Cyber Criminals Volunteer For War In Ukraine

Russia’s invasion of Ukraine has taken place both on and offline, blending physical devastation with escalating digital warfare and ransomware gangs and other hacking groups of both Russian nd Ukrainian origin have taken to social media to announce where their allegiances lie. 

The infamous cyber criminal group behind Conti ransomware has announced its full support for the Russian government and threatened to strike the critical infrastructure of anyone launching cyber attacks or war actions against Russia. At the same time the Anonymous hacking group has taken sides with Ukraine and is “officially in a cyber war against the Russian government.”

But now other attacking hackers are targeting industrial systems and they are getting more confident in their attack methods. Critical infrastructure, like power generation and distribution, is becoming more complex and reliant on networks of connected devices. Not so long ago, power grids and other critical infrastructure operated in isolation but now they are far more interconnected in terms of geography and across different energy generation sectors, increasing their vulnerability. 

The cyber security company Dragos has released a report detailing how electricity, oil, gas, and other critical infrastructure facilities are being increasingly targeted by cyber attackers who seek to compromise Industrial Control Systems (ICS) and Operational Technology (OT).  

Dragos says that the biggest cyber security weaknesses that European energy producers currently face are a lack of asset visibility into their network and weak network authentication policies. 

Without asset visibility organisations are unable to properly secure their OT environments as defenders cannot protect what they cannot see. Industrial operators should evaluate and implement the principle of least privilege to limit unauthorised access to OT environments. If compromised, ICS and OT can enable attackers to disrupt or tamper with critical services.

The report from Dragos details ten different hacking operations that are known to actively target industrial systems in North America and Europe. Dragos also warned that this malicious activity is likely to grow over the next year.

Among the ten operations includes several state-backed hacking gang such as Electrum/Sandworm, which is linked to the Russian military, and Covellite, which has ties to North Korea’s Lazarus Group. Vanadinite is also on the list and has ties to a hacking group working on behalf of China.

Dragos warns that more and more critical infrastructure is connected to the internet, making it accessible to staff by remote desktop protocols and VPNs. They are increasingly easy and attractive targets for malicious hacking groups interesting in breaching networks.

According to Dragos, the 10 most active threat groups targeting critical infrastructure are: 

  •  Xenotime: a group which targets oil & gas companies in Europe, the United States and Australia. It's easily the most dangerous threat activity publicly known. It is the only activity group intentionally compromising and disrupting industrial safety instrumented systems, which can lead to scenarios involving loss of life and environmental damage.
  • Magnallium: a group which initially targeted oil and gas and aircract companies in Saudi Arabia, which has expanded targeted to Europe and North America. It's thought to be related to APT 33, a state-sponsored Iranian hacking group.   
  • Electrum: this group is capable of developing malware that can modify and control OT procedures and Dragos researchers say this operation was responsible for Crash Override a malware attack on Ukraine's power grid in December 2016. Electrum is associated with Sandworm, an offensive hacking operation that's part of Russia's GRU military intelligence agency. 
  • Allanite: a group which targets enterprise and OT networks in the UK and US electricity sectors, as well as German industrial infrastructure and uses access to conduct reconnaissance on networks to potentially stage future disruptive events. It's believed Allanite is linked to Russia.
  • Chrysene: Active since at least 2017, this group has targeted industrial organisations in Europe and the Middle East, and mainly conducts intelligence gathering operations to potentially facilitate further attacks. Chrysense is suspected to be linked to Iran.
  • Kamacite: a group which has been active since at least 2014 and believed to be responsible for cyber attacks against Ukrainian power facilities in 2015 and 2016. The group is linked to Sandworm.
  • Covellite: a group which has targeted electric utilities in Europe, the US and East Asia using malicious attachments in phishing emails. The group is thought to be linked to the Lazarus Group, a state-backed hacking group working out of North Korea.
  • Vanadinite: A hacking group which targets external-facing, vulnerable software in industrial organisations around the world. It's thought to be linked to APT 41, a state-sponsored Chinese hacking operation.  
  • Parasite: a group which targets utilities, aerospace and oil and gas in Europe, the Middle East and North America. Thee group uses open source tools and known vulnerabilities for initial access. Parasite is suspected to be linked to Iran.
  • Dymalloy: a group which targets electric utilities, oil and gas and other advanced industrial entities across Europe, Turkey and North America. Described as "highly aggressive", Dymalloy looks for long-term persistence in networks and is thought to be linked to Russia.

Although it could take years to conduct a successful attack and understand the intricacies of the OT systems, hackers are most likely working to lay the groundwork for a major attack right now.

Dragos:    Allianz:     Oodaloop:      ZDNet:    The Record:      Ars Technica:     CSO Online:  

You Might Also Read:  

The Importance Of Securing OT Platforms:

 

« Impress Your Cyber Insurance Underwriters With These Essential Tips
EU & US Agree New Data Rules To Replace Privacy Shield »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Baker McKenzie

Baker McKenzie

Baker & McKenzie is an international law firm. Practice areas include Data & Technology.

BruCERT

BruCERT

BruCERT is the referral agency for dealing with computer-related and internet-related security incidents in Brunei Darussalam.

Copper Horse Solutions

Copper Horse Solutions

Copper Horse specialises in mobile and IoT security, engineering solutions throughout the product lifecycle from requirements to product security investigations.

Sucuri

Sucuri

Sucuri have offered holistic website security solutions since 2008 including malware removal, malware monitoring and website protection services.

Identity Automation

Identity Automation

Identity Automation is a leading provider of Identity and Access Management software.

idappcom

idappcom

idappcom provides unique industry approved software solutions for auditing and enhancing the threat recognition and response capabilities of your corporate security defences.

Namogoo

Namogoo

Namogoo’s disruptive technology identifies and blocks unauthorized product ads that are injected into customer web sessions by client-side Digital Malware.

Data61

Data61

Data61 is Australia’s leading digital research network offering the research capabilities, IP and collaboration programs to unleash the country’s digital & data-driven potential.

VietSunshine

VietSunshine

VietSunshine is a leading provider of network security infrastructure and solutions in Vietnam.

SmartCyber

SmartCyber

SmartCyber is a company specializing in custom IT projects and Cybersecurity.

Attack Research

Attack Research

We go far beyond standard tools and scripted tests. Find out if your network or technology can stand real-world and dedicated attackers.

LinkShadow

LinkShadow

LinkShadow is a next-generation cybersecurity solution that provides unparalleled detection of even the most sophisticated threats.

Allurity

Allurity

Allurity is a group of tech-enabled cybersecurity service providers, comprised of best-in-class experts with a common mission to enable a safe digital world.

Central Intelligence Agency (CIA)

Central Intelligence Agency (CIA)

The CIA is an independent agency responsible for providing national security intelligence to senior US policymakers. This includes cyber security related activities.

Insurica

Insurica

INSURICA is a full-service insurance agency built upon a tradition of integrity, industry leadership, and excellence.

Assurestor

Assurestor

Assurestor's singular focus is delivering leading cloud-based backup and disaster recovery designed to increase levels of IT resilience.