2021 ICS Cybersecurity Year In Review
Dragos's annual ICS/OT Cybersecurity Year in Review provides an overview and analysis of ICS vulnerabilities, global threat activity targeting industrial environments, and industry trends and observations gathered from customer engagements worldwide. Our goal is to give asset owners and operators proactive, actionable information and defensive recommendations to prepare for and combat the world's most significant industrial cybersecurity adversaries.
The 2021 Year In Review follows the same interactive web experience as last year’s review and includes an in-depth report as well as an executive summary.
Growth of ICS-Focused Threat Activity Groups
Visibility into the industrial threat landscape has never been better. Dragos has tracked ICS threat activity groups since its inception in 2016. In 2021 we identified three new activity groups (KOSTOVITE, PETROVITE and ERYTHRITE, all of which appear in the graphic below), bringing the total number of tracked groups to 18 worldwide.
The animated graphic below shows the sectors and regions in which Dragos analysts have observed this ICS-targeting threat activity over time, one card per activity group, with the year Dragos first tracked the group and a one-line summary of its behaviour.
Year axis of the graphic: 2014 through 2020 (the extracted frame is labelled 2020).

Activity groups shown in the graphic, with the year Dragos first tracked the group and the page's one-line summary:
XENOTIME (since 2014): focused on physical destruction and long-term persistence.
KAMACITE (since 2014): known to facilitate operations leading to disruptive ICS attack.
DYMALLOY (since 2016): deep ICS environment information gathering, operator credentials, industrial process details.
COVELLITE (since 2017): IT compromise with hardened anti-analysis malware against industrial orgs.
MAGNALLIUM (since 2017): IT network limited, information gathering against industrial orgs.
RASPITE (since 2017): IT network limited, information gathering on electric utilities, with some similarities to CHRYSENE.
ALLANITE (since 2017): watering-hole and phishing leading to ICS recon and screenshot collection.
CHRYSENE (since 2017): IT compromise, information gathering and recon against industrial orgs.
HEXANE (since 2018): IT compromise and information gathering against ICS entities.
TALONITE (since 2019): the graphic's card repeats XENOTIME's summary; Dragos's public TALONITE profile describes phishing-based initial access against U.S. electric utilities rather than physical destruction.
ERYTHRITE (since 2020): broadly targets organizations in the U.S. and Canada with ongoing, iterative malware campaigns.
KOSTOVITE (since 2021): in March 2021 compromised a renewable energy operator.
PETROVITE (since 2021): demonstrates Stage 1 of the ICS Kill Chain and targets mining and energy operations in Kazakhstan.

Groups observed per region and sector (the graphic's repeated cards, collapsed to the distinct groups shown for each sector):

North America
Electric: XENOTIME, KAMACITE, COVELLITE, MAGNALLIUM, RASPITE, ALLANITE, CHRYSENE, TALONITE, KOSTOVITE, ERYTHRITE
Oil & Gas: KAMACITE, XENOTIME, DYMALLOY, MAGNALLIUM, CHRYSENE, ERYTHRITE
Manufacturing: KAMACITE, COVELLITE, ERYTHRITE
Transportation: DYMALLOY, ERYTHRITE
Chemical: CHRYSENE, ERYTHRITE

Europe
Electric: KAMACITE, DYMALLOY, MAGNALLIUM, RASPITE, ALLANITE, CHRYSENE
Oil & Gas: KAMACITE, DYMALLOY, MAGNALLIUM, CHRYSENE
Manufacturing: KAMACITE
Transportation: DYMALLOY
Chemical: CHRYSENE, MAGNALLIUM

Africa
Electric: none shown
Oil & Gas: HEXANE
Manufacturing: none shown
Transportation: none shown
Chemical: CHRYSENE

Middle East
Electric: MAGNALLIUM, RASPITE, ALLANITE, CHRYSENE
Oil & Gas: XENOTIME, MAGNALLIUM, CHRYSENE, HEXANE
Manufacturing: CHRYSENE, MAGNALLIUM (both cards are labelled "Since 2021" in this sector)
Transportation: CHRYSENE, MAGNALLIUM (both cards are labelled "Since 2021" in this sector)
Chemical: CHRYSENE, MAGNALLIUM

Asia Pacific
Electric: MAGNALLIUM, RASPITE, TALONITE, KOSTOVITE, PETROVITE
Oil & Gas: MAGNALLIUM, HEXANE
Manufacturing: PETROVITE
Transportation: none shown
Chemical: MAGNALLIUM
Disclaimer: this data only represents public reporting. Customer confidential information is not shared.
TIMELINE OF ICS THREAT ACTIVITY IN 2021
02.21 Cyber Attack
Oldsmar Municipal Water Attack
The cyberattack on the water system of Oldsmar, Florida demonstrated the potential vulnerabilities of municipal water systems throughout the world. During a press conference, the City of Oldsmar announced that there had been an unlawful intrusion into the city's water treatment system and that an adversary had attempted to poison the water supply.
02.21 Activity Group Update
STIBNITE renewed activity
The identified activity targeted Azerbaijani environmental science, technology, and industrial engineering experts, researchers, and practitioners with an interest in technical conferences. Victims received spear-phishing emails about such events as the first step toward installing a new version of PoetRAT.
03.21 Malware
Honeywell Breach
Honeywell reported a malware intrusion that disrupted a limited number of its information technology (IT) systems. The OEM produces a range of industrial products used by oil and gas manufacturers in North America, and the breach was a reminder of the cyber threats facing the manufacturing industry and its supply chain.
03.21 Activity Group Update
KAMACITE renewed activity
Dragos’s continual discovery of new GREYENERGY files in the wild demonstrates that KAMACITE continues its development of GREYENERGY to further its operations. KAMACITE may be using all GREYENERGY components in conjunction with other actions and tools to facilitate more disruptive ICS/OT attacks.
03.21 Activity Group Update
Dragos identifies new Activity Group, KOSTOVITE
During an incident response investigation at a renewable energy operator, Dragos confirmed that KOSTOVITE reached Stage 2 of the ICS Kill Chain, with an intrusion into OT networks and devices. KOSTOVITE compromised the perimeter of the target network by exploiting a zero-day vulnerability in the Ivanti Connect Secure remote access product (formerly known as Pulse Secure).
04.21 ICS Cybersecurity Advancement
Biden Administration Announces 100-Day Plan to Address Cybersecurity Risks to the U.S. Electric System
05.21 Ransomware
Colonial Pipeline Ransomware Attack
The largest fuel pipeline in the U.S. that delivers approximately 45% of the gasoline consumed on the East Coast announced a ransomware attack of its IT systems. To contain and limit damage of the attack, Colonial Pipeline halted pipeline operations, resulting in gas shortages and panic-buying by its customers.
05.21 Ransomware
JBS Foods Ransomware Attack
JBS Foods, one of the largest beef suppliers in the world with meatpacking facilities in the U.S., UK, Australia, Canada, Mexico, and Brazil, announced that it had detected ransomware in its Sao Paulo branch, targeting the food and beverage infrastructure within the organization.
After the attack, JBS Foods shut down many of its operations and paid an $11 million ransom in Bitcoin. Although JBS Foods was able to keep much of its operations running without a decryptor from REvil, it chose to pay the ransom.
05.21 ICS Cybersecurity Advancement
DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators
06.21 ICS Cybersecurity Advancement
Energy and Commerce Committee passed 4 energy cybersecurity bills
06.21 Vulnerability
Windows Zero-Day Vulnerability: PrintNightmare
Security researchers at Sangfor Technologies accidentally disclosed a Windows zero-day vulnerability, nicknamed PrintNightmare, in a public GitHub repository. PrintNightmare is a critical vulnerability in the Windows Print Spooler service that allows a remote, authenticated adversary to execute code with SYSTEM-level privileges. An adversary with that access can create new users with full rights, install malicious software, and modify or delete data.
07.21 ICS Cybersecurity Advancement
MITRE Engenuity Releases First ATT&CK® Evaluations for Industrial Control Systems Security Tools
07.21 ICS Cybersecurity Advancement
Biden Administration Announces Further Actions to Protect U.S. Critical Infrastructure
08.21 Activity Group Update
KAMACITE renewed activity
Dragos’s continual discovery of new GREYENERGY files in the wild demonstrates that KAMACITE continues its development of GREYENERGY to further its operations. KAMACITE may be using all GREYENERGY components in conjunction with other actions and tools to facilitate more disruptive ICS attacks.
09.21 Ransomware
New Cooperative Ransomed
The ransomware group BlackMatter attacked New Cooperative, an association of Iowa corn and soybean farmers, and demanded a $5.9 million ransom payment for a decryptor.
10.21 Activity Group Update
Renewed WASSONITE activity
Dragos identified the adversary WASSONITE targeting the Kudankulam Nuclear Power Plant (KKNPP) in India. Subsequent intelligence research combined with public announcements from KKNPP confirmed that adversaries had breached its IT network.
11.21 New Activity Group
ERYTHRITE NEW ACTIVITY GROUP
ERYTHRITE demonstrated ICS Stage 2 (Develop) Cyber Kill Chain activity in one of its compromises. ERYTHRITE broadly targets English- and French-speaking organizations in the U.S. and Canada with ongoing, iterative malware campaigns. Dragos has observed ERYTHRITE compromising the OT environments of a Fortune 500 company and the IT networks of a large electrical utility, food and beverage companies, auto manufacturers, IT service providers, and multiple Oil & Natural Gas (ONG) service firms.
12.21 New Activity Group
PETROVITE NEW ACTIVITY GROUP
Dragos is currently tracking a new adversary identified as PETROVITE. PETROVITE demonstrates Stage 1 of the ICS Kill Chain capabilities and targets mining and energy operations in Kazakhstan. The overlaps with other activity groups and consistent capability development could lead to more targeted ICS/OT incidents beyond general system reconnaissance and collection.
12.21 Vulnerability
Apache Log4J Vulnerability
Dragos coordinated a takedown of malicious domains used in the early Log4j exploitation attempts. Dragos has also observed other intelligence organizations reporting cyber criminals exploiting Log4j to deliver Cobalt Strike beacons, malware, cryptocurrency miners, ransomware, DDoS bots, and other malicious programs.
12.21 Cyber Attack
Cyber adversaries used HP iLO rootkit to wipe servers
Iranian researchers reported a rootkit they discovered in the HP Integrated Lights-Out (iLO) management boards of a server. The rootkit allowed the adversary to maintain access to the board itself, independent of the host operating system. From there, the adversary issued low-level commands to the server hardware, including wiping the server remotely and potentially installing software alongside, or in place of, the standard operating system.
2021 ICS Vulnerabilities
In 2021, Dragos Threat Intelligence assessed 1,703 ICS/OT common vulnerabilities and exposures (CVE) reported by a variety of sources including independent researchers, vendors, and ICS-CERT. The key findings are summarized below.
Finding                                                    2019    2020 (change)   2021 (change)
Advisories with incorrect data                              30%     43% (+13)       38% (-5)
Advisories with no patch                                    26%     22% (-4)        24% (+2)
Of advisories with no patch, share with no mitigation       76%     64% (-12)       19% (-45)
Advisories for which Dragos provided a mitigation           77%     78% (+1)        69% (-9)
Individual CVEs that contained errors                       19%     33% (+14)       97% (+64)
Dragos correction: MORE severe than public advisory         73%     33% (-40)       52% (+19)
Dragos correction: LESS severe than public advisory         26%     26% (0)         45% (+19)
Advisories for products bordering the enterprise            21%     23% (+2)        23% (0)
Vulnerabilities deep within the ICS network                 77%     77% (0)         77% (0)
Impact: loss of view and loss of control                    50%     36% (-14)       35% (-1)

Why each finding matters:
Advisories with incorrect data can prevent operators from accurately prioritizing patch management.
Advisories with no patch present a challenge for operators that want to take action to resolve the published vulnerability.
Advisories with no patch and no mitigation prevent an operator from taking any defensive action using information from the advisory.
Of the advisories that had no mitigation, Dragos provided mitigation advice for a majority, enabling defenders to take action.
Individual CVEs that contain errors can mislead practitioners who use CVSS scores to triage for mitigation.
Of the advisories with errors, Dragos assessed a large proportion to be more severe, and a further share to be less severe, than the public advisory indicated; both directions distort patching prioritization.
Advisories for products bordering the enterprise can facilitate initial access by an adversary into an operations environment.
Vulnerabilities deep within the ICS network require existing access to a control systems network to exploit.
Vulnerabilities that could cause both loss of view and loss of control prevent operators from monitoring and modifying the system state.
2021 ICS Environment Assessments
Dragos gathered first-hand insights to understand the state of ICS cybersecurity, impacts for the community overall, and recommendations to improve strategies for all levels of OT cybersecurity maturity. The team's findings are summarized below.
Finding                                                        2019    2020    2021 (change vs. 2020)
Extremely limited or no visibility into the OT environment      81%     90%     86% (-4)
Poor security perimeters                                        71%     88%     77% (-11)
External connections to the ICS environment                    100%     33%     70% (+37)
Lacked separate IT and OT user management                       54%     54%     44% (-10)

86% of service engagements had a lack of visibility across OT networks, making detection, triage, and response incredibly difficult at scale.
77% of service engagements included a finding of external connections from OEMs, IT networks, or the Internet to the OT network.
70% of ICS environments had external connections.
44% of service engagements included a finding of shared credentials in OT systems, the most common method of lateral movement and privilege escalation.
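The perimeter findings above (external connections from OEMs, IT networks or the Internet into the OT network) are the kind of thing a rule-set audit can catch before an assessor does. The following is an added example, not Dragos tooling or code from the Year in Review: it treats the firewall policy as IEC 62443 style zones and conduits and flags every permitted flow into an OT zone that is not an explicitly approved conduit. The zone names, the Rule and Conduit records, the approval policy, the sample rules and all addresses are constructed for illustration.

```python
"""Audit permitted firewall rules for external connections into OT zones.

Added example, not Dragos tooling. Zone names, the Rule/Conduit formats, the
approval policy and the sample rule set are constructed to illustrate an
IEC 62443 style zones-and-conduits check: any permitted flow terminating in
an OT zone must match an approved conduit (zone pair, service and, where
required, source host), otherwise it is a finding.
"""
from dataclasses import dataclass
from typing import Optional

OT_ZONES = {"ot_dmz", "ot_control", "ot_safety"}
EXTERNAL_ZONES = {"internet", "enterprise", "oem_vendor"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str            # host, CIDR or "any"
    dst: str            # host, CIDR or "any"
    service: str        # e.g. "tcp/443", or "any"
    action: str = "permit"


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    services: frozenset                    # approved services on this conduit
    src_hosts: Optional[frozenset] = None  # None: any host in src_zone may use it


# Constructed policy: enterprise reaches only the OT DMZ, only the DMZ jump host
# (10.20.0.10) may reach the control zone, and the control zone may only push
# historian data back to the DMZ. Nothing at all is approved into ot_safety.
POLICY = [
    Conduit("enterprise", "ot_dmz", frozenset({"tcp/443", "tcp/3389"})),
    Conduit("ot_dmz", "ot_control", frozenset({"tcp/3389", "tcp/22"}),
            frozenset({"10.20.0.10"})),
    Conduit("ot_control", "ot_dmz", frozenset({"tcp/5450"})),
]


def _find_conduit(rule, policy):
    for conduit in policy:
        if (conduit.src_zone, conduit.dst_zone) == (rule.src_zone, rule.dst_zone):
            return conduit
    return None


def audit_rule(rule, policy=POLICY):
    """Finding for a permitted cross-zone flow into OT that policy does not
    approve; None for deny rules, intra-zone rules and approved conduits."""
    if rule.action != "permit" or rule.dst_zone not in OT_ZONES:
        return None
    if rule.src_zone == rule.dst_zone:
        return None
    conduit = _find_conduit(rule, policy)
    if conduit is None:
        # No approved path between these zones at all. Internet sources and
        # anything that reaches the safety zone are the worst case.
        if rule.src_zone == "internet" or rule.dst_zone == "ot_safety":
            severity = "critical"
        elif rule.src_zone in EXTERNAL_ZONES:
            severity = "high"
        else:
            severity = "medium"
        reason = f"no approved conduit {rule.src_zone} -> {rule.dst_zone}"
    elif rule.service == "any" or rule.service not in conduit.services:
        severity, reason = "high", f"service {rule.service} not approved on conduit"
    elif conduit.src_hosts is not None and rule.src not in conduit.src_hosts:
        severity, reason = "high", f"source {rule.src} is not an approved conduit endpoint"
    else:
        return None
    return {"rule": rule.name, "severity": severity, "reason": reason}


def audit(rules, policy=POLICY):
    """Audit a whole rule set; findings come back worst first, then by rule name."""
    findings = [f for f in (audit_rule(r, policy) for r in rules) if f]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["rule"]))


# Constructed sample rule set; names and addresses are illustrative only.
SAMPLE_RULES = [
    Rule("vendor-vpn-plc", "oem_vendor", "ot_control", "any", "10.30.0.0/24", "any"),
    Rule("ent-to-dmz-https", "enterprise", "ot_dmz", "10.1.0.0/16", "10.20.0.20", "tcp/443"),
    Rule("ent-to-hmi-rdp", "enterprise", "ot_control", "10.1.5.0/24", "10.30.0.50", "tcp/3389"),
    Rule("jump-to-control", "ot_dmz", "ot_control", "10.20.0.10", "10.30.0.0/24", "tcp/3389"),
    Rule("dmz-any-control", "ot_dmz", "ot_control", "any", "any", "any"),
    Rule("inet-to-sis", "internet", "ot_safety", "any", "10.40.0.5", "tcp/502"),
    Rule("hist-push", "ot_control", "ot_dmz", "10.30.0.100", "10.20.0.20", "tcp/5450"),
    Rule("legacy-deny", "enterprise", "ot_control", "any", "any", "any", action="deny"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(f"{finding['severity']:8} {finding['rule']:18} {finding['reason']}")
```

Run as a script it prints four findings, worst first. The deny rule and the rules that match an approved conduit produce nothing, while the "any" service on the DMZ-to-control conduit is flagged even though the zone pair is approved: an over-broad conduit is exactly what turns a jump-host design back into a flat network.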
Practical advice for ICS defenders
01 Build a defensible architecture. Network architects can use traditional tools and concepts such as strong segmentation, firewalls, and software-defined networking to reduce cyber risk, especially around remote access. This can take a variety of forms, such as IEC 62443 zones and conduits, DMZs, and jump hosts.
02 Implement network monitoring. Visibility gained from monitoring your industrial assets validates the security controls implemented in a defensible architecture. Threat detection from monitoring allows for scaling and automation across large and complex networks.
03 Establish remote access authentication. The most effective control for remote access authentication is multi-factor authentication (MFA). Where MFA is not possible, consider alternate controls such as jump hosts with focused monitoring.
04 Manage key vulnerabilities. The majority of vulnerabilities do not need to be addressed immediately if you have a defensible architecture, since most require existing access to the control network to exploit. Dragos recommends defenders prioritize those that bridge IT and OT over those residing deep within the ICS/OT network.
05 Create an ICS incident response plan (IRP). Lastly, Dragos recommends that industrial organizations have a dedicated incident response plan (IRP) for their ICS/OT environments, and that they regularly exercise the plan with cross-disciplinary teams (IT, OT, executives, etc.).
Past Year In Review Reports
2020 ICS Cybersecurity Year in Review
Discover findings from frontline incident response and threat hunts, new activity groups tracked by Dragos in 2020 and industry-specific insights…

2019 Lessons Learned
Dragos 2019 ICS Year in Review: Lessons Learned from the Front Lines of ICS Cybersecurity