Meet the Latest Players in Industrial Control System Cyber Intrusions
There was a noticeable uptick in new groups targeting industrial control systems (ICS) in 2021, with attacks gaining high profile attention around the world, according to an annual cybersecurity report released Wednesday.
In the fifth ICS/OT Cybersecurity Year in Review 2021 report on ICS and operational technology (OT) cyber threats, Dragos looked at high-profile incidents that caught media attention—including the Colonial Pipeline and JBS ransomware attacks. Sixty-five percent of the ransomware incidents Dragos tracked in 2021 were focused on the manufacturing sector, and two ransomware groups (Conti and Lockbit 2.0) were responsible for 51 percent of the attacks.
“Currently, Dragos tracks 18 worldwide threat groups, with three of the newest groups discovered during 2021,” according to the report. “Two of the new activity groups—KOSTOVITE and ERYTHRITE—demonstrate Stage 2 ICS Cyber Kill Chain intrusions with a focus on access operations and data theft over disruption. This shows that adversaries are willing to spend time, effort, and resources targeting, compromising, and harvesting information from ICS/OT environments for future purposes.”
New Activity Groups
In the Dragos Year in Review report, the authors wrote that the company discovered three new activity groups that are targeting ICS/OT systems. Two of those groups have achieved Stage 2 of the ICS Cyber Kill Chain, which shows “their ability to gain access directly to ICS/OT networks,” according to the report.
The three new groups follow an average of what Dragos has been tracking over the years, said Robert M. Lee, CEO and founder of Dragos, in a briefing with reporters on the report’s findings.
KOSTOVITE. This group has been active since 2021, and it is one of the groups that has achieved Stage 2 activity. Dragos’ incident response team discovered the group following an intrusion at a major renewable energy operation and maintenance (O&M) firm. Their investigation found that KOSTOVITE actors were able to access the O&M firm’s OT networks and devices.
“In March 2021, when KOSTOVITE compromised the perimeter of this renewable energy O&M network, it exploited a zero-day vulnerability in the popular remote access solution Ivanti Connect Secure, formerly known as Pulse Secure,” according to the report.
KOSTOVITE actors then used “dedicated operational relay infrastructure against this target to obfuscate the origin of its activities and then stole and used legitimate account credentials for this intrusion,” the report explained. “KOSTOVITE then used the stolen account information to move laterally and gain access to the OT environments of multiple energy generation facilities in North America and Australia from the one single ingress location. Once past the perimeter ingress, KOSTOVITE used only what is referred to as the target’s organic infrastructure, meaning no tools or code from outside the target’s network, to move laterally across target infrastructure.”
This incident highlights the risks of interconnectivity between organizations, since there is lack of understanding in the ICS community about how intrusions of integrators, suppliers, and maintenance firms connected to their OT networks might impact them, the report added.
Lee explained that while the investigation did not determine the intent of the KOSTOVITE actors, the post-intrusion analysis pointed to the actors attempting to gain long-term access for future disruptions. For instance, the actors gained access to systems where they could control and monitor the network.
“It was the access you’d want for turning off that generation capability,” Lee said.
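The KOSTOVITE pattern described above (one stolen legitimate account, one ingress point, then lateral movement into OT hosts at several generation sites using only the target's own infrastructure) leaves a detectable trace in authentication logs even when no attacker tooling is present. The following is an added example, not Dragos code or data, that runs a simple fan-out rule over constructed sample log lines; the account names, hosts, sites and log format are all assumptions.

```python
"""Flag one account reaching OT hosts at multiple sites from a single source
within a short window. Sample lines are constructed for illustration and
are not from the Dragos report or any real incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user src_ip dst_host site"
SAMPLE_LOGS = """\
2021-03-02T08:00:05 svc_maint 203.0.113.7 vpn-gw01 corp
2021-03-02T08:04:11 svc_maint 10.10.5.20 hmi-wind01 site-na-1
2021-03-02T08:09:40 svc_maint 10.10.5.20 scada-wind02 site-na-1
2021-03-02T08:15:02 svc_maint 10.10.5.20 hist-solar01 site-na-2
2021-03-02T08:21:33 svc_maint 10.10.5.20 hmi-wind07 site-au-1
2021-03-02T09:30:00 jsmith 10.10.8.14 eng-ws03 site-na-1
2021-03-02T09:31:10 jsmith 10.10.8.14 hist-na01 site-na-1
"""

def parse(lines):
    """Turn the whitespace-separated sample format into event tuples."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, site = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst, site))
    return events

def find_fan_out(events, window=timedelta(minutes=30), min_sites=2, min_hosts=3):
    """Return alerts for (user, source) pairs that log on to at least
    min_hosts distinct hosts spanning at least min_sites sites within
    `window` of that pair's first logon. Thresholds are assumptions and
    should be tuned to what normal maintenance access looks like."""
    by_key = defaultdict(list)
    for ts, user, src, dst, site in events:
        by_key[(user, src)].append((ts, dst, site))
    alerts = []
    for (user, src), hits in by_key.items():
        hits.sort()
        start = hits[0][0]
        in_win = [(d, s) for ts, d, s in hits if ts - start <= window]
        hosts = {d for d, _ in in_win}
        sites = {s for _, s in in_win}
        if len(hosts) >= min_hosts and len(sites) >= min_sites:
            alerts.append({"user": user, "src": src,
                           "hosts": sorted(hosts), "sites": sorted(sites)})
    return alerts

if __name__ == "__main__":
    for alert in find_fan_out(parse(SAMPLE_LOGS)):
        print(alert)
```

In the sample, only svc_maint from 10.10.5.20 trips the rule; the same account's single VPN gateway logon and jsmith's two same-site logons do not.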
PETROVITE. This group is engaged in Stage 1 ICS Cyber Kill Chain activity, targeting mining and energy operations in Kazakhstan. Dragos has not connected the group to any known, disruptive event, but has identified that PETROVITE is interested in collecting information on ICS/OT systems and networks.
In the briefing, Lee explained that the activity Dragos observed showed that PETROVITE seemed to be collecting intellectual property to learn more about production processes and servers themselves. PETROVITE would also do search engine optimization poisoning, populating information into search results that would lead targets to malicious websites.
“Intrusions during 2019 used compromised legitimate infrastructure in Kazakhstan, whereas intrusions during 2021 focused on compromising legitimate infrastructure in other parts of the world,” according to the report.
ERYTHRITE. This group has been active since at least May 2020 and has been observed engaging in Stage 2 ICS Cyber Kill Chain activity, focused on organizations in the United States and Canada. These include a Fortune 500 company, the IT networks of a large electrical utility, auto manufacturers, food and beverage companies, IT service providers, and oil and natural gas service firms.
Like PETROVITE, ERYTHRITE also uses search engine poisoning to ultimately steal legitimate credentials to gain access to targets.
“In ERYTHRITE’s most recent Search Engine Optimization (SEO) poisoning campaign they used a two-pronged approach that began with uploading specially crafted PDF documents to otherwise legitimate websites which in turn linked to malware delivery sites,” according to the report. “ERYTHRITE leveraged the popular WordPress plugin Formidable Forms to upload hundreds of malicious PDFs loaded with thousands of keywords. These keywords were optimized for search engine crawling so that the SEO poisoned PDFs hosted on the otherwise legitimate but subverted websites appeared at the top of a search. When Dragos reached out to the owner of one subverted website, the owner confirmed that the adversary abused an unprotected Formidable Forms-based contact form, enabling arbitrary file uploads. Dragos assesses with moderate confidence that ERYTHRITE has misused the unprotected Formidable Forms contact pages of multiple other websites.”
Along with an uptick in activity, Dragos also tracked an increase in the release of common vulnerabilities and exposures (CVEs) in 2021. Unfortunately, however, nearly all of these advisories—92 percent—had no mitigation measures. Thirty-eight percent of the ICS vulnerability advisories released contained errors that would make it difficult to prioritize them; 49 percent could cause both a loss of view and control in OT systems; and 65 percent contained no alternative mitigations beyond a patch.
“There continues to be a trend where the guidance in vulnerabilities is lacking in context and details for operators to make risk-based decisions,” the report said. “Dragos needed to add additional mitigation strategies for 61 percent of advisories that did not have sufficient mitigation advice in 2021.”
Following the Colonial Pipeline ransomware attack, the U.S. Transportation Security Agency (TSA) released new regulations for pipelines in the United States that require them to patch their equipment within 30 days. Lee, however, said this is not good advice.
“And if you were to do that, you’d reduce the resilience of our pipeline infrastructure and probably cause more outages than just leaving the vulnerabilities alone,” he said.
Lee added that the big push to patch for known vulnerabilities in the ICS/OT environment is misaligned with the risks. Instead, he explained that it’s more important to think about the risk the vulnerability poses to the overall system and if that risk is acceptable.
“Could you use that vulnerability to cause impact on the industrial world?” Lee said. “In this past year, 49 percent of vulnerabilities fell into this category.”
Lee also said that actions like the 100-day sprints that the U.S. government has initiated for the electric, oil and gas, and water utility sectors have been more beneficial because they have focused on putting the ability to detect and respond to threats in place.
Additionally, Dragos included in the report its recommendations for five security controls to enhance OT/ICS networks against cyber threats.
- A defensible architecture
- ICS network monitoring
- Remote access authentication
- Key vulnerability management
- ICS incident response plan
“Most of the world’s infrastructure is in no way monitored,” Lee said, adding that more than 80 percent of Dragos’ customers previously had limited or no visibility into their OT environment. “When adversaries get in…it’s very challenging to find them and it’s very challenging to mitigate them.”
For more information or to read the Dragos report in full, visit its website here: ICS/OT Cybersecurity Year in Review 2021. For comparison to the 2020 report, check out previous analysis in the Critical Infrastructure issue of Security Technology.