Geopolitical tensions fuel surge in OT and ICS cyberattacks

Source: CSO Online

Date: February 28, 2025

Operational technology networks and industrial control systems are seeing increased malicious activity, as industrial organizations also deal with a sharp rise in ransomware attacks.

Attacks against operational technology (OT) networks are on the rise, fueled by geopolitical tensions and conflicts, as OT security fast becomes a mainstream concern.


Two new threat groups emerged in 2024, joining seven other active attackers of OT systems, and two new malware families targeting industrial control systems (ICS) were added to the attackers’ arsenals as well, according to researchers from Dragos.

“A striking trend in 2024 was the continued lowering of the barrier to entry for adversaries targeting OT/ICS,” researchers from the industrial security firm wrote in their annual report. “Adversaries that would have once been unaware of or ignored OT/ICS entirely now view it as an effective attack vector to achieve disruption and attention.”

In addition to ICS-specific malware threats, industrial organizations, especially those in the manufacturing sector, are also dealing with a sharp rise in ransomware attacks. The number of ransomware attacks targeting OT/ICS asset owners increased 87% in 2024 and the number of groups going after such targets rose by 60%.


New Iranian group gains ICS-targeting capability

Dragos tracks 23 threat groups that have targeted OT networks with the intention of collecting information or manipulating industrial control systems. Each group’s capabilities are broken down into the two stages of the ICS Cyber Kill Chain.

Dragos saw activity from nine of those 23 groups last year, two of which were new and one of which had ICS Cyber Kill Chain stage 2 capabilities. Tracked under the alias BAUXITE, the group has overlaps with CyberAv3ngers, a hacktivist persona that the US government previously attributed to a unit inside Iran’s Islamic Revolutionary Guard Corps (IRGC).


Between November 2023 and January 2024, BAUXITE compromised Israeli-made Unitronics Unistream and Vision series programmable logic controllers (PLCs) that were exposed to the internet. These PLCs belonged to more than 100 organizations, including water and wastewater management and energy companies.


“The adversary is capable of downloading logic to these controllers, causing a denial of service (DoS) equivalent to execute an ICS attack,” the Dragos researchers wrote.

Throughout 2024, the group also targeted Sophos firewalls and conducted port scanning of multiple OT/ICS assets, including Siemens S7 devices, CIMON Automation devices, devices running an OPC Unified Architecture (OPC UA) server, Omron Factory Interface Network Service (FINS), and devices running CODESYS. These protocols are also targeted by Pipedream, also known as Incontroller, a piece of ICS malware discovered in 2022 and attributed to a group dubbed CHERNOVITE.

In late 2024, BAUXITE also managed to compromise more than 400 OT/ICS devices and firewalls worldwide, deploying a custom embedded-Linux backdoor called IOControl on them.


New Russian group focused on Ukraine

The second new group to launch attack campaigns against industrial organizations last year, dubbed GRAPHITE, has overlaps with APT28 activities. Also known as Fancy Bear or Pawn Storm, APT28 is believed to be a unit inside Russia’s General Staff Main Intelligence Directorate (GRU).


GRAPHITE launched constant phishing campaigns against hydroelectric, energy, and government entities in Eastern Europe and the Middle East. The group exploits known vulnerabilities to deploy credential-stealing malware. While it has not yet displayed ICS Cyber Kill Chain stage 2 capabilities, other groups tied to the Russian government and the GRU do have that capability, for example ELECTRUM, also known as Sandworm.

New ICS malware used in the Ukraine conflict

Russian groups have launched multiple confirmed OT/ICS attacks against Ukrainian organizations in recent years, even before the war started, resulting in power blackouts and downtimes.


One such attack happened in January 2024 and involved a piece of malware called FrostyGoop. The attack led to heating outages for more than 600 apartment buildings in the Ukrainian city of Lviv in the middle of winter during freezing temperatures.

FrostyGoop targeted ENCO controllers over the Modbus protocol, but the Dragos researchers said its capabilities are not limited to ENCO devices and could also interact with PLCs, DCS, sensors, actuators, and field devices.

Ukraine-affiliated groups responded with their own attacks. In April 2024, a hacktivist group dubbed BlackJack breached Moskollektor, a Moscow municipal organization in charge of the communication system for gas, water, and sewage networks. The group claimed it disrupted communications to thousands of industrial sensors.


Researchers established that a new piece of malware called Fuxnet was used, making it the eighth known ICS-specific malware family ever discovered. The malware overwhelms sensors by sending a flood of Meter-Bus requests. Meter-Bus is a protocol for reading data from water, gas, and electricity meters. In addition, Fuxnet also has a Linux wiper component that wipes the file system of sensor gateways.


“The attack on Moskollektor underscores the normalization of attacks on industrial devices by groups driven by geopolitical conflicts,” the researchers wrote. “Fuxnet was highly tailored to Moskollektor and is unlikely to be used against another industrial environment without significant changes to the codebase.”

A quarter of vulnerabilities were exploitable at network perimeter

Last year Dragos reviewed 606 public vulnerability advisories for ICS devices and applied its own patch prioritization framework, which splits vulnerabilities into three categories: now, next, and never. Six percent of the flaws fell into the patch-now category: they were remotely exploitable without authentication and were either actively exploited or had proof-of-concept exploits. Another 63% were put into the patch-next category because they could be mitigated with network hygiene and segmentation.


Overall, 22% of vulnerabilities were both exploitable over the network and located in network perimeter devices, meaning they could more easily be targeted by attackers over the internet. This was an increase from 16% in 2023.


Patching ICS devices is not always easy or fast, because these devices often control critical processes and therefore require scheduled shutdown and maintenance windows. As a result, mitigation is often preferred to patching. Unfortunately, 57% of advisories that provided patches offered no alternative mitigation, and 18% of advisories offered no patch or mitigation at all.
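The now/next/never triage described above, as an added example that is not from the article or from Dragos: a small Python triage that buckets advisories using the criteria the article reports and flags the perimeter-exposed and mitigation-less cases the statistics refer to. The Advisory fields, the sample advisories and the treatment of "never" as the remainder are assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    # Fields a defender records per advisory (constructed schema, not Dragos's).
    advisory_id: str
    network_exploitable: bool       # reachable over the network
    requires_auth: bool             # credentials needed to exploit
    exploited_or_poc: bool          # actively exploited or public proof of concept
    perimeter_device: bool          # firewall, VPN, remote-access gateway, etc.
    mitigable_by_segmentation: bool # network hygiene / segmentation reduces exposure
    patch_available: bool
    mitigation_offered: bool


def prioritize(adv: Advisory) -> str:
    """Bucket an advisory as 'now', 'next' or 'never' using the criteria the
    article reports; 'never' is the remainder (assumption: the article does
    not define that category)."""
    if adv.network_exploitable and not adv.requires_auth and adv.exploited_or_poc:
        return "now"
    if adv.mitigable_by_segmentation:
        return "next"
    return "never"


def triage(advisories):
    """Summarize a batch the way the article's statistics are framed."""
    report = {"buckets": Counter(), "perimeter_exposed": [],
              "patch_without_mitigation": [], "no_patch_no_mitigation": []}
    for a in advisories:
        report["buckets"][prioritize(a)] += 1
        if a.network_exploitable and a.perimeter_device:
            report["perimeter_exposed"].append(a.advisory_id)
        if a.patch_available and not a.mitigation_offered:
            report["patch_without_mitigation"].append(a.advisory_id)
        if not a.patch_available and not a.mitigation_offered:
            report["no_patch_no_mitigation"].append(a.advisory_id)
    return report


# Constructed sample advisories; the IDs are placeholders, not real advisories.
SAMPLE = [
    Advisory("ADV-0001", True, False, True, True, True, True, False),
    Advisory("ADV-0002", True, True, True, False, True, True, True),
    Advisory("ADV-0003", False, False, False, False, False, False, False),
    Advisory("ADV-0004", True, False, False, True, True, True, True),
    Advisory("ADV-0005", True, False, True, False, False, True, False),
]

if __name__ == "__main__":
    r = triage(SAMPLE)
    for bucket in ("now", "next", "never"):
        print(f"{bucket:>5}: {r['buckets'][bucket]} of {len(SAMPLE)}")
    print("perimeter-exposed:", r["perimeter_exposed"])
```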

“Adversaries are not just testing OT networks — they are actively embedding themselves within critical infrastructure, positioning for long-term access, operational disruption, and potential large-scale consequences,” the researchers wrote. “The time for reactive security is over. Defenders must move toward continuous monitoring, proactive threat hunting, and incident response capabilities tailored for OT environments.”
