Dragos have released the findings from their annual Year in Review report for 2022. The report covers the state of the industrial sectors and the threats against them.
Significantly, the report disclosed the identification of two new threat groups: CHERNOVITE and BENTONITE. It also examines new and existing threat activity, key ransomware findings, service engagement updates, as well as information disclosed around key vulnerabilities.
Specifically, the report found that cybersecurity risks for industrial organizations continued to grow in 2022 (nearly doubling) as attacks increased on industrial infrastructure sectors, particularly in the electric and manufacturing verticals. The manufacturing industry continued to be the most targeted sector, with 72% of all ransomware attacks targeting 437 manufacturing entities in 104 unique manufacturing subsectors. The report found that ransomware attacks against industrial organisations increased 87% over the last year.
The Russian invasion of Ukraine in 2022 illustrated the impact of geopolitical conflict and physical warfare on the cybersecurity risks to industrial infrastructure sectors. Dragos disclose that Ukraine saw increased threat group activity targeting its energy and critical industrial infrastructure sectors.
PIPEDREAM, the first known cross-industry scalable ICS/OT malware with disruptive capabilities, brought in a new era in the evolution of malware development. PIPEDREAM was developed by the threat group CHERNOVITE. CHERNOVITE’S PIPEDREAM toolkit has the capabilities to impact tens of thousands of industrial devices that control critical infrastructure. Dragos have assessed with high confidence that a state actor developed PIPEDREAM intending to leverage it in future operations for disruptive or destructive purposes. Although, they had not observed any examples of employment thus far.
The second newly identified threat group is BENTONITE, who have been increasingly and opportunistically targeting maritime oil and gas (ONG), governments, and the manufacturing sectors since 2021. The believe that BENTONITE conducts offensive operations for both espionage and disruptive purposes by exploiting vulnerable remote access assets or internet-exposed assets that can facilitate access.
Last year’s report found that the Ransomware groups known as LockBit and Conti have been the most active in targeting organisations and Industrial Control System (ICS)/Operational Technology (OT) environment in 2021.
The 2022 report also found that there was a 27% increase in the number of vulnerabilities that Dragos investigated in 2022 over 2021. The full report can be read here.