cyber trends
There is also growing investment by threat groups in OT tooling, which includes reconnaissance and penetration testing tools. While some are benign, tools like COSMICENERGY and PIPEDREAM could be used in a malicious context.
For example, the information revealed through the Vulkan Files leaks further demonstrated that nations take an interest in the OT space, seeking to learn about diverse OT network operations and configurations. These may vary widely due to the historical evolution of OT networks, making it crucial to learn about these environments before conducting an offensive operation. Tools like PIPEDREAM can influence devices, the type of capability we assess many threat groups now possess or are developing. This demonstrates a shift from past OT-focused operations, where Stuxnet is probably the malware that springs to mind: a targeted, highly precise operation, versus a ‘Swiss Army knife’ toolset that is adaptable to many environments comprising multiple vendors’ equipment.
What are some activities by threat adversaries and how can organisations identify a threat landscape?
In terms of the current activities of adversaries targeting industrial organisations, particularly of note are the attacks against power networks in support of the Russia-Ukraine conflict: a number of disruptions attributed to the threat group we track as ELECTRUM. We saw disruptive operations from it in 2015 and 2016 against Ukraine, with refined and more targeted attacks in 2022.
Similarly, a group called KAMACITE has represented a long-running set of related behaviours targeting critical infrastructure and industrial verticals since at least 2014. KAMACITE facilitated ICS-specific operations including the BLACKENERGY2 campaign and the 2015 and 2016 Ukraine power events, paving the way for ELECTRUM to take action. Energy and manufacturing are their primary focus in Europe, while maritime, liquid natural gas and oil are their main focus globally. We categorise threat groups as ‘Stage 1’ when they display intent to operate within OT environments but lack the full capability to do so. This activity typically involves tactics like password spraying and remote access exploitation, posing concerns for IP security. The actor’s intent here is to acquire knowledge of, or access to, the OT environment. Those threat groups with the capability to operate within the OT environment, be that for monitoring or for disruptive or destructive attacks, are categorised as ‘Stage 2’.
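The Stage 1 tactics named above, password spraying and remote access exploitation, leave a recognisable trace in the authentication logs of whatever remote-access gateway fronts the OT network. The following is an added example, not Dragos code or anything from the article: it parses a constructed sample log and separates a spray (one source, many accounts, mostly failures) from a single-account brute force, flagging a spray that ends in a successful logon as the case that warrants immediate investigation. The log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (remote-access gateway style).
# Hosts, users and timestamps are made up for this example.
SAMPLE_LOG = """\
2024-03-01T02:00:01 src=203.0.113.7 user=alice result=FAIL
2024-03-01T02:00:02 src=203.0.113.7 user=bob result=FAIL
2024-03-01T02:00:03 src=203.0.113.7 user=carol result=FAIL
2024-03-01T02:00:04 src=203.0.113.7 user=dave result=FAIL
2024-03-01T02:00:05 src=203.0.113.7 user=erin result=FAIL
2024-03-01T02:00:06 src=203.0.113.7 user=frank result=OK
2024-03-01T02:01:00 src=198.51.100.9 user=alice result=FAIL
2024-03-01T02:01:01 src=198.51.100.9 user=alice result=FAIL
2024-03-01T02:01:02 src=198.51.100.9 user=alice result=FAIL
2024-03-01T02:01:03 src=198.51.100.9 user=alice result=FAIL
2024-03-01T02:05:00 src=192.0.2.5 user=operator result=OK
"""

# Assumed key=value layout; adapt the pattern to the real gateway's format.
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_auth_log(text):
    """Yield (source, user, succeeded) for each parseable line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["user"], m["result"] == "OK"


def classify_sources(events, spray_min_users=5, brute_min_fails=4):
    """Label each source by its failure pattern (thresholds are assumptions).

    'spray'         : failures spread over >= spray_min_users distinct accounts
    'spray+success' : a spray from a source that also achieved a logon
    'brute'         : >= brute_min_fails failures against a single account
    """
    stats = defaultdict(lambda: {"users": set(), "fails": 0, "success": False})
    for src, user, ok in events:
        s = stats[src]
        if ok:
            s["success"] = True
        else:
            s["fails"] += 1
            s["users"].add(user)
    verdicts = {}
    for src, s in stats.items():
        if len(s["users"]) >= spray_min_users:
            verdicts[src] = "spray+success" if s["success"] else "spray"
        elif s["fails"] >= brute_min_fails and len(s["users"]) == 1:
            verdicts[src] = "brute"
    return verdicts
```

In practice the thresholds should be tuned per gateway, and a spray that ends in success is the event to escalate, since it is exactly the access acquisition the Stage 1 description refers to.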
Staying with the Russia-Ukraine conflict, we have seen several wipers deployed, particularly during the early days of the invasion, but the destructive ‘wiper’ malware called AcidRain, used on Viasat modems and routers, recorded the greatest impact on industrial environments. The attack quickly erased all the data on the systems. The machines then rebooted and were permanently disabled. Thousands of terminals were effectively destroyed in this way, and those organisations relying on satellite communications and without a working backup method of communication suffered loss of visibility and control, impacting various sectors, including cases like wind power generation in Germany. Understanding these additional attack vectors beyond your control is crucial in threat modelling.
Back to ransomware and extortion: these tactics have had a significant impact on industrial organisations. Adversaries have adapted their strategies and have even been observed exploiting trust relationships between parent and subsidiary organisations across different geographies.
Virtualisation also plays an increasing role in the hosting of OT HMI systems, and in an Incident Response engagement Dragos undertook recently, the threat group gained direct access to the OT environment via a remote access system, but instead of encrypting all the hosts they found, they focused only on the virtual machines running the HMI systems, leaving the underlying host operational. This specificity demonstrates that criminal actors know where the actual value lies in extortion attempts, but also suggests an attempt to avoid unforeseen consequences, given the dangers posed by entirely crippling an industrial environment. Perhaps this stems from lessons learned following the backlash and requests for action from heads of state when healthcare facilities were severely impacted in the past. Other industry sectors such as mining and telecommunications have also been targeted. While not classified as ‘critical infrastructure’ from an industrial perspective, telecommunications are of the utmost importance to operations and thus necessitate consideration in any threat modelling or Business Continuity planning. Just as the Viasat incident demonstrated, crippling any critical service can be damaging even if the specific network has not been compromised.
In navigating this complex threat landscape, and to aid the transition into protecting your attack surface, different levels of reporting are essential. C-level executives and board members should have a broad understanding of common threats and the level of sophistication that could target their organisation’s assets. Introducing industry-specific reporting will provide awareness of threats specific to your sector. In-depth reporting, ideal for SOC employees and incident responders, delves into threat groups, tools, vulnerabilities and tradecraft. Understanding attack surfaces, vulnerabilities, architecture and IT-OT network interactions becomes critical in this phase.
Architecture reviews and proactive incident response exercises like Red Teaming are also valuable tools. In conclusion, the key foundation is monitoring of OT networks, which often incorporates output from firewalls, antivirus or EDR/XDR, providing a holistic view to security teams.
Based upon the work of Dragos services, in 2021, 80% of customers had no visibility into their OT environments. Even with a profound understanding of the threat landscape and potential threat groups, lacking visibility hampers response efforts. It’s estimated that 95% of OT networks globally are unmonitored. The key takeaway here is
www.intelligentciso.com