Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



Manufacturing Sector Targeted by Five ICS-Focused Threat Groups: Report

A report published on Thursday by industrial cybersecurity firm Dragos reveals that the manufacturing sector has been attacked by five threat groups that have been known to target industrial environments.

A report published on Thursday by industrial cybersecurity firm Dragos reveals that the manufacturing sector has been attacked by five threat groups that have been known to target industrial environments.

According to Dragos, the manufacturing sector faces increasing risk of cyberattacks, including attacks whose goal may be to cause disruption to industrial processes and ones aimed at collecting valuable information. However, the firm says it has not observed any major or sophisticated incidents involving ICS-specific malware aimed at manufacturing operations.

The list of ICS-focused groups that Dragos spotted targeting organizations in this industry includes CHRYSENE, PARISITE, MAGNALLIUM, WASSONITE and XENOTIME.

MAGNALLIUM is an Iran-linked group that has been active since at least 2013. It’s known to have targeted companies in Europe, North America, South Korea and Saudi Arabia. MAGNALLIUM is not known to have any ICS-specific capability, but Dragos warns that the destructive wiper malware used by the hackers in IT environments could be used in control system networks as well. PARISITE is a separate group that helps MAGNALLIUM gain initial access to targeted systems.

WASSONITE is a group linked to North Korea that has targeted organizations in India, South Korea and Japan. It has been active since at least 2018, but it does not appear to have the capabilities needed to cause disruption or destruction in industrial environments.

The Iran-linked group CHRYSENE has been known to target industrial networks in the Middle East and the UK. It has been tied to OilRig and Greenbug, the threat actors believed to have been involved in the notorious Shamoon attacks. CHRYSENE has focused on penetrating networks and conducting ICS-specific reconnaissance.

XENOTIME, on the other hand, is the only group known to target the manufacturing industry which does have the capability to launch destructive ICS attacks, as demonstrated by its 2017 attack involving the Trisis/Triton malware. The malware has been linked to a Russian research institute.

If threat actors want to target ICS in manufacturing organizations, they have plenty of vulnerabilities that they can exploit to achieve their goals. According to Dragos, there are more than 260 vulnerabilities affecting equipment typically used in manufacturing environments, and many of them could have an impact on safety.

Dragos also reported seeing an increasing number of ransomware attacks aimed at ICS, and the company believes ransomware is “the most common threat to manufacturing.” There are several ransomware families capable of targeting processes associated with OT software.

Other major threats faced by the manufacturing sector are industrial espionage and theft of intellectual property, Dragos said.

“IP and theft of trade secrets related to process and automation functions can enable industrial organizations and interested states and governments to fast-track development of critical infrastructure, including manufacturing. It can also support state-sponsored espionage activities for political or national security efforts,” the company explained.

The complete report from Dragos, which also includes recommendations for manufacturing entities, is available for download in PDF format.

Related: IoT Devices at Major Manufacturers Infected With Malware via Supply Chain Attack

Related: Researchers Analyze Entry Points, Vectors for Manufacturing System Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.