2021 ICS Cybersecurity Year In Review

The identified activity targeted Azerbaijani environmental science, technology, and industrial engineering experts, researchers, and practitioners interested in technical conferences. Victims were sent spear-phishing emails about such events as a first attempt at installing a new version of PoetRAT.

Honeywell reported a malware intrusion that disrupted a limited number of its information technology (IT) systems. The OEM produces a range of industrial products used by oil & gas manufacturers in North America, and the breach was a reminder of potential cyber threats to the manufacturing industry and the supply chain.

Dragos’s continual discovery of new GREYENERGY files in the wild demonstrates that KAMACITE continues its development of GREYENERGY to further its operations. KAMACITE may be using all GREYENERGY components in conjunction with other actions and tools to facilitate more disruptive ICS/OT attacks.

During an incident response investigation at a renewable energy operator, Dragos confirmed that KOSTOVITE reached Stage 2 of ICS Kill Chain capabilities with an intrusion into the OT networks and devices. KOSTOVITE compromised the perimeter of the target network by exploiting a zero-day vulnerability in the remote access solution Ivanti Connect Secure, formerly known as Pulse Secure.

The largest fuel pipeline in the U.S. that delivers approximately 45% of the gasoline consumed on the East Coast announced a ransomware attack of its IT systems. To contain and limit damage of the attack, Colonial Pipeline halted pipeline operations, resulting in gas shortages and panic-buying by its customers.

JBS Foods—one of the largest beef suppliers in the world, with meatpacking facilities in the U.S., UK, Australia, Canada, Mexico, and Brazil, announced it detected ransomware in their Sao Paulo branch, targeting the food and beverage infrastructure within the organization.

After the attack, JBS Foods shut down many of its operations and paid $11 million in Bitcoin ransom. While JBS Foods could maintain much of its operations without REvil's assistance, it chose to pay the ransom.

Security researchers at Sangfor Technologies accidentally disclosed a Windows zero-day vulnerability nicknamed PrintNightmare on a public GitHub repository. PrintNightmare is a critical security vulnerability affecting the Microsoft Windows operating system that occurs within the print spooler service and allows a remote-authenticated adversary to execute malicious code at SYSTEM-level privileges. This enables an adversary to create new users with full user rights, install malicious software, and modify or delete data.

Dragos’s continual discovery of new GREYENERGY files in the wild demonstrates that KAMACITE continues its development of GREYENERGY to further its operations. KAMACITE may be using all GREYENERGY components in conjunction with other actions and tools to facilitate more disruptive ICS attacks.

The ransomware group BlackMatter attacked New Cooperative, an association of Iowa corn and soybean farmers, and demanded a $5.9 million ransom payment for a decryptor.

Dragos identified the adversary WASSONITE targeting the Kudankulam Nuclear Power Plant (KKNPP) in India. Subsequent intelligence research combined with public announcements from KKNPP confirmed that adversaries had breached its IT network.

ERYTHRITE demonstrated ICS Stage 2 (Develop) Cyber Kill Chain activity in one of its compromises. ERYTHRITE broadly targets English and French organizations in the U.S. and Canada with ongoing, iterative malware campaigns. Dragos has observed ERYTHRITE compromising the OT environments of a Fortune 500 company and the IT networks of a large electrical utility, food and beverage companies, auto manufacturers, IT service providers, and multiple Oil & Natural Gas (ONG) service firms

Dragos is currently tracking a new adversary identified as PETROVITE. PETROVITE demonstrates Stage 1 of the ICS Kill Chain capabilities and targets mining and energy operations in Kazakhstan. The overlaps with other activity groups and consistent capability development could lead to more targeted ICS/OT incidents beyond general system reconnaissance and collection.

Dragos coordinated a takedown of malicious domains used during the early exploitation attempts of Log4j. Dragos has also observed other intelligence organizations reporting cyber criminals launching Log4j attacks to deliver Cobalt Strike beacons, malware, cryptocurrency miners, ransomware, DDoS attacks, and other malicious programs.