Threat Groups Are Mapping OT Networks for Future Targeting, Warns Dragos

Several nation-state groups are actively targeting operational technology systems, with the most prominent being a China-linked threat group called Voltzite, which is attacking critical infrastructure organizations to steal network diagrams, OT operating instructions and information about geographic information systems to help prepare for disruptive attacks, according to cybersecurity firm Dragos.
Dragos said Wednesday that Voltzite – one of three active nation-state groups the company is tracking – shows extensive technical overlaps with Chinese state-sponsored hacker group Volt Typhoon, infiltrates OT networks by exploiting vulnerabilities in internet-facing VPN appliances and firewalls, and uses tools available on compromised systems to achieve persistence and evade detection.
Dragos researchers said the threat group, known for exclusively targeting OT infrastructure, set up complex chains of network infrastructure using compromised small office and home office routers and operational relay box networks operated by electric utilities. The group then used these trusted devices to gain access to the networks of critical infrastructure organizations that use energy and telecommunications services offered by the utilities.
“Voltzite is arguably the most crucial threat group to track in critical infrastructure. Due to their dedicated focus on OT data, they are a capable threat to ICS asset owners and operators,” Dragos said. “In many cases, Dragos observed Voltzite exfiltrating GIS data containing critical information about the spatial layout of energy systems.”
Though Dragos found technical overlaps between Voltzite and Volt Typhoon, the U.S. Cybersecurity and Infrastructure Security Agency associates both names with a single Chinese state-sponsored threat group. The cybersecurity agency, along with the FBI and the NSA, previously warned that the group pre-positioned malware on critical infrastructure networks to conduct disruptive operations in the event of a major crisis or conflict with the United States.
According to Dragos, the cyberespionage group exploited zero-day and known vulnerabilities in popular VPN products multiple times to gain initial access to targeted OT networks. In December 2023, the group exploited a zero-day remote code execution flaw and another command injection flaw in Ivanti’s Connect Secure VPN to compromise oil and gas, electric, water and wastewater utilities in Japan, South Korea, Guam, the Philippines and Europe, as well as firms in North America.
An FBI investigation found that Voltzite primarily used compromised Cisco and Netgear routers as part of its KV-botnet. These routers had reached end of life and no longer received security patches from their manufacturers. The FBI, together with the U.S. Justice Department, conducted a court-authorized operation in December 2023 to disrupt the botnet, which ran on hundreds of U.S.-based small office/home office routers hijacked by the threat group.
After gaining initial access through its botnets, the group deployed a web shell, then wiped VPN logs and disabled VPN logging to evade detection before executing code remotely, stealing configuration data and establishing reverse tunnels from the VPN appliance.
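The log-wiping and logging-disabling behaviour described above leaves two signals for a defender who forwards appliance logs off-box: explicit tamper events and unexplained silence. The following added detection script (not from Dragos or the article; log format, hostnames and addresses are constructed for illustration and are not the real Ivanti Connect Secure format) flags both over a constructed sample of forwarded VPN appliance events.

```python
from datetime import datetime, timedelta

# Constructed sample of syslog-style events forwarded by a VPN appliance to a
# central collector. The format is illustrative only; it is not the real
# Ivanti Connect Secure log format.
SAMPLE_LOG = """\
2023-12-10T01:00:00Z vpn01 auth: user alice logged in from 203.0.113.5
2023-12-10T01:05:00Z vpn01 auth: user bob logged in from 198.51.100.7
2023-12-10T01:07:30Z vpn01 admin: syslog forwarding disabled by admin from 192.0.2.9
2023-12-10T03:40:00Z vpn01 admin: syslog forwarding enabled by admin from 192.0.2.9
2023-12-10T03:41:00Z vpn01 admin: local event log cleared by admin from 192.0.2.9
2023-12-10T03:45:00Z vpn01 auth: user alice logged in from 203.0.113.5
"""

# Phrases that indicate the appliance's own audit trail was turned off or erased.
TAMPER_PHRASES = ("logging disabled", "forwarding disabled", "log cleared", "logs cleared")


def parse_line(line):
    """Split '<ISO timestamp> <host> <message>' into (datetime, host, message)."""
    ts, host, message = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, message


def find_alerts(log_text, max_gap=timedelta(minutes=30)):
    """Return alerts for explicit log-tampering events and for silent periods.

    A gap longer than max_gap between consecutive events from the same host is
    flagged even when no tamper message was received, because an intruder who
    disables forwarding before acting leaves only the silence as evidence.
    """
    alerts = []
    last_seen = {}  # host -> timestamp of the previous event from that host
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, message = parse_line(raw)
        prev = last_seen.get(host)
        if prev is not None and ts - prev > max_gap:
            alerts.append({"kind": "gap", "host": host, "at": ts, "silent_for": ts - prev})
        if any(p in message.lower() for p in TAMPER_PHRASES):
            alerts.append({"kind": "tamper", "host": host, "at": ts, "detail": message})
        last_seen[host] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

The gap check only works if the collector is outside the appliance's control; logs that stay on the compromised device can be erased along with the evidence of their erasure.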
The group performed reconnaissance on a U.S.-based telecommunications service provider in January 2024 with the objective of exfiltrating data on geographic information systems. It also compromised SOHO devices in electric, utility and telecommunications cooperative infrastructure in late 2024 and exploited vulnerable Asus routers to deploy a webshell into the networks of internet service providers and telecommunications companies in North America, Europe and New Zealand.
Dragos researchers said Voltzite could use stolen OT network diagrams, OT operating instructions and GIS data to craft OT-specific malware and use it to disrupt operations without warning. The group employs custom botnets, including KV-botnet and JDY-botnet, to perform network reconnaissance against critical infrastructure network edge devices and to enumerate internet-exposed critical infrastructure for future targeting.
Introducing Graphite and Bauxite
The cybersecurity company said it recently discovered two new cybercrime groups, which it tracks as Graphite and Bauxite, that also specifically target critical infrastructure organizations in countries and regions of interest.
Graphite, which has strong technical overlaps with the Russian cybercrime group APT28, has targeted industrial and energy organizations in Eastern Europe and Asia that play a role in the Ukrainian conflict. The group made its presence known in early 2023 when it exploited a zero-click flaw in Microsoft Outlook to compromise hydroelectric generation facilities and other ICS organizations in Eastern Europe and the Middle East.
Bauxite, which shares tools and networking infrastructure with the pro-Iranian group CyberAv3ngers, also targeted oil and gas, electric, water and wastewater utilities and chemical manufacturing plants in the U.S., Europe, Australia and the Middle East. “They extensively monitor security advisories from OEMs and ICS protocols, likely documenting and cataloging known vulnerabilities to target in future campaigns,” Dragos said.
Dragos said the choice of targets of groups such as Bauxite, Graphite and Voltzite indicates that today’s cyberattacks and espionage operations are heavily guided by escalating geopolitical tensions and their intersection with industrial operations globally.
“Adversaries that would have once been unaware of or ignored OT/ICS entirely now view it as an effective attack vector to achieve disruption and attention,” the company said. “This shift is not indicative of a deeper technical understanding of OT, but reflects a more widespread recognition of its utility in achieving adversary goals.”