search and wipe Unsorted Block Images (UBI) directories in embedded devices, including devices in OT environments. AcidPour is a variant of AcidRain but with extended capability to Memory Technology Devices (MTDs) often found in embedded systems. Dragos determined ELECTRUM used the resources and reputation of the hacktivist persona Solnetspek to obfuscate its operational activities in the December 2023 cyber attack on Kyivstar, Ukraine’s primary telecommunications provider.
The number of ransomware groups targeting industrial organizations jumped to 80, a 60% increase from the 50 groups observed in 2023. Collectively, these groups attacked an average of 34 industrial organizations per week during the first half of 2024. That number more than doubled during the second half of the year. Manufacturing remains the most affected sector, accounting for more than 50% of observed ransomware victims. Twenty-five percent of the ransomware cases observed involved full shutdown of an OT site, and 75% involved disruption to operations to some degree.
In 2024, researchers found that 70% of the vulnerabilities researched were deep within the ICS network, 39% could cause both a loss of view and a loss of control, and 22% of advisories were network-exploitable and perimeter-facing, rising from 16% in 2023.