Full Report
States are increasingly collaborating with cybercriminal groups to share resources and amplify attacks on critical infrastructure in rival nations, a new report finds.

Source: "Dragos: Surge of new hacking groups enter ICS space as states collaborate with private actors", which appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Volt Typhoon
## Attribution & Identity
Attributed to the Chinese government. A hacking group that has stealthily embedded itself in U.S. critical infrastructure networks.
## Activity Summary
Volt Typhoon has been active for years, stealthily embedding itself within U.S. critical infrastructure networks. Officials believe the group is pre-positioning for possible future destructive attacks on U.S. industry, potentially to deter Washington's response should China invade Taiwan. The group has been shifting its focus toward Operational Technology (OT) and Industrial Control Systems (ICS).
## Tactics, Techniques & Procedures
- Demonstrates a sophisticated understanding of weak points in U.S. critical infrastructure.
- Identifies specific, strategic, smaller sites (e.g., substations at ports, key generators) rather than only large entities.
- Gains access to operational technology networks, not just IT networks.
- Collects information specifically useful for causing disruption, rather than merely harvesting credentials or general access.
## Targeting
- Sectors: Critical Infrastructure (U.S. industrial sector, electric utilities, manufacturing plants, ports).
- Geography: United States.
- Victims: Specific, small, and strategic sites, including power substations and key generators.
## Tools & Infrastructure
- Malware families used: Not specified in detail.
- Infrastructure (C2, domains, IPs): Not specified in detail.
## Implications
Volt Typhoon represents a significant, state-sponsored threat positioning for potential high-impact, destructive attacks against U.S. critical infrastructure. Their sophisticated reconnaissance and focus on OT/ICS manipulation suggest a goal beyond simple espionage, aiming at real-world physical disruption aligned with geopolitical objectives.
## Mitigations
- Enhanced visibility and security posture within Operational Technology (OT) and Industrial Control Systems (ICS) networks, in particular of traffic crossing from IT into OT.
- Improved understanding and monitoring of weak points within critical infrastructure systems that support military deployment (e.g., port infrastructure).
- Defending against reconnaissance aimed at identifying the systems essential for physical operations and recovery.
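The first mitigation above is abstract, so here is one concrete form of "visibility into OT": flagging flows that cross from the IT side into the OT subnet on ICS protocol ports from hosts that are not on the engineering-access allowlist, plus a fan-out check for a single source touching many OT devices (the reconnaissance pattern described in the TTPs). This is an added example, not code from the Dragos report or the CyberScoop article; the subnets, allowlist, hostnames and flow records are constructed (RFC 5737 test ranges), and the choice of ports to watch is an assumption a defender would tune to their own plant.

```python
"""Flag IT-to-OT crossings on ICS protocol ports from non-allowlisted sources.

Added example, not from the Dragos report or CyberScoop article. All subnets,
addresses and flow records are constructed (RFC 5737 test ranges).
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed network layout (constructed): one IT subnet, one OT subnet, and a
# single engineering jump host that is permitted to reach OT devices.
IT_NET = ipaddress.ip_network("192.0.2.0/24")
OT_NET = ipaddress.ip_network("198.51.100.0/24")
ALLOWED_OT_SOURCES = {ipaddress.ip_address("192.0.2.10")}  # engineering jump host

# Well-known ICS/SCADA protocol ports. Which ones to watch is the defender's
# choice; this set is an assumption for the example.
ICS_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    102: "Siemens S7 / ISO-TSAP",
    44818: "EtherNet/IP",
    4840: "OPC UA",
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    protocol: str
    reason: str


def crossings_into_ot(flows):
    """One Finding per flow into OT on an ICS port from a source not on the allowlist.

    Intra-OT traffic is skipped here; it needs its own baseline of which
    devices normally talk to each other.
    """
    findings = []
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if dst not in OT_NET or f.dport not in ICS_PORTS:
            continue
        if src in ALLOWED_OT_SOURCES or src in OT_NET:
            continue
        if src in IT_NET:
            reason = "IT host outside OT access allowlist"
        else:
            reason = "source outside both IT and OT ranges"
        findings.append(Finding(f.ts, f.src, f.dst, ICS_PORTS[f.dport], reason))
    return findings


def recon_fanout(flows, threshold=2):
    """Sources that reached at least `threshold` distinct OT devices on ICS ports.

    A single host sweeping several PLCs/RTUs is the enumeration pattern that
    precedes disruption, regardless of whether each individual flow is allowed.
    """
    targets = defaultdict(set)
    for f in flows:
        if ipaddress.ip_address(f.dst) in OT_NET and f.dport in ICS_PORTS:
            targets[f.src].add(f.dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


# Constructed sample flows: an approved jump-host session, an ordinary IT
# workstation reaching two OT devices, an external address probing DNP3,
# plus IT-only and intra-OT traffic that should be ignored.
SAMPLE_FLOWS = [
    Flow("2024-01-01T03:00:00Z", "192.0.2.10", "198.51.100.20", 502),
    Flow("2024-01-01T03:05:00Z", "192.0.2.55", "198.51.100.20", 502),
    Flow("2024-01-01T03:07:00Z", "192.0.2.55", "198.51.100.21", 20000),
    Flow("2024-01-01T03:09:00Z", "203.0.113.7", "198.51.100.21", 20000),
    Flow("2024-01-01T03:10:00Z", "192.0.2.55", "192.0.2.60", 445),
    Flow("2024-01-01T03:11:00Z", "198.51.100.30", "198.51.100.20", 502),
]

if __name__ == "__main__":
    for hit in crossings_into_ot(SAMPLE_FLOWS):
        print(f"{hit.ts} {hit.src} -> {hit.dst} [{hit.protocol}]: {hit.reason}")
    print("fan-out sources:", recon_fanout(SAMPLE_FLOWS))
```

Run against real flow records (NetFlow, Zeek conn logs, firewall logs) the useful part is the allowlist: a stealthy, long-dwell actor using legitimate engineering credentials will look like normal traffic on any port-only rule, so the baseline of who is permitted to reach OT, and the fan-out check, carry the detection.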
***
# Threat Actor: CyberArmyofRussia\_Reborn (CARR)
## Attribution & Identity
A U.S.-sanctioned hacktivist group. Evidence suggests collaboration or sharing of infrastructure and intelligence with Russian government hacking groups since 2022.
## Activity Summary
Reported to have shared infrastructure and intelligence with Russian government hacking groups since 2022. Its activity, combined with that of state actors, contributes to the overall surge in attacks on critical infrastructure.
## Tactics, Techniques & Procedures
- Collaboration and information sharing with state-sponsored actors.
- Motivated by spectacle and potential financial gain; attacks on critical infrastructure can therefore be indiscriminate, and its TTPs are generally less disciplined than those of state actors.
## Targeting
- Sectors: General critical infrastructure (one example cited involved water facilities).
- Geography: Not explicitly detailed, but linked to operations against U.S. interests through collaboration with Russian state actors.
- Victims: Not specified.
## Tools & Infrastructure
- Infrastructure: Shared with Russian government hacking groups.
- Malware families used: Not specified.
## Implications
The collaboration between state actors and hacktivist/criminal groups like CARR signifies a worrying proliferation of knowledge and capability, enabling non-state actors who previously lacked OT/ICS expertise to conduct more sophisticated attacks with state backing.
## Mitigations
- Monitoring for collaboration or shared infrastructure between known hacktivist groups and established nation-state entities. Overlapping indicators alone are weak evidence (shared commodity hosting is common), so corroborate with timing, tooling and targeting overlap before treating two actors as one.
- Increased scrutiny of supply chains and of infrastructure-sharing practices involving known malicious actors.
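The infrastructure-overlap monitoring recommended above is routinely done by pivoting on indicators: which IPs and domains both actors were seen using, who used each one first, and whether their IPs cluster in the same netblocks. The following is an added example of that analytic, not code from the Dragos report or CyberScoop; the actor labels, indicators and first-seen dates are constructed (RFC 5737 address ranges, RFC 2606 domains) so that it runs offline.

```python
"""Infrastructure-overlap check between two actors' indicator sets.

Added example, not from the Dragos report or CyberScoop article. Actor
labels, indicators and dates are constructed purely for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    actor: str
    kind: str        # "ip" or "domain"
    value: str
    first_seen: date


# Constructed indicator sets for two hypothetical actors.
INDICATORS = [
    Indicator("ActorA-state", "ip", "203.0.113.10", date(2022, 3, 1)),
    Indicator("ActorA-state", "ip", "203.0.113.11", date(2022, 3, 5)),
    Indicator("ActorA-state", "domain", "update.example.net", date(2022, 4, 2)),
    Indicator("ActorB-hacktivist", "ip", "203.0.113.10", date(2022, 9, 14)),
    Indicator("ActorB-hacktivist", "ip", "203.0.113.12", date(2022, 9, 20)),
    Indicator("ActorB-hacktivist", "domain", "update.example.net", date(2022, 10, 1)),
    Indicator("ActorB-hacktivist", "domain", "cdn.example.org", date(2022, 11, 3)),
]


def _earliest_by_actor(indicators):
    """Map actor -> {(kind, value): earliest first_seen}."""
    by_actor = defaultdict(dict)
    for i in indicators:
        key = (i.kind, i.value)
        prev = by_actor[i.actor].get(key)
        if prev is None or i.first_seen < prev:
            by_actor[i.actor][key] = i.first_seen
    return by_actor


def shared_indicators(indicators, actor_a, actor_b):
    """Exact-match overlap.

    Returns (kind, value, actor_seen_first, days_between_first_sightings),
    sorted. Which actor appears first on shared infrastructure is often the
    most useful clue about who is supplying whom.
    """
    by_actor = _earliest_by_actor(indicators)
    overlap = []
    for key in by_actor[actor_a].keys() & by_actor[actor_b].keys():
        a_seen, b_seen = by_actor[actor_a][key], by_actor[actor_b][key]
        first = actor_a if a_seen <= b_seen else actor_b
        overlap.append((key[0], key[1], first, abs((a_seen - b_seen).days)))
    return sorted(overlap)


def shared_netblocks(indicators, actor_a, actor_b, prefix=24):
    """Looser overlap: /prefix netblocks containing IPs from both actors.

    Weaker evidence than an exact match, since a /24 can be a shared hosting
    provider; treat it as a pivot to investigate, not a conclusion.
    """
    blocks = defaultdict(set)
    for i in indicators:
        if i.kind == "ip":
            net = ipaddress.ip_network(f"{i.value}/{prefix}", strict=False)
            blocks[net].add(i.actor)
    return sorted(str(n) for n, actors in blocks.items() if {actor_a, actor_b} <= actors)


if __name__ == "__main__":
    a, b = "ActorA-state", "ActorB-hacktivist"
    for kind, value, first, gap in shared_indicators(INDICATORS, a, b):
        print(f"shared {kind} {value}: first seen with {first}, {gap} days before the other")
    print("shared netblocks:", shared_netblocks(INDICATORS, a, b))
```

In real use the indicator list comes from your own telemetry or a vendor feed rather than being hard-coded, and the exact-match hits are the ones worth an analyst's time; the netblock pivot is there to surface candidates that the exact match misses when infrastructure is rotated within the same provider.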