Manufacturing Sector Targeted by Five ICS-Focused Threat Groups: Report

A report published on Thursday by industrial cybersecurity firm Dragos reveals that the manufacturing sector has been attacked by five threat groups that have been known to target industrial environments.

According to Dragos, the manufacturing sector faces increasing risk of cyberattacks, including attacks whose goal may be to cause disruption to industrial processes and ones aimed at collecting valuable information. However, the firm says it has not observed any major or sophisticated incidents involving ICS-specific malware aimed at manufacturing operations.

The list of ICS-focused groups that Dragos spotted targeting organizations in this industry includes CHRYSENE, PARISITE, MAGNALLIUM, WASSONITE and XENOTIME.

MAGNALLIUM is an Iran-linked group that has been active since at least 2013. It’s known to have targeted companies in Europe, North America, South Korea and Saudi Arabia. MAGNALLIUM is not known to have any ICS-specific capability, but Dragos warns that the destructive wiper malware used by the hackers in IT environments could be used in control system networks as well. PARISITE is a separate group that helps MAGNALLIUM gain initial access to targeted systems.

WASSONITE is a group linked to North Korea that has targeted organizations in India, South Korea and Japan. It has been active since at least 2018, but it does not appear to have the capabilities needed to cause disruption or destruction in industrial environments.

The Iran-linked group CHRYSENE has been known to target industrial networks in the Middle East and the UK. It has been tied to OilRig and Greenbug, the threat actors believed to have been involved in the notorious Shamoon attacks. CHRYSENE has focused on penetrating networks and conducting ICS-specific reconnaissance.

XENOTIME, on the other hand, is the only group known to target the manufacturing industry which does have the capability to launch destructive ICS attacks, as demonstrated by its 2017 attack involving the Trisis/Triton malware. The malware has been linked to a Russian research institute.

If threat actors want to target ICS in manufacturing organizations, they have plenty of vulnerabilities that they can exploit to achieve their goals. According to Dragos, there are more than 260 vulnerabilities affecting equipment typically used in manufacturing environments, and many of them could have an impact on safety.

Dragos also reported seeing an increasing number of ransomware attacks aimed at ICS, and the company believes ransomware is “the most common threat to manufacturing.” There are several ransomware families capable of targeting processes associated with OT software.

Other major threats faced by the manufacturing sector are industrial espionage and theft of intellectual property, Dragos said.

“IP and theft of trade secrets related to process and automation functions can enable industrial organizations and interested states and governments to fast-track development of critical infrastructure, including manufacturing. It can also support state-sponsored espionage activities for political or national security efforts,” the company explained.

The complete report from Dragos, which also includes recommendations for manufacturing entities, is available for download in PDF format.

Related: IoT Devices at Major Manufacturers Infected With Malware via Supply Chain Attack

Related: Researchers Analyze Entry Points, Vectors for Manufacturing System Attacks