Cyber Criminals Volunteer For War In Ukraine

Russia’s invasion of Ukraine has taken place both on and offline, blending physical devastation with escalating digital warfare, and ransomware gangs and other hacking groups of both Russian and Ukrainian origin have taken to social media to announce where their allegiances lie.

The infamous cyber criminal group behind Conti ransomware has announced its full support for the Russian government and threatened to strike the critical infrastructure of anyone launching cyber attacks or war actions against Russia. At the same time the Anonymous hacking group has taken sides with Ukraine and is “officially in a cyber war against the Russian government.”

Meanwhile, other hacking groups are targeting industrial systems and growing more confident in their attack methods. Critical infrastructure, like power generation and distribution, is becoming more complex and reliant on networks of connected devices. Not so long ago, power grids and other critical infrastructure operated in isolation, but now they are far more interconnected, both geographically and across different energy generation sectors, which increases their vulnerability.

The cyber security company Dragos has released a report detailing how electricity, oil, gas, and other critical infrastructure facilities are being increasingly targeted by cyber attackers who seek to compromise Industrial Control Systems (ICS) and Operational Technology (OT).  

Dragos says that the biggest cyber security weaknesses that European energy producers currently face are a lack of asset visibility into their network and weak network authentication policies. 

Without asset visibility, organisations are unable to properly secure their OT environments, as defenders cannot protect what they cannot see. Industrial operators should evaluate and implement the principle of least privilege to limit unauthorised access to OT environments. If compromised, ICS and OT can enable attackers to disrupt or tamper with critical services.

The report from Dragos details ten different hacking operations that are known to actively target industrial systems in North America and Europe. Dragos also warned that this malicious activity is likely to grow over the next year.

The ten operations include several state-backed hacking groups, such as Electrum/Sandworm, which is linked to the Russian military, and Covellite, which has ties to North Korea’s Lazarus Group. Vanadinite is also on the list and has ties to a hacking group working on behalf of China.

Dragos warns that more and more critical infrastructure is connected to the internet, making it accessible to staff via remote desktop protocols and VPNs. These systems are increasingly easy and attractive targets for malicious hacking groups interested in breaching networks.
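The two weaknesses Dragos highlights, missing asset visibility and weakly controlled remote access, can be turned into a simple reconciliation check. The script below is an added example, not code from the article or from Dragos: it compares hosts seen on the wire against an authorised asset register, reports unregistered hosts, and flags remote-access sessions (RDP, SSH, VNC, VPN) that the register does not permit. All addresses, roles and flows are constructed sample data.

```python
# Added example: reconcile passively observed OT traffic against an asset register.
# All addresses, roles and flows are constructed sample data, not real assets.

# What the operator believes is on the OT network (constructed register).
ASSET_REGISTER = {
    "10.10.1.10": {"role": "PLC", "zone": "control", "remote_access": False, "mfa": False},
    "10.10.1.20": {"role": "HMI", "zone": "control", "remote_access": True, "mfa": True},
    "10.10.1.30": {"role": "EWS", "zone": "control", "remote_access": False, "mfa": False},
    "10.10.2.5": {"role": "jump-host", "zone": "dmz", "remote_access": True, "mfa": True},
}

# Flows seen by passive monitoring: (src, dst, dst_port, protocol) (constructed).
OBSERVED_FLOWS = [
    ("10.10.1.20", "10.10.1.10", 502, "tcp"),    # HMI polling the PLC over Modbus/TCP
    ("10.10.2.5", "10.10.1.20", 3389, "tcp"),    # jump host -> HMI over RDP (expected path)
    ("10.10.2.5", "10.10.1.30", 3389, "tcp"),    # jump host -> EWS over RDP (not approved)
    ("10.10.1.77", "10.10.1.10", 502, "tcp"),    # unregistered host talking Modbus to the PLC
    ("203.0.113.9", "10.10.1.20", 3389, "tcp"),  # external address reaching HMI RDP directly
]

# Remote-access services that the register must explicitly authorise per asset.
REMOTE_ACCESS_PORTS = {22: "ssh", 1194: "openvpn", 3389: "rdp", 5900: "vnc"}

def unknown_assets(flows, register):
    """Hosts seen on the wire but absent from the register: the visibility gap."""
    seen = {ip for src, dst, _, _ in flows for ip in (src, dst)}
    return sorted(seen - set(register))

def remote_access_findings(flows, register):
    """Return (target, service, reason) for remote-access sessions the register does not
    permit: target not approved for remote access, target lacking MFA, or unregistered source."""
    findings = []
    for src, dst, port, _proto in flows:
        service = REMOTE_ACCESS_PORTS.get(port)
        if service is None:
            continue  # not a remote-access service; process traffic is out of scope here
        target = register.get(dst)
        if target is None:
            findings.append((dst, service, "target not in register"))
            continue
        if not target["remote_access"]:
            findings.append((dst, service, "remote access not authorised for this asset"))
        if not target["mfa"]:
            findings.append((dst, service, "remote access without MFA"))
        if src not in register:
            findings.append((dst, service, f"source {src} not in register"))
    return findings
```

In practice the flow list would come from a passive sensor export and the register from the site's CMDB; the findings feed change-control, not automatic blocking, since an OT network cannot afford false-positive disconnects.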

According to Dragos, the 10 most active threat groups targeting critical infrastructure are: 

  • Xenotime: a group which targets oil & gas companies in Europe, the United States and Australia. It's easily the most dangerous threat activity publicly known. It is the only activity group intentionally compromising and disrupting industrial safety instrumented systems, which can lead to scenarios involving loss of life and environmental damage.
  • Magnallium: a group which initially targeted oil and gas and aircraft companies in Saudi Arabia, and has since expanded its targeting to Europe and North America. It's thought to be related to APT 33, a state-sponsored Iranian hacking group.
  • Electrum: this group is capable of developing malware that can modify and control OT procedures, and Dragos researchers say this operation was responsible for Crash Override, a malware attack on Ukraine's power grid in December 2016. Electrum is associated with Sandworm, an offensive hacking operation that's part of Russia's GRU military intelligence agency.
  • Allanite: a group which targets enterprise and OT networks in the UK and US electricity sectors, as well as German industrial infrastructure, and uses that access to conduct reconnaissance on networks to potentially stage future disruptive events. It's believed Allanite is linked to Russia.
  • Chrysene: active since at least 2017, this group has targeted industrial organisations in Europe and the Middle East, and mainly conducts intelligence gathering operations to potentially facilitate further attacks. Chrysene is suspected to be linked to Iran.
  • Kamacite: a group which has been active since at least 2014 and is believed to be responsible for cyber attacks against Ukrainian power facilities in 2015 and 2016. The group is linked to Sandworm.
  • Covellite: a group which has targeted electric utilities in Europe, the US and East Asia using malicious attachments in phishing emails. The group is thought to be linked to the Lazarus Group, a state-backed hacking group working out of North Korea.
  • Vanadinite: a hacking group which targets external-facing, vulnerable software in industrial organisations around the world. It's thought to be linked to APT 41, a state-sponsored Chinese hacking operation.
  • Parasite: a group which targets utilities, aerospace and oil and gas in Europe, the Middle East and North America. The group uses open source tools and known vulnerabilities for initial access. Parasite is suspected to be linked to Iran.
  • Dymalloy: a group which targets electric utilities, oil and gas and other advanced industrial entities across Europe, Turkey and North America. Described as "highly aggressive", Dymalloy looks for long-term persistence in networks and is thought to be linked to Russia.

Although it could take years to conduct a successful attack and understand the intricacies of the OT systems, hackers are most likely working to lay the groundwork for a major attack right now.
