
Illustration by iStock; Security Management

Connecting the Dots: State Actors, Hacktivists, and Critical Infrastructure Attacks in 2024

Researchers observed clear connections in 2024 between state and nonstate actors who are targeting critical infrastructure, according to a new report published today by cybersecurity firm Dragos.

The company said that since 2022 it has observed convergence between three state actor groups and six hacktivist groups, which overlap in Ukraine and share infrastructure and intelligence to attack operational technology (OT) and industrial control system (ICS) targets.

“The strategic implications for ICS defenders are significant, as adversaries may transition between espionage-focused campaigns and destructive operations based on broader objectives while leveraging hacktivist personas to conduct lower-sophistication attacks,” Dragos said in its eighth annual year in review report. “The role of hacktivist personas, whether as a deliberate distraction from the primary attack or for other purposes, remains a subject of ongoing analysis and debate.”

In a briefing with reporters before the release of the report, Dragos CEO and cofounder Robert M. Lee says these connections have been “rumored for years, but being able to see the connections is very important.”

This is because state actors “tend to be a little more focused in their attacks,” Lee explains. State actors will create malware and go after specific sites—looking to strike with low frequency but create a high consequence. “But your nonstate actors don’t,” Lee continues; they are “hitting anyone wherever they can.”

For instance, Lee mentions the hacktivist group Cyber Army of Russia Reborn (CARR), which has a strong connection with the state groups Dragos refers to as ELECTRUM and KAMACITE, the groups responsible for the electric grid outages in Ukraine in 2015 and 2016. Dragos has also observed connections between ELECTRUM and the hacktivist groups KillNet and Solntsepek, while KAMACITE has a connection with XakNet.

There are valid reasons for state actors to weaponize nonstate actors and encourage attacks on critical infrastructure. Some state actors may believe that targeting civilian infrastructure could have blowback, so using a nonstate group could shield them from blame while achieving their end goal.

“Scaring the public is an important thing for some state actors,” Lee says. “Doing it in an election year, you could swing an election.”

If connections between state actors and nonstate actors increase, Lee adds, he is concerned about knowledge being shared between the groups. When that happens, Lee says, the low-frequency, high-consequence attacks seen today will become higher-frequency, higher-consequence attacks that require more investment to prevent, detect, and respond to than what Dragos is seeing in the OT security space right now.

Geopolitical Connections

Dragos observed continued cyber activities targeting infrastructure linked to geopolitical conflicts in 2024. Some threat groups, including hacktivists, looked to use more “overt cyber operations” to further their goals, while mature groups “sought to cause disruptive effects,” according to the report.

Europe. Looking at the Ukraine-Russia conflict, which is now entering its fourth year, Dragos flagged activity by KAMACITE and ELECTRUM—groups sometimes known as Sandworm that collaborate to support Russian military objectives by targeting Ukrainian critical infrastructure.

“KAMACITE establishes a foothold into victim IT networks and hands control to ELECTRUM for OT operations, such as the 2016 CRASHOVERRIDE attack, which temporarily cut power to part of Kyiv,” the report explained. “In 2024, KAMACITE used the Kapeka backdoor targeting Ukrainian critical infrastructure entities supplying heat, water, and electricity. Meanwhile, ELECTRUM collaborated with hacktivist groups to obscure its cyberattack against Kyivstar, a Ukrainian telecommunications company.”

Earlier this month, Microsoft’s threat intelligence team published research observing similar activity—further validating Dragos’ original assessment.

“Since early 2024, the subgroup [KAMACITE] has expanded its range of access to include targets in the United States and United Kingdom by exploiting vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) IT remote management and monitoring software and Fortinet FortiClient EMS security software (CVE-2023-48788),” Microsoft wrote. “These new access operations built upon previous efforts between 2021 and 2023, which predominantly affected Ukraine, Europe, and specific verticals in Central and South Asia, and the Middle East.”

Based on this observed activity from KAMACITE, Dragos recommends that organizations increase employee education about identifying phishing attempts, properly segment enterprise IT and OT/ICS networks, and maintain visibility into their ICS environments.

“Defenders should monitor for suspicious activity, such as terminated connections between control centers or abnormal polling of substations to toggle breaker statuses,” according to the report.

ELECTRUM likes to use wiper malware (which erases victims' systems), so Dragos recommends that asset owners use basic security measures to prevent or monitor activity in their ICS environments, as well as create backups of engineering files.

“End users should disallow new service installs, disable service changes, and implement application whitelisting so only authorized applications can execute on devices if possible,” the report explained.

Dragos also noted two new variants of ICS malware that made their debut in 2024 in connection with the Ukraine-Russia conflict. The first, FrostyGoop, was used to modify instrument measurements, which resulted in heating outages in more than 600 apartment buildings in Ukraine during the winter.

“It was just a very scary thing for civilians and the populace, and honestly a really cruel thing to do,” Lee says of the incident.

The Cyber Security Situation Center, part of Ukraine’s Security Service, shared details of the January 2024 incident with Dragos. One concerning find from researchers’ analysis was that common antivirus software was unable to detect FrostyGoop because it blended malicious activity with normal operations.

“Exploitation of well-known ICS protocols is becoming more frequent within ICS malware development, underscoring the need for more sophisticated OT-aware detection and response methods,” the report said.
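The report's point is that FrostyGoop was protocol-valid traffic that signature antivirus could not separate from normal operations, so detection has to be OT-aware: it has to know who is allowed to write to which registers and what values make physical sense. The following is an added example, not Dragos's code or any analysis from the report, of that kind of check over Modbus TCP (the protocol Dragos's separate FrostyGoop write-up describes; this page does not detail it). The host addresses, register map, engineering bounds and the captured frames are all constructed for illustration.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

READ_FUNCTIONS = {3: "read_holding_registers", 4: "read_input_registers"}
WRITE_FUNCTIONS = {6: "write_single_register", 16: "write_multiple_registers"}

# Hypothetical site policy (replace with your own): hosts allowed to write, and
# plausible engineering bounds per holding-register address (protocol offsets).
ALLOWED_WRITERS = {"10.10.1.5"}           # the site HMI
REGISTER_BOUNDS = {0: ("supply_temp_setpoint_c", 40, 90),
                   1: ("pump_speed_pct", 0, 100)}

@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    start_addr: int
    quantity: int
    values: List[int] = field(default_factory=list)  # written register values; empty for reads

def parse_modbus_tcp(src: str, frame: bytes) -> Optional[ModbusRequest]:
    """Parse a Modbus TCP request ADU: 7-byte MBAP header followed by the PDU.
    Returns None for anything malformed or for function codes not modelled here."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:   # length field counts unit id + PDU
        return None
    fc, pdu = frame[7], frame[8:]
    if fc in READ_FUNCTIONS and len(pdu) == 4:
        start, qty = struct.unpack(">HH", pdu)
        return ModbusRequest(src, tid, unit, fc, start, qty)
    if fc == 6 and len(pdu) == 4:
        addr, value = struct.unpack(">HH", pdu)
        return ModbusRequest(src, tid, unit, fc, addr, 1, [value])
    if fc == 16 and len(pdu) >= 5:
        start, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes != 2 * qty or len(pdu) != 5 + nbytes:
            return None
        values = list(struct.unpack(">%dH" % qty, pdu[5:]))
        return ModbusRequest(src, tid, unit, fc, start, qty, values)
    return None

def inspect_requests(requests):
    """Flag writes from unexpected hosts and writes outside engineering bounds.
    Reads are left alone: the traffic is protocol-valid, so only policy (who may
    write, and which values are physically plausible) separates it from normal."""
    alerts = []
    for r in requests:
        if r.function not in WRITE_FUNCTIONS:
            continue
        if r.src not in ALLOWED_WRITERS:
            alerts.append(f"{r.src}: unauthorized {WRITE_FUNCTIONS[r.function]} "
                          f"to unit {r.unit_id} addr {r.start_addr}")
        for offset, value in enumerate(r.values):
            addr = r.start_addr + offset
            if addr in REGISTER_BOUNDS:
                name, lo, hi = REGISTER_BOUNDS[addr]
                if not lo <= value <= hi:
                    alerts.append(f"{r.src}: out-of-range write {value} to {name} "
                                  f"(addr {addr}, expected {lo}..{hi})")
    return alerts

def _frame(tid, unit, pdu):
    """Wrap a PDU in an MBAP header (used only to construct the sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic: the HMI polls and adjusts a setpoint normally,
# then an unknown host rewrites two registers with implausible values.
SAMPLE_TRAFFIC = [
    ("10.10.1.5",  _frame(1, 1, struct.pack(">BHH", 3, 0, 10))),   # HMI reads 10 holding registers
    ("10.10.1.5",  _frame(2, 1, struct.pack(">BHH", 6, 0, 65))),   # HMI sets setpoint to 65 C
    ("10.10.1.77", _frame(7, 1, struct.pack(">BHHB", 16, 0, 2, 4)
                          + struct.pack(">HH", 5, 0))),             # unknown host writes 5 C, 0 %
    ("10.10.1.77", b"\x00\x08\x00\x00\x00\x02\x01"),               # truncated frame, dropped
]

def run_detection(traffic=SAMPLE_TRAFFIC):
    parsed = [parse_modbus_tcp(src, f) for src, f in traffic]
    return inspect_requests([p for p in parsed if p is not None])

if __name__ == "__main__":
    for line in run_detection():
        print(line)
```

On the constructed traffic this raises two alerts for the unknown host (an unauthorized multi-register write, and a setpoint of 5 C that no operator would enter) and nothing for the HMI, even though every frame is well-formed Modbus. The register map and bounds are the part a site has to supply itself; without them a monitor can only see that someone wrote, not that the value was wrong.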

The second new malware was used by the hacktivist group BlackJack, which claimed to use Fuxnet malware to breach Moskollektor, an organization that maintains Moscow’s gas, water, and sewage network. Media coverage and visibility into what effect the malware had on Moscow’s infrastructure is limited, but Lee says the more important aspect is that the group created malware that leveraged a common industrial control to cause an effect.

“The attack on Moskollektor underscores the normalization of attacks on industrial devices by groups driven by geopolitical conflicts,” the report explained. “Fuxnet was highly tailored to Moskollektor and is unlikely to be used against another industrial environment without significant changes to the codebases.”

Asia. In Asia, Dragos observed the threat group VOLTZITE (the OT-focused unit of Volt Typhoon) and its affiliates using infrastructure from previously compromised organizations as relay points for a botnet.

“These actions facilitate adversary-controlled peer-to-peer relay networks that enumerate Internet-exposed critical infrastructure, impacting sectors such as electric, oil and gas, water and wastewater, and government entities,” according to the report.

Lee adds that VOLTZITE’s activity is concerning not just because it is a state actor but because it is hitting “really strategic infrastructure sites,” such as the smaller sites that operators would need to bring back up first after a major outage.

“If your requirement is to restart the electric system, you don’t go to the biggest ones first,” Lee explains. “VOLTZITE researched and understood what the most critical were—and went after some of the smallest and most strategic sites.”

This targeting included stealing geographic information system (GIS) databases and screenshots of machine interfaces that would be useful for disruption. VOLTZITE also gained access to additional infrastructure to create botnets and find edge devices on OT networks.

When it comes to targeting OT networks, Lee says there are “still big misconceptions that they are air gapped or more segmented than they are, and that if you want to reach them you have to go through an IT network.”

This is untrue, however, since OT networks have devices and VPNs that allow original equipment manufacturers (OEMs) and contractors to connect to them.

“These environments are highly connected and accessible directly without having to go through a company’s IT network,” Lee emphasizes.

Dragos anticipates that VOLTZITE will continue to target critical infrastructure in the United States and Western-aligned nations in 2025.

“The best way to identify VOLTZITE is by monitoring its behaviors; it purposefully blends in with trusted networks and uses tools readily available,” the report explained. “Compare any unusual lateral movement with expected traffic within your network and validate suspicious user activity that originates from regular employee accounts.”
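The report's recommendation above is a baseline comparison: learn which (account, destination, service) edges are expected, then look at new edges where an ordinary employee account reaches an OT-adjacent host over an administrative protocol. The following is an added example of that logic, not Dragos's tooling or anything from the report. The asset roles, account names and flow records are constructed; a real deployment would join authentication logs with NetFlow or Zeek connection logs to get the same fields.

```python
from collections import defaultdict

# Hypothetical asset inventory (replace with your own): hosts that sit next to
# the OT environment, and the only accounts expected to administer them.
OT_ADJACENT_HOSTS = {"gis-db01", "hmi-jump01", "historian01"}
OT_OPERATOR_ACCOUNTS = {"svc-otjump", "ot-admin"}
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm"}

# Constructed flow records (user, src, dst, port). The known-good window is
# what the baseline is learned from; the investigation window is what we check.
KNOWN_GOOD_WINDOW = [
    {"user": "alice", "src": "ws-0421", "dst": "fileshare01", "port": 445},
    {"user": "alice", "src": "ws-0421", "dst": "intranet", "port": 443},
    {"user": "bob", "src": "ws-0188", "dst": "intranet", "port": 443},
    {"user": "svc-otjump", "src": "jump-it01", "dst": "hmi-jump01", "port": 3389},
    {"user": "ot-admin", "src": "jump-it01", "dst": "gis-db01", "port": 22},
]
INVESTIGATION_WINDOW = [
    {"user": "alice", "src": "ws-0421", "dst": "intranet", "port": 443},          # expected
    {"user": "alice", "src": "ws-0421", "dst": "gis-db01", "port": 445},          # employee account -> GIS server over SMB
    {"user": "svc-otjump", "src": "jump-it01", "dst": "hmi-jump01", "port": 3389},  # expected
    {"user": "bob", "src": "ws-0188", "dst": "historian01", "port": 3389},        # employee account -> historian over RDP
    {"user": "bob", "src": "ws-0188", "dst": "printer07", "port": 9100},          # new, but not OT-relevant
]

def build_baseline(records):
    """Expected (dst, port) edges per account, learned from a known-good window."""
    baseline = defaultdict(set)
    for r in records:
        baseline[r["user"]].add((r["dst"], r["port"]))
    return baseline

def classify(baseline, record):
    """Return None for expected traffic, otherwise an alert with a severity.
    'high' is the report's case: a regular account, an OT-adjacent host, and an
    admin protocol, all at once. Partial matches are still worth a look."""
    if (record["dst"], record["port"]) in baseline.get(record["user"], set()):
        return None
    reaches_ot = record["dst"] in OT_ADJACENT_HOSTS
    admin_proto = record["port"] in ADMIN_PORTS
    regular_account = record["user"] not in OT_OPERATOR_ACCOUNTS
    if reaches_ot and admin_proto and regular_account:
        severity = "high"
    elif reaches_ot or admin_proto:
        severity = "medium"
    else:
        severity = "low"
    return {"severity": severity, "user": record["user"], "src": record["src"],
            "dst": record["dst"], "port": record["port"],
            "proto": ADMIN_PORTS.get(record["port"], "other")}

def find_unexpected_movement(known_good=KNOWN_GOOD_WINDOW, window=INVESTIGATION_WINDOW):
    baseline = build_baseline(known_good)
    return [a for a in (classify(baseline, r) for r in window) if a is not None]

if __name__ == "__main__":
    for alert in find_unexpected_movement():
        print(alert)
```

The caveat that matters here is the one the report's own wording implies: an actor that "purposefully blends in with trusted networks" may already be present in the window you learn the baseline from, so the known-good set has to be reviewed against the asset inventory before it is trusted, not simply recorded from recent traffic.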

New Groups to Watch

Generally, Dragos monitors 23 threat groups and observed activity from nine of them in 2024. The firm also identified two new threat actors on the ICS/OT scene: GRAPHITE and BAUXITE.

GRAPHITE focuses on targeting energy, oil and gas, logistics, and government sectors in West Asia and Eastern Europe, aligning with Russian military operations in Ukraine.

“GRAPHITE is a relevant threat for OT/ICS organizations as its targeting profile may shift in response to geopolitical developments in Eastern Europe but has not yet demonstrated Stage 2 capabilities,” the report said, referring to the ICS Cyber Kill Chain stages. “Dragos encourages defenders at industrial organizations, especially those involved in any way with Ukraine, to familiarize themselves with this adversary.”

BAUXITE, on the other hand, targets oil and gas, water and wastewater, and chemical manufacturing in Australia, Europe, West Asia, and the United States. Dragos reported that the group is technically aligned with the pro-Iranian group CyberAv3ngers.

“Given the ties to the [Islamic Revolutionary Guard Corps Cyber Electronic Command], BAUXITE is likely to enhance its capabilities and continue disruptive activities against OT/ICS entities globally, especially those party to the Israel-Hamas conflict,” according to the report.

Ransomware on the Rise

While some organizations say there has been a decline in ransomware, Dragos observed that the tactic continues to be a rampant problem—especially for industrial organizations. Ransomware attacks against these targets actually increased 87 percent in 2024, and Dragos tracked 60 percent more ransomware groups impacting OT/ICS in 2024. Most of these ransomware attacks hit organizations in North America (984), followed by Europe (419).

The firm logged 1,693 instances of industrial organizations being affected by ransomware in 2024, with 1,171 attacks (about 69 percent) targeting the manufacturing sector. Twenty-five percent of these attacks caused a full shutdown of the manufacturer, while 75 percent disrupted operations to some degree, Lee says.

“Ransomware groups know that even brief disruptions can cause significant financial and logistical fallout, putting safety at risk and making manufacturers more likely to pay,” the report assessed. “Other industrial sectors, including energy, transportation, and industrial control system vendors, also remain high on the list as ransomware groups refine their tactics to maximize pressure and impact.”

Groups typically gain entry through organizations’ remote services, such as VPNs, and through the absence of basic network security defenses, and they use living off the land (LOTL) techniques to conceal their malicious activity.

Dragos noted in the report that victim organizations with “strict network segmentation between IT and OT systems” and tested backups shortened their recovery times significantly and avoided paying the ransom.

A new trend that asset owners and operators should note is that in 2023 and 2024, Dragos observed hacktivist groups using ransomware as part of their operations. One of these groups was CyberVolk, a member of the Holy League, a hacktivist alliance that includes CARR and tends to target NATO-aligned countries with denial of service attacks and ransomware.

“There’s a realistic probability that this fusion of economic, political, and ideological interests has the potential to shape the ransomware threat landscape in 2025 and beyond, particularly in sectors critical to public safety and economic stability that are viewed as strategic targets of interest by hacktivist and self-proclaimed hacktivist groups,” according to the report. “Consequently, OT/ICS asset owners must become more geopolitically aware if their organizations operate within certain high-tension regions or are in sectors that supply critical services and utilities to the public.”


For more on how this year’s report compares to previous years, read Security Management's coverage of the 2023, 2022, and 2021 volumes.
