Three new advanced threat groups targeted industrial organizations last year
VOLTZITE relies heavily on living-off-the-land techniques and hands-on post-compromise actions with the goal of expanding its access from the IT network perimeter to the OT network. The group is believed to have been in operation since at least 2021 and has targeted critical infrastructure entities in Guam, the United States, and other countries, with a focus on electric companies. The group has also targeted organizations in the fields of cybersecurity research, technology, the defense industrial base, banking, satellite services, telecommunications, and education.
“Dragos’s analysis of VOLTZITE operations underscores the need for ongoing vigilance among organizations operating in the global electric sector, as the observed activity suggests continued and specific interest in these networks,” Dragos said in its report. “Further, VOLTZITE’s actions involving prolonged surveillance and data gathering align with Volt Typhoon’s assessed objectives of reconnaissance and gaining geopolitical advantage in the Asia-Pacific region.”
Another new group, GANANITE, is focused on cyberespionage and data theft. The group’s targets have primarily been critical infrastructure and government organizations from Central Asia and countries from the Commonwealth of Independent States (CIS). GANANITE is known for using publicly available proof-of-concept exploits to compromise internet-exposed endpoints and for its use of several remote access trojans, including Stink Rat, LodaRAT, WarzoneRAT, and JLORAT. The latter has previously been associated with activity by a known APT group tracked as Turla, which is believed to be associated with the Russian internal security service, the FSB.
“GANANITE has been observed conducting multiple attacks against key personnel related to ICS operations management in a prominent European oil and gas company, rail organizations in Turkey and Azerbaijan, multiple transportation and logistics companies, an automotive machinery company, and at least one European government entity overseeing public water utilities,” Dragos said.
The third new group, LAURIONITE, has been observed exploiting vulnerabilities in Oracle E-Business Suite iSupplier web services belonging to organizations from the aviation, automotive, manufacturing, and government sectors. Oracle E-Business Suite is a popular enterprise solution for integrated business processes used across many industries. LAURIONITE has not been observed attempting to pivot to OT networks yet, but the potential is there given its targets and the type of information about suppliers and vendor relationships that Oracle E-Business Suite iSupplier instances might contain.
Ransomware and hacktivism also pose a threat to operational technology
While ransomware groups don’t typically target OT assets directly, industrial organizations that have ransomware incidents on their IT networks might shut down their OT assets as a preventive measure, leading to disruptions. According to Dragos’s tracking, the number of ransomware incidents that impacted industrial organizations increased by 50% last year, and over 70% of them impacted manufacturers.