
Geopolitical tensions fuel surge in OT and ICS cyberattacks

New Russian group focused on Ukraine: The second new group to launch attack campaigns against industrial organizations last year, dubbed GRAPHITE, has overlaps with APT28 activities. Also known as Fancy Bear or Pawn Storm, APT28 is believed to be a unit inside Russia's General Staff Main Intelligence Directorate (GRU).

GRAPHITE launched constant phishing campaigns against hydroelectric, energy, and government entities in Eastern Europe and the Middle East. The group exploits known vulnerabilities to deploy malware that steals credentials, and while it has not yet displayed ICS Cyber Kill Chain Stage 2 capabilities, other groups tied to the Russian government and GRU have that capability, for example ELECTRUM, also known as Sandworm.

New ICS malware used in the Ukraine conflict: Russian groups have launched multiple confirmed OT/ICS attacks against Ukrainian organizations in recent years, even before the war started, resulting in power blackouts and downtimes.

One such attack happened in January 2024 and involved a piece of malware called FrostyGoop. The attack led to heating outages for more than 600 apartment buildings in the Ukrainian city of Lviv in the middle of winter during freezing temperatures. FrostyGoop targeted ENCO controllers over the Modbus protocol, but the Dragos researchers said its capabilities are not limited to ENCO devices and could also interact with PLCs, DCS, sensors, actuators, and field devices.

Ukraine-affiliated groups responded with their own attacks. In April 2024, a hacktivist group dubbed BlackJack breached Moskollektor, a Moscow municipal organization in charge of the communication system for gas, water, and sewage networks. The group claimed it disrupted communications to thousands of industrial sensors.

Researchers established that a new piece of malware called Fuxnet was used, making it the eighth known ICS-specific malware family ever discovered. The malware overwhelms sensors by sending a flood of Meter-Bus requests. Meter-Bus is a protocol for reading data from water, gas, and electricity meters. In addition, Fuxnet also has a Linux wiper component that wipes the file system of sensor gateways.

"The attack on Moskollektor underscores the normalization of attacks on industrial devices by groups driven by geopolitical conflicts," the researchers wrote. "Fuxnet was highly tailored to Moskollektor and is unlikely to be used against another industrial environment without significant changes to the codebase."

A quarter of vulnerabilities were exploitable at network perimeter: Last year Dragos reviewed 606 public vulnerability advisories for ICS devices and applied its own patch prioritization framework, which splits vulnerabilities into three categories: now, next, and never. Six percent of the flaws fell into the patch-now category: they were remotely exploitable with no authentication and were either actively exploited or had proof-of-concept exploits. Another 63% were put into the patch-next category because they could be mitigated with network hygiene and segmentation.

Overall, 22% of vulnerabilities were both exploitable over the network and located in network perimeter devices, meaning they could more easily be targeted by attackers over the internet. This was an increase from 16% in 2023.

Patching ICS devices is not always easy or fast because these devices often handle critical processes, so they require scheduled shutdown and maintenance windows. As such, mitigation is often preferred to patching. Unfortunately, 57% of advisories that provided patches offered no alternative mitigation, and 18% of advisories offered no patch or mitigation at all.

"Adversaries are not just testing OT networks, they are actively embedding themselves within critical infrastructure, positioning for long-term access, operational disruption, and potential large-scale consequences," the researchers wrote. "The time for reactive security is over. Defenders must move toward continuous monitoring, proactive threat hunting, and incident response capabilities tailored for OT environments."
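The now/next/never triage described above is easy to reproduce against an organization's own advisory feed. The following Python is an added example written for this page, not Dragos's code or its actual framework logic: it applies the criteria as the article states them (now = network-exploitable, no authentication, and actively exploited or with a public PoC; next = mitigable by network hygiene and segmentation) and treats everything else as "never", which is an assumption. The `Advisory` fields, the perimeter-exposure rule (network-exploitable and on a perimeter device), and the five sample advisories are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """Minimal advisory record; field names are this example's own, not a vendor schema."""
    advisory_id: str
    network_exploitable: bool
    requires_auth: bool
    actively_exploited: bool
    public_poc: bool
    perimeter_device: bool
    mitigable_by_segmentation: bool
    patch_available: bool
    mitigation_available: bool


PRIORITY_RANK = {"now": 0, "next": 1, "never": 2}


def prioritize(adv: Advisory) -> str:
    """Map an advisory to now / next / never using the criteria the article gives."""
    if adv.network_exploitable and not adv.requires_auth and (adv.actively_exploited or adv.public_poc):
        return "now"
    if adv.mitigable_by_segmentation:
        return "next"
    return "never"  # assumption: remainder (e.g. local-only, no segmentation relief)


def perimeter_exposed(adv: Advisory) -> bool:
    """Flag the class the article singles out: network-exploitable and on a perimeter device."""
    return adv.network_exploitable and adv.perimeter_device


def worklist(advisories: list[Advisory]) -> list[str]:
    """Order advisories for remediation: category first, perimeter-exposed ones ahead within it."""
    ordered = sorted(advisories, key=lambda a: (PRIORITY_RANK[prioritize(a)], not perimeter_exposed(a), a.advisory_id))
    return [a.advisory_id for a in ordered]


def summarize(advisories: list[Advisory]) -> dict:
    """Compute the same headline figures the report gives: category counts and exposure/mitigation rates."""
    total = len(advisories)
    counts = {"now": 0, "next": 0, "never": 0}
    for adv in advisories:
        counts[prioritize(adv)] += 1
    patched = [a for a in advisories if a.patch_available]
    patch_no_mitigation = [a for a in patched if not a.mitigation_available]
    nothing_offered = [a for a in advisories if not a.patch_available and not a.mitigation_available]
    pct = lambda part, whole: round(100.0 * part / whole, 1) if whole else 0.0
    return {
        "counts": counts,
        "perimeter_exposed_pct": pct(sum(perimeter_exposed(a) for a in advisories), total),
        "patch_without_mitigation_pct": pct(len(patch_no_mitigation), len(patched)),
        "no_patch_no_mitigation_pct": pct(len(nothing_offered), total),
    }


# Constructed sample advisories (IDs and attributes are invented for this example).
SAMPLE = [
    Advisory("ADV-0001", True, False, True, False, True, True, True, False),
    Advisory("ADV-0002", True, True, False, True, False, True, True, True),
    Advisory("ADV-0003", False, False, False, True, False, False, False, False),
    Advisory("ADV-0004", True, False, False, True, True, True, True, True),
    Advisory("ADV-0005", True, False, False, False, False, True, False, True),
]

if __name__ == "__main__":
    for adv in SAMPLE:
        print(adv.advisory_id, prioritize(adv), "perimeter" if perimeter_exposed(adv) else "internal")
    print(summarize(SAMPLE))
    print(worklist(SAMPLE))
```

Feeding real advisories in means filling the boolean fields from the advisory's own text and from asset inventory (which devices sit at the perimeter, which segments already block the affected service); the "next" bucket only holds if the segmentation it relies on is actually verified, so the classification should be re-run whenever the network architecture changes.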

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3832995/geopolitical-tensions-fuel-surge-in-ot-and-ics-cyberattacks.html
