The manufacturing industry suffered at least 437 ransomware attacks in 2022, making up more than 70% of these types of costly and disruptive assaults that industrial companies faced last year, according to the cybersecurity firm Dragos.
The number of attacks against manufacturing plants also jumped about 107% compared with the 211 recorded against the sector in 2021, according to data from Dragos, which specializes in cybersecurity for industrial systems. Overall, the firm recorded a total of 605 ransomware attacks affecting the industrial sector last year, a 92% increase over the 315 attacks the firm detected in 2021.
The report from Dragos comes as industrial cybersecurity experts are gathering this week in Miami for the annual S4 conference, where battling the growing number of cyberattacks on critical infrastructure will be the primary focus for attendees and speakers.
Robert M. Lee, the CEO of Dragos, said that one of the issues facing manufacturing facilities is that operators all too often have little to no visibility into their systems, along with shared credentials between information technology networks and operational technology systems.
Also in its report, Dragos noted that it has been tracking two new threat groups it calls Chernovite and Bentonite that focus on attacking the industrial sector. “There was a period in time when it’s very, very rare to have a single threat group targeting industrial. And if you were tracking one of these threat groups, it was a big deal,” Lee said. Now, however, the company is seeing three to five new groups surface every year focusing on industrial cyberattacks.
Chernovite, which Dragos dubbed “the most dangerous threat group to date,” is a likely nation-state hacking group that developed Pipedream, a modular ICS toolset designed to cause destructive effects against electric, liquid and natural gas companies in the U.S. and Europe.
It’s not completely clear how and when Pipedream was uncovered, but it was apparently revealed before it could be used against U.S. targets, Dragos said at the time. The cybersecurity firm Mandiant refers to the same malware as “Incontroller.”
“One of the things that makes Pipedream truly unique, is this is the first time ever that we’ve had a set of malware that can be disruptive or destructive in industrial control system environments across industry,” Lee said. “I don’t think people understand how close it was to happening.”
Compared with other ICS malware such as CrashOverride, which was used to target Ukraine’s grid in 2016, Pipedream apparently has the ability to be deployed across multiple critical infrastructure sectors, lowering the barrier to entry for attacks against industrial control systems, Lee said.
“You could put it in a data center. You could put it in a wind farm, you could put it in an oil and gas refinery, on an offshore rig. You could put it targeting drones and the control system aerial packages and servo motors and similar on aerial vehicles,” said Lee, who also noted that Pipedream should be getting more attention from industry.
The other hacking group, dubbed Bentonite, does not appear to be as sophisticated, Lee notes. Bentonite is a “highly opportunistic” group that targets maritime oil and gas, governments and manufacturing, and has exploited common vulnerabilities such as those in Log4j and VMware Horizon on internet-facing devices.
Dragos said that Bentonite has overlapping activity with Microsoft’s Phosphorus, an Iranian-linked hacking group, and CrowdStrike’s Nemesis Kitten. While Bentonite has mainly focused its operations on IT networks, Lee said that the group maintains a heavy interest in OT networks and materials found in those networks, such as industrial equipment diagrams and information about operations environments.
“They’re smart. They’re stealing the right information to do capability development for disruptive effects,” Lee said.