
Increasing Number of Threat Groups Targeting OT Systems in North America

An increasing number of threat groups have been targeting organizations with industrial control system (ICS) or other operational technology (OT) environments, according to a new report from industrial cybersecurity company Dragos.

Dragos last year identified three new groups that appear to be interested in ICS/OT, which brings the total number of such groups tracked by the company to 18. The new groups discovered in 2021 are tracked as KOSTOVITE, ERYTHRITE and PETROVITE, and the first two actually managed to gain direct access into ICS/OT networks.

PETROVITE, which has targeted mining and energy operations in Kazakhstan, has shown an interest in collecting data on ICS/OT systems and networks, but, based on what Dragos has seen, it has yet to actually gain access to these types of systems. The company is aware of PETROVITE attacks conducted since the third quarter of 2019.

There appear to be some overlaps between PETROVITE activity and KAMACITE and Fancy Bear, which have been linked to Russia. KAMACITE has targeted energy companies in the United States.

As for the group tracked as KOSTOVITE, it has been observed targeting the renewable energy sector in North America and Australia. The hackers have used highly customized web shells and zero-day exploits, as well as living-off-the-land techniques, in their attacks. Unlike PETROVITE, KOSTOVITE has managed to access its targets’ OT networks and devices.

KOSTOVITE was first seen in action in 2021 and Dragos reported seeing significant technical overlaps with a group known as UNC2630, which may be a Chinese state-sponsored threat actor.

The third new group, ERYTHRITE, has been seen targeting many organizations in the United States and Canada, including a Fortune 500 company, a large electrical utility, food and beverage companies, IT firms, oil and gas companies, and vehicle manufacturers. The group has been active since at least May 2020, and it has also managed to breach OT environments.

Links have been found between ERYTHRITE and Solarmarker, a group that has been spotted delivering information-stealer malware to a wide range of organizations.

“​​ERYTHRITE’s wholesale exfiltration of credentials poses a particular risk to victims that use common authentication systems or credentials in their IT and ICS/OT environments,” Dragos warned.

Dragos has also analyzed ransomware attacks on industrial sectors, and manufacturing appears to be the most targeted (with 211 attacks), followed by food and beverage (35), transportation (27), energy (13), and oil and gas (10). A majority of these attacks involved LockBit 2.0 and Conti ransomware.

The cybersecurity firm cataloged 1,703 ICS/OT vulnerabilities that were assigned a CVE identifier in 2021, more than twice as many as the previous year. More than two-thirds of the flaws analyzed by Dragos affected systems located deep within the industrial network.

More details, including recommendations and data collected by Dragos from customer service engagements, are available in the 2021 ICS/OT Cybersecurity Year in Review (YIR) report.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
