Key Points

  • Operational technology (OT) is more interconnected with traditional information technology (IT) systems than ever before. Knowing the cyber threats to OT helps decision-makers assign resources and prioritize security controls.
  • Attacks directly targeting OT are most likely to be conducted by nation-state–associated threat actors, particularly those associated with the Russian or Chinese state. Ensure abundant logging to detect anomalous behavior.
  • Financially motivated cybercriminals have targeted organizations using OT, knowing that a ransom is more likely to be paid to restore operations. Block initial access attempts and have procedures in place to prevent significant operational downtime.
  • Hacktivist groups have previously targeted industrial control systems (ICSs), demonstrating that attacks have the potential for significant impact. Avoid exposing OT to the internet and ensure systems are properly configured.
  • Insiders pose a significant threat to organizations using OT: Most events involve a data breach, trojanizing software, or creating backdoors. Adopt the principle of least privilege to restrict access to sensitive material.
  • The ReliaQuest Threat Research team has theorized an attack chain targeting OT that begins with a phishing email, followed by privilege escalation and pivoting throughout the IT network to reach OT.
  • To mitigate threats affecting OT, baseline activity, segment networks, and limit internet access for OT, as well as have comprehensive antivirus and endpoint detection and response (EDR) tool coverage.

The term OT is used to describe the hardware and software used to monitor and control physical processes, devices, and infrastructure. These systems perform various tasks, like monitoring critical infrastructure and ICSs on manufacturing floors. OT underpins enterprises operating across numerous sectors, including energy, manufacturing, pharmaceuticals, utilities, and health care. Traditionally, OT has a decades-long lifecycle, is difficult to patch due to stability concerns, and lacks basic security features such as authentication or encryption.

Although there are publicized instances in which threat actors have targeted OT and ICSs, impacted organizations typically share scant details of such attacks, owing to the sensitive nature of the systems involved. The first in a series exploring threats to OT, this report discusses overarching threats to organizations that employ OT, describes a theoretical attack chain, and provides recommendations on how to mitigate such threats. Future reports will examine the tactics, techniques, and procedures (TTPs) of specific threat groups and malware known for targeting these organizations.

By analyzing these details and common TTPs used across such attacks, this series aims to increase visibility into these threats and provide our customers with practical, actionable advice on how to tackle them, with ReliaQuest’s help.

Cyber Threats to OT

Once air-gapped, OT is now more integrated with traditional IT systems, bringing benefits like constant performance and system condition updates that simplify system management and ultimately reduce downtime. However, this interconnectivity means that OT-associated risks that were once tolerated because of its isolation now increase an organization’s attack surface and vulnerability to cyber attacks.

Often difficult to predict, cyber threats to OT differ greatly from those affecting traditional IT systems.

Drivers and objectives: Cyber attacks on OT usually vary based on geopolitical events. Threat actors are likely to target OT to disrupt plant services, destabilize critical national services like water and electricity—in turn sowing distrust among citizens—or steal sensitive intellectual property.

Attack development: Rather than attacking OT directly, threat actors and groups often use more traditional methods, like phishing, to compromise IT systems first. Successful phishing emails enable the threat actors to gain initial access, deploy a malware payload, and establish persistence. Alternatively, threat actors may exploit vulnerabilities in public-facing endpoints to achieve initial access. Once inside a network, threat actors can then pivot, depending on the permissions obtained, to compromise the OT.

Knowing the risks their organizations face can help CISOs make decisions about where to focus their resources for cybersecurity defenses, build better security architecture, and avoid the wide-ranging consequences of cyber attacks affecting OT, including:

  • Lost revenue
  • Loss of human life
  • Health and safety issues
  • Disruptions to business continuity
  • Lost public trust
  • Negative environmental impact

Arguably the most famous example of an attack on OT conducted by a nation-state occurred in 2010, when the “Stuxnet” worm exploited zero-day vulnerabilities to target and derail Iran’s then-emerging nuclear program. It was widely reported that Stuxnet was jointly developed as a cyber weapon by the US and Israel in a large, collaborative effort known as Operation Olympic Games. However, more recent examples, like the “Volt Typhoon” campaign described below, demonstrate that this is a continuing priority for nation-states. Recent physical attacks on critical infrastructure, such as the 2022 Nord Stream Pipeline attack, may be an indicator of when cyber attacks could occur, as kinetic and cyber activity have been used hand in hand in modern warfare.

Nation-States

Sophisticated nation-state–associated threat actors—or the states themselves—are most likely to deliberately attack OT, probably in espionage operations designed to steal intellectual property.

The APT groups at the disposal of these nation-states are highly skilled and can conduct long-term espionage campaigns using heavily obfuscated attack methods that focus on data theft and defense evasion. It is realistically possible that APT groups prioritize defense evasion to maintain long-term access in preparedness for future assignments involving acts of sabotage. Many APT groups develop their own tools, exploit zero-day vulnerabilities, and favor spearphishing emails to gain initial access. These groups are also well-known for their ability to successfully conduct complex supply-chain attacks.

The nation-states that are most likely to conduct attacks targeting OT are China and Russia.

China

The Chinese state frequently uses cyber operations to pursue its national interests, preferring to avoid direct confrontation. The primary motive for most Chinese-initiated cyber-threat activity is progress toward strategic goals related to two main state-led initiatives: the Belt and Road Initiative and Made in China 2025. China-linked APT groups are arguably the most sophisticated, technically capable, and persistent of all nation-state–associated groups. They are the pioneers of supply-chain attacks and continue to show a proclivity for such attacks.

Notable groups:

  • In May 2023, the China-linked APT group Volt Typhoon was identified after it had targeted numerous critical infrastructure entities in the US and Guam. It uses Living off the Land (LotL) techniques almost exclusively and gains access by compromising internet-facing endpoints. Volt Typhoon reportedly infiltrated and remained undetected in US networks for at least five years. In early February 2024, the US government announced it had disabled part of Volt Typhoon’s operation. This event demonstrates the ability of the Chinese state to obtain and maintain access to US critical infrastructure for the sole purpose of destroying or disabling it in the event of a conflict over Taiwan.
  • Reports indicate that “APT41” has the capability to target and compromise OT and ICSs; however, there have been no reported instances of the group conducting such activity. Other China-linked groups that have a proclivity for targeting sectors in which OT is used during espionage campaigns include “APT40,” “APT10,” and “Blacktech.”

Russia

Russia’s external interests lie in economic development and reclaiming control over former Soviet nations. It is one of a few nations with proven offensive cyber capabilities, as well as an aggressive domestic surveillance policy. Several prominent APT groups operate in Russia, conducting external—and sometimes internal—espionage operations on behalf of the state. Typically, these activities focus on gathering strategic or valuable information deemed to be useful to the Russian government.

Notable groups:

  • In 2022, “Sandworm Team” attempted to disrupt Ukrainian energy providers with the “Industroyer” (aka CrashOverride) and “Caddy Wiper” malware. Industroyer is commonly used to target ICSs, and it was used to target Ukrainian government agencies in 2018 and to cut power to Kyiv for more than six hours in 2016. The version of Industroyer used in the 2022 attack was customized to target high-voltage electrical substations, but it is unclear how the group gained initial access.
  • Sandworm Team has also used the “BlackEnergy” malware to conduct distributed denial of service (DDoS), espionage, and destructive attacks since at least 2015. “BlackEnergy 2” reportedly used the “human-machine interfaces of ICS systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.” The latest variant, “BlackEnergy 3,” was used to target a Ukrainian power grid in 2015. Both examples demonstrate Sandworm Team’s capability for developing custom malware specifically to target OT and ICSs.
  • In 2017, attacks by the threat group “Energetic Bear” (aka Crouching Yeti, DragonFly) were detected targeting the energy sector in Europe and North America. The group used various methods for initial access, including phishing, watering hole attacks, and trojanized software. According to reporting, the group sought to learn how the energy facilities operated and to gain access to their OT. This event is a reminder that traditional initial access techniques will likely be used in attacks affecting OT.

Preventing attacks by nation-state–associated threat actors is difficult, given their sophistication and frequent exploitation of zero-day vulnerabilities. Ensure vulnerabilities in IT systems are patched as soon as possible to prevent the possibility of a threat actor pivoting throughout a network to the OT. Also, ensure that abundant logging is in place across all systems to identify anomalous behavior.

Cybercriminals

Most cybercriminals are motivated by financial gain and are unlikely to target OT with the intention of causing health and safety issues or widespread public panic. However, threat actors involved in extortion will likely aim for disruption to business operations to increase the likelihood that an organization will pay a ransom.

Of the financially motivated threats, ransomware is highly likely to be the biggest threat to organizations using OT. In January 2024, two major water companies were targeted by ransomware attacks that led to data breaches. When Veolia, a North American water and wastewater systems operator, announced the attack, it confirmed the event did not affect its water treatment operations, only internal backend systems. Meanwhile, UK water supplier Southern Water confirmed it had suffered a ransomware attack after the “Black Basta” ransomware group claimed to leak the company’s data on its data-leak website.

Arguably, the most impactful and widely publicized ransomware attack on critical infrastructure was the May 2021 attack on Colonial Pipeline, the largest fuel pipeline in the US. Colonial Pipeline is responsible for transporting refined petroleum throughout the southern and eastern US, moving millions of barrels per day. The ransomware attack, which was conducted by the “DarkSide” group, resulted in a temporary halt to all pipeline operations, which lasted three days. This attack ultimately led to the demise of the DarkSide group, as the group’s operations shut down in May 2021, following law-enforcement action.

After this event, many ransomware groups changed the operating rules for their affiliates, introducing a ban on targeting organizations involved in critical infrastructure, health care, education, and charitable projects. Affiliates were also told to seek approval from operators before working on new targets. However, these rules have not prevented all ransomware attacks on such institutions. In August 2022, the “Alphv” ransomware group claimed responsibility for an attack on a European gas pipeline, and as recently as January 31, 2024, the “LockBit” ransomware group targeted a US hospital.

These events serve as a reminder that OT is not immune to financially motivated cyber activity. As with organizations running traditional IT, it is equally important for organizations operating OT to protect their systems against the threat of ransomware. Blocking initial access attempts or having procedures in place that prevent significant operational downtime is key.

Hacktivism

Typically conducted for ideological purposes, hacktivism often takes the form of disruption or defacement of websites, using denial of service (DoS) or DDoS attacks. Hacktivist attacks are often unsophisticated, with a minimal impact; however, the threat should not be overlooked. Recent attacks have also involved exfiltration of sensitive data from targets, before data destruction, demonstrating that these threat actors have the capability to cause lasting damage to organizations.

Hacktivist groups prefer targeting entities that cannot afford significant downtime, particularly those involved in critical national infrastructure. These attacks are designed to disrupt business operations, for the purpose of promoting the group’s ideological cause—media attention is sought by these groups for this reason. Hacktivist groups like “Killnet” and “NoName057(16)” have thousands of followers on their affiliate Telegram channels, which can be directed to conduct DDoS attacks—there are even incentives for followers who conduct the most attacks. All of this serves to enhance the impact of the attacks.

Most hacktivist activity is driven by geopolitical events. We have previously observed pro-Russia hacktivist groups targeting organizations across multiple sectors within a single region following support by that region’s government for the Ukrainian war effort. We have also observed attacks targeting specific sectors, such as banking and health care. Attacks are typically conducted in line with this, rather than targeting companies with specific technologies; however, there have been limited examples of hacktivist groups directly targeting OT and ICSs.

In the context of the Israel-Hamas conflict, in late November 2023, the hacktivist group “SiegedSec” claimed to have breached Idaho National Laboratory, run by the US Department of Energy’s Office of Nuclear Energy. The group stole data that reportedly contained employees’ personal and financial information. SiegedSec also claimed to have breached the IT security of the North Atlantic Treaty Organization (NATO) on two occasions in 2023 and launched a series of attacks against IP addresses belonging to Israeli infrastructure and ICSs in October 2023.

SiegedSec is part of a wider group known as ThreatSec, which also encompasses “GhostSec,” “Stormous,” and “Blackforums.” In November 2023, ThreatSec claimed it was able to take full control of the IP routing for more than 5,000 servers in the Gaza region. Analysis following this claim showed that many ICSs are inadvertently exposed to the internet, leading threat actors to take advantage. Researchers found that some Israeli organizations had exposed a supervisory control and data acquisition (SCADA) communications protocol to the internet, as well as SCADA Message Queuing Telemetry Transport (MQTT) ports. Palestinian organizations were also reportedly exposing Siemens automation and Symantec systems to the internet. This highlights the importance of ensuring that ICSs are properly configured to prevent unsophisticated system compromises.

In addition to proper configuration, it is also advised that OT and ICSs are not exposed to the internet, especially those running on legacy systems that are no longer supported in terms of patch management. This will prevent threat actors from discovering these systems when performing scans to identify vulnerable instances.

Insiders

Insider threats can usually be classified as either malicious or unwitting. Malicious insiders deliberately sabotage or steal proprietary information, whereas their unwitting counterparts unknowingly provide information or access to those who seek it for nefarious means. Motives vary between insider types, but they include revenge, financial gain, coercion, or a desire to be helpful.

Insiders can work alone, but they can also be contracted by independent or nation-state–associated threat actors who seek to use their insider knowledge to conduct cyber attacks. Because of this knowledge, and because such attacks often use valid credentials, insider threats can be more difficult to detect by EDR or antivirus software than other cyber threats.

Most insider-related events involve data breaches—stealing information is within the realm of most people’s technical expertise since they likely already have access to the required systems. Organizations running OT possess vast amounts of sensitive information, which will be valuable to cybercriminals looking to sell it and to nation-state–associated threat actors whose aim is to bring their host nation a strategic advantage. Therefore, organizations running OT should be alert to such threats to avoid substantial data breaches.

Insiders with technical competence can also cause changes to computer systems. Insiders may perform network reconnaissance or provide backdoor access for threat actors to support their campaigns. They may also add malicious code to software, encrypt valuable files, or change system configurations. For organizations running OT, this could result in machinery malfunctioning or ceasing to operate entirely, which could result in real-world consequences such as incorrect medicinal formulas or contaminated drinking water.

In June 2023, two former Tesla employees leaked information to the media about the car manufacturer’s employees, customers’ banking details, production secrets, and complaints about Tesla’s self-driving features. The media outlet was prohibited from publishing the data, but had that information landed in criminal hands, the outcome would likely have resulted in severe consequences for Tesla.

In January 2021, an employee fired from Stradis Healthcare pleaded guilty to breaching and temporarily disabling the US company’s shipping system. Although the employee’s credentials were revoked, the individual kept a secret account that provided him with access to the system. The insider’s action meant the distribution of lifesaving medical equipment during the COVID-19 pandemic was disrupted, demonstrating the potentially severe consequences of insider attacks.

To mitigate insider threats, it is recommended that all accounts used by or linked to ex-employees are disabled or that the credentials are rotated. Exercise the principle of least privilege to ensure access to sensitive information is granted only to those who need it. Finally, monitor and control remote access from all endpoints, including mobile devices.

Example Attack Chain

Public reporting regarding attacks directly targeting OT is typically infrequent and comes with scant detail. Below, we outline a theoretical but realistic attack scenario mapped against MITRE ATT&CK TTPs. In this case, we considered a Russia-linked APT targeting SCADA systems to steal sensitive information and cause a power blackout in Ukraine.

Discovery: Network Service Scanning (T1046)

  • Prior to the attack, the adversaries scan the network services to identify SCADA systems and discover which systems to target.

Initial Access: Spearphishing Attachment (T1566.001)

  • Attackers initiate the campaign by sending spearphishing emails to employees at Ukrainian power companies. These emails contain malicious Microsoft Office documents that, once opened, deploy the BlackEnergy 3 malware.

Execution: User Execution (T1204)

  • An employee executes the malicious payload by enabling macros in the Office documents, which allows the malware to run on IT systems, collecting credentials.

Persistence: Valid Accounts (T1078)

  • After gaining valid user credentials, the attackers maintain access to the IT network, enabling them to move laterally throughout the network, including to connected OT devices.

Privilege Escalation: Credential Dumping (T1003)

  • The attackers use tools like “Mimikatz” to dump credentials and escalate their privileges within the IT network.

Lateral Movement: Pass the Hash (T1075)

  • With the credentials obtained, the attackers use techniques like “pass the hash” to move laterally within the IT network and eventually cross over to the OT network.

Collection: Data from Information Repositories (T1213)

  • The attackers collect information about the ICS/OT environment to understand how to manipulate it.

Collection: Data Staged (T1074)

  • The attackers stage collected data in password-protected archives prior to exfiltration.

Command and Control: Commonly Used Port (T1043)

  • The attackers communicate with the malware using ports that are typically permitted access to a network by a firewall.

Impact: Inhibit Response Function (T0832)

  • The KillDisk component is used to disrupt the recovery process by erasing critical files on systems and workstations.

Impact: Loss of Control (T0836)

  • The attackers take control of the SCADA systems managing the electrical substations and switch off the power, causing a blackout.

Exfiltration: Exfiltration over C2 Channel (T1041)

  • The attackers exfiltrate data over attacker-controlled command-and-control (C2) servers via HTTP or TCP.

What ReliaQuest Is Doing

The ReliaQuest GreyMatter security operations platform empowers customers to investigate, detect, and respond to the threats that matter most. The platform increases visibility, to help customers get the most out of existing security investments, and reduces the complexity of the detection and incident response lifecycle. This ultimately allows ReliaQuest and our customers to efficiently counter known and emerging threats. We provide customers with detection capabilities and actionable intelligence to mitigate the efforts of espionage and financially motivated threat actors alike.

Recommendations and Best Practices

  • Implement multifactor authentication (MFA). Enable code-based MFA for all user accounts, both OT and IT, especially for remote access and privileged accounts. This adds an extra layer of security and makes it harder for attackers to gain unauthorized access.
  • Baseline activity. Ensure that baselining is conducted for OT traffic and technology behaviors. Understanding what is normal will help identify potentially malicious anomalies.
  • Segment networks. Ensure proper network segmentation of devices so they can communicate only with other devices that are needed to support their specific business functions.
  • Limit access to the internet for OT and allow it to access only specific websites or IP addresses.
  • Apply extended access control lists (ACLs) to block unauthorized protocols outside the trusted network.
  • Filter boundary traffic by blocking the IP addresses from which an attack originates, blocking the ports being targeted, or blocking protocols being used for data-packet transport.
  • Restrict PowerShell use. Use group policy objects to restrict PowerShell use to only specific users or administrators who manage a network or Windows.
  • Regularly scan externally facing systems for vulnerabilities and establish procedures to patch systems, if appropriate, when critical vulnerabilities are discovered through scanning and through public disclosure. Such procedures should be balanced against the difficulty or operational downtime associated with applying that patch for OT.
  • Regularly scan the internal network for available services to identify new and potentially vulnerable services.
  • Ensure comprehensive coverage. Prioritize visibility and validation of visibility. Endpoint logging and visibility play a key role in detecting and addressing exploits or threat activity. Make sure to enable coverage for antivirus or EDR tools in your environment. Additionally, send logs to a central location like a security information and event management (SIEM) platform for comprehensive visibility. This proactive approach enables earlier detection and remediation of intrusions, preventing them from reaching ransomware or extortion levels of severity.
  • Keep all operating systems, software, and firmware up to date, where possible. Some OT may be difficult to patch, or the operational downtime required to apply a patch may be unacceptable. But where possible, regularly update and patch operating systems, software, and firmware. Prioritize patching known exploited vulnerabilities in internet-facing systems.
  • Develop and implement detection rules to look for anomalous traffic patterns from OT-related subnets and systems.
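As an added example (not ReliaQuest’s code or tooling), the following Python check ties the recommendations on baselining OT activity, limiting OT internet access, and writing detection rules for OT subnets to the attack chain above: it learns per-host peers from a learning window of flow records and then flags IT-to-OT lateral movement, OT hosts reaching the internet over firewall-permitted ports, ICS/SCADA and MQTT services answering external addresses, and unbaselined OT peers. The OT/IT subnets, the ICS port list, and the flow-record format are assumptions, and all flow records are constructed.

```python
"""Baseline OT network flows and flag deviations.

Added example, not ReliaQuest's code. Subnets, port lists and the
flow-record format are assumptions; all flow records are constructed.
"""
import ipaddress
from collections import defaultdict

OT_SUBNET = ipaddress.ip_network("10.50.0.0/16")   # assumed OT segment
IT_SUBNET = ipaddress.ip_network("10.10.0.0/16")   # assumed IT segment
# ICS/SCADA services that should never be reachable from outside (assumed list)
ICS_PORTS = {502: "Modbus/TCP", 1883: "MQTT", 20000: "DNP3", 44818: "EtherNet/IP"}
# Ports an IT host would use to pivot onto OT hosts (pass-the-hash over SMB, RDP, WinRM)
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM"}

# Constructed learning window: HMI 10.50.1.10 polls two PLCs over Modbus and
# sends syslog; sensor gateway 10.50.1.11 publishes to an MQTT broker.
BASELINE_FLOWS = [
    "2024-02-01T08:00:00Z 10.50.1.10 10.50.1.20 502 tcp",
    "2024-02-01T08:00:05Z 10.50.1.10 10.50.1.21 502 tcp",
    "2024-02-01T08:01:00Z 10.50.1.11 10.50.1.30 1883 tcp",
    "2024-02-01T08:02:00Z 10.50.1.10 10.50.1.5 514 udp",
]
# Constructed observation window: one normal flow followed by four deviations.
NEW_FLOWS = [
    "2024-02-02T09:00:00Z 10.50.1.10 10.50.1.20 502 tcp",
    "2024-02-02T09:05:00Z 10.10.4.7 10.50.1.10 445 tcp",
    "2024-02-02T09:06:00Z 10.50.1.10 203.0.113.9 443 tcp",
    "2024-02-02T09:07:00Z 198.51.100.4 10.50.1.30 1883 tcp",
    "2024-02-02T09:08:00Z 10.50.1.11 10.50.1.20 502 tcp",
]


def parse_flow(line):
    """Parse the constructed 'timestamp src dst dport proto' record."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def is_internal(ip):
    return ip in OT_SUBNET or ip in IT_SUBNET


def build_baseline(lines):
    """Learn, per OT source host, the set of (destination, port) pairs seen."""
    baseline = defaultdict(set)
    for f in map(parse_flow, lines):
        if f["src"] in OT_SUBNET:
            baseline[f["src"]].add((f["dst"], f["dport"]))
    return baseline


def check_flows(lines, baseline):
    """Return (rule, flow) findings; rules are checked from most to least specific."""
    findings = []
    for f in map(parse_flow, lines):
        src, dst, port = f["src"], f["dst"], f["dport"]
        key = f"{src}->{dst}:{port}"
        if src in OT_SUBNET and not is_internal(dst):
            # OT should not reach the internet at all; 80/443 are the firewall-
            # permitted "commonly used ports" that C2 and exfiltration ride on.
            findings.append(("ot_internet_egress", key))
        elif src in IT_SUBNET and dst in OT_SUBNET and port in LATERAL_PORTS:
            findings.append(("it_to_ot_lateral", key))
        elif not is_internal(src) and port in ICS_PORTS:
            # A SCADA/MQTT service answering an external address is internet-exposed.
            findings.append(("ics_port_exposed", key))
        elif src in OT_SUBNET and (dst, port) not in baseline.get(src, set()):
            findings.append(("new_ot_peer", key))
    return findings


def analyze():
    return check_flows(NEW_FLOWS, build_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for rule, flow in analyze():
        print(f"{rule:20s} {flow}")
```

In production the learning window would come from NetFlow, Zeek, or firewall logs sent to the SIEM, and the baseline would be refreshed on a schedule rather than built once.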