Tuesday, February 25, 2025

Ransomware, state actors, hacktivists exploited geopolitical tensions to target critical infrastructure in 2024


Industrial cybersecurity firm Dragos disclosed that the cybersecurity threat landscape in 2024 was heavily influenced by rising geopolitical tensions and their impact on industrial operations worldwide. The global geopolitical climate is driving increased concern for cybersecurity in industrial and critical infrastructure, as 2024 saw an expansion of adversaries, tools, and ransomware events targeting industrial organizations. The firm also reported the emergence of new adversaries targeting critical infrastructure, connections between state and non-state actors, and that internet-exposed ICS devices were among the most exploited vectors for OT-targeting attacks.

The report, ‘OTICS Cybersecurity Report,’ published Tuesday, is Dragos’ eighth annual publication that examines the cybersecurity threats and attacks anticipated in 2024. It highlights the increasing complexity of the threat landscape. It emphasizes the urgent need for defenders to enhance visibility and bolster the resilience of OT/ICS (operational technology/industrial control systems) networks. The report identifies that from ongoing campaigns by well-established threat groups to opportunistic strikes by hacktivists and ransomware operators, cyber adversaries increasingly recognize OT/ICS environments as viable targets to fulfill their objectives.

“There’s a lot of geopolitical strikes and unfortunately one of the realities is state actors and non-state actors tend to target critical infrastructure,” Robert Lee, CEO and co-founder at Dragos, said in a briefing call last week. 

He also noted that while everyone professes a desire to protect civilians, data consistently shows that critical infrastructure is being targeted, driven largely by the current geopolitical climate, which fuels both concern and these attacks.

“We also saw in 2024 the expansion of new adversaries that are targeting critical infrastructure, but also very interesting connections between state and non-state actors,” Lee said. “And I think that’s one thing that’ll hit it very heavily in this report and it’s pretty big newsworthy of being able to show those connections as they’ve been rumored for years, but being able to see the connections is really really sort of important.”

Dragos identified that 2024 demonstrated that OT is no longer a niche target. The proliferation of adversaries, enabled by greater awareness and understanding of OT and by the effectiveness of basic attack techniques, has made defending critical infrastructure more challenging than ever.

Skilled adversaries remain hidden within critical infrastructure while hacktivists exploit exposed, weakly protected infrastructure. Both are enabled by an environment in which most of the community is not yet aware that the threat to OT differs from the threat to IT or, worse, is informed but knowingly chooses to ignore or downplay it. Doing the basics continues to be the prime directive for most of the community. Now more than ever, defenders who can uncover and illuminate hidden threats are stepping up to hunt.

The Hanover, Maryland-headquartered firm reported that a striking trend in 2024 was the continued lowering of the barrier to entry for adversaries targeting OT/ICS. “Adversaries that would have once been unaware of or ignored OT/ICS entirely now view it as an effective attack vector to achieve disruption and attention. For example, Blackjack’s Fuxnet malware, revealed in April 2024, though rudimentary compared to more sophisticated ICS-capable malware like PIPEDREAM, signaled a growing awareness of the impact that disruptive attacks on OT networks can have.” 

Similarly, Dragos added that the hacktivist persona CyberArmyofRussia_Reborn’s (CARR) campaigns targeting internet-exposed OT devices through much of 2024 demonstrated that even basic techniques, such as manipulating internet-exposed human-machine interface (HMI) settings remotely, could result in tangible disruptions.

Dragos recognizes that this shift does not necessarily indicate a deeper technical understanding of OT, but rather a broader recognition of its effectiveness in achieving adversarial objectives. For ransomware operators, this has led to targeting manufacturing environments where downtime exerts immediate pressure on victims to pay the ransom. For hacktivists, targeting OT provides a swift and disruptive means to amplify their messages. These attacks underscore a vital truth – high sophistication is not always required to achieve significant outcomes, and the growing number of adversaries increases the overall risk.

It also recognized that while defenders have advanced in grasping the importance of securing OT environments, this advancement is inconsistent across different sectors and regions. Regulated industries, such as North America’s electric power sector, exhibit higher levels of maturity compared to less regulated sectors like water utilities or manufacturing. Programs like the Dragos Community Defense Program (CDP) help raise awareness, yet in many instances, the visibility into OT environments still trails behind the tactics employed by adversaries.

The report highlights uneven progress among organizations, noting that while many have implemented secure remote access, they often lack the internal network monitoring and visibility needed to identify third-party and legacy connections, which can leave their networks vulnerable to compromise. “While a lack of visibility prevents organizations from understanding attack vectors inside their network, it is the root of why organizations fail to understand their external attack surface, leaving them vulnerable to opportunistic adversaries relying on tools like Shodan and Censys to discover exposed devices. Internet-exposed ICS devices were among the most exploited vectors for OT-targeting attacks in 2024.”

Dragos reported that in 2024, there was a continuation of offensive cyber activities associated with ongoing geopolitical conflicts. Threat groups, including hacktivists, transitioned to more overt cyber operations aligned with the objectives of their respective sides, while the more advanced groups aimed to create disruptive effects.

“KAMACITE and ELECTRUM continue to collaborate in support of Russian military objectives by targeting critical infrastructure in Ukraine. KAMACITE establishes a foothold into victim IT networks and hands control to ELECTRUM for OT operations, such as the 2016 CRASHOVERRIDE attack, which temporarily cut power to part of Kyiv,” Dragos reported. “In 2024, KAMACITE used the Kapeka backdoor targeting Ukrainian critical infrastructure entities supplying heat, water, and electricity. Meanwhile, ELECTRUM collaborated with hacktivist groups to obscure its cyber attack against Kyivstar, a Ukrainian telecommunications company.”

KAMACITE targeted European oil and natural gas (ONG) organizations, using the 2024 Gas Infrastructure Europe (GIE) conference, hosted in Germany, as a spear-phishing theme. “The campaign relied on a relatively complex infection chain, leading to the deployment of another custom-developed Windows backdoor named ‘Edam.’ This was a notable shift from an exclusive focus on Ukraine to broader European targets. This coincided with the expiration of an agreement allowing Russian state-owned company Gazprom to supply gas to Eastern and Central Europe.”

Dragos added that ELECTRUM has technical overlaps with the Sandworm APT. While not as active as KAMACITE in 2024, ELECTRUM used hacktivist personas to conceal its other operations and developed a new wiper capability, ACIDPOUR. ELECTRUM has demonstrated its ability to reach Stage 2 (Execute ICS Attack) of the ICS Cyber Kill Chain. Given ELECTRUM’s history of wiper malware usage, asset owners should implement basic security measures to prevent, or at least monitor, binary execution within control system environments, or to monitor when such files are transferred into the ICS network.

The report analyzed ELECTRUM’s new capability, AcidPour, which is a binary compiled for Linux operating systems that can search and wipe Unsorted Block Images (UBI) directories in embedded devices, including devices in OT environments. “AcidPour extended the functionality of AcidRain, a previously used wiper, in February 2022. AcidRain impacted ViaSat modems and caused a partial interruption of KA-SAT’s consumer-oriented satellite broadband service. The attack also impacted wind turbines in Germany. The discovery and implications of AcidPour underscore the persistent threat posed by ELECTRUM’s arsenal of wiper malware, particularly considering their potential to inflict substantial operational disruptions and damage in OT environments.”

Throughout the year, the VOLTZITE threat group continued its activities, compromising SOHO (small office/home office) routers and interacting with geographic information systems (GIS). Analysis reveals that VOLTZITE and its affiliates are using infrastructure from compromised organizations as relay points for use in a botnet. These actions facilitate adversary-controlled peer-to-peer (P2P) relay networks that enumerate internet-exposed critical infrastructure, impacting sectors such as electric, oil and gas, water and wastewater, and government entities.

“VOLTZITE is arguably the most crucial threat group to track in critical infrastructure. Due to their dedicated focus on OT data, they are a capable threat to ICS asset owners and operators,” Dragos reported. “This group shares extensive technical overlaps with the Volt Typhoon threat group tracked by other organizations. VOLTZITE has a history of OT network intrusions, and like in previous years, Dragos observed VOLTZITE continuing to use different proxy networks and steal GIS data, OT network diagrams, and OT operating instructions from their victims.” 

Dragos identified that, aided by this ICS-focused data, VOLTZITE could craft a malicious OT-specific tool capable of operational disruption. Instead, the group has so far relied on tools already present on the compromised systems, an approach known as living-off-the-land (LOTL). With careful monitoring and investigation of ‘odd’ network communication, defenders can identify and defend against VOLTZITE.

VOLTZITE continues to focus on exfiltrating OT-related data from its victims’ networks. In many cases, Dragos observed VOLTZITE exfiltrating GIS data that contains critical information about the spatial layout of energy systems. VOLTZITE usually exploits vulnerabilities in internet-facing VPN appliances or firewalls for initial access. 

Dragos calls upon asset owners and operators to implement adequate patch management and system integrity plans for those types of assets in their networks. It expects VOLTZITE operations against the critical infrastructure of the United States and Western-aligned nations to continue into 2025. To identify VOLTZITE, defenders must monitor activity at every level of the Purdue model, from internet-facing VPN appliances to the business network, through DMZs, and into OT networks.

The best way to identify VOLTZITE is by monitoring its behaviors; it purposely blends in with trusted networks and uses tools already available. Compare any unusual lateral movement with expected traffic within the network and validate suspicious user activity that originates from regular employee accounts.

The report also detailed two newly coined Dragos threat groups, GRAPHITE and BAUXITE, that were very active during this period, conducting a series of conflict-adjacent campaigns.

GRAPHITE targets entities in the energy, oil and gas, logistics, and government sectors across Eastern Europe and West Asia. This shift aligns closely with Russian military operations in Ukraine, raising concerns about its potential impact on industrial organizations. Since 2024, Dragos observed GRAPHITE relying more on legitimate internet services (LIS), such as API endpoint testing services or GitHub, for staging payloads and C2 activities.

GRAPHITE is a relevant threat for OT/ICS organizations as its targeting profile may shift in response to geopolitical developments in Eastern Europe but has not yet demonstrated Stage 2 capabilities. Dragos encourages defenders of industrial organizations, especially those involved in any way with Ukraine, to familiarize themselves with this adversary.

Moving to the conflict in the Middle East, BAUXITE targets entities in oil and gas, electric, water and wastewater, and chemical manufacturing in the U.S., Europe, Australia, and West Asia. BAUXITE demonstrates technical alignment with the pro-Iranian group CyberAv3ngers. Given the ties to the IRGC-CEC, BAUXITE is likely to enhance its capabilities and continue disruptive activities against OT/ICS entities globally, especially those party to the Israel-Hamas conflict.

Through 2025, BAUXITE is expected to enhance its capabilities and attempt to conduct disruptive operations against OT/ICS entities globally. Dragos recommends identifying assets with SSH exposed to the internet, concealing access behind a VPN, and double-checking that accounts with SSH access do not have default or easily guessed passwords.

BAUXITE conducted port scanning of multiple internet-exposed OT/ICS devices, likely to identify potential targets for future operations. Internet-exposed devices targeted include Siemens S7 devices via s7comm; CIMON Automation devices via CIP; devices running OPC Unified Architecture (OPC/UA) server via UDP/4840; Omron Factory Interface Network Service (FINS) TCP/9600; and devices running CODESYS. 
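As an added illustration, and not code from the Dragos report, the following Python scans a constructed firewall log for a single source touching several of the OT services listed above across several hosts, which is the sweep pattern described here. The port numbers beyond TCP/9600 (FINS) and UDP/4840 (OPC UA) are assumed from general protocol knowledge, and the key=value log format and addresses are invented.

```python
# Added example, not code from the Dragos report: scan a constructed firewall log for
# sources sweeping the internet-exposed OT/ICS services the report says BAUXITE probed.
# Ports not stated in the report (s7comm, CIP, CODESYS, Modbus) are assumed from general
# protocol knowledge; TCP/9600 (FINS) and UDP/4840 (OPC UA) are as given in the report.
import re
from collections import defaultdict

OT_SERVICES = {  # (protocol, port) -> service name
    ("tcp", 102): "s7comm (Siemens S7)",
    ("tcp", 44818): "CIP / EtherNet/IP",
    ("udp", 4840): "OPC UA",
    ("tcp", 9600): "Omron FINS",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 1217): "CODESYS gateway",
    ("tcp", 2455): "CODESYS runtime",
}
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

def parse_line(line: str):
    """Return (src, dst, proto, dport) from one key=value firewall log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"].lower(), int(m["dport"])

def find_ot_sweeps(lines, min_services=2, min_hosts=3):
    """Group OT-port hits per source and flag sources touching several distinct OT
    services or several distinct hosts: enumeration, not a single operational link."""
    hits = defaultdict(lambda: {"services": set(), "hosts": set(), "count": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        service = OT_SERVICES.get((proto, dport))
        if service is None:  # not an OT service port, ignore
            continue
        hits[src]["services"].add(service)
        hits[src]["hosts"].add(dst)
        hits[src]["count"] += 1
    return {src: h for src, h in hits.items()
            if len(h["services"]) >= min_services or len(h["hosts"]) >= min_hosts}

# Constructed log lines: one external host probing OT services on three addresses,
# one partner HMI polling a single PLC over Modbus, and unrelated outbound HTTPS.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=102 action=drop
2024-06-01T10:00:02Z src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=44818 action=drop
2024-06-01T10:00:03Z src=203.0.113.7 dst=198.51.100.11 proto=udp dport=4840 action=allow
2024-06-01T10:00:04Z src=203.0.113.7 dst=198.51.100.12 proto=tcp dport=9600 action=drop
2024-06-01T10:00:05Z src=203.0.113.7 dst=198.51.100.12 proto=tcp dport=2455 action=drop
2024-06-01T10:00:06Z src=192.0.2.44 dst=198.51.100.20 proto=tcp dport=502 action=allow
2024-06-01T10:00:07Z src=198.51.100.99 dst=203.0.113.200 proto=tcp dport=443 action=allow
""".splitlines()
```

Running `find_ot_sweeps(SAMPLE_LOG)` flags only 203.0.113.7; the partner HMI, which speaks one protocol to one PLC, is left alone, which is the distinction between exposure inventory and active enumeration.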

Dragos emphasized the increasing use of ICS-focused malware as a strategic tool in conflict-driven campaigns. BlackJack has claimed responsibility for disrupting industrial sensors in Moscow, while FrostyGoop malware has impacted heating systems in Ukraine. In April 2024, two new ICS malware variants were linked to the Ukraine-Russia conflict. “While the use of ICS malware as a toolset in geopolitical conflicts is not a new concept, the alleged deployment by both parties to the Ukraine-Russia war indicates a tit-for-tat escalation with implications for the larger OT/ICS community,” the report evaluated.

“Pending evidence of its compiled form, Fuxnet is the eighth known ICS-specific malware due to its ability to disrupt Meter-bus communication to the industrial sensors,” the report highlighted. “Meter-bus is a European standard protocol for reading specific sensor data from water, gas, and electricity meters. By overwhelming the device with randomly generated requests, it is possible Fuxnet triggered unknown zero-day vulnerabilities in the industrial sensor’s Meter-bus protocol stack, thus rendering them inoperable. The sensor gateways were likely physically damaged and required device replacement to resume normal operations.”

Dragos observed that the attack on Moskollektor underscores the normalization of attacks on industrial devices by groups driven by geopolitical conflicts. Fuxnet was highly tailored to Moskollektor and is unlikely to be used against another industrial environment without significant changes to the codebase. Poor practices such as default credentials help adversaries and can be commonplace in operational facilities. Dragos telemetry indicates that default credentials are still commonly used in environments.

Last April, Dragos discovered FrostyGoop, the ninth known ICS malware. FrostyGoop modified instrument measurements of ENCO controllers, resulting in heating outages for over 600 apartment buildings in Ukraine during the winter. FrostyGoop interacts with ICS devices over Modbus TCP/502, a standard ICS protocol used worldwide. It combines generic, publicly available Modbus libraries with logging capabilities to send commands to read and write registers on ICS devices.

“Natively, FrostyGoop can impact any Modbus device with a UnitID of 254. Dragos recommends looking for vulnerable devices in your own network and continuously monitoring them, including monitoring devices for new Modbus connections on TCP/502,” Dragos warned in the report. “We also recommend restricting access to Modbus TCP/502 and ensuring Modbus devices are not accessible from the public-facing internet.”
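The monitoring Dragos recommends can be illustrated with an added Python example (not the report's or Dragos's code) that parses Modbus/TCP request frames and raises alerts for writes to Unit ID 254 on TCP/502, and for any Modbus client not on an allow-list of known HMIs. The frame layout follows the standard MBAP header; the host addresses and sample traffic are constructed.

```python
# Added example, not code from the Dragos report: parse Modbus/TCP request frames and
# flag the FrostyGoop-style pattern the report describes, register writes to Unit ID 254
# over TCP/502, especially from a client not previously seen on the network.
import struct

MODBUS_PORT = 502
SUSPECT_UNIT_ID = 254  # Unit ID named in the report's FrostyGoop description
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
                   0x17: "Read/Write Multiple Registers"}

def parse_mbap(frame: bytes):
    """Return (transaction_id, unit_id, function_code) from a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0, so not Modbus")
    if length != len(frame) - 6:  # length counts the unit id byte plus the PDU
        raise ValueError("MBAP length field does not match frame size")
    return tid, unit, frame[7]

def build_request(tid: int, unit: int, function: int, payload: bytes) -> bytes:
    """Build a Modbus/TCP request frame; used here only to construct sample traffic."""
    pdu = bytes([function]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def assess(events, known_clients):
    """events: (src_ip, dst_ip, dst_port, frame). Returns (severity, src, reason) tuples."""
    alerts, seen = [], set(known_clients)
    for src, dst, port, frame in events:
        if port != MODBUS_PORT:
            continue
        try:
            _, unit, func = parse_mbap(frame)
        except ValueError as err:
            alerts.append(("medium", src, f"malformed Modbus frame to {dst}: {err}"))
            continue
        is_write, new_client = func in WRITE_FUNCTIONS, src not in seen
        seen.add(src)
        if is_write and (unit == SUSPECT_UNIT_ID or new_client):
            alerts.append(("high", src, f"{WRITE_FUNCTIONS[func]} to unit {unit} on {dst}"))
        elif new_client or unit == SUSPECT_UNIT_ID:
            alerts.append(("medium", src, f"function 0x{func:02x} to unit {unit} on {dst}"))
    return alerts

# Constructed sample traffic: a known HMI polling a controller (function 3, unit 1),
# an unknown host writing registers to Unit ID 254, then a non-Modbus frame on port 502.
SAMPLE_EVENTS = [
    ("10.0.0.5", "10.0.1.20", 502, build_request(1, 1, 0x03, struct.pack(">HH", 0, 10))),
    ("10.0.0.99", "10.0.1.20", 502,
     build_request(7, 254, 0x10, struct.pack(">HHB", 0, 2, 4) + b"\x00" * 4)),
    ("10.0.0.99", "10.0.1.20", 502, b"\x00\x08\x00\x01\x00\x02\xfe\x03"),
]
KNOWN_HMIS = {"10.0.0.5"}
```

`assess(SAMPLE_EVENTS, KNOWN_HMIS)` yields a high-severity alert for the unknown host's register write to unit 254 and a medium one for the malformed frame, while the known HMI's routine reads produce nothing.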

Dragos highlights a troubling trend of increasing normalization in the targeting of ICS by various threat groups amid geopolitical conflicts. These adversaries are becoming more adept at causing disruptions, raising the risk for ICS asset owners and operators.

The report emphasizes the need for robust cybersecurity measures, urging organizations to update their OT incident response plans and to understand their attack surface: proactively conduct an annual attack surface analysis and prioritize network gateways and perimeter resources such as the VPN, RDP, and SSH devices targeted by BAUXITE.

Furthermore, industrial environments must increase visibility and monitoring. OT-aware monitoring solutions can help detect the subtle movements of adversaries like VOLTZITE before they strike, steal information, or take other actions. Organizations must also focus on remote access, as vendor remote access continues to be an attack vector. Ad hoc access points should undergo the same scrutiny as main firewalls and corporate VPN connections, with increased access logging, alerting, and multifactor authentication.

Lastly, it is essential to ensure that the approach to vulnerability mitigation is strategic and focused on real-world threats relevant to the industry. CVE information should be enriched and verified for accuracy, with a focus on those vulnerabilities that could lead to a loss of view or control of the process.
