Increasing Number of Threat Groups Targeting OT Systems in North America

An increasing number of threat groups have been targeting organizations with industrial control system (ICS) or other operational technology (OT) environments, according to a new report from industrial cybersecurity company Dragos.

Dragos last year identified three new groups that appear to be interested in ICS/OT, which brings the total number of such groups tracked by the company to 18. The new groups discovered in 2021 are tracked as KOSTOVITE, ERYTHRITE and PETROVITE, and the first two actually managed to gain direct access into ICS/OT networks.

PETROVITE, which has targeted mining and energy operations in Kazakhstan, has shown an interest in collecting data on ICS/OT systems and networks, but, based on what Dragos has seen, it has yet to actually gain access to these types of systems. The company is aware of PETROVITE attacks conducted since the third quarter of 2019.

There appear to be some overlaps between PETROVITE activity and KAMACITE and Fancy Bear, which have been linked to Russia. KAMACITE has targeted energy companies in the United States.

As for the group tracked as KOSTOVITE, it has been observed targeting the renewable energy sector in North America and Australia. The hackers have used highly customized web shells and zero-day exploits, as well as living-off-the-land techniques, in their attacks. Unlike PETROVITE, KOSTOVITE has managed to access its targets’ OT networks and devices.

KOSTOVITE was first seen in action in 2021 and Dragos reported seeing significant technical overlaps with a group known as UNC2630, which may be a Chinese state-sponsored threat actor.

The third new group, ERYTHRITE, has been seen targeting many organizations in the United States and Canada, including a Fortune 500 company, a large electrical utility, food and beverage companies, IT firms, oil and gas companies, and vehicle manufacturers. The group has been active since at least May 2020, and it has also managed to breach OT environments.

Links have been found between ERYTHRITE and Solarmarker, a group that has been spotted delivering information-stealer malware to a wide range of organizations.

“ERYTHRITE’s wholesale exfiltration of credentials poses a particular risk to victims that use common authentication systems or credentials in their IT and ICS/OT environments,” Dragos warned.
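The risk Dragos describes is only visible if someone actually compares the two account inventories. The following audit script is an added example, not part of the article or of the Dragos report: it takes constructed IT and OT account exports (the realms, usernames and passwords are invented sample values) and flags accounts that share a username, share a password, or are identical on both sides. It assumes both exports hash passwords with the same unsalted scheme so the hashes are comparable; real inventories would need the same salting scheme, or a comparison done inside the identity system, for the hash check to be meaningful.

```python
"""Audit an IT account export against an ICS/OT account export for shared
credentials. Added example; the record layout and all sample values are
constructed for illustration and are not from the Dragos report."""
import hashlib
from collections import Counter, defaultdict


def password_hash(password: str) -> str:
    # Unsalted SHA-256 is used only so that the constructed samples are
    # comparable across both inventories; it is not a password-storage scheme.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample exports: one record per account, already hashed.
IT_ACCOUNTS = [
    {"realm": "corp-ad", "username": "jsmith", "password_hash": password_hash("Winter2021!")},
    {"realm": "corp-ad", "username": "svc-backup", "password_hash": password_hash("Backup#1")},
    {"realm": "corp-ad", "username": "admin", "password_hash": password_hash("P@ssw0rd")},
]
OT_ACCOUNTS = [
    {"realm": "plc-hmi-01", "username": "admin", "password_hash": password_hash("P@ssw0rd")},
    {"realm": "historian", "username": "jsmith", "password_hash": password_hash("Other#99")},
    {"realm": "eng-ws-02", "username": "operator", "password_hash": password_hash("Backup#1")},
]


def find_credential_overlap(it_accounts, ot_accounts):
    """Return one finding per IT/OT account pair that shares credential material.

    identical_credential: same username and same password on both sides (high)
    reused_password:      same password under different usernames (high)
    shared_username:      same username, different password (medium)
    """
    it_by_user = defaultdict(list)
    it_by_hash = defaultdict(list)
    for acct in it_accounts:
        it_by_user[acct["username"]].append(acct)
        it_by_hash[acct["password_hash"]].append(acct)

    findings = []
    for ot in ot_accounts:
        # Username overlap: a stolen IT credential is a guess away from the OT login.
        for it in it_by_user.get(ot["username"], []):
            kind = ("identical_credential" if it["password_hash"] == ot["password_hash"]
                    else "shared_username")
            findings.append({
                "kind": kind,
                "severity": "high" if kind == "identical_credential" else "medium",
                "it_account": f'{it["realm"]}\\{it["username"]}',
                "ot_account": f'{ot["realm"]}\\{ot["username"]}',
            })
        # Password reuse under a different name is still one credential leak away
        # from OT access; identical-username matches were already reported above.
        for it in it_by_hash.get(ot["password_hash"], []):
            if it["username"] != ot["username"]:
                findings.append({
                    "kind": "reused_password",
                    "severity": "high",
                    "it_account": f'{it["realm"]}\\{it["username"]}',
                    "ot_account": f'{ot["realm"]}\\{ot["username"]}',
                })
    return findings


def severity_counts(findings):
    """Summarise findings by severity, e.g. {'high': 2, 'medium': 1}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = find_credential_overlap(IT_ACCOUNTS, OT_ACCOUNTS)
    for f in results:
        print(f'[{f["severity"]:6}] {f["kind"]:20} {f["it_account"]} <-> {f["ot_account"]}')
    print(severity_counts(results))
```

On the constructed data the script reports three findings: the `admin` account is identical on the corporate domain and the HMI, `jsmith` exists on both sides with different passwords, and the backup service account's password is reused by an OT operator account. Each finding names both accounts so the OT side can be rotated or moved to a separate identity store rather than just noted.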

Dragos has also analyzed ransomware attacks on industrial sectors, and manufacturing appears to be the most targeted (with 211 attacks), followed by food and beverage (35), transportation (27), energy (13), and oil and gas (10). A majority of these attacks involved LockBit 2.0 and Conti ransomware.

The cybersecurity firm cataloged 1,703 ICS/OT vulnerabilities that were assigned a CVE identifier in 2021, more than twice as many as in the previous year. More than two-thirds of the flaws analyzed by Dragos affected systems located deep within the industrial network.

More details, including recommendations and data collected by Dragos from customer service engagements, are available in the 2021 ICS/OT Cybersecurity Year in Review (YIR) report.

Related: ICS, OT Cybersecurity Incidents Cost Some U.S. Firms Over $100 Million

Related: Ransomware Increasingly Detected on Industrial Systems

Related: Over 600 ICS Vulnerabilities Disclosed in First Half of 2021

Related: Ransomware Often Hits Industrial Systems, With Significant Impact

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.