Cybersecurity report details new groups targeting energy and utilities sector

Dragos, Inc. has released its fifth annual Dragos ICS/OT Cybersecurity Year in Review (YIR) report—the most comprehensive report on cyber threats facing industrial organisations. 

The report identifies three new threat groups targeting ICS/OT environments, including two that have gained access to the OT systems of industrial organisations. It also shows that the number of vulnerabilities discovered in OT systems in 2021 more than doubled over the previous year to 1,703. Ransomware became the number-one attack vector among industrial organisations, with manufacturing the most targeted sector, representing 65 per cent, or 211, of the ransomware cases detected at industrial organisations.

The Dragos YIR report is an annual overview and analysis of ICS/OT-focused global threat activities, vulnerabilities, and industry insights and trends. The report aims to share data-informed observations and lessons learned from within the industrial community to give asset owners and operators actionable information and recommendations to help them more fully understand cybersecurity risks to their ICS/OT environments and strengthen their cyber readiness.

“While the industrial community has discussed the importance of OT cybersecurity for years, 2021 brought high-profile attacks that showed the real-world outcomes on local communities and global economies,” Dragos, Inc. CEO Robert M. Lee said.

“Data from our YIR shows that cybersecurity risk to industrial sectors is accelerating at a time when digital transformation initiatives are driving hyper connectivity, which increases risk and exposure. The real-world observations and data-backed insights in our 2021 YIR report can serve as practical, timely guidance as the industrial community strives to understand where they are exposed, what threat groups are doing, and how to build security and resiliency into their OT systems.”

Dragos identified three new ICS/OT Activity Groups—KOSTOVITE, PETROVITE, and ERYTHRITE, with KOSTOVITE and ERYTHRITE reaching Stage 2 of the ICS Cyber Kill Chain, meaning they gained access directly into ICS/OT networks. With these additions, Dragos analysts now track 18 Activity Groups worldwide that show the intent, opportunity, or capability to impact industrial operations. 

KOSTOVITE targets renewable energy operations in North America and Australia, and in 2021 had a confirmed intrusion into an operations and maintenance (O&M) firm’s OT networks and devices.

PETROVITE targets mining and energy operations in Kazakhstan and Central Asia. The group displays an interest in data collection on ICS/OT systems and networks.

ERYTHRITE targets organisations in the US and Canada. Dragos has observed ERYTHRITE compromising the OT environments of a Fortune 500 company and the IT networks of a large electrical utility, food and beverage companies, auto manufacturers, IT service providers, and multiple Oil and Natural Gas (ONG) service firms. 

Ransomware became the number one attack vector in the industrial sector. Two groups, Conti and Lockbit 2.0, caused 51 per cent of total industrial ransomware attacks, with 70 per cent of their activity targeting manufacturing. Overall, manufacturing was the primary target of ransomware across the board and accounted for 65 per cent of all attacks, nearly twice as much as every other industrial group combined.  

The full 2021 Dragos ICS/OT Cybersecurity Year in Review report, and the accompanying executive summary document, can be downloaded here.
