
Nine Distinct Threat Groups Targeting Industrial Systems: Dragos

The number of tracked threat groups targeting industrial control systems (ICS) environments has risen to nine, industrial cybersecurity firm Dragos reveals in a new report. 

Of these, five groups directly target oil and gas firms, while the remaining four target the energy sector. The number of such adversaries that Dragos tracks at the moment has nearly doubled since March 2018. 

One of the five activity groups that Dragos observed targeting oil and gas has been detailed only recently, although it might have been active since at least mid-2018. Dubbed HEXANE, the group was observed targeting oil and gas and telecommunications in Africa, the Middle East, and Southwest Asia.

The group shows similarities with the actors tracked as MAGNALLIUM and CHRYSENE, but has also been associated with the Iran-linked OilRig group, Dragos reveals in a new report (PDF).

Active since at least 2013, MAGNALLIUM has been targeting petrochemical and aerospace manufacturers, initially in Saudi Arabia, but then expanding to Europe and North America. Focused only on initial IT intrusions, the group appears to lack an ICS-specific capability.

CHRYSENE, on the other hand, evolved from an espionage campaign that gained attention following the destructive Shamoon cyber-attack in 2012. The group targets the petrochemical, oil and gas, and electric generation sectors in the Gulf Region and beyond, and has been associated with actors such as GREENBUG and OilRig.

Another group focused on the oil and gas sector is XENOTIME, the group behind the destructive TRISIS framework, which specifically targets Triconex safety controllers. Last year, the group expanded activity to Europe, the US, Australia, and the Middle East. 

It also started targeting electric utilities in North America and the APAC region and moved to devices beyond the Triconex controllers. The activity of this actor has been linked to the threat group tracked as Temp.Veles. 

The fifth actor on Dragos’ list is DYMALLOY, a highly aggressive and capable activity group targeting electric utilities, oil and gas, and advanced industry entities in Turkey, Europe, and North America. The adversary has been linked to Dragonfly 2.0 and Berserk Bear. 

Groups targeting electric utilities

The remaining activity groups that Dragos tracks focus on electric utilities and do not appear interested in targeting oil and gas verticals. Even so, oil and gas and related energy firms should be aware of these threat actors, the security firm says.

The first of the groups is ELECTRUM, which is best known for the disruptive CRASHOVERRIDE event in 2016. The actor is an offshoot of SANDWORM (aka TeleBots and BlackEnergy), the hacking group believed to be responsible for the 2017 NotPetya supply chain compromise.

First detailed last year and believed to be operating out of Iran, the group tracked as RASPITE targets electric utilities in the United States, as well as government entities in the Middle East. While additional victims have been identified in Saudi Arabia, Japan, and Western Europe, they were not part of the actor’s activity since mid-2018. 

The ALLANITE group was observed targeting business and ICS networks in the US and UK electric utility sectors, but Dragos believes that the actor does not possess disruptive or damaging capability or intent. The actor has been associated with PALMETTO FUSION, Dragonfly 2.0, and Berserk Bear.

The ninth group in Dragos’ report is COVELLITE, which has been linked to North Korea’s Lazarus Group, and which has been observed targeting networks associated with electric energy, primarily in Europe, East Asia, and North America. At the moment, the group does not appear to be active from an ICS-targeting perspective, Dragos says.

“The diverse global oil and gas threat landscape represents a significant concern for asset owners and operators at upstream, midstream, and downstream operations. Oil and gas remains at risk for a destructive cyberattack due to its political and economic impact and highly volatile processes,” the report reads.

“Dragos assesses with moderate confidence that the first major cyber-related ICS event causing major process and equipment destruction or loss of life will occur in the oil and gas sector,” the security firm concludes. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.