Connect with us

Hi, what are you looking for?



Four Additional Threat Groups Seen Targeting Industrial Organizations in 2020

A total of 15 threat groups have been observed targeting industrial organizations, according to industrial cybersecurity firm Dragos.

A total of 15 threat groups have been observed targeting industrial organizations, according to industrial cybersecurity firm Dragos.

Dragos on Wednesday released its ICS Cybersecurity Year in Review report for 2020, which covers the industrial control systems (ICS) threat landscape and vulnerabilities disclosed last year. It also shares insights from the lessons learned by Dragos as a result of its work in 2020, and provides recommendations for industrial organizations on securing their networks.

In 2018, Dragos reported seeing five groups that had either attacked ICS directly or had shown an interest in gathering information on these types of systems. The next year, the company reported that the number had grown to nine, and now there are a total of 15 activity groups.

Dragos said it added four new groups to the list in 2020. These threat actors have shown an interest in targeting operational technology (OT) systems. In addition, the previously described 11 groups remained active.

The company told SecurityWeek that the newly added groups “have the potential to disrupt control systems, but have not been seen exclusively targeting control systems.”

Hacker groups targeting ICSOne of the new groups is tracked by Dragos as STIBNITE and it has been observed targeting electric energy companies — specifically wind turbines — in Azerbaijan. While there is an ongoing conflict between Armenia and Azerbaijan, the cybersecurity firm said there is “only a loose correlation between the conflict and STIBNITE operations, and the Dragos team is not making an assessment on who may be responsible for the targeting.”

STIBNITE, which has been seen using PoetRAT malware to gather information from victims, may have targeted the supplier and maintainer of the wind farms, which are based in Ukraine.

Another new group is tracked by Dragos as VANADINITE, which has been observed targeting the energy, manufacturing and transportation sectors in North America, Asia, Europe and Australia. The hackers have focused on harvesting information, including related to ICS processes and design, which experts believe could enable its sponsor to develop ICS-targeting capabilities.

Dragos believes VANADINITE could be behind the ransomware known as ColdLock, which has been used to target Taiwan, including state-owned industrial companies whose operations were indirectly disrupted by the ransomware.

Advertisement. Scroll to continue reading.

VANADINITE has been linked to Winnti — which has been around for over a decade and is believed to have Chinese origins — and a Winnti-related activity group tracked as LEAD.

Learn More About Threats to Industrial Systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits Virtual Event Series

The third new group has been named TALONITE and it appears to focus on initial access to organizations in the U.S. electric sector. The hackers have been conducting phishing campaigns that leverage power grid-related themes. They have been known for the use of malware such as LookBack, a remote access trojan (RAT) that emerged in 2019 when it was used to target U.S. utilities, and FlowCloud, a RAT analyzed by researchers in 2020.

Dragos also started tracking a threat group dubbed KAMACITE, which also targeted U.S. energy companies. KAMACITE’s operations have overlapped with the activities of Sandworm (ELECTRUM), a notorious Russia-linked group that is believed to have launched disruptive attacks against Ukraine’s power grid. Despite the overlaps, Dragos believes KAMACITE is a distinct group that should be tracked separately.

The company believes KAMACITE is an “access-enablement team” that aids other teams specializing in disruptive operations.

“These types of events, where adversaries gain access to ICS networks but do not have the intention of currently disrupting them, are much more common than is publicly reported,” Dragos said. “The threats are learning ICS. Although not every compromise will relate to an impact today, many may inform the attacks of the future.”

It added, “Threats are growing at a rate three times faster than they are going dormant. This is likely due to the increased investment made by adversaries in targeting ICS over the last five to 10 years, and whose investment will continue to accelerate the ICS threat environment.”

Related: More Threat Groups Target Electric Utilities in North America

Related: Manufacturing Sector Targeted by Five ICS-Focused Threat Groups

Related: Over 400 ICS Vulnerabilities Disclosed in 2019: Report

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.