OT security firm Dragos has released its latest Year in Review report, highlighting the threats and trends that emerged over the past 12 months.
One of the more concerning findings is not just that well-established groups with a habit of targeting OT systems are expanding their operations – which is exactly what KAMACITE and ELECTRUM are doing – but that new groups continue to emerge alongside them.
“This year’s report introduces three new threat groups – AZURITE, PYROXENE, and SYLVANITE – and documents significant evolution in established groups like VOLTZITE, KAMACITE, ELECTRUM, and BAUXITE,” Dragos said in its 9th Annual OT Cybersecurity Year in Review report.
“Several of these groups now operate in paired models where one team develops initial access and hands it off to a second team with ICS-specific capability. That division of labour compresses the timeline from compromise to operational readiness, in some cases from weeks to days, and lowers the barrier for the groups that ultimately cause impact.”
So let’s have a look at these new kids on the OT security block.
Threat actor: AZURITE
Dragos has observed the China-linked threat group it refers to as AZURITE targeting entities in the manufacturing, automotive, electric, oil and gas, pharmaceutical, defence industrial, and government sectors, and it has gone after targets in the United States, Australia, Europe, Japan, South Korea, and Taiwan.
The group is not believed to have ICS Kill Chain Stage 2 capabilities – that is, the capability to directly attack industrial control systems – but it is highly skilled at data-gathering and exfiltration.
“AZURITE has not been observed manipulating, stopping, or modifying OT-specific software; it has only identified and exfiltrated information already on target assets,” Dragos said.
“This activity is highly likely to support capability development, target designation, and environment awareness for the preparation of offensive operations in case of geopolitical conflict.”
AZURITE is known to exploit vulnerabilities in public-facing infrastructure, particularly SOHO devices such as VPN appliances, firewalls, and NAS units. Once inside, the threat actor pivots to data-gathering activity rather than OT manipulation.
Hunting advice: “As part of threat hunting exercises, audit connections of valid sessions into the network via internet-facing network devices such as VPN gateways and compare with baselines of normal usage. Investigate outliers in the number of sessions, IP addresses, user locations, bytes transferred per session, access times, and any other properties of remote access sessions that can be analysed.”
Threat actor: PYROXENE
The group that Dragos has dubbed PYROXENE, on the other hand, is thought to be linked to Iran and focuses on targets in the aviation, aerospace, defence, and maritime sectors in the United States, western Europe, Israel, and the United Arab Emirates.
This group is thought to work hand in hand with a previously reported group, PARISITE, which provides PYROXENE with its initial access.
“Dragos assessed with high confidence that PARISITE functions as an initial access provider, handing off compromised access within critical infrastructure networks to PYROXENE in early 2024,” Dragos said.
“This access enabled PYROXENE to conduct internal network reconnaissance and establish pathways towards an OT environment.”
Alarmingly, Dragos believes that PYROXENE does have ICS Kill Chain Stage 2 capabilities and is likely positioning itself to actively cause “loss of view, loss of control, or loss of availability in ICS environments”.
In addition, the group uses social engineering lures against specific individuals in order to deliver tailored malware capable of deploying stealthy backdoors into target environments.
Hunting advice: “As part of threat hunting exercises, audit third-party and contractor access patterns, particularly those with privileged access to IT-OT boundary systems such as jump servers and historian databases. Monitor for stolen credentials and proof-of-concept exploits used to access exposed services, including Citrix, VMware, and Azure VDI environments.”
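The two pieces of hunting advice above (AZURITE: compare VPN sessions against a baseline of normal usage; PYROXENE: audit third-party and contractor access to IT-OT boundary systems such as jump servers and historians) boil down to the same exercise: build a per-account baseline from historical sessions, then score the sessions in the hunt window against it. The Python below is an added example written for this article, not code from Dragos or the Year in Review; the log format, account names (a "ctr-" prefix marks contractor accounts), RFC 5737 test addresses and the thresholds are all constructed assumptions.

```python
"""Added example: baseline remote-access sessions, then flag outliers.

Covers the AZURITE (VPN gateway) and PYROXENE (contractor access to IT-OT
boundary hosts) hunting advice. Log format, accounts, addresses and
thresholds are constructed for illustration, not taken from the report.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample data (RFC 5737 addresses, invented accounts).
# Columns: timestamp,user,gateway,src_ip,src_country,bytes_transferred
BASELINE_LOG = """\
2025-09-01T08:05:12Z,jsmith,vpn-gw1,203.0.113.10,AU,41200000
2025-09-02T08:41:03Z,jsmith,vpn-gw1,203.0.113.10,AU,37800000
2025-09-03T09:02:55Z,jsmith,vpn-gw1,203.0.113.12,AU,52100000
2025-09-04T08:17:30Z,jsmith,vpn-gw1,203.0.113.10,AU,33900000
2025-09-01T13:30:00Z,ctr-acme,jump-ot-01,198.51.100.20,US,5100000
2025-09-03T14:05:41Z,ctr-acme,jump-ot-01,198.51.100.21,US,4700000
2025-09-05T15:12:09Z,ctr-acme,jump-ot-01,198.51.100.20,US,6200000
"""

HUNT_LOG = """\
2025-09-15T08:10:00Z,jsmith,vpn-gw1,203.0.113.12,AU,38000000
2025-09-15T02:30:00Z,jsmith,vpn-gw1,192.0.2.77,KR,950000000
2025-09-16T14:00:00Z,ctr-acme,jump-ot-01,198.51.100.20,US,4800000
2025-09-16T14:20:00Z,ctr-acme,jump-ot-01,198.51.100.20,US,5300000
2025-09-16T14:45:00Z,ctr-acme,jump-ot-01,198.51.100.21,US,4900000
2025-09-16T15:10:00Z,ctr-acme,jump-ot-01,198.51.100.20,US,5600000
2025-09-16T22:00:00Z,ctr-newvendor,jump-ot-01,192.0.2.5,NL,12000000
"""

BYTES_FACTOR = 5   # bytes above this multiple of the account's median is a spike
HOUR_SLACK = 1     # hours adjacent to previously seen hours still count as normal
DAILY_FACTOR = 2   # sessions/day above this multiple of the baseline max is a burst


def parse_sessions(text):
    """Parse the constructed CSV format into session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, gateway, ip, country, nbytes = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        sessions.append({"ts": ts, "when": when, "user": user, "gateway": gateway,
                         "ip": ip, "prefix": ip.rsplit(".", 1)[0],  # /24 as coarse location
                         "country": country, "bytes": int(nbytes)})
    return sessions


def build_baseline(sessions):
    """Per account: where sessions come from, when, how much data, how often."""
    per_user = defaultdict(list)
    for s in sessions:
        per_user[s["user"]].append(s)
    baseline = {}
    for user, rows in per_user.items():
        per_day = defaultdict(int)
        for s in rows:
            per_day[s["when"].date()] += 1
        hours = {s["when"].hour for s in rows}
        baseline[user] = {
            "countries": {s["country"] for s in rows},
            "prefixes": {s["prefix"] for s in rows},
            "hours": {(h + d) % 24 for h in hours for d in range(-HOUR_SLACK, HOUR_SLACK + 1)},
            "median_bytes": median(s["bytes"] for s in rows),
            "max_bytes": max(s["bytes"] for s in rows),
            "max_per_day": max(per_day.values()),
        }
    return baseline


def hunt(baseline, sessions):
    """One finding per outlier session, plus one per account-day session burst."""
    findings, per_day = [], defaultdict(int)
    for s in sessions:
        per_day[(s["user"], s["when"].date())] += 1
        b = baseline.get(s["user"])
        if b is None:  # never-seen account, e.g. freshly handed-off contractor access
            findings.append({"user": s["user"], "when": s["ts"], "reasons": ["no baseline for account"]})
            continue
        reasons = []
        if s["country"] not in b["countries"]:
            reasons.append(f"new source country {s['country']}")
        if s["prefix"] not in b["prefixes"]:
            reasons.append(f"new source prefix {s['prefix']}.0/24")
        if s["when"].hour not in b["hours"]:
            reasons.append(f"off-hours access at {s['when'].hour:02d}:00 UTC")
        if s["bytes"] > max(BYTES_FACTOR * b["median_bytes"], b["max_bytes"]):
            reasons.append(f"bytes spike {s['bytes']} vs median {int(b['median_bytes'])}")
        if reasons:
            findings.append({"user": s["user"], "when": s["ts"], "reasons": reasons})
    for (user, day), n in sorted(per_day.items()):
        b = baseline.get(user)
        if b and n > DAILY_FACTOR * b["max_per_day"]:
            findings.append({"user": user, "when": day.isoformat(),
                             "reasons": [f"{n} sessions in one day vs baseline max {b['max_per_day']}"]})
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_sessions(BASELINE_LOG))
    for f in hunt(base, parse_sessions(HUNT_LOG)):
        print(f["user"], f["when"], "; ".join(f["reasons"]))
```

Run as a script it prints three findings: the jsmith session from a new country and prefix at 02:00 UTC moving roughly twenty times the account's median bytes, a burst of four ctr-acme sessions against the OT jump host in one day, and a ctr-newvendor account with no history at all. In practice the baseline window comes from several weeks of VPN gateway or jump-server logs, and the contractor audit is the same logic restricted to accounts that can reach historians and jump hosts. The "no baseline for account" case is deliberately its own finding: an account that appears for the first time on an IT-OT boundary system is exactly the handed-off access the paired-team model describes.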
Threat actor: SYLVANITE
SYLVANITE is an initial access group behind a whole raft of overlapping campaigns, and is classified by Dragos as a Stage 2 threat group. Its efforts involve targets in the electric power generation, transmission, and distribution; water and wastewater; oil and gas; manufacturing; and public administration sectors across North America, Europe, the United Kingdom, France, Japan, South Korea, Guam, the Philippines, and Saudi Arabia.
The group has technical overlaps with several Chinese-aligned threat actors, including UNC3236, HOUKEN, and Red Dev 61.
“SYLVANITE closely monitors exploit research and rapidly weaponises it,” Dragos said.
“If an active, public POC exists and vulnerable assets are exposed on the internet, adversaries like SYLVANITE will take advantage of them.”
You can read the full 9th Annual Dragos OT Cybersecurity Year in Review here.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.