Theft of intellectual property and attacks on strategic targets characterize the actions of new operational technology (OT) threat groups that emerged in the cybersecurity landscape in 2023.

Dragos: IP Theft, Targeted OT Attacks on the Rise
Robert M. Lee, CEO and Co-Founder, Dragos. (Source: Dragos)

In its seventh annual OT Cybersecurity Year In Review 2023, Dragos flagged three new major threats and retired two, for a total of 21 active threat groups targeting OT vulnerabilities.

Older, known threat groups and attack styles like ransomware still pose significant cyber risks, but strategically focusing on shoring up certain vulnerabilities can help keep companies safe, Dragos’ CEO and Co-Founder Robert M. Lee said during a conference call discussing the annual review. 

Ransomware threat

Dragos said ransomware attacks jumped by 50% in 2023. Ransomware is one of the top financial and operational cyber risks: of the 905 ransomware attacks reported in 2023, 638 hit manufacturing firms and 30 targeted the oil and gas sector.

Lee said manufacturing tends to be more digitally connected, making it a “richer target set.”

However, he expects attacks on transportation, oil and gas, electric, water and mining to spike in coming years as those sectors become more digitally connected.

New threats

Groups Voltzite, Laurionite and Gananite emerged as major cyber threats in 2023. Erythrite and Covellite were retired and 11 groups were dormant.

The U.S. government said Voltzite, also known as Volt Typhoon, is a Chinese government-backed group.

“The concern is the targets they picked across satellites, telecommunications and electric power across generation, transmission and distribution are very strategic targets,” Lee said. “It’s not a spray and pray type approach of finding just people to compromise. It is specifically looking at those sites that would be of strategic value to an adversary trying to hurt or cripple U.S. infrastructure.”

Of the 905 ransomware attacks reported in 2023, 638 targeted manufacturing and 30 the oil and gas sector. (Source: Dragos)

Voltzite evades detection with slow and steady reconnaissance and uses living off the land (LOTL) techniques, which typically involve using pre-existing, legitimate capabilities present on a victim host and network for malicious purposes.

Using such techniques, the group managed to compromise an electric company last year for more than 300 days, he said.

“They were knocking on the door, they were doing everything that you’d expect to explicitly get into the power operations networks,” Lee said. Dragos confirmed Voltzite was stealing OT-specific data: “Things that would be useful and future disruptive of excellences and electric property. Specifically, picking at a key target to take down electric power in the future based on what they were stealing.”

Dragos worked with the electric company to identify the scope of the intrusion, remediate it and use that knowledge to help other clients and share insights with the U.S. government, he said. 

Another group, Gananite, targets electric, oil and gas, transport, manufacturing and defense organizations, primarily through credential phishing, domain masquerades and known exploits for initial access. Gananite also employs remote access trojans.

Lee said Gananite has a strong espionage focus, especially in manufacturing for defense organizations.

“There’s a lot of intellectual property in those organizations that’s not in your IT email servers. They’re in your manufacturing product line, industrial networks, even something as simple as how you create a product with good efficiency” is valuable intellectual property on the global and international stage, he said.

Laurionite, on the other hand, exploits internet-facing Oracle E-Business Suite iSupplier portals to gain initial access, and targets air transportation, professional services, manufacturing and government.

“This is a good example of a group explicitly understanding manufacturing to target those Oracle license supplier instances in such a way that they can not only do intellectual property theft, but they could impact the manufacturing, the quality and quantity of what’s getting produced in those manufacturing instances,” Lee said.

Such attacks exemplify IT-OT connectivity that can affect operations through what may look like a mundane compromise of IT networks, he added. 

Other threats

Even with groups like Voltzite claiming headlines, Lee remains concerned about other existing threat groups, including Kamacite, Electrum, Magnallium and Raspite, among others.

Kamacite, an initial-access group, and Electrum, a disruption group, work in tandem against Ukrainian infrastructure.

Dragos is keeping tabs on 21 known threat groups. (Source: Dragos)

“They’re pretty busy with what's going on in Ukraine. My concern is they’re developing a lot of expertise of how to do this, and when the Ukraine war ends, whenever that may be, you will likely see these groups pivoting with that expertise, targeting other infrastructure around the world,” he said. “They won't be as busy in Ukraine and they'll be much larger of a threat to others.”

“Where [most companies] get in trouble is they don't think about the threats of yesterday, yesteryear. The only thing about the new emerging threats, and as a result we just don't learn quickly enough as the community to counter them,” he said.

He also noted the PIPEDREAM malware, discussed in the 2022 review, has the ability to affect tens of thousands of industrial devices controlling critical energy infrastructure and remains a threat.

Prevention approach

Lee also said it’s important to guard networks against known threats, even if they are years old.

“That mythical Stuxnet capability back in 2009, 2010, there are still a significant portion of infrastructure asset owners and operators today that could not protect against that capability today, 13 years later,” Lee said.

Stuxnet, thought to be the world’s first known cyberweapon, was a computer worm, widely attributed to U.S. and Israeli intelligence, intended to disable part of Iran’s nuclear program.

“I don't want us to focus on what’s coming so much that we stop realizing that we need to actually cover the things that we know about,” Lee said.

He said that defending against known threats provides a lot of value and positions companies against next-gen threats.

Prevention starts with knowing which vulnerabilities to address because not all vulnerabilities are created equal.

“There are a lot of vulnerabilities that are just useless, but there are some that we want to pay attention to,” Lee said.

Dragos follows a now-next-never approach to fixing vulnerabilities.

“What are the vulnerabilities you’ve got to fix now because they’re either actively being exploited by adversaries or they pose real genuine risk to operations, life, safety, health, et cetera?” he asked, noting about 3% of vulnerabilities tend to fall into the “now” category.

About 68% fall into the “next” category, to be fixed as resources allow, he said.

Finally, about 29% land in the “never” category. “They’re useless [to hacker objectives]. They should not be focusing on them at all,” Lee said.
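As an added illustration (this is not Dragos’s code or its actual triage criteria), the following Python sketch codifies the three buckets as decision rules over a constructed sample inventory. The attribute names, the rules that map them to “now”, “next” or “never”, and the vulnerability IDs are all assumptions made for the example; a real triage would pull these attributes from vulnerability intelligence and from knowledge of where each device sits in the network.

```python
"""Added example (not Dragos's code or methodology): a toy "now / next / never"
vulnerability triage that codifies the three buckets described in the article.
The decision rules and the sample records are assumptions constructed for
illustration; the IDs are labels, not real advisories."""

from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                     # constructed label, not a real advisory
    exploited_in_wild: bool = False  # adversaries are known to be using it
    network_reachable: bool = False  # exploitable over the network, no local or physical access needed
    impacts_process: bool = False    # could affect operations, safety or health
    requires_physical: bool = False  # needs physical or console access to the device
    mitigated: bool = False          # a compensating control (e.g. segmentation) already blocks it


def triage(v: Vuln) -> str:
    """Return 'now', 'next' or 'never'. The rules are assumptions, not Dragos's.

    now:   actively exploited, or reachable from the network and able to hurt
           the process. A compensating control demotes it to 'next' rather than
           dropping it, because the patch is still owed.
    never: nothing an adversary gains from it: no process impact, and either
           physical access is required or it is not reachable over the network.
    next:  everything else, scheduled when resources allow.
    """
    urgent = v.exploited_in_wild or (v.network_reachable and v.impacts_process)
    if urgent:
        return "next" if v.mitigated else "now"
    if not v.impacts_process and (v.requires_physical or not v.network_reachable):
        return "never"
    return "next"


def plan(vulns: List[Vuln]) -> Dict[str, List[str]]:
    """Group vulnerability IDs by bucket, 'now' first, so the result reads as a work plan."""
    buckets: Dict[str, List[str]] = {"now": [], "next": [], "never": []}
    for v in vulns:
        buckets[triage(v)].append(v.vuln_id)
    return buckets


def share(vulns: List[Vuln]) -> Dict[str, float]:
    """Percentage of the population per bucket, comparable to the 3/68/29 split quoted above."""
    buckets = plan(vulns)
    total = len(vulns) or 1
    return {name: round(100.0 * len(ids) / total, 1) for name, ids in buckets.items()}


# Constructed sample inventory (assumption: not taken from any real report or asset).
SAMPLE = [
    Vuln("V-001", exploited_in_wild=True, network_reachable=True, impacts_process=True),
    Vuln("V-002", network_reachable=True, impacts_process=True),   # reachable and can hurt the process
    Vuln("V-003", exploited_in_wild=True, network_reachable=True,
         impacts_process=True, mitigated=True),                     # exploited, but already blocked by a control
    Vuln("V-004", network_reachable=True),                          # reachable but no operational impact
    Vuln("V-005", impacts_process=True),                            # impact, but only from an adjacent host
    Vuln("V-006", requires_physical=True),                          # physical access needed, no impact
    Vuln("V-007"),                                                  # not reachable, no impact
]

if __name__ == "__main__":
    for bucket, ids in plan(SAMPLE).items():
        print(f"{bucket:>5}: {', '.join(ids) or '-'}")
    print(share(SAMPLE))
```

Run as a script it prints the three buckets for the sample (V-001 and V-002 now; V-003, V-004 and V-005 next; V-006 and V-007 never) and the resulting percentages. The point of the `mitigated` flag is the caveat practitioners usually want: an actively exploited flaw behind a compensating control drops out of the emergency queue but never out of the backlog.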