Cyber Criminals Volunteer For War In Ukraine

Russia’s invasion of Ukraine has taken place both on and offline, blending physical devastation with escalating digital warfare and ransomware gangs and other hacking groups of both Russian nd Ukrainian origin have taken to social media to announce where their allegiances lie. 

The infamous cyber criminal group behind Conti ransomware has announced its full support for the Russian government and threatened to strike the critical infrastructure of anyone launching cyber attacks or war actions against Russia. At the same time the Anonymous hacking group has taken sides with Ukraine and is “officially in a cyber war against the Russian government.”

But now other attacking hackers are targeting industrial systems and they are getting more confident in their attack methods. Critical infrastructure, like power generation and distribution, is becoming more complex and reliant on networks of connected devices. Not so long ago, power grids and other critical infrastructure operated in isolation but now they are far more interconnected in terms of geography and across different energy generation sectors, increasing their vulnerability. 

The cyber security company Dragos has released a report detailing how electricity, oil, gas, and other critical infrastructure facilities are being increasingly targeted by cyber attackers who seek to compromise Industrial Control Systems (ICS) and Operational Technology (OT).  

Dragos says that the biggest cyber security weaknesses that European energy producers currently face are a lack of asset visibility into their network and weak network authentication policies. 

Without asset visibility organisations are unable to properly secure their OT environments as defenders cannot protect what they cannot see. Industrial operators should evaluate and implement the principle of least privilege to limit unauthorised access to OT environments. If compromised, ICS and OT can enable attackers to disrupt or tamper with critical services.

The report from Dragos details ten different hacking operations that are known to actively target industrial systems in North America and Europe. Dragos also warned that this malicious activity is likely to grow over the next year.

Among the ten operations includes several state-backed hacking gang such as Electrum/Sandworm, which is linked to the Russian military, and Covellite, which has ties to North Korea’s Lazarus Group. Vanadinite is also on the list and has ties to a hacking group working on behalf of China.

Dragos warns that more and more critical infrastructure is connected to the internet, making it accessible to staff by remote desktop protocols and VPNs. They are increasingly easy and attractive targets for malicious hacking groups interesting in breaching networks.

According to Dragos, the 10 most active threat groups targeting critical infrastructure are: 

  •  Xenotime: a group which targets oil & gas companies in Europe, the United States and Australia. It's easily the most dangerous threat activity publicly known. It is the only activity group intentionally compromising and disrupting industrial safety instrumented systems, which can lead to scenarios involving loss of life and environmental damage.
  • Magnallium: a group which initially targeted oil and gas and aircract companies in Saudi Arabia, which has expanded targeted to Europe and North America. It's thought to be related to APT 33, a state-sponsored Iranian hacking group.   
  • Electrum: this group is capable of developing malware that can modify and control OT procedures and Dragos researchers say this operation was responsible for Crash Override a malware attack on Ukraine's power grid in December 2016. Electrum is associated with Sandworm, an offensive hacking operation that's part of Russia's GRU military intelligence agency. 
  • Allanite: a group which targets enterprise and OT networks in the UK and US electricity sectors, as well as German industrial infrastructure and uses access to conduct reconnaissance on networks to potentially stage future disruptive events. It's believed Allanite is linked to Russia.
  • Chrysene: Active since at least 2017, this group has targeted industrial organisations in Europe and the Middle East, and mainly conducts intelligence gathering operations to potentially facilitate further attacks. Chrysense is suspected to be linked to Iran.
  • Kamacite: a group which has been active since at least 2014 and believed to be responsible for cyber attacks against Ukrainian power facilities in 2015 and 2016. The group is linked to Sandworm.
  • Covellite: a group which has targeted electric utilities in Europe, the US and East Asia using malicious attachments in phishing emails. The group is thought to be linked to the Lazarus Group, a state-backed hacking group working out of North Korea.
  • Vanadinite: A hacking group which targets external-facing, vulnerable software in industrial organisations around the world. It's thought to be linked to APT 41, a state-sponsored Chinese hacking operation.  
  • Parasite: a group which targets utilities, aerospace and oil and gas in Europe, the Middle East and North America. Thee group uses open source tools and known vulnerabilities for initial access. Parasite is suspected to be linked to Iran.
  • Dymalloy: a group which targets electric utilities, oil and gas and other advanced industrial entities across Europe, Turkey and North America. Described as "highly aggressive", Dymalloy looks for long-term persistence in networks and is thought to be linked to Russia.

