China’s Volt Typhoon Hackers Are Exfiltrating Sensitive OT Data

Volt Typhoon and two other threat groups that emerged in 2023 can pose a serious threat to ICS/OT, according to industrial cybersecurity firm Dragos.

The sophisticated hacker group known as Volt Typhoon could pose a serious threat to organizations that use industrial control systems (ICS) or other operational technology (OT), according to industrial cybersecurity firm Dragos.

Dragos’ new 2023 ICS/OT Cybersecurity Year in Review report reveals that the company is aware of 21 threat groups whose activities impact or could impact OT, including three that emerged in 2023 and seven others that are still known to be active.

One of the three groups that emerged in 2023 is tracked by Dragos as Voltzite, but it’s better known as Volt Typhoon, a threat actor linked to the Chinese government.

Volt Typhoon has been known to target organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, IT, and education sectors, including in the United States, Australia and the United Kingdom. The hackers are known for their use of a router botnet for communications, which the US government targeted recently in a takedown attempt.

While Volt Typhoon’s main goal appears to be cyberespionage and information gathering, there has been increasing concern that the hackers may use their access and capabilities to cause disruption in the OT environments of critical infrastructure organizations.

In its new report, Dragos reported seeing Voltzite initiate scanning activities against electric sector organizations in North America between November and December 2023. The company is also aware of possible attacks aimed at electric transmission and distribution providers in Africa.

Dragos is aware of Voltzite attacks aimed at various sectors in the US, including emergency services, electric, and telecoms.

“Dragos assesses with moderate confidence that Voltzite has compromised network and video surveillance devices associated with a United States emergency management and traffic monitoring entity in 2023. The adversary exploited public internet-facing Sierra Wireless Airlink devices serving as access points for Iteris Vantage Velocity traffic monitoring devices,” Dragos said.

The most recent attack seen by the security firm targeted a large city’s emergency services GIS network in January.

In some attacks, the group has been observed exfiltrating sensitive operational data related to OT networks and processes.

“Data stolen from operational technology (OT) networks may result in unintended disruption to critical industrial processes or provide the adversary with crucial intelligence to aid in follow-up offensive tool development or attacks against ICS networks,” Dragos warned.

Another new group spotted by Dragos in 2023 that could pose a threat to OT organizations is Gananite, which focuses on espionage and initial access operations in CIS and Central Asian countries. Some of the tools used by this group were previously tied to the Russia-linked Turla group.

Gananite has been seen targeting government and industrial organizations in the CIS region. Some of the specific targets named by Dragos include ICS operations management staff at an important European oil and gas company, a European government entity overseeing public water utilities, an automotive machinery firm, and rail organizations in Azerbaijan and Turkey.

The third new group of 2023 is Laurionite, which focuses on targeting Oracle iSupplier instances. The hackers targeted internet-exposed systems in the air transportation, professional services, government, and manufacturing sectors.

Dragos said none of the new groups has used ICS-specific capabilities and there is no indication that they have moved into OT networks, but the industrial cybersecurity firm cautioned that they could start targeting such systems in the future.

Dragos’ report also includes a separate chapter on ransomware attacks, which increased 50% over the past year. According to Dragos, the activities of 50 ransomware groups impacted industrial organizations in 2023.

The report also details vulnerabilities uncovered last year. Dragos is aware of just over 2,000 CVEs impacting OT environments, and an analysis of these flaws shows how many were disclosed through inaccurate advisories, how many of them require urgent patching, and their potential impact.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.