The number of tracked threat groups targeting industrial control systems (ICS) environments has risen to nine, industrial cybersecurity firm Dragos reveals in a new report.
Of these, five groups directly target oil and gas firms, while the remaining four target the energy sector. The number of such adversaries that Dragos tracks at the moment has nearly doubled since March 2018.
One of the five activity groups that Dragos observed targeting oil and gas has been detailed only recently, although it might have been active since at least mid-2018. Dubbed HEXANE, the group was observed targeting oil and gas and telecommunications in Africa, the Middle East, and Southwest Asia.
Active since at least 2013, MAGNALLIUM has been targeting petrochemical and aerospace manufacturers, initially in Saudi Arabia, but then expanding to Europe and North America. Focused only on initial IT intrusions, the group appears to lack an ICS-specific capability.
CHRYSENE, on the other hand, evolved from an espionage campaign that gained attention following the destructive Shamoon cyber-attack in 2012. The group targets petrochemical, oil and gas, and electric generation sectors in the Gulf Region and beyond, and has been associated with actors such as GREENBUG and OilRig.
Another group focused on the oil and gas sector is XENOTIME, the group behind the destructive TRISIS framework, which specifically targets Triconex safety controllers. Last year, the group expanded activity to Europe, the US, Australia, and the Middle East.
It also started targeting electric utilities in North America and the APAC region and moved to devices beyond the Triconex controllers. The activity of this actor has been linked to the threat group tracked as Temp.Veles.
The fifth actor on Dragos’ list is DYMALLOY, a highly aggressive and capable activity group targeting electric utilities, oil and gas, and advanced industry entities in Turkey, Europe, and North America. The adversary has been linked to Dragonfly 2.0 and Berserk Bear.
Groups targeting electric
The remaining activity groups that Dragos tracks focus on electric utilities and do not appear interested in targeting oil and gas verticals. Even so, oil and gas and related energy firms should be aware of these threat actors, the security firm says.
The first of the groups is ELECTRUM, which is best known for the disruptive CRASHOVERRIDE event in 2016. The actor is an offshoot of SANDWORM (aka TeleBots and BlackEnergy), the hacking group believed to be responsible for the 2017 NotPetya supply chain compromise.
First detailed last year and believed to be operating out of Iran, the group tracked as RASPITE targets electric utilities in the United States, as well as government entities in the Middle East. While additional victims have been identified in Saudi Arabia, Japan, and Western Europe, they have not been part of the actor’s activity since mid-2018.
The ALLANITE group was observed targeting business and ICS networks in the US and UK electric utility sectors, but Dragos believes that the actor does not possess disruptive or damaging capability or intent. The actor has been associated with PALMETTO FUSION, Dragonfly 2.0, and Berserk Bear.
The ninth group in Dragos’ report is COVELLITE, which has been linked to North Korea’s Lazarus Group, and which has been observed targeting networks associated with electric energy, primarily in Europe, East Asia, and North America. At the moment, the group does not appear to be active from an ICS-targeting perspective, Dragos says.
“The diverse global oil and gas threat landscape represents a significant concern for asset owners and operators at upstream, midstream, and downstream operations. Oil and gas remains at risk for a destructive cyberattack due to its political and economic impact and highly volatile processes,” the report reads.
“Dragos assesses with moderate confidence that the first major cyber-related ICS event causing major process and equipment destruction or loss of life will occur in the oil and gas sector,” the security firm concludes.