Although it could take years to conduct a successful attack and understand the intricacies of the OT systems, hackers are most likely working to lay the groundwork for a major attack right now.

Dragos:    Allianz:     Oodaloop:      ZDNet:    The Record:      Ars Technica:     CSO Online:  

You Might Also Read:  

The Importance Of Securing OT Platforms:

 

« Impress Your Cyber Insurance Underwriters With These Essential Tips
EU & US Agree New Data Rules To Replace Privacy Shield »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

WEBINAR: How To Build And Implement An Effective Endpoint Detection And Response Strategy

WEBINAR: How To Build And Implement An Effective Endpoint Detection And Response Strategy

Join this webinar to learn how the cloud threat landscape is evolving and organizations are deploying more advanced and capable security controls at scale.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

European Council on Foreign Relations (ECFR)

European Council on Foreign Relations (ECFR)

ECFR is a pan-European think-tank conducting research and promote informed debate on European foreign policy. Cyber security is becoming an intrinsic element of foreign policy debate.

CyberDefcon

CyberDefcon

CyberDefcon is an independent organization dedicated to the pursuit of making the internet a safer place.

SecurePay

SecurePay

SecurePay is Australia's premier payment gateway, with a range of secure online payment solutions for online retailers, SMEs and enterprise businesses.

BCS Financial

BCS Financial

BCS Financial delivers financial and insurance solutions. Specialty risk products include Cyber and Privacy Liability insurance.

Robert Half Technology

Robert Half Technology

Robert Half Technology offers a full spectrum of technology staffing solutions to meet contract and full-time IT recruitment needs.

Taqnia Cyber

Taqnia Cyber

Taqnia Cyber specializes in the fields of cyber security, intelligence, operations, and training. It offers its services and consultations to both public and private sectors.

Awake Security

Awake Security

Awake Security offer a security solution built on an AI platform that acts like the human brain to sense, detect, and respond to threats you may not even know exist.

SK IT Cyber Security

SK IT Cyber Security

SK IT provide services and solutions for cybersecurity and advanced information system engineering.

Yaana Technologies

Yaana Technologies

Yaana is a leading provider of intelligent compliance solutions including lawful interception, data retention & disclosure, and advanced security analytics.

Salient Law

Salient Law

Salient Law is a virtual law firm that specialises in advising providers and users of technology on contracts involving technology.

CHEQ

CHEQ

CHEQ provides fully autonomous, preemptive technology for brand safety and ad-fraud prevention.

Cyber Security Advisor

Cyber Security Advisor

Notice how sophisticated the cybersecurity market is. Think how would you pick the security provider, assess your company, and be sure of your security decisions? Cyber Security Advisor is the answer!

Safe Systems

Safe Systems

Safe Systems provide compliance centric IT services for community banks and credit unions, ensuring that they are kept up to date on current technologies, security risks, and regulatory changes.

PCS Security (PCSS)

PCS Security (PCSS)

PCS Security provides secure, reliable and state-of-the-art security solutions to help our customers address their security concerns.

Allurity

Allurity

Allurity is a group of tech-enabled cybersecurity service providers, comprised of best-in-class experts with a common mission to enable a safe digital world.

Rhymetec

Rhymetec

Rhymetec are an industry leader in cloud security, providing innovative cybersecurity and data privacy services to the modern-day SaaS business.