INDUSTRIAL CYBER THREAT ACTIVITY
- Pavan Raja
- Feb 21, 2024
- 4 min read
The OT cyber threat landscape continued to evolve in 2023, with an increase in tracked threat groups, ransomware events, and other threat activities driven by global conflict. The adversaries involved in these activities varied widely in terms of their level of sophistication, deployed capabilities, and intended targets. On one end of the spectrum, some threat groups used advanced techniques, such as leveraging native functionality, including living off the land (LOTL) techniques, to conduct reconnaissance and intelligence operations. Conversely, some adversaries targeted low-hanging fruit such as internet-accessible devices that lacked proper hardening, thus making them easy to damage and cause operational disruptions.

In this article, I want to highlight three new threat groups: VOLTZITE, GANANITE, and LAURIONITE.
VOLTZITE
VOLTZITE, first reported on by the U.S. Cybersecurity and Infrastructure Security Agency and Microsoft in May 2023, was performing reconnaissance and enumeration of multiple US-based electric companies, and since then has been observed targeting electric power transmission and distribution, emergency services, telecommunications, defense industrial bases, and satellite services. VOLTZITE’s actions towards US electric entities, telecommunications, and GIS systems signify clear objectives to identify vulnerabilities within the country’s critical infrastructure that can be exploited in the future with destructive or disruptive cyber attacks. While VOLTZITE has traditionally targeted US facilities, we are also aware of the group targeting organizations in Africa and Southeast Asia. This group heavily uses living off the land (LOTL) techniques, which can make detection and response efforts more difficult. This strategy, paired with slow and steady reconnaissance, enables VOLTZITE to avoid detection by security teams.
Impact and Implications
VOLTZITE conducts enumeration against victims’ internet-facing assets in a slow and sustained fashion, likely to lessen the chance of being detected. Once they have exploited a victim’s internet-facing asset, they exhibit consistent use of living off the land techniques, making detection more difficult for defenders. VOLTZITE’s 2023 behavior suggested operational objectives of espionage and information gathering. Data stolen from operational technology (OT) networks may result in unintended disruption to critical industrial processes or provide the adversary with crucial intelligence to aid in follow-up offensive tool development or attacks against ICS networks.
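The "slow and sustained" enumeration described above is easy to miss with rate-based alerting, because each individual request looks benign. As an added example (not code from the original article, and not Dragos's tooling), the following Python profiles every source address in a web server access log and separates low-and-slow probing (many distinct paths, mostly errors, spread over a day or more at a low rate) from a burst scan and from ordinary browsing. It assumes Combined-Log-Format access lines; the thresholds (`min_paths`, `min_hours`, `max_per_hour`, `min_error_ratio`) and the log lines in `SAMPLE_LOG` are constructed for the example and would need tuning against a real site's baseline.

```python
"""Detect low-and-slow enumeration of internet-facing assets in access logs.

Added example, not part of the original article. Log lines below are
constructed; the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 ranges
are documentation addresses and refer to no real host.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

SAMPLE_LOG = """
203.0.113.7 - - [10/Feb/2024:00:15:02 +0000] "GET /admin HTTP/1.1" 404 162
203.0.113.7 - - [10/Feb/2024:09:41:17 +0000] "GET /login HTTP/1.1" 200 3021
203.0.113.7 - - [10/Feb/2024:18:03:55 +0000] "GET /console HTTP/1.1" 404 162
203.0.113.7 - - [11/Feb/2024:02:22:40 +0000] "GET /manager HTTP/1.1" 404 162
203.0.113.7 - - [11/Feb/2024:11:09:08 +0000] "GET /portal HTTP/1.1" 404 162
203.0.113.7 - - [11/Feb/2024:20:30:31 +0000] "GET /status HTTP/1.1" 404 162
203.0.113.7 - - [12/Feb/2024:04:48:12 +0000] "GET /backup HTTP/1.1" 404 162
203.0.113.7 - - [12/Feb/2024:13:12:45 +0000] "GET /config HTTP/1.1" 404 162
203.0.113.7 - - [12/Feb/2024:19:57:03 +0000] "GET /debug HTTP/1.1" 404 162
203.0.113.7 - - [12/Feb/2024:23:15:02 +0000] "GET /setup HTTP/1.1" 404 162
198.51.100.23 - - [12/Feb/2024:08:00:10 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.23 - - [12/Feb/2024:08:00:14 +0000] "GET /about HTTP/1.1" 200 2210
198.51.100.23 - - [12/Feb/2024:08:01:30 +0000] "GET /contact HTTP/1.1" 200 1980
198.51.100.23 - - [12/Feb/2024:08:03:02 +0000] "GET /products HTTP/1.1" 200 7430
198.51.100.23 - - [12/Feb/2024:08:05:45 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.23 - - [12/Feb/2024:08:09:11 +0000] "GET /about HTTP/1.1" 200 2210
192.0.2.99 - - [12/Feb/2024:10:00:00 +0000] "GET /admin HTTP/1.1" 404 162
192.0.2.99 - - [12/Feb/2024:10:00:06 +0000] "GET /login HTTP/1.1" 404 162
192.0.2.99 - - [12/Feb/2024:10:00:12 +0000] "GET /console HTTP/1.1" 404 162
192.0.2.99 - - [12/Feb/2024:10:00:18 +0000] "GET /manager HTTP/1.1" 404 162
192.0.2.99 - - [12/Feb/2024:10:00:24 +0000] "GET /portal HTTP/1.1" 404 162
192.0.2.99 - - [12/Feb/2024:10:00:30 +0000] "GET /status HTTP/1.1" 404 162
192.0.2.99 - - [12/Feb/2024:10:00:36 +0000] "GET /backup HTTP/1.1" 404 162
192.0.2.99 - - [12/Feb/2024:10:00:42 +0000] "GET /config HTTP/1.1" 404 162
192.0.2.99 - - [12/Feb/2024:10:00:48 +0000] "GET /debug HTTP/1.1" 404 162
192.0.2.99 - - [12/Feb/2024:10:00:54 +0000] "GET /setup HTTP/1.1" 404 162
""".strip().splitlines()


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def profile_sources(lines):
    """Per source IP: request count, distinct paths, time span, rate, error ratio."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        n = len(recs)
        span_h = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds() / 3600.0
        profiles[ip] = {
            "requests": n,
            "distinct_paths": len({r["path"] for r in recs}),
            "span_hours": span_h,
            # A single request has no measurable rate; treat it as infinite so
            # it can never satisfy the low-rate condition below.
            "per_hour": n / span_h if span_h > 0 else float("inf"),
            "error_ratio": sum(r["status"] >= 400 for r in recs) / n,
        }
    return profiles


def classify(profile, min_paths=8, min_hours=24.0, max_per_hour=5.0, min_error_ratio=0.5):
    """Label a source 'low-and-slow', 'burst-scan', or None (ordinary traffic).

    Probing is inferred from breadth (many distinct paths) plus a high share of
    4xx/5xx responses; the time span and rate then separate patient
    enumeration from a noisy scan that rate-based rules already catch.
    """
    probing = (profile["distinct_paths"] >= min_paths
               and profile["error_ratio"] >= min_error_ratio)
    if not probing:
        return None
    if profile["span_hours"] >= min_hours and profile["per_hour"] <= max_per_hour:
        return "low-and-slow"
    return "burst-scan"


def detect(lines, **thresholds):
    """Map each suspicious source IP to its label; benign sources are omitted."""
    return {ip: label for ip, p in profile_sources(lines).items()
            if (label := classify(p, **thresholds))}


if __name__ == "__main__":
    for ip, label in detect(SAMPLE_LOG).items():
        print(f"{ip}: {label}")
```

In the constructed sample the patient source makes ten requests over 71 hours (about 0.14 per hour) and is labelled `low-and-slow`, the same ten paths requested within one minute are labelled `burst-scan`, and the ordinary visitor, who repeats a handful of pages and receives only 200s, is not reported. The error-ratio condition is what keeps a legitimate crawler of many valid pages out of the results; on a real perimeter the path count and window should be set from the site's own baseline rather than the values used here.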
GANANITE
GANANITE is a threat group that targets critical infrastructure and government entities in the Commonwealth of Independent States and Central Asian nations. GANANITE focuses on espionage and data theft, with the possibility of handing off initial access to other threat groups. GANANITE focuses persistently on its target sets by employing many known tools to infiltrate its victims. Building on the use of StinkRAT and publicly available proof-of-concept exploits for internet-exposed endpoints, GANANITE also exhibits use of tooling such as TELEMIRIS and JLORAT, which Kaspersky has attributed as being exclusively used by a threat group under the direction of, or working with, TURLA.
Impact and Implications
GANANITE has been observed conducting multiple attacks against key personnel related to ICS operations management in a prominent European oil and gas company, rail organizations in Turkey and Azerbaijan, multiple transportation and logistics companies, an automotive machinery company, and at least one European government entity overseeing public water utilities. Although GANANITE has not yet shown evidence of moving into OT networks or an elevated capability resembling Stage 2 actions, their assessed capabilities show efficient use of multiple phases across Stage 1 of the ICS Cyber Kill Chain.
Further, GANANITE’s operations have displayed extensive research and use of known exploits against the external perimeter of its targets. GANANITE uses tools such as the Shodan and FOFA search engines, which contain data about internet-facing assets, to build a profile of its target. After identifying the IP netblocks of its target, they then utilize data from Shodan and FOFA to identify any presence of devices exhibiting known exploitable vulnerabilities. GANANITE then moves on to exploit those vulnerabilities with publicly available exploits. For those reasons, industrial organizations in Europe and Central Asia face a significant risk from GANANITE due to their initial intrusion capabilities, post-compromise espionage TTPs, and intellectual property theft, all of which can be used in follow-on attacks against the victim organizations.
LAURIONITE
LAURIONITE was first discovered actively targeting and exploiting Oracle E-Business Suite iSupplier web services and assets across several industries, including aviation, automotive, manufacturing, and government. This group utilizes a combination of open-source offensive security tooling and public proof-of-concept exploits to aid in their exploitation of common vulnerabilities. LAURIONITE has demonstrated the ability to conduct the complete attack cycle of offensive cyber operations that achieve Stage 1 of the ICS Cyber Kill Chain, from Reconnaissance to Actions on the Objective. The adversary operators show expertise in various offensive cyber operation skills: navigating target systems, exploiting vulnerabilities, maintaining persistence, conducting lateral movement, internal reconnaissance, defense evasion, and exfiltration. Oracle E-Business Suite is one of the most widely used enterprise solutions for integrated business processes, with users including numerous industrial organizations such as United States Steel and Unifi textile manufacturing. By utilizing compromised infrastructure, LAURIONITE can remain undetected or overlooked because its traffic originates from trusted or known organizations.
Impact and Implications
While current observations and visibility of LAURIONITE operations do not indicate the adversary seeks to advance to OT networks, Dragos cannot discount this as a possible course of action the adversary may select in the future. LAURIONITE actively seeks out iSupplier instances, which have a significant presence across many industry verticals and sectors, including industrial organizations such as manufacturing. Targeting companies that use Oracle’s E-Business Suite iSupplier technology may not inherently impact OT assets; however, the nature of enterprise resource planning software such as iSupplier could allow adversaries like LAURIONITE to gain visibility into third-party vendor relationships, which can lead to follow-on intrusion operations.