"OT/ICS Under Siege: Dragos Report Insight" (Source: Dragos 2025 OT/ICS Cybersecurity Report)

Key Points:

  • Report Overview: The Dragos 2025 OT/ICS Cybersecurity Report indicates a significant shift in tactics among attackers targeting critical infrastructure, moving from mere reconnaissance to active development and execution of attacks.
  • Active Threat Groups: Nine of the 23 threat groups Dragos tracks were active against operational technology (OT) in 2024, indicating heightened activity against OT environments.
  • Sectors at Risk: Attackers targeted multiple critical infrastructure sectors, including manufacturing, oil and gas, telecommunications, and the electric grid.
  • Emerging Threat Groups: Two new groups were identified:
    • Bauxite: Targeting industrial entities, it shares characteristics with the hacktivist group CyberAv3ngers, linked to Iranian cyber operations.
    • Graphite: Focused on energy, logistics, and government sectors in Eastern Europe and the Middle East, revealing connections with the Russian APT group APT28 and growing specialization since the Ukraine conflict began.
  • Ransomware Increase: Ransomware attacks on industrial organizations rose by 87% year-over-year, with 60% more ransomware groups targeting OT/ICS in 2024. Manufacturing entities were significantly impacted, comprising 69% of the ransomware attacks across various subsectors.
  • Expert Insight: Heath Renfrow, co-founder of Fenix24, highlighted the evolution of nation-state adversaries using advanced malware against industrial control systems.

Executive Summary:

The Dragos 2025 OT/ICS Cybersecurity Report reveals a marked escalation in cyber threats against critical infrastructure, with attackers advancing from basic reconnaissance to conducting sophisticated and disruptive operations. Key findings include the emergence of two new threat groups: Bauxite, which targets industrial entities and overlaps with the Iran-linked CyberAv3ngers, and Graphite, which overlaps with APT28 and targets energy, logistics, and government organizations relevant to the war in Ukraine. The report also notes a significant increase in ransomware attacks, particularly affecting the manufacturing sector. The findings emphasize the need for enhanced cybersecurity measures within operational technology domains to safeguard critical infrastructure from evolving threats.

For further details, see the Dragos 2025 OT/ICS Cybersecurity Report itself and the article published on SC Media (linked below).

Archive Links:
12ft: https://12ft.io/https://www.scworld.com/news/dragos-attackers-have-moved-beyond-mere-access-and-reconnaissance
archive.org: Dragos: Attackers have moved beyond mere access and reconnaissance | SC Media

Original Link: https://www.scworld.com/news/dragos-attackers-have-moved-beyond-mere-access-and-reconnaissance

User Message: Dragos: Attackers have moved beyond mere access and reconnaissance

Attackers targeting critical infrastructure OT/ICS operations are moving beyond access and reconnaissance and now have the ability to develop, test and launch attacks on critical infrastructure networks.

These were some of the major findings in the Dragos 2025 OT/ICS Cybersecurity Report released on Feb. 25, which found that nine of the 23 threat groups Dragos follows were active in 2024.

Threat actors targeted nearly every important critical infrastructure sector, from manufacturing, oil and gas, and telecommunications, to the defense industrial base, mining, and the electrical grid.

Highlights:

Ransomware attacks against industrial organizations increased 87% over the previous year.

Dragos tracked 60% more ransomware groups impacting OT/ICS in 2024.

Sixty-nine percent of all ransomware attacks targeted 1,171 manufacturing entities in 26 unique manufacturing subsectors.

Graphite targets companies in the energy, oil and gas, logistics, and government sectors across Eastern Europe and the Middle East. The group has strong technical overlaps with Russia-based APT28 and focuses on organizations with relevance to the military situation in Ukraine. The group has been observable since Russia's invasion of Ukraine in February 2022; Dragos said this focus may indicate a specialized subunit or an expansion of mission goals.

The full report runs 56 pages.
