OT threat landscape
Last updated
Last updated
There's been an increasing focus on OT cyber security in the past few years. Take a look at 2023, a pivotal year for OT cyber where global conflicts developed, ransomware surges were observed, geo politics evolved with an intersection of cyber, new threat groups emerging, and more. It's been an exciting, but relentless few years.
One of the reasons why I love OT cyber security is that critical infrastructure is quite often industrial infrastructure such as energy and transport. Threat groups like ELECTRUM have been launching attacks throughout Ukraine, thought to be a Russian state sponsored group as a result of the strategic timing of their activity during warfare, as well as other indicators. Their focus is disruption against electric power operations, which coincided with country-wide bombing. I call these cyber-physical attacks.
Nation-state incidents are increasing β the Chinese were thought to be behind the Volt Typhoon campaign that compromised over 50 power plants and electric utilities in the USA, and the Russians thought to be behind an attack on 22 large and small critical infrastructure providers in Denmark. Volt Typhoon was particularly noteworthy because it used "living off the land" (LOTL) techniques to persist β an attack technique that is extremely difficult for intrusion detection systems to discover and diagnose.
Another example is that we have observed a "virtual layer" to the Israel-Hamas war - from critical intelligence gathering to the targeting of Israeli defence systems. Interestingly, neither state have carried out effective cyber operations that would change the war. Countries like Russia and Israel often turn to physical attacks as a more effective way to attack infrastructure.
Dragos have marked the discovery of new threat groups they call GANANITE, VOLTZITE, and LAURIONITE in the past year. They have been observed employing sophisticated tactics from spear phishing to zero-day vulnerability exploitation, with increasing LOTL techniques to critical infrastructure. The new threat groups displayed behaviour of slow reconnaissance and enumerations of electric facilities / entities, as an effort to gain a foothold into the infrastructure making it possible to pivot into the rest of the organisation. Exfiltration of data from SCADA, OT device configurations, historians, GIS data, and more.
A recent fact sheet authored by government agencies in the US, UK, Canada, Australia, and New Zealand, came with a warning that these operations βare seeking to pre-position themselves β using living off the land (LOTL) techniques β on IT networks for disruptive or destructive cyber activity against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.β
Other developing techniques such as exploiting legitimate admin tools and processes commonly / normally used in the environment for malicious use have been observed. This is a way to avoid detection by leaving fewer traces as behaviour seemingly blends in.
DDoS attacks are common in hacktivist attacks such as website defacement, however capabilities of these groups seem to be rising. For example, a threat group named CyberAv3ngers carried out an attack against OT devices in US, Europe, and Australia.
You can't discuss OT threats without mentioning ransomware! These attacks have been relentless in the past few years, with an increasing focus on environments where high availability is critical, such as critical infrastructure and operational environments. Dragos reported a 50% increase from 2022 to 2023. Industrial operations have previously been shut down as a precautionary measure, even if ransomware hasn't explicitly targeted or impacted OT networks.
In the OT cyber landscape, we're seeing a lot of actors with the intent to disrupt the availability (think about CIA triad - IT environments are very concerned about the "C", but OT are concerned about the "A") of a system. These would be groups with less financial motivation, such as nation states with high capabilities.
A lot of what has been documented in OT security are attacks that have succeeded or been observed. But what if most instances of threat actors haven't "executed" their attack? Critical infrastructure organisations are increasingly concerned about pre positioned threat groups for critical data exfiltration. Why would a threat actor interested in complete disruption execute the attack at the first instance? Why not sit, wait, collect intelligence while you're at it, and press the red button when highest impact opportunity arises.
Volt Typhoon was important because it was subtle and the adversary persisted in critical infrastructure organisations for a long time. And the Russian attacks in Denmark were important, again because they provided evidence of nation-state activity targeting critical infrastructures.