Full Report
Industrial cybersecurity firm Dragos disclosed that the cybersecurity threat landscape in 2024 was heavily influenced by rising geopolitical... The post Ransomware, state actors, hacktivists exploited geopolitical tensions to target critical infrastructure in 2024 appeared first on Industrial Cyber.
Analysis Summary
# Incident Report: Expansion of Industrial Control System (ICS) Targeting in 2024
## Executive Summary
The cybersecurity threat landscape for industrial operations significantly worsened in 2024, driven by rising geopolitical tensions. Adversaries, ranging from state-sponsored groups to hacktivists and ransomware operators, increasingly targeted Operational Technology (OT) and Industrial Control Systems (ICS) environments for disruption. The primary vectors involved exploiting internet-exposed ICS devices, often utilizing basic, easily executed techniques to achieve significant operational impact and broad awareness.
## Incident Details
- **Discovery Date:** Throughout 2024 (Based on Dragos' annual review published Tuesday)
- **Incident Date:** Primarily throughout 2024
- **Affected Organization:** Multiple Industrial Organizations globally (Report scope)
- **Sector:** Critical Infrastructure, Manufacturing, Utilities (Water, Electric Power)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout 2024
- **Vector:** Internet-exposed ICS devices; manipulation of settings on internet-exposed Human-Machine Interfaces (HMIs).
- **Details:** Adversaries exploited the lack of visibility and security awareness around internet-exposed OT/ICS devices. Examples include BAUXITE targeting network gateways (VPN, RDP, SSH) and CARR compromising HMI settings.
### Lateral Movement
- **Details:** Adversaries like VOLTZITE demonstrated subtle movements within OT networks, suggesting techniques to remain hidden after initial compromise. Skilled adversaries remain embedded within critical infrastructure environments.
### Data Exfiltration/Impact
- **Details:** Primary impact goals were disruption and attention amplification. Ransomware targeted manufacturing for immediate payment pressure. Hacktivists sought visible disruption. Malware like Blackjack’s Fuxnet signaled growing interest in disruptive OT attacks.
### Detection & Response
- **How it was discovered:** Dragos identified trends via their analysis of threat groups and incident campaigns throughout the year. Detection relied upon sophisticated OT-aware monitoring for subtle movements.
- **Response actions taken:** Recommendations included enhancing network visibility, updating OT incident response plans, conducting attack surface analyses, and restricting access to protocols like Modbus TCP/502.
## Attack Methodology
- **Initial Access:** Exploitation of internet-exposed ICS/HMI, basic techniques adapted by hacktivists.
- **Persistence:** Skilled adversaries remain hidden within critical infrastructure networks.
- **Privilege Escalation:** Not explicitly detailed, but basic techniques succeeded for less skilled actors.
- **Defense Evasion:** Lower barrier to entry suggests reliance on environments lacking OT-specific security monitoring.
- **Credential Access:** Not explicitly detailed, but necessary for deeper access.
- **Discovery:** Increased awareness among various threat groups regarding the viability of OT targets.
- **Lateral Movement:** Subtle movements observed by advanced groups (e.g., VOLTZITE).
- **Collection:** Focused on data needed for disruption or achieving adversarial objectives.
- **Exfiltration:** Not the primary reported driver globally; disruption was the goal.
- **Impact:** Operational disruption causing pressure for ransomware payment or achieving hacktivist attention.
## Impact Assessment
- **Financial:** Increased pressure for ransomware payments in manufacturing; costs associated with incident response and resilience upgrades globally.
- **Data Breach:** Specifics not detailed, but focus was on operational disruption rather than bulk data theft for many actors.
- **Operational:** Tangible operational disruptions were achieved, especially in less regulated sectors; the goal was system downtime.
- **Reputational:** Increased global concern among critical infrastructure owners regarding their security posture.
## Indicators of Compromise
*(Note: Indicators provided in the context are associated with specific, mentioned threat groups and are defanged for reporting safety.)*
- **Network indicators:** Modbus TCP/502 exposed to the public internet (Vulnerability/Vector).
- **File indicators:** Blackjack’s Fuxnet malware (April 2024), PIPEDREAM (mentioned as sophisticated contextual malware).
- **Behavioral indicators:** Remote manipulation of HMI settings by actors like CARR; subtle movements within OT networks detected by OT-aware monitoring.
## Response Actions
- **Containment measures:** Restricting access to Modbus TCP/502; increasing scrutiny and logging on vendor remote access (VPN, RDP, SSH).
- **Eradication steps:** (Implied) Eviction of embedded threat-group footholds (e.g., VOLTZITE, CARR operations).
- **Recovery actions:** Bolstering OT/ICS network resilience; focusing vulnerability mitigation on threats leading to loss of view or control.
## Lessons Learned
- OT is no longer a niche target; it is recognized by state actors, ransomware gangs, and hacktivists as an effective attack vector.
- High sophistication is not always required to achieve significant business disruption in OT environments.
- Maturity in OT security is inconsistent, with regulated sectors (e.g., North American electric power) generally being more advanced than others (e.g., water/manufacturing).
- Connections between state and non-state actors targeting critical infrastructure are becoming evident.
## Recommendations
- Proactively conduct annual attack surface analysis focused on network gateways (VPN, RDP, SSH) and internet-exposed HMI devices.
- Enhance network visibility and implement OT-aware monitoring solutions to detect subtle lateral movements (e.g., VOLTZITE techniques).
- Restrict access to key ICS protocols like Modbus TCP/502 and ensure these protocols are never accessible from the public internet.
- Apply rigorous scrutiny (MFA, increased logging/alerting) to all remote access pathways, including vendor access points.
- Update and regularly test OT incident response plans specific to process disruption scenarios.
- Prioritize vulnerability mitigation based on real-world threats that directly impact process view or control.
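The first three recommendations (attack surface analysis of gateways, detecting exposure, and keeping Modbus TCP/502 off the public internet) can be turned into a concrete check. The following is an added example, not code from Dragos or Industrial Cyber: it audits constructed flow records, flags any Modbus TCP/502 connection arriving from outside the site's internal address plan, and flags SSH, RDP or VPN gateway connections from sources that are not on a vendor allowlist. The log format, the RFC 1918 address plan, the vendor allowlist network, the OpenVPN port and all sample addresses are assumptions made for the example.

```python
"""Audit connection records for the exposure patterns named in the recommendations.

Added example: the log format, address plan, allowlist and sample flows below are
constructed assumptions, not anything taken from the Dragos report.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumption: the site's internal address plan (RFC 1918). Any source outside these
# ranges is treated as internet-facing for this audit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the only external network approved for vendor remote access.
VENDOR_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

MODBUS_TCP_PORT = 502
# Gateway services named in the report; the OpenVPN port is an assumption.
GATEWAY_SERVICES = {22: "SSH", 3389: "RDP", 1194: "OpenVPN"}


@dataclass(frozen=True)
class Connection:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_line(line: str) -> Connection:
    """Parse one constructed 'timestamp key=value ...' flow record."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Connection(
        ts,
        ipaddress.ip_address(kv["src"]),
        ipaddress.ip_address(kv["dst"]),
        kv["proto"].lower(),
        int(kv["dport"]),
    )


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def is_approved_vendor(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in VENDOR_ALLOWLIST)


def audit(lines: Iterable[str]) -> List[Tuple[str, Connection]]:
    """Return (finding_kind, connection) pairs for exposures worth an alert."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        c = parse_line(line)
        if is_internal(c.src):
            continue  # east-west traffic is out of scope for this exposure check
        if c.proto == "tcp" and c.dport == MODBUS_TCP_PORT:
            # The report's clearest indicator: Modbus reachable from the internet.
            findings.append(("MODBUS_REACHABLE_FROM_INTERNET", c))
        elif c.dport in GATEWAY_SERVICES and not is_approved_vendor(c.src):
            # Remote access gateway hit from a source that is not an approved vendor.
            findings.append((f"{GATEWAY_SERVICES[c.dport]}_FROM_UNAPPROVED_SOURCE", c))
    return findings


# Constructed sample flows (documentation-range public addresses, RFC 5737).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 dst=10.20.0.15 proto=tcp dport=502
2024-05-01T10:00:02Z src=10.20.0.40 dst=10.20.0.15 proto=tcp dport=502
2024-05-01T10:00:03Z src=198.51.100.7 dst=10.20.0.2 proto=tcp dport=3389
2024-05-01T10:00:04Z src=192.0.2.9 dst=10.20.0.2 proto=tcp dport=22
2024-05-01T10:00:05Z src=203.0.113.8 dst=10.20.0.1 proto=udp dport=1194
"""


def summarize(lines: Iterable[str] = ()) -> Dict[str, int]:
    """Count findings by kind; defaults to the constructed sample log."""
    lines = list(lines) or SAMPLE_LOG.splitlines()
    counts: Dict[str, int] = {}
    for kind, _ in audit(lines):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, c in audit(SAMPLE_LOG.splitlines()):
        print(f"{c.ts} {kind}: {c.src} -> {c.dst}:{c.dport}/{c.proto}")
```

Run against the sample, the internal-to-internal Modbus flow and the allowlisted vendor RDP session pass, while the external Modbus connection, the SSH attempt from an unlisted address and the VPN attempt from an unlisted address each produce a finding. Feeding real firewall or NetFlow exports through `parse_line` (after adapting it to the actual format) gives the recurring attack surface review the recommendations describe, and the same logic can sit behind an alert in OT-aware monitoring.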