Dragos Report: Top 5 hacker groups have targeted Industrial Control Systems
The industrial network security company Dragos released a report on March 1, 2018. According to the report, the malicious activity of at least five high-level threat groups is concentrated mainly on Industrial Control Systems (ICS).
While it is not uncommon for non-targeted malware to find its way into industrial systems, targeted attacks are also becoming more prevalent. Dragos is continuing to track five threat groups, all of which have either directly attacked industrial control systems or have shown interest in collecting information about such systems.
- Electrum
One of the malicious groups tracked by the company is Electrum, which used the CRASHOVERRIDE/Industroyer malware in December 2016 to cause a massive blackout in Ukraine. There may be a link between Electrum and the Sandworm Team, which is widely recognized as the actor behind Ukraine’s 2015 power outage. The Russian government is accused of being involved in both rounds of attacks. Although Electrum has not launched any major attacks since the 2016 attack on power facilities in Ukraine, Dragos said it is still active and that there is evidence it has further expanded its target range. Dragos said in its report: “Although the previous malicious activity of Electrum was mainly aimed at Ukraine, from information on other small-scale malicious incidents and the association between the group and SANDWORM, we think that Electrum is likely to have been given another important task by its sponsors.”
- Covellite
Another malicious group of concern to Dragos is Covellite, which is linked to North Korea’s notorious Lazarus group. Researchers at Dragos began observing Covellite in September 2017, when it was conducting highly targeted phishing attacks against U.S. grid companies. The researchers later discovered that the group may also be attacking a number of organizations in Europe, North America, and East Asia. Unlike Electrum, Covellite has so far not used any malware specific to industrial systems.
- Dymalloy
The Dragos report also summarizes Dymalloy’s activities. The Dymalloy group gradually surfaced during the investigation of the Dragonfly operations, also known as Crouching Yeti and Energetic Bear. The so-called Dragonfly campaign is likely to be a series of Russian offensive operations, and is associated with Havex, a highly complex piece of malware. Several energy companies in the United States have recently found that their control systems were compromised by Dragonfly operations. Dragos believes Dymalloy has no connection to Dragonfly (at least not directly), because the former’s tools are not as advanced as Havex. However, Dymalloy hackers did manage to intrude on a number of industrial control system vendors in Turkey, Europe, and North America and gained access to HMI devices. Dymalloy seems to have been less active since 2017, probably to avoid the heightened attention of the media and security researchers.
- Chrysene
Dragos has been tracking Chrysene since mid-2017. The group’s main targets are in North America, Western Europe, Israel, and Iraq, with a special focus on electricity, oil and gas, and other industries. Chrysene is currently active and has used a variant of the malicious framework associated with OilRig and Greenbug, an Iranian cyber espionage group. Dragos noted that “although Chrysene’s malware has significantly improved its functionality compared with similar tools used by other threat groups, we have not observed the group use any malware that specifically targets industrial control systems. All of its activities to date seem to have focused on IT infiltration and espionage against organizations involved in industrial control systems.” It is worth noting that the recently discovered malware known as Trisis/Triton is the first threat tool specifically designed to sabotage a safety instrumented system (SIS), and some researchers believe it is associated with Iran.
- Magnallium
The last threat group that raised Dragos’ concern for industrial control systems is Magnallium, which also has links to Iran. Dragos has been tracking this malicious group since FireEye released a report on its malicious activity under the name APT33.
Although some media reports claimed that APT33’s main targets are industrial control systems and critical infrastructure, Dragos’ findings showed that the group does not appear to have any attack capability against industrial control systems.
Dragos said that while only one of these malicious groups has been able to affect network operations through malware specific to industrial control systems, all five groups were involved at least in reconnaissance and intelligence gathering related to industrial control system environments. The relative quiet of these groups during 2017 likely means that some of the security incidents that have taken place have yet to be detected.