Dragos: Surge of new hacking groups enter ICS space as states collaborate with private actors

States are increasingly collaborating with cybercriminal groups to share resources and amplify attacks on critical infrastructure in rival nations, a new report finds.
Attacks on industrial organizations soared by 87% last year, while the number of ransomware groups impacting the OT/ICS space jumped 60%, according to cybersecurity firm Dragos. (Image Source: Getty Images)

Cyberattacks against industrial organizations surged in 2024 as a glut of new threat actors increasingly targeted operational technology (OT) and industrial control systems (ICS), according to cybersecurity firm Dragos.

According to a report released Tuesday, attacks on industrial organizations soared by 87% last year, while the number of ransomware groups impacting the OT/ICS space jumped 60%.

Dragos CEO Rob Lee said much of the increased activity is happening downstream of larger geopolitical conflicts. Currently, Russia-Ukraine, China-Taiwan, U.S.-Russia, U.S.-China, India-Pakistan, and Israel-Hamas are in open war, on the cusp of it, or engaged in cold war-like conflicts.

“There’s just a lot of geopolitical strife and unfortunately one of the realities is state actors and non-state actors tend to target civilian infrastructure,” Lee told reporters in a briefing ahead of the report’s release.

Indeed, U.S. national security officials have spent much of the past year sounding the alarm about Volt Typhoon, a Chinese government-linked hacking group that has been stealthily embedding itself into U.S. critical infrastructure networks for years. Officials have said they believe the group is pre-positioning for possible future destructive attacks on U.S. industry in an effort to deter Washington from responding if China invades Taiwan.

But according to Lee, Volt Typhoon is part of a larger group of actors who have been shifting to target operational technology and industrial control systems over the past year — software designed to control and operate the physical machinery routinely used in manufacturing plants, electric utilities and other industrial sectors.

While attacks on industrial IT systems can be disruptive to an organization, experts believe that many of the worst harms from hacking critical infrastructure — like poisoning the water supply or shutting down portions of the electric grid — can happen when hackers gain access to and manipulate the physical machinery that underpins many industrial operations.

Lee said one of the most striking things about the way Volt Typhoon has targeted critical infrastructure has been the group’s sophisticated understanding of where weak points are in the American system. That includes identifying specific substations at ports that would be used to deploy U.S. troops to the South China Sea or locating key generators essential for restarting power in the event of a power outage.

“They did a good job of researching and understanding what ‘critical’ was, and they didn’t just go after the biggest [entities] — they went after some very small and very strategic sites,” Lee said. “It wasn’t just, ‘let me get access to the IT network, steal some passwords, maybe get access to operations networks and steal some passwords.’ They were getting into the operational technology networks and actually stealing the information that would be useful for disruption.”

Even as policymakers in Washington, D.C. have become more attuned to critical infrastructure threats in recent years, OT and ICS security has typically been a niche field compared to traditional IT. This has historically limited both attackers' and defenders' understanding of the space's intricacies. However, this dynamic is beginning to shift.

Now, “adversaries that would have once been unaware of or ignored OT/ICS entirely now view it as an effective attack vector to achieve disruption and attention,” the report states.

Further, signs have emerged over the past year indicating that states are increasingly collaborating with cybercriminal groups to amplify attacks on rival nations’ critical infrastructure. As one example, Lee cited evidence that since 2022, CyberArmyofRussia_Reborn (CARR), a U.S.-sanctioned hacktivist group, has been sharing infrastructure and intelligence with Russian government hacking groups.

Lee said this shift doesn't just increase the number of malicious actors targeting critical infrastructure; it also changes the character of the attacks. Historically, nation-states have carried out OT/ICS attacks, focusing on "low-frequency, high-impact" operations against assets that align with broader government objectives. To wit, fewer than 10 distinct ICS-specific malware variants have been observed globally.

But many cybercriminals and hacktivist groups are motivated by the potential for a big payday or creating a significant spectacle. As a result, their attacks tend to be far more indiscriminate and less focused on specific targets. As countries continue to work with private actors, sharing their expertise and resources to attack critical infrastructure, the frequency of these attacks is likely to increase.

“The top concern for most people in a lot of the governments I talk to is the proliferation of knowledge and capabilities from state actors to non-state actors,” Lee said. “To where these non-state actors, who have not been capable of targeting industrial control systems very effectively, start getting the knowledge, training, tooling, infrastructure and capabilities from state actors who can.”

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.