Cyber Criminals Volunteer For War In Ukraine

Russia’s invasion of Ukraine has taken place both on and offline, blending physical devastation with escalating digital warfare. Ransomware gangs and other hacking groups of both Russian and Ukrainian origin have taken to social media to announce where their allegiances lie.

The infamous cyber criminal group behind Conti ransomware has announced its full support for the Russian government and threatened to strike the critical infrastructure of anyone launching cyber attacks or war actions against Russia. At the same time the Anonymous hacking group has taken sides with Ukraine and is “officially in a cyber war against the Russian government.”

Beyond these declarations, other hacking groups are targeting industrial systems and growing more confident in their attack methods. Critical infrastructure, like power generation and distribution, is becoming more complex and reliant on networks of connected devices. Not so long ago, power grids and other critical infrastructure operated in isolation, but now they are far more interconnected, both geographically and across different energy generation sectors, which increases their vulnerability.

The cyber security company Dragos has released a report detailing how electricity, oil, gas, and other critical infrastructure facilities are being increasingly targeted by cyber attackers who seek to compromise Industrial Control Systems (ICS) and Operational Technology (OT).  

Dragos says that the biggest cyber security weaknesses that European energy producers currently face are a lack of asset visibility into their network and weak network authentication policies. 

Without asset visibility, organisations are unable to properly secure their OT environments, as defenders cannot protect what they cannot see. Industrial operators should evaluate and implement the principle of least privilege to limit unauthorised access to OT environments. If compromised, ICS and OT can enable attackers to disrupt or tamper with critical services.

The report from Dragos details ten different hacking operations that are known to actively target industrial systems in North America and Europe. Dragos also warned that this malicious activity is likely to grow over the next year.

Among the ten operations are several state-backed hacking groups, such as Electrum/Sandworm, which is linked to the Russian military, and Covellite, which has ties to North Korea’s Lazarus Group. Vanadinite is also on the list and has ties to a hacking group working on behalf of China.

Dragos warns that more and more critical infrastructure is connected to the internet, making it accessible to staff via remote desktop protocols and VPNs. These systems are increasingly easy and attractive targets for malicious hacking groups interested in breaching networks.

According to Dragos, the 10 most active threat groups targeting critical infrastructure are: 

  • Xenotime: a group which targets oil & gas companies in Europe, the United States and Australia. It is easily the most dangerous threat activity publicly known, and the only activity group known to intentionally compromise and disrupt industrial safety instrumented systems, which can lead to scenarios involving loss of life and environmental damage.
  • Magnallium: a group which initially targeted oil and gas and aircraft companies in Saudi Arabia and has since expanded its targeting to Europe and North America. It is thought to be related to APT 33, a state-sponsored Iranian hacking group.
  • Electrum: this group is capable of developing malware that can modify and control OT procedures, and Dragos researchers say it was responsible for Crash Override, the malware attack on Ukraine's power grid in December 2016. Electrum is associated with Sandworm, an offensive hacking operation that is part of Russia's GRU military intelligence agency.
  • Allanite: a group which targets enterprise and OT networks in the UK and US electricity sectors, as well as German industrial infrastructure, and uses that access to conduct reconnaissance on networks, potentially to stage future disruptive events. Allanite is believed to be linked to Russia.
  • Chrysene: active since at least 2017, this group has targeted industrial organisations in Europe and the Middle East, and mainly conducts intelligence gathering operations that could facilitate further attacks. Chrysene is suspected to be linked to Iran.
  • Kamacite: a group which has been active since at least 2014 and is believed to be responsible for cyber attacks against Ukrainian power facilities in 2015 and 2016. The group is linked to Sandworm.
  • Covellite: a group which has targeted electric utilities in Europe, the US and East Asia using malicious attachments in phishing emails. The group is thought to be linked to the Lazarus Group, a state-backed hacking group working out of North Korea.
  • Vanadinite: a hacking group which targets external-facing, vulnerable software in industrial organisations around the world. It is thought to be linked to APT 41, a state-sponsored Chinese hacking operation.
  • Parasite: a group which targets utilities, aerospace and oil and gas in Europe, the Middle East and North America. The group uses open source tools and known vulnerabilities for initial access. Parasite is suspected to be linked to Iran.
  • Dymalloy: a group which targets electric utilities, oil and gas and other advanced industrial entities across Europe, Turkey and North America. Described as "highly aggressive", Dymalloy looks for long-term persistence in networks and is thought to be linked to Russia.

Although it could take years to conduct a successful attack and understand the intricacies of the OT systems, hackers are most likely working to lay the groundwork for a major attack right now.

Sources: Dragos, Allianz, Oodaloop, ZDNet, The Record, Ars Technica, CSO Online
