Industrial cybersecurity was analyzed in a recent report by Dragos Inc. The report identified three new OT Threat Groups—VOLTZITE, GANANITE and LAURIONITE. With these additions, analysts now track 21 Threat Groups worldwide that have been observed as being engaged in OT operations in 2023.

VOLTZITE targets electric power generation, transmission and distribution and has been observed targeting research, technology, defense industrial bases, satellite services, telecommunications and educational organizations. The group overlaps with Volt Typhoon, a group that the U.S. government has publicly linked to the People’s Republic of China. The group’s threat activities include living off the land (LOTL) techniques, prolonged surveillance, and data gathering aligned with Volt Typhoon’s assessed objectives of reconnaissance and gaining geopolitical advantage in the Asia-Pacific region. They have traditionally targeted U.S.-based facilities, but also have been seen targeting organizations in Africa and Southeast Asia.

GANANITE targets critical infrastructure and government entities in the Commonwealth of Independent States and Central Asian nations. The group leverages publicly available proof of concept (POC) exploits for internet-exposed endpoints and focuses on espionage and data theft.

LAURIONITE targets and exploits Oracle E-Business Suite iSupplier web services and assets across aviation, automotive, and manufacturing industries. The group utilizes a combination of open-source offensive security tooling and public proof of concepts to aid in their exploitation of common vulnerabilities.

Geopolitical conflicts drove threat activity with regional and global kinetic events overlapping with OT cybersecurity threats. The Ukraine-Russia conflict prompted more mature threat groups, such as ELECTRUM, to increase activity, while tensions between China and Taiwan contributed to increased targeted cyber espionage attacks against industrial organizations in the Asia-Pacific region and the United States.

Ransomware remains the number one attack in the industrial sector increasing 50% from 2022. Lockbit caused 25% of total industrial ransomware attacks, with ALPHV and BlackBasta accounting for 9% each. Manufacturing continues to be the primary target of ransomware and accounted for 71% of all ransomware attacks. The majority of ransomware attacks impacted organizations in North America with 44% of incidents, followed by Europe at 32%. The report tracked 50 ransomware variants in 2023, a 28% increase over last year.

The number of vulnerabilities that require authentication to exploit is rising, pointing to a positive trend for OT defenders. In 2023, 34% of CVEs required some authentication compared to 25% of CVEs in 2020. On the other hand, of the 2010 vulnerabilities impacting industrial environments disclosed last year, 14% contained erroneous information for prioritizing risks in ICS/OT.

Read the full report here.