###### 2019 YEAR IN REVIEW: THE ICS LANDSCAPE AND THREAT ACTIVITY GROUPS

###### CONTENT

- EXECUTIVE SUMMARY 4
- 2019 KEY FINDINGS 5
- INTRODUCTION 6
- RECOMMENDATIONS 6
  - UNDERSTAND AND ANTICIPATE THREAT PROLIFERATION 6
  - EFFECTIVELY OPERATIONALIZE THREAT INTELLIGENCE 7
  - CONDUCT OSINT ASSESSMENTS 7
  - PRIORITIZE DEFENSE TO “CROWN JEWELS” 7
  - DEPLOY ICS-SPECIFIC MONITORING AND THREAT DETECTION 7
- THE HUMAN AND SAFETY COMPONENT 8
- THREATS IN DETAIL 9
  - PROLIFERATION OF THREATS 10
  - DISRUPTIVE MALWARE, RANSOMWARE, AND SABOTAGE 12
  - THIRD-PARTY AND SUPPLY CHAIN TARGETING 14
  - VULNERABILITIES IN REMOTE ACCESS SERVICES 15
  - COMMON TACTICS REMAIN EFFECTIVE 18
  - ICS-SPECIFIC TACTICS GROWING 20
- THREAT ACTIVITY GROUPS 21
  - HEXANE 22
  - PARISITE 24
  - MAGNALLIUM 26
  - WASSONITE 28
  - XENOTIME 30
  - DYMALLOY 32
  - ALLANITE 34
  - CHRYSENE 36
  - RASPITE 38
  - ELECTRUM 40
  - COVELLITE 43
- CONCLUSION 44
- APPENDIX 45

###### EXECUTIVE SUMMARY

THE AMOUNT OF ACTIVITY TARGETING INDUSTRIAL CONTROL SYSTEMS (ICS) INCREASED SIGNIFICANTLY IN 2019.

Despite no publicly reported destructive attacks, ICS network intrusion and disruption persists, and the associated cyber risk continues to grow and remains at a high level.

DRAGOS IDENTIFIED THREE NEW TARGETED ACTIVITY GROUPS, BRINGING THE TOTAL NUMBER OF ACTIVITY GROUPS TARGETING ICS ENTITIES TO 11.

Dragos identified three new activity groups targeting ICS: HEXANE, PARISITE, and WASSONITE. Dragos also identified an evolution of tracked adversary behavior, including MAGNALLIUM expanding its targeting to include North American electric entities and developing and deploying new wiper malware against Middle East oil and gas operations. Additionally, XENOTIME began targeting electric utilities, expanding targeting to North America and the Asia Pacific region and obtaining access to documentation that could inform disruptive attacks. Furthermore, ransomware and other malware infections continue to be a major issue across industrial operations. LockerGoga malware disrupted operations at the Norwegian aluminum manufacturer Norsk Hydro, becoming the most high-profile disruptive ICS event of the year. Additionally, Emotet malware, Ryuk ransomware, and related infections caused business disruptions to multiple industrial and related entities. Although not specifically targeted to ICS, such attacks demonstrate how commodity malware, sometimes limited to IT networks only, impacts operations, especially when there is interconnectivity to the operations technology (OT) networks that is not fully understood, documented, or hardened.

The growing threat landscape affirms previous Dragos assessments: as the community achieves greater visibility into the industrial threat landscape through increased visibility, threat hunting, ICS-specific threat detection, and rising industrial cybersecurity investment, we will continue to identify new adversaries and gain a better understanding of the behaviors, tradecraft, and threats to ICS environments.

###### 2019 KEY FINDINGS

» In 2019, Dragos identified three new activity groups targeting ICS entities globally, increasing the total count to 11 activity groups.[1]
» Threat proliferation contributed greatly to increased risk as entities expanded targeting and capabilities.
This includes an increased focus on ICS organizations, specifically in critical infrastructure across the United States and APAC.[2]
» Third-party and supply chain threats are increasing, including threats to telecommunications, managed service providers, and backbone internet service providers.[3]
» Ransomware and commodity malware – like Ryuk and Emotet – remain threats to industrial operations. Such malware can potentially bridge the IT/OT gap to disrupt operations.[4]
» Common tactics such as phishing, password spraying, and watering holes remain popular and effective as initial access vectors into industrial organizations.
» Adversaries are increasingly targeting remote connectivity such as virtual private networks (VPNs), vendor and business management integrations, remote desktop connections, and managed service providers.
» Escalating geopolitical tensions increase the chance that offensive cyber effects operations against ICS will be employed more regularly, putting critical infrastructure and human life at higher risk.[5][6]

###### RECOMMENDATIONS

The following defensive recommendations can help asset owners and operators move beyond basic security best practices and defend against increasingly capable adversaries targeting industrial networks. Such a program should evaluate the potential impact of an ICS-disruptive cybersecurity incident and include ICS-specific monitoring, threat detection, and response. Traditional, and even modern, information technology (IT) enterprise approaches are insufficient to defend an industrial environment.

###### UNDERSTAND AND ANTICIPATE THREAT PROLIFERATION

Due to the increasing proliferation of threats, asset owners and operators across all industries must be aware of threats to ICS. As evidenced by XENOTIME and MAGNALLIUM, activity groups that historically target one vertical can expand their focus at any time.

ICS-SPECIFIC THREAT INTELLIGENCE CAN PROVIDE COMPREHENSIVE INFORMATION ABOUT ADVERSARY BEHAVIORS AND TARGETING THAT CAN HELP INFORM PROACTIVE DEFENSE.

This can ensure asset owners and operators proactively defend against threats to critical infrastructure before they become a potential target.

###### EFFECTIVELY OPERATIONALIZE THREAT INTELLIGENCE

Threat intelligence can inform operations beyond cybersecurity. Knowledge about adversaries’ tactics, techniques, and procedures (TTPs) can inform business continuity and remediation plans in the event of a cyberattack. Such information can help business and risk decision making – threat intelligence should be delivered to technical practitioners, but also to operational and strategic business managers so that they understand risk tolerance. Effectively operationalizing and communicating threat intelligence[7] by delivering appropriate messaging about threats to critical infrastructure can ensure a company-wide understanding of an enterprise’s position within the threat landscape. The more organizations know about the threat surface, the threat landscape, and their internal environments, the better they can understand how adversaries are going to interact with them.

###### CONDUCT OSINT ASSESSMENTS

Dragos has observed adversaries, including XENOTIME, accessing publicly available data that could support disruptive attacks. Asset owners and operators are encouraged to conduct regular open source intelligence (OSINT) assessments. Users should identify and limit information available about vendors and partners; documents, schematics, and data sheets; job advertisements; and credentials in public dumps. Security teams should also identify gaps in security architecture such as remote login portals that lack strong passwords and multi-factor authentication. Additionally, users should proactively identify scanning or automated information scraping activity and implement mechanisms to prevent such automation, such as requiring a CAPTCHA or an email address to download public documentation. Ensure all employees limit exposure of sensitive information, such as employment data on LinkedIn, that could facilitate targeting operations.

###### PRIORITIZE DEFENSE TO “CROWN JEWELS”

An attacker looking to achieve specific objectives will target an organization’s crown jewels, or the highest-valued assets that, if compromised, could cause major impact to the organization. Asset owners and operators should identify such assets and implement a risk-based approach that can accurately scope ICS security controls, tailored threat hunting, and regular security assessments. Dragos created the Crown Jewel Analysis Model[8] to help asset owners and operators effectively understand and implement ICS cybersecurity strategies.

###### DEPLOY ICS-SPECIFIC MONITORING AND THREAT DETECTION

Every year this becomes more and more evident. If you don’t see it, you can’t respond to it. If you don’t know you have it, you don’t know how to protect it. These are the basic axioms of monitoring and detection, forming the basis of any defensible environment. ICS environments contain unique assets, configurations, processes, data, protocols, and many other distinctive characteristics that significantly hamper traditional IT enterprise products from performing effectively. It is insufficient to use an “IT” approach to achieve ICS defensibility.

DESPITE OFTEN CONTAINING SIMILAR TECHNOLOGIES, IT AND OT ARE FUNDAMENTALLY DIFFERENT ENVIRONMENTS AND REQUIRE TWO DIFFERENT DEFENSE AND RESPONSE PLANS.

As a result, Dragos advises asset owners and operators to implement and invest in ICS-specific threat detection and response. Asset owners and operators should monitor for potentially malicious behaviors within the ICS, such as callouts to the internet or internet-routable IP addresses, new account creation, new devices on the network, and configuration changes outside of change windows.

###### THREATS IN DETAIL

Threats to ICS are increasing in sophistication and number. In 2019, through intelligence gathering, information sharing, and incident response engagements, Dragos identified a variety of new and ongoing threats to ICS. The following are the most concerning to Dragos.
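The four monitoring behaviors recommended under "Deploy ICS-specific monitoring and threat detection" (callouts to internet-routable addresses, new account creation, unknown devices, and configuration changes outside change windows), worked through as an added example that is not part of the Dragos report. The asset inventory, change windows, account baseline, flow records and events below are all constructed for the example.

```python
"""Added example (not Dragos code): the four ICS monitoring checks the
recommendation lists, run over constructed sample data. The asset
inventory, change windows, account baseline, flows and events are made up."""
import ipaddress
from datetime import datetime

# Anything outside these ranges is treated as internet-routable from the
# ICS network's point of view (RFC1918, loopback, link-local, multicast,
# limited broadcast). Adjust to the site's actual address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]

# Constructed asset inventory: IP -> device name for every approved device.
KNOWN_ASSETS = {
    "10.20.1.10": "hmi-01",
    "10.20.1.11": "historian-01",
    "10.20.1.20": "plc-line1",
    "10.20.1.21": "plc-line2",
}

# Constructed approved change windows as (start, end), inclusive.
CHANGE_WINDOWS = [
    (datetime(2019, 10, 12, 2, 0), datetime(2019, 10, 12, 6, 0)),
]

# Constructed baseline of accounts allowed to exist in the ICS domain.
KNOWN_ACCOUNTS = {"eng-admin", "operator1", "operator2", "svc-historian"}

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
FLOWS = [
    (datetime(2019, 10, 12, 3, 14), "10.20.1.10", "10.20.1.20", 502),   # HMI to PLC, normal
    (datetime(2019, 10, 12, 3, 15), "10.20.1.11", "203.0.113.7", 443),  # historian calls out
    (datetime(2019, 10, 12, 3, 16), "10.20.1.99", "10.20.1.20", 502),   # device not in inventory
    (datetime(2019, 10, 12, 3, 17), "10.20.1.10", "10.20.1.255", 137),  # local broadcast, benign
]

# Constructed host/domain events: (timestamp, event_type, subject).
EVENTS = [
    (datetime(2019, 10, 12, 3, 0), "config_change", "plc-line1"),    # inside change window
    (datetime(2019, 10, 13, 14, 5), "config_change", "plc-line2"),   # outside any window
    (datetime(2019, 10, 13, 14, 6), "account_created", "tmp-user"),  # not in baseline
]


def is_internet_routable(ip):
    """True if the address falls outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def in_change_window(ts):
    """True if ts falls inside an approved change window."""
    return any(start <= ts <= end for start, end in CHANGE_WINDOWS)


def analyze(flows=FLOWS, events=EVENTS, known_assets=KNOWN_ASSETS,
            known_accounts=KNOWN_ACCOUNTS):
    """Return (check, subject) findings in the order they were observed."""
    findings = []
    seen_unknown = set()
    for ts, src, dst, port in flows:
        if src not in known_assets and src not in seen_unknown:
            seen_unknown.add(src)
            findings.append(("unknown_device", src))
        if is_internet_routable(dst):
            findings.append(("internet_callout", f"{src}->{dst}:{port}"))
    for ts, kind, subject in events:
        if kind == "config_change" and not in_change_window(ts):
            findings.append(("config_change_outside_window", subject))
        elif kind == "account_created" and subject not in known_accounts:
            findings.append(("new_account", subject))
    return findings


if __name__ == "__main__":
    for check, subject in analyze():
        print(f"{check}: {subject}")
```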
###### PROLIFERATION OF THREATS

Cyber threats to ICS are proliferating as adversaries increasingly invest money, time, and talent into the ability to disrupt critical infrastructure. Such targets include oil and gas, electric power, and water.

Disruptive or destructive attacks on critical infrastructure require significant resources, which are increasing across the board as capabilities and targeting expand. The proliferation of cyber threats to ICS can be illustrated by the activity groups XENOTIME and MAGNALLIUM. In 2019, Dragos identified a change in behavior for XENOTIME, the activity group behind the destructive TRISIS malware. While working with clients across various utilities and regions, Dragos identified a persistent pattern of activity attempting to gather information and enumerate network resources associated with US and Asia-Pacific electric utilities.[10] XENOTIME expanded its probing activity to include electric utilities, using the same techniques previously deployed against oil and gas entities. Additionally, as identified in previous Dragos reporting, XENOTIME has targeted, and in some cases successfully compromised, original equipment manufacturers (OEMs), potentially impacting the entire industrial supply chain.[11]

Also this year, Dragos identified MAGNALLIUM beginning to target electric, financial, and government entities in North America. This behavior coincided with an escalation of political and geographic tensions in the Middle East over the summer.[12] The activity demonstrated an expansion of the behavior for the group previously focused on oil and gas entities, largely in or relating to operations in the Middle East.
THE GROUP USED THE SAME INITIAL ACCESS ATTEMPT TECHNIQUES EXHIBITED IN PREVIOUS CAMPAIGNS AGAINST ENERGY COMPANIES, NAMELY PASSWORD-SPRAYING AND PHISHING, IN AN EFFORT TO GAIN A FOOTHOLD WITHIN COMPANIES.

It is important to note this behavior is not a shift – rather it is an expansion of targeting for two groups historically focused on the oil and gas sector. This means that all ICS entities must be aware of malicious activity and adversary behaviors across industrial sectors, as interest and targeting from any group could change.

**RECOMMENDED SECURITY IMPROVEMENT:** Leverage ICS-specific threat intelligence to become knowledgeable about adversary TTPs across all industrial sectors to prepare for potential shifts in targeting.

###### DISRUPTIVE MALWARE, RANSOMWARE, AND SABOTAGE

DRAGOS HAS IDENTIFIED AN UPTICK IN MALWARE INFECTIONS, PARTICULARLY RANSOMWARE, AT INDUSTRIAL COMPANIES GLOBALLY. LIKE IN 2018, DISRUPTIVE IT MALWARE WAS AGAIN A THREAT TO ICS ENTITIES IN 2019.

This year the major malware families and events included LockerGoga, Emotet, and Ryuk infections. Additionally, Dragos identified an increase in new IT-based wiper malware activity targeting industrial entities in the Middle East. Dragos has also responded to ransomware events impacting ICS environments, underscoring the potential threat to operations from IT-focused malware if it breaches IT/OT boundaries.

The LockerGoga ransomware family first appeared in an incident at French engineering company Altran Technologies in January 2019.[13] In addition to two US-based chemical manufacturers likely impacted in early March 2019, the most notable impact was to Norway-based Norsk Hydro on 19 March 2019.
The crippling event resulted in prolonged and costly operational impacts.[14] The LockerGoga variant likely used at Hydro encrypted all files outside the Windows directory, instead of just files with typical document extensions. The Hydro variant also implemented various changes to make restoration difficult, if not impossible. Thus, Dragos classified LockerGoga as a destructive malware type used for sabotage instead of mere ransomware. Superficially, this is similar to the NotPetya ransomware event from June 2017, where malware appearing to be ransomware actually resulted in system loss due to the inability to recover files.[15]

Emotet first appeared toward the end of 2018, infecting multiple ICS-related entities. Throughout 2019, it continued to affect businesses, with a brief drop-off over the summer.[16] Emotet is a modular trojan commonly observed deploying Trickbot and Ryuk malware. In February 2019, Emotet malware infected a deep draft vessel bound for the Port of New York and New Jersey, which impacted its shipboard network (though no essential control systems were impacted), according to the US Coast Guard.[17]

Ryuk affected multiple organizations associated with the aviation industry. According to publicly available data and information shared with Dragos, attackers used Ryuk in events involving a US airport, US airline, Canadian supply chain company, and a Europe-based aviation industry supplier.
Additionally, Mitsubishi Canada Aerospace experienced a Ryuk ransomware attack beginning on March 19 and lasting “weeks,” according to local media.[18] Ryuk also impacted an unspecified marine facility, disrupting its camera and physical access control systems, as well as causing a loss of critical process control monitoring systems, according to a December bulletin from the US Coast Guard.[19] In June, UK’s National Cyber Security Centre (NCSC) warned of ongoing Ryuk ransomware campaigns targeting global organizations. Then in October, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) released an advisory on a widespread malicious email campaign to spread Emotet malware in Australia. The Australian government received dozens of reports of confirmed Emotet infections in sectors including critical infrastructure providers and government agencies. The ACSC said it was aware of at least 19 Emotet infections in Australia, some of which deployed the Trickbot malware.[20] Numerous other malware events disrupted ICS entities in 2019. 
In July, a ransomware attack on the IT systems at Johannesburg, South Africa’s City Power prevented prepaid electricity purchase via online systems, and prevented customers who had previously bought power from loading it to their meter boxes;[21] in September, Rheinmetall Automotive experienced an unnamed malware attack that disrupted some production processes;[22] also that month, a cyber event disrupted production and distribution at Danish health device manufacturer Demant;[23] BitPaymer ransomware impacted order fulfillment and delivery at the automation firm Pilz in October;[24] and oil company Petroleos Mexicanos experienced a ransomware attack in November that disrupted the company’s administration, business, billing, and supply chain operations.[25]

Government and intelligence organizations frequently publish detailed information on threats to businesses and citizens alike, providing some valuable visibility into threat trends in various countries. However, such releases provide a limited view of malicious activity. Dragos performed incident response cases against a number of IT-focused malware infections at industrial organizations, including a Sodinokibi ransomware infection at an ICS entity that disabled multiple systems required for control of the affected plant. Such events often go unreported in the public sphere; thus Dragos’ incident response capabilities and intelligence collection generate additional insights into threat trends like disruptive ransomware.

2019 also saw two new IT-based wiper malware strains targeting energy entities in the Middle East. Dragos discovered KILLGRAVE malware associated with operations against the oil and gas industry in the UAE in July 2019, with likely links to the MAGNALLIUM activity group.
Additionally, in December, IBM released public details on a wiper called ZeroCleare targeting unspecified industrial and energy environments in the Middle East.[26] Dragos continues to observe evidence of ZeroCleare use and related variants in the wild.

THE MALWARE AND RANSOMWARE INCIDENTS LARGELY TARGET ENTERPRISE NETWORKS. HOWEVER, AS DRAGOS HAS OBSERVED MULTIPLE TIMES, INCIDENTAL INFECTIONS WITHIN THE OT DUE TO POORLY SEGMENTED OR MISCONFIGURED NETWORKS, OR INFECTIONS DISRUPTING IT SOFTWARE OR SERVICES REQUIRED FOR OPERATIONS – LIKE DATA, FLEET, OR PRODUCTION MANAGEMENT SOFTWARE – CAN HAVE OPERATIONALLY DISRUPTIVE EFFECTS.

###### THIRD-PARTY AND SUPPLY CHAIN TARGETING

AS IN 2018, SUPPLY CHAIN THREATS WERE A KEY ISSUE FOR ICS ENTITIES THIS YEAR. IN 2019, NEW THREATS EMERGED AFFECTING TELECOMMUNICATIONS, MANAGED SERVICE PROVIDERS (MSPS), AND BACKBONE INTERNET SERVICE PROVIDERS.

Dragos identified the new activity group HEXANE targeting telecommunications entities in addition to oil and gas in Africa, the Middle East, and Southwest Asia. Additionally, Microsoft[27] and security firm Cybereason[28] published reports on threat actors targeting telecommunications providers globally. Telecommunications networks are valuable targets for ICS-targeting attackers.
Gaining access to a mobile or satellite network could allow an adversary to interact with upstream and midstream operations that utilize cellular devices or satellite connections for communication, monitoring, and management. Geographically dispersed and remote operations – such as pipeline compressor stations and offshore oil wells, or solar or wind farms – often depend on cellular or satellite communication networks. Dragos observed ICS-specific targeting via telecommunications networks indicating activity corresponding to initial access attempts, or Stage 1 of the ICS Cyber Kill Chain, trying to bridge to Stage 2 capabilities or access.[29]

In April, media reporting indicated business process and information technology outsourcing firm Wipro, which provides services for various ICS verticals, allegedly suffered a breach of corporate systems.[30] Adversaries then used this access to launch follow-on attacks against Wipro clients. Although not directly involved in industrial operations, Wipro products and services – such as the company’s Promax offering – are often tied to industrial processes for data collection, processing, and analysis.[31] The breach was one of multiple third-party service provider attacks Dragos and other entities have identified since 2017, highlighted in Dragos’ 2018 Year in Review reporting.[32]

External parties routinely have access to operations, and thus it presents an issue where third-party access bypasses corporate IT. Multiple related services surrounding ICS operations – from managing corporate IT through performing data collection and analysis on industrial processes – rely on trusted third parties deeply integrated into the organization’s operations.
In April, Cisco Talos revealed a sophisticated DNS hijacking campaign called Sea Turtle.[33] It targeted 40 organizations in 13 countries, primarily national security organizations in the Middle East and North Africa, and compromised victims included “prominent energy organizations.” The goal of the campaign was to steal credentials to access the primary victims’ networks. The attacks began as early as January 2017 and continued through this year. DNS hijacking is an attack method that could be used to steal sensitive data and obtain legitimate encryption certificates for a target’s domain names by compromising DNS resolution to funnel traffic to a DNS server generally operated by the attacker. In this campaign, attackers compromised third-party entities including DNS registries, internet service providers (ISPs), and organizations affiliated with DNS infrastructure support to control the targets’ DNS records. DNS hijacking can be a useful technique to gain initial access to any network, including industrial organizations.

AN ADVERSARY EXPLOITING TECHNOLOGIES FUNDAMENTAL TO INTERNET CONNECTIVITY AND GLOBAL COMMUNICATION IS SIGNIFICANTLY CONCERNING.

**RECOMMENDED SECURITY IMPROVEMENT:** Manage third-party connections through policy and technical controls, including ICS-specific threat detection, visibility, and response, to counter both insider and external threats posed by these connections.

###### VULNERABILITIES IN REMOTE ACCESS SERVICES

VULNERABILITIES PUBLISHED THIS YEAR FOR MICROSOFT’S REMOTE DESKTOP SERVICES AS WELL AS THREE VIRTUAL PRIVATE NETWORK (VPN) PROVIDERS COULD ALLOW AN ATTACKER TO LEVERAGE VULNERABLE REMOTE LOGIN PORTALS FOR INITIAL ACCESS.

Indeed, Dragos has identified at least one ICS-targeting activity group targeting vulnerable VPN appliances, and security researchers identified active exploitation of the Windows vulnerability. In 2019, Dragos also responded to cyber events in which adversaries used RDP connections as a means to obtain initial access.

In May, Microsoft published an advisory detailing a critical vulnerability in Remote Desktop Services which could allow an attacker to send a specially crafted packet to a target system via RDP and achieve control of the system.[34] The vulnerability is known as “BlueKeep” or CVE-2019-0708 and affects Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows 2003 and Windows XP. If an attacker utilizes the flaw to deliver malware to a target workstation, it is possible for the malware to propagate throughout the target network in a wormable fashion. Microsoft said in its initial advisory the vulnerability could enable a malware outbreak similar to the WannaCry attacks in 2017.

In November, researchers revealed attackers actively exploiting the vulnerability to install cryptocurrency mining malware on victim machines.[35] This is a relatively low impact exploitation of the vulnerability considering the scale and scope of potential consequences. It is likely attackers will continue to exploit this vulnerability, with potentially more disruptive effects. The RDP vulnerability is concerning to ICS asset owners and operators. ICS environments often contain older versions of Windows operating systems on devices including human machine interfaces (HMIs), data historians, and OPC servers. It is especially concerning for DMZ jump hosts, which may have exposure to corporate networks and would be the initial ICS entry point for any future worm which uses this vulnerability.

RDP access is a valuable entry point for attackers, even if patched against this vulnerability but not properly defended. In the Sodinokibi ransomware event mentioned above, Dragos incident responders observed that attackers remotely compromised a plant by brute forcing RDP access. That is, an adversary tried numerous passwords against the victim’s RDP endpoint, which was exposed to the internet, and eventually guessed correctly.

Adversaries are also targeting vulnerable VPN appliances for initial access to target networks. Dragos identified PARISITE targeting known vulnerabilities in Pulse Secure Pulse Connect Secure (CVE-2019-11510),[36] Palo Alto Networks GlobalProtect Portal (CVE-2019-1579),[37] and Fortinet FortiOS (CVE-2018-13379)[38] VPN applications. Dragos identified that this activity began as early as April 2019. The exploited vulnerabilities could allow remote attackers to take control of a vulnerable system. Details of the vulnerabilities were published earlier this year, and government intelligence agencies previously said multiple adversaries are actively exploiting the vulnerabilities worldwide.[39] VPN gateways are common targets for adversaries as they can provide outside access to internal networks and may lack some security protection mechanisms prevalent inside a perimeter.
Third-party services often use VPNs to connect with customers for things like business or maintenance purposes, thus making them a valuable target for adversaries aiming to take advantage of trusted relationships. Enterprise VPN clients are often used for remote access from IT to OT environments. Dragos has previously reported on adversaries that have shown interest in VPN services, including XENOTIME. Additionally, a September 2019 report described a series of cyberattacks that targeted Airbus via VPN connections between the company and its suppliers, reportedly with the intention to steal commercial information and intellectual property.[40] Dragos observes that similar techniques can be used for other disruptive or destructive ICS-specific cyber incidents.

**RECOMMENDED SECURITY IMPROVEMENT:** If possible, do not allow direct access from the internet. Exposing RDP could allow for attackers to bypass a network’s security stack. Enforce multifactor authentication on all remote services.

###### COMMON TACTICS REMAIN EFFECTIVE

ICS-TARGETING ADVERSARIES CONTINUE TO USE COMMON AND POPULAR TACTICS TO ACHIEVE INITIAL ACCESS.

Although password spraying is a relatively common technique attackers use to gain access to enterprise resources, organizations are often vulnerable to these types of attacks because of poor account management and authentication policies for external resources.

**RECOMMENDED SECURITY IMPROVEMENT:** Ensure password complexity is enforced and two-factor authentication is enabled if possible. Identify attempts at password spraying through monitoring both network traffic and application information from webmail, remote services, etc.

MAGNALLIUM also remained faithful to its often-observed phishing behavior. MAGNALLIUM frequently uses job-themed phishing lures, largely focused in the Middle East. However, in June and November, Dragos identified MAGNALLIUM phishing campaigns using North American job-themed phishing lures; this change in phishing behavior aligned with shifts in targeting for other MAGNALLIUM activity, including password spraying as mentioned above.

Throughout the year, Dragos observed watering hole activity associated with DYMALLOY and ALLANITE. Watering holes, also known as strategic web compromises, refer to an adversary infecting a third party website frequented by the target with malware in order to compromise the actual targets. The groups’ activity this year largely focused on Ukraine; however, in September, Dragos observed DYMALLOY establishing watering holes to compromise targets in Europe, North America, and the Asia-Pacific region.

In the latter part of 2019, Dragos observed a LinkedIn phishing campaign targeting ICS entities. Adversaries used LinkedIn direct messaging to send “project proposal”-themed lures. LinkedIn can be a useful phishing route for an adversary as it can bypass email security filters and attackers can leverage users’ network connections to appear as a legitimate contact. messages specifically targeted electric utilities in the US. Security firm Proofpoint published public details on the campaign.[41]
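The password spraying detection recommended above, together with the single-account RDP brute force described in the remote access section, worked through as an added detection example that is not from the Dragos report. The log format, service names, accounts, addresses and thresholds are constructed assumptions; a real webmail, VPN or RDP log needs its own parser, but the grouping logic is the same.

```python
"""Added example (not Dragos code): spotting password spraying and
single-account brute forcing in authentication logs from remote services.
The log format, hosts, accounts, addresses and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: "<ISO timestamp> <service> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2019-11-04T08:00:01 vpn FAIL user=alice src=198.51.100.23
2019-11-04T08:00:03 vpn FAIL user=bob src=198.51.100.23
2019-11-04T08:00:05 vpn FAIL user=carol src=198.51.100.23
2019-11-04T08:00:07 vpn FAIL user=dave src=198.51.100.23
2019-11-04T08:00:09 vpn FAIL user=erin src=198.51.100.23
2019-11-04T08:00:11 vpn FAIL user=frank src=198.51.100.23
2019-11-04T08:00:13 vpn OK user=frank src=198.51.100.23
2019-11-04T08:01:00 rdp FAIL user=operator src=203.0.113.9
2019-11-04T08:01:05 rdp FAIL user=operator src=203.0.113.9
2019-11-04T08:01:10 rdp FAIL user=operator src=203.0.113.9
2019-11-04T08:01:15 rdp FAIL user=operator src=203.0.113.9
2019-11-04T08:01:20 rdp FAIL user=operator src=203.0.113.9
2019-11-04T08:01:25 rdp FAIL user=operator src=203.0.113.9
2019-11-04T08:01:30 rdp OK user=operator src=203.0.113.9
2019-11-04T09:30:00 webmail FAIL user=alice src=192.0.2.44
2019-11-04T09:30:20 webmail OK user=alice src=192.0.2.44
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<svc>\S+) (?P<result>OK|FAIL) "
                    r"user=(?P<user>\S+) src=(?P<src>\S+)$")
WINDOW = timedelta(minutes=10)   # span over which attempts are correlated
SPRAY_MIN_USERS = 5              # distinct accounts from one source -> spray
BRUTE_MIN_FAILS = 5              # failures on one account from one source -> brute force


def parse_log(text):
    """Parse lines into dicts with a datetime ts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["seq"] = len(events)   # unique id so identical timestamps still count
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def max_distinct_in_window(events, key):
    """Largest number of distinct key(ev) values inside any WINDOW-long span
    of the time-sorted event list."""
    best = 0
    for i, first in enumerate(events):
        seen = set()
        for ev in events[i:]:
            if ev["ts"] - first["ts"] > WINDOW:
                break
            seen.add(key(ev))
        best = max(best, len(seen))
    return best


def detect(text):
    """Return spray and brute-force alerts; each records whether the source
    also logged in successfully, which is what turns an alert into an incident."""
    events = parse_log(text)
    fails_by_src = defaultdict(list)
    fails_by_src_user = defaultdict(list)
    successes = {(e["src"], e["user"]) for e in events if e["result"] == "OK"}
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)
            fails_by_src_user[(e["src"], e["user"])].append(e)

    alerts = []
    # Spray: few attempts per account, many accounts, one source.
    for src, evs in fails_by_src.items():
        n = max_distinct_in_window(evs, key=lambda e: e["user"])
        if n >= SPRAY_MIN_USERS:
            alerts.append({"type": "password_spray", "src": src, "distinct_users": n,
                           "succeeded_for": sorted(u for s, u in successes if s == src)})
    # Brute force: many attempts on one account from one source (the RDP case).
    for (src, user), evs in fails_by_src_user.items():
        n = max_distinct_in_window(evs, key=lambda e: e["seq"])
        if n >= BRUTE_MIN_FAILS:
            alerts.append({"type": "brute_force", "src": src, "user": user,
                           "failures": n, "succeeded": (src, user) in successes})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```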
Although common enterprise tactics remain effective, adversaries are moving toward ICS-specific capabilities. Environmental context is key to threat detection; for instance, the difference between lateral movement within a DMZ and lateral movement from an engineering workstation to a safety instrumented system can make all the difference in detection and response.

To that end, Dragos collaborated with MITRE on creating the new ATT&CK for ICS[41] framework. It is designed to help analysts, defenders, and other security practitioners better understand threat behaviors affecting industrial environments and develop defensive strategies. The existing and widely used ATT&CK for Enterprise framework breaks down common tactics, techniques, and procedures observed across numerous activity groups and buckets them into tactic categories such as initial access, command and control, and lateral movement. Building on that documentation, Dragos and MITRE created a framework specifically for ICS to identify the behaviors and methods observed targeting operations environments. New tactic categories specific to operations environments within ATT&CK for ICS include Inhibit Response Function, Impair Process Control, and the ultimate Impact.

Some of the tactics and visibility we have on ICS activity groups are detailed in the following section as mapped to the ATT&CK for ICS framework.*

*Not all of the tactics Dragos has visibility into are shared in this document, to avoid threat proliferation. Please contact [info@dragos.com](mailto:info@dragos.com) to learn more.
###### THREAT ACTIVITY GROUPS

Dragos categorizes behavior by activity group,[42] creating threat analytics that provide comprehensive data around actions, capabilities, and intentions for our Dragos Platform technology. We report on these threats in our WorldView intelligence reporting. We currently publicly label 11 ICS-focused activity groups and track additional unlabeled activity of interest. The following summaries include newly identified activity groups as well as recent activity that Dragos links with high confidence to tracked activity groups.

###### HEXANE

DRAGOS IDENTIFIED HEXANE IN MAY TARGETING OIL AND GAS COMPANIES IN THE MIDDLE EAST, INCLUDING KUWAIT AS A PRIMARY OPERATING REGION.

Additionally, and unlike other activity groups Dragos tracks, HEXANE also targeted telecommunication providers in the greater Middle East, Central Asia, and Africa, potentially as a steppingstone to network-focused man-in-the-middle* and related attacks.

*A "man-in-the-middle" attack describes an adversary surreptitiously compromising communications between two or more parties; it can be used to conduct espionage or to disrupt or alter communications.
| HEXANE | Active since 2018 |
|---|---|
| MODE OF OPERATION | IT compromise and information gathering against ICS entities |
| CAPABILITIES | Embedded binaries in documents, C2 via DNS and HTTP, evasion techniques |
| VICTIMOLOGY | Oil & Gas; Middle East, Central Asia, Africa |
| LINKS | None |

HEXANE intrusion activity includes malicious documents that drop malware to establish footholds for follow-on activity. Although the group appears to have been operational since at least mid-2018, HEXANE activity accelerated in early- to mid-2019. This timeline, targeting, and increase in operations coincide with an escalation of tensions in the Middle East, a current area of political and military conflict.

HEXANE's telecommunications targeting appears to follow a trend demonstrated by other activity groups: ICS adversaries are increasingly targeting third-party organizations along the supply chains of potential targets.
For instance, in 2018 Dragos identified the activity group XENOTIME targeting several industrial original equipment manufacturers (OEMs) and hardware and software suppliers.

HEXANE demonstrates similarities to the activity groups MAGNALLIUM and CHRYSENE, which are discussed below. These activity groups perform ICS-targeting activities focused largely on oil and gas, and share some similar observed tactics, techniques, and procedures (TTPs). Like HEXANE, MAGNALLIUM also increased its activity in early- to mid-2019. However, the collection of HEXANE behaviors, tools, and victimology makes it a unique entity compared to these previously observed activity groups.

###### PARISITE

DRAGOS IDENTIFIED PARISITE IN OCTOBER. PARISITE TARGETS VARIOUS INDUSTRIAL VERTICALS INCLUDING AEROSPACE, OIL AND GAS, AND MULTIPLE UTILITIES INCLUDING WATER, ELECTRIC, AND GAS.

PARISITE's broad geographic targeting includes entities in the US, the Middle East, Europe, and Australia. Although PARISITE appears focused on industrial organizations with ICS environments and related entities, its targeting activity spans government and non-governmental organizations.
| PARISITE | Active since 2017 |
|---|---|
| MODE OF OPERATION | VPN compromise of IT networks to conduct reconnaissance |
| CAPABILITIES | Exploiting known VPN vulnerabilities; SSH.NET, MASSCAN, and dsniff hacking tools |
| VICTIMOLOGY | US, Middle East, Europe, Australia; Electric, Oil & Gas, Aerospace, Government |
| LINKS | MAGNALLIUM |

Dragos identified PARISITE activity targeting ICS-related entities using known VPN vulnerabilities.[43] PARISITE's current focus on vulnerable VPN appliances indicates an interest in initial access to enterprise networks in order to reach industrial networks. PARISITE infrastructure and capabilities date from at least 2017, indicating operations since at least that time. PARISITE uses known open source penetration testing tools for reconnaissance and to establish encrypted communications.
This aligns with other activity groups increasingly using publicly available tools and resources rather than customized malware once they achieve initial access. At this time, PARISITE does not appear to have an ICS-specific disruptive or destructive capability. Dragos intelligence indicates PARISITE serves as the initial access group and enables further operations for MAGNALLIUM.

###### MAGNALLIUM

| MAGNALLIUM | Active since 2016 |
|---|---|
| MODE OF OPERATION | IT network limited; information gathering against industrial organizations |
| CAPABILITIES | STONEDRILL wiper, variants of TURNEDUP malware |
| VICTIMOLOGY | Petrochemical, Aerospace, Oil & Gas, Electric; Saudi Arabia, North America |
| LINKS | APT33, PARISITE |

This year Dragos observed MAGNALLIUM deploying password spraying campaigns, a new initial access behavior for this group. MAGNALLIUM also relies extensively on phishing, frequently using job-themed lures to entice victims.
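The password spraying attributed to MAGNALLIUM above is the same pattern the Common Tactics section recommends monitoring for in webmail and remote-service logs. The following detector is an added example, not code from the Dragos report or from any tool it describes. It pivots authentication failures on the source address rather than the account, because a spray leaves each account with only one or two failures (under the lockout threshold) while the source accumulates failures across many distinct usernames. The log format (timestamp, source, username, result) and every entry in it are constructed for illustration.

```python
"""Detect password spraying from authentication events (added example).

Per-account lockout never fires on a spray: each account sees a failure or
two.  Grouping failures by SOURCE and counting distinct usernames inside a
time window exposes the pattern, and any success from a spraying source is
a likely compromised account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, NOT real data: "<ISO time> <source> <user> <FAIL|SUCCESS>".
# 203.0.113.7 sprays 12 accounts once each and lands one valid password;
# 198.51.100.20 is a real user mistyping a password three times.
SAMPLE_LOG = """\
2019-11-04T08:00:01Z 203.0.113.7 a.adams FAIL
2019-11-04T08:00:04Z 203.0.113.7 b.baker FAIL
2019-11-04T08:00:07Z 203.0.113.7 c.chen FAIL
2019-11-04T08:00:10Z 203.0.113.7 d.diaz FAIL
2019-11-04T08:00:13Z 203.0.113.7 e.evans FAIL
2019-11-04T08:00:16Z 203.0.113.7 f.ford FAIL
2019-11-04T08:00:19Z 203.0.113.7 g.gupta FAIL
2019-11-04T08:00:22Z 203.0.113.7 h.hall FAIL
2019-11-04T08:00:25Z 203.0.113.7 i.ito FAIL
2019-11-04T08:00:28Z 203.0.113.7 j.jones FAIL
2019-11-04T08:00:31Z 203.0.113.7 k.khan FAIL
2019-11-04T08:00:34Z 203.0.113.7 l.lopez FAIL
2019-11-04T08:15:02Z 203.0.113.7 l.lopez SUCCESS
2019-11-04T08:02:11Z 198.51.100.20 j.doe FAIL
2019-11-04T08:02:30Z 198.51.100.20 j.doe FAIL
2019-11-04T08:02:55Z 198.51.100.20 j.doe FAIL
2019-11-04T08:03:20Z 198.51.100.20 j.doe SUCCESS
2019-11-04T08:05:00Z 198.51.100.21 k.kim SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "user": user.lower(),
            "result": result.upper(),
        })
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=8):
    """Return {source: finding} for every source whose failures inside any
    `window` span at least `min_accounts` distinct usernames.

    A sliding window over each source's failures tracks distinct users and the
    worst per-user failure count; the widest window is kept so the analyst sees
    the full set of accounts tried, not the moment the threshold was crossed.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        per_user = defaultdict(int)
        best, lo = None, 0
        for hi, e in enumerate(fails):
            per_user[e["user"]] += 1
            while e["ts"] - fails[lo]["ts"] > window:   # drop events that aged out
                old = fails[lo]["user"]
                per_user[old] -= 1
                if per_user[old] == 0:
                    del per_user[old]
                lo += 1
            if best is None or len(per_user) > best["accounts_tried"]:
                best = {
                    "accounts_tried": len(per_user),
                    "max_failures_per_account": max(per_user.values()),
                    "window_start": fails[lo]["ts"],
                    "window_end": e["ts"],
                }
        if best and best["accounts_tried"] >= min_accounts:
            # Few failures per account = spray; many = brute force against a few accounts.
            best["pattern"] = "spray" if best["max_failures_per_account"] <= 2 else "brute force"
            best["successful_logons"] = sorted(
                {x["user"] for x in evs if x["result"] == "SUCCESS"})
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, f in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['pattern']} across {f['accounts_tried']} accounts "
              f"({f['window_start']:%H:%M:%S}-{f['window_end']:%H:%M:%S}); "
              f"successful logons: {f['successful_logons'] or 'none'}")
```

Tune `window` and `min_accounts` to the tenant: a large externally facing webmail portal will see legitimate bursts from NAT gateways, so the source field should be the true client address (X-Forwarded-For or the VPN concentrator's peer) rather than a proxy. The `successful_logons` field is the item to act on first; it is the account whose password the spray found.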
In July, Dragos identified a new disruptive malware dubbed KILLGRAVE associated with MAGNALLIUM activity. The malware targeted industrial entities in the Middle East and includes various capabilities to disrupt or potentially destroy infected systems depending on parameters. It represents a new threat to industrial entities, either through indirect disruption via IT impacts or through direct disruption if attackers gain access to the ICS environment. Dragos intelligence indicates this malware was likely a coordinated effort between MAGNALLIUM and PARISITE, with the latter staging the malware via VPN gateway compromise and MAGNALLIUM distributing it through the victim network.

Dragos initially identified MAGNALLIUM in 2017 and determined that the group had targeted petrochemical and aerospace manufacturers since at least 2013. Initially targeting Saudi Arabian energy firms and an aircraft holding company, the group continues to expand targeting across the energy sector and related industries.

###### WASSONITE

DRAGOS IDENTIFIED THE WASSONITE ACTIVITY GROUP FOLLOWING A MALWARE INTRUSION AT THE KUDANKULAM NUCLEAR POWER PLANT (KKNPP) IN INDIA.[44]

After further investigation, Dragos observed WASSONITE tools and behaviors targeting multiple industrial control system (ICS) entities including electric generation, nuclear energy, manufacturing, and organizations involved in space-centric research. WASSONITE has been active since at least 2018.
WASSONITE targeting focuses on Asian entities, largely in India, as well as possibly Japan and South Korea. At this time, WASSONITE does not appear to have an ICS-specific disruptive or destructive capability. All observed activity represents Stage 1 of the ICS Cyber Kill Chain: access operations within IT networks. WASSONITE operations rely on deploying DTrack malware for remote access to victim machines, capturing credentials via Mimikatz and other publicly available tools, and utilizing system tools to transfer files and move laterally within the enterprise network.

Researchers first disclosed DTrack in late September 2019,[45] identifying the tool targeting Indian financial institutions and research centers. DTrack is loosely connected to an earlier observed malware family, ATMDTrack, used for robbing ATM machines. Third-party security firms associate DTrack and its related malware with the Lazarus Group.[46] Dragos also associates the activity group COVELLITE with the Lazarus Group. However, COVELLITE does not overlap with observed WASSONITE activity, despite links to broader Lazarus activity, due to substantially different capabilities and infrastructure.
| WASSONITE | Active since 2018 |
|---|---|
| MODE OF OPERATION | IT compromise and information gathering |
| CAPABILITIES | DTrack RAT, Mimikatz, system tools for file transfer and lateral movement |
| VICTIMOLOGY | India, South Korea, Japan; Electric, Nuclear, Oil & Gas, Manufacturing, Research |
| LINKS | COVELLITE |

###### ICS ATT&CK MAPPING HIGHLIGHT

**WASSONITE uses Valid Accounts (T859) for Persistence**

**DEFINITION** Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way.
Adversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence.

**IN CONTEXT** WASSONITE captures and re-uses legitimate credentials to establish persistence within victim networks. Such behaviors can be deployed to facilitate access to OT environments and control system devices.

###### XENOTIME

Available data indicates XENOTIME relies on capturing legitimate system credentials to move throughout the target network while deploying a combination of legitimate Windows utilities and custom-developed tools. Evidence suggests that unique tools associated with XENOTIME have been in development since 2014. Dragos has also observed entities associated with XENOTIME experimenting with the Cobalt Strike penetration testing framework. This follows the previously mentioned trend of adversaries leveraging legitimate penetration testing frameworks in malicious campaigns.

Dragos considers XENOTIME to be the most dangerous and capable activity group. It is responsible for the disruptive and nearly life-threatening TRISIS malware attack on an oil and gas facility in the Middle East in 2017.

###### DYMALLOY

IN 2019, DRAGOS IDENTIFIED WATERING HOLE ACTIVITY ASSOCIATED WITH THE DYMALLOY AND ALLANITE ACTIVITY GROUPS.

The compromised websites were associated with Ukrainian sports, media, and entertainment entities. In September 2019, Dragos observed new DYMALLOY-related activity indicating a return to operations outside of Ukraine, including North America and APAC.
DYMALLOY targeting generally focuses on energy companies and advanced industry entities in Europe, Turkey, and North America. Its attention largely shifted to Ukraine this year, coinciding with Ukrainian parliamentary elections in July 2019. Previously, DYMALLOY has demonstrated the ability to achieve long-term, persistent access to IT and operational environments for intelligence collection and possible future disruption events.

DYMALLOY has used malware backdoors including Goodor, DorShel, and Karagany. These are commodity malware families, not unique to any particular group, but their use together as a toolkit makes this group's behavior distinctive. Overall, DYMALLOY avoids using custom toolkits in its operations, making detection and specific attribution more difficult without recognizing the entirety of adversary actions. Dragos has also found the group leveraged Mimikatz, an open-source security tool for extracting passwords from memory on Windows systems. DYMALLOY has operated since at least 2015 and is linked* to the "Dragonfly 2.0" group.[47]

###### ICS ATT&CK MAPPING HIGHLIGHT

**DYMALLOY uses Screen Capture (T852) for Collection**

**DEFINITION** Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a great deal of important industrial process information.
Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.

**IN CONTEXT** DYMALLOY successfully obtained HMI screenshots while conducting reconnaissance in target operations networks.

| DYMALLOY | Active since 2016 |
|---|---|
| MODE OF OPERATION | Deep ICS environment information gathering: operator credentials, industrial process details |
| CAPABILITIES | GOODOR, DORSHEL, KARAGANY, Mimikatz |
| VICTIMOLOGY | Turkey, Europe, US |
| LINKS | Dragonfly 2.0, Berserk Bear |

*"Links" means there are technical overlaps or assessments made by other entities that provide some connection between the groups; this does not imply a one-to-one relationship, and the linked names should not be considered aliases.
###### ALLANITE

IN 2019, DRAGOS IDENTIFIED WATERING HOLE ACTIVITY ALIGNING WITH ALLANITE AND DYMALLOY ACTIVITY COMPROMISING WEBSITES ASSOCIATED WITH UKRAINIAN SPORTS, ENTERTAINMENT, AND MEDIA ENTITIES. DRAGOS ASSESSES THE GROUPS' TARGETING SHIFTED DUE TO CURRENT GEOPOLITICAL EVENTS IN UKRAINE.

| ALLANITE | Active since 2017 |
|---|---|
| MODE OF OPERATION | Watering-hole and phishing leading to ICS recon and screenshot collection |
| CAPABILITIES | PowerShell scripts, THC Hydra, SecretsDump, Inveigh, PSExec |
| VICTIMOLOGY | Electric utilities; US & UK |
| LINKS | Palmetto Fusion |

ALLANITE activity historically focuses on ICS reconnaissance and information gathering against US and UK victims. ALLANITE avoids using malware for initial infection and subsequent activity, relying instead on credential capture from authentication attempts and the use of native Windows system tools for system discovery and information gathering.

ALLANITE relies upon insecure environments lacking adequate network traffic control and using single-factor authentication for operational access. There is no evidence that ALLANITE possesses or aims to use any disruptive or destructive capability within target ICS environments. Although superficially similar to other ICS activity groups such as Dragonfly and DYMALLOY, ALLANITE's methods, tools, and technology are significantly different from those entities. ALLANITE has conducted intrusion and reconnaissance activities within ICS corresponding to Stage 1 of the ICS Cyber Kill Chain and demonstrates some level of intent to move to Stage 2.

###### CHRYSENE

CHRYSENE IS RESPONSIBLE FOR INITIAL INTRUSIONS ACROSS SEVERAL CRITICAL INFRASTRUCTURE SECTORS, INCLUDING ELECTRIC UTILITIES AND OIL AND GAS, SINCE AT LEAST MID-2017, WITH AN OPERATIONAL FOCUS ON EUROPE, NORTH AMERICA, AND THE MIDDLE EAST.

Dragos identified phishing activity associated with this group in early 2019 using IT-themed lures and PowerShell for post-exploitation. Dragos identified additional samples of this group's malware, indicating the group is active and evolving in more than one area.
| CHRYSENE | Active since 2017 |
|---|---|
| MODE OF OPERATION | IT compromise, information gathering, and recon against industrial organizations |
| CAPABILITIES | Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR |
| VICTIMOLOGY | Oil & Gas, Manufacturing; Europe, MENA, N. America |
| LINKS | OilRig, Greenbug |

###### ICS ATT&CK MAPPING HIGHLIGHT

**CHRYSENE uses Scripting (T853) for Execution**

**DEFINITION** Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages in that they use an interpreter instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code into an executable file. Scripting allows software developers to run their code on any system where the interpreter exists, so they can distribute one package instead of precompiling executables for many different systems. Scripting languages such as Python have their interpreters shipped by default with many Linux distributions. In addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by an adversary to execute code in the target environment. Due to the nature of scripting languages, this allows weaponized code to be deployed to a target easily and leaves open the possibility of on-the-fly scripting to perform a task.

**IN CONTEXT** When CHRYSENE gains code execution on a target host, it may deploy encoded malware; the executable is decoded and launched via a PowerShell command. PowerShell commands can be deployed by adversaries on Windows hosts within the ICS environment.[48]

###### RASPITE

DRAGOS FIRST IDENTIFIED RASPITE IN 2018, AND ITS ACTIVITY TO DATE FOCUSES ON INITIAL ACCESS OPERATIONS WITHIN THE ELECTRIC UTILITY SECTOR. ALTHOUGH FOCUSED ON ORGANIZATIONS WITH ICS ENVIRONMENTS, RASPITE HAS NOT DEMONSTRATED AN ICS-SPECIFIC CAPABILITY TO DATE.
| RASPITE | Active since 2017 |
|---|---|
| MODE OF OPERATION | IT network limited; information gathering on electric utilities, with some similarities to CHRYSENE |
| CAPABILITIES | Service installer malware designed to beacon out to adversary infrastructure |
| VICTIMOLOGY | Electric Utilities; US, Saudi Arabia, Japan |
| LINKS | None |

In 2019, Dragos identified two new customized applications linked to RASPITE. While the two items were not identified until recently, analysis indicates both were developed and likely deployed in 2017, coinciding with the first known activity from RASPITE. Further analysis indicates that both applications are tools that RASPITE, or another entity, would leverage as part of an intrusion for network enumeration or propagation. RASPITE leverages custom software and scripts to manipulate victim machines, install malicious services, and enable remote access to victim networks.
After almost exclusively focusing on political and strategic targets in the Middle East in 2017, RASPITE pivoted to ICS-related organizations in North America in 2018.

###### ELECTRUM

ELECTRUM IS RESPONSIBLE FOR THE CRASHOVERRIDE MALWARE ATTACK WHICH SUCCESSFULLY BLACKED OUT PORTIONS OF KIEV, UKRAINE IN DECEMBER 2016. IT IS ASSOCIATED WITH THE SANDWORM GROUP.[50]

Dragos identified that ELECTRUM and SANDWORM collaborated on CRASHOVERRIDE as part of a two-pronged attack: SANDWORM served as the initial access vector that enabled the ICS-specific entity, ELECTRUM, to conduct a sequenced, ICS-specific attack aimed at physical process destruction.

| ELECTRUM | Active since 2016 |
|---|---|
| MODE OF OPERATION | Electric grid disruption and long-term persistence |
| CAPABILITIES | CRASHOVERRIDE |
| VICTIMOLOGY | Ukraine; Electric Utilities |
| LINKS | Sandworm |

CRASHOVERRIDE represents the first publicly known application of specialization and division of labor to ensure
maximal effectiveness and efficiency in critical in- MODE OF OPERATION frastructure-targeting cyberattacks. Electric grid disruption and long-term persistence Dragos did not observe ELECTRUM in 2019. It is possible ELECTRUM has substantially CAPABILITIES CRASHOVERRIDE changed behavior and is now identified as another activity group, reduced their activ- VICTIMOLOGY ity below detectable levels, or gone away Ukraine, Electric Utilities entirely. LINKS Sandworm ----- **THE ICS LANDSCAPE AND THREAT ACTIVITY GROUPS** ###### COVELLITE ###### COVELLITE ###### COVELLITE PREVIOUSLY COMPROMISED IT NETWORKS ASSOCIATED WITH ELECTRIC UTILITIES, PRIMARILY IN EUROPE, EAST ASIA, AND NORTH AMERICA. The group has not shown an ICS-specific capability at this time. While technical activity linked to COVELLITE behaviors exist in the wild, there has been no evidence or indications this group is continuing to target electric utilities.[51] The group has not shown an ICS-specific capability at this time. While technical activity linked to COVELLITE behaviors exist in the wild, there has been no evidence or indications this group is continuing to target electric utilities.[51] ----- **THE ICS LANDSCAPE AND THREAT ACTIVITY GROUPS** |Col1|Col2|Col3|Col4|Col5|Col6|Col7|Col8|Col9|Col10|Col11|Col12|Col13|Col14|Col15| |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| |||||||||||||||| |||||||||||||||| |||||C|O|V|E|L|L|I|T|E||| |||v||||||||||||| |||||||sin|c|e|20|17||||| |||||||||||||||| |||||||||||||||| |||||||||||||||| ||MOD|E OF OPE|R|AT|IO|N||||||||| ||IT co|mpromise|w|it|h h|ar|de|n|ed|a|nti|-||| ||analy|sis malwa|re|a|ga|in|st|in|du|st|ria|l||| ||orgs|||||||||||||| |||||||||||||||| ||CAP|ABILITIES||||||||||||| ||Enco|ded binari|es|in|d|oc|u|me|nt|s,||||| ||evasi|on techni|qu|es||||||||||| |||||||||||||||| |||||||||||||||| ||VICT|IMOLOGY||||||||||||| ||Elect|ric Utilities|,|US||||||||||| |||||||||||||||| ||LINK|S||||||||||||| |||||||||||||||| ||Laza|rus, Hidde|n|Co|br|a||||||||| 
|||||||||||||||| COVELLITE is linked to the Lazarus ###### COVELLITE Group, which third-parties attribute to v since 2017 North Korean state interests. Due to a lack of recent ICS targeting observed by this MODE OF OPERATION group, it is possible COVELLITE evolved IT compromise with hardened anti- analysis malware against industrial into a new activity group with different orgs TTPs and targeting focus. Dragos will CAPABILITIES continue to monitor COVELLITE and Encoded binaries in documents, evasion techniques potentially associated groups and VICTIMOLOGY behaviors that may be reflected in future Electric Utilities, US operations against ICS targets. LINKS Lazarus, Hidden Cobra ----- ###### CONCLUSION Dragos anticipates activity targeting and affecting ICS to increase into 2020 and further. We expect to see more adversaries expand their focus to additional critical infrastructure and industrial environments, which will likely align with activity associated with military or geopolitical conflict. Although defenders continue to gain insight through OT-specific detection and monitoring platforms, it is imperative we continue to improve visibility into activities and threats impacting critical infrastructure. Although 2019 did not produce a disruptive or destructive attack with an impact like CRASHOVERRIDE or TRISIS, Dragos expects adversaries to be developing such capabilities and will likely leverage them for disruptive effects in the future. Despite adversaries continuing to evolve and develop their capabilities, Dragos anticipates continued collaboration with our partners, clients, and the community at large to improve cybersecurity awareness and better secure industrial control systems. In 2020, we plan to continue embodying our mission to safeguard civilization. 
-----

###### APPENDIX

[1] https://dragos.com/adversaries/
[2] https://dragos.com/blog/industry-news/threat-proliferation-in-ics-cybersecurity-xenotime-now-targeting-electric-sector-in-addition-to-oil-and-gas/
[3] https://dragos.com/blog/industry-news/supply-chain-threats-to-industrial-control-third-party-compromise/
[4] https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/
[5] https://dragos.com/blog/industry-news/industrial-cyber-attacks-a-humanitarian-crisis-in-the-making/
[6] https://dragos.com/blog/industry-news/escalating-cyber-tensions-risk-human-life/
[7] https://dragos.com/resource/industrial-control-threat-intelligence-whitepaper/
[8] https://dragos.com/blog/industry-news/combating-cyber-attacks-with-consequence-driven-ics-cybersecurity/
[9] https://dragos.com/blog/industry-news/rising-cyber-escalation-between-us-iran-and-russia-ics-threats-and-response/
[10] https://dragos.com/blog/industry-news/threat-proliferation-in-ics-cybersecurity-xenotime-now-targeting-electric-sector-in-addition-to-oil-and-gas/
[11] https://dragos.com/resource/dragos-oil-and-gas-threat-perspective-summary/
[12] https://www.wired.com/story/iran-hackers-us-phishing-tensions/
[13] https://cyware.com/news/altran-technologies-hit-by-lockergoga-ransomware-attack-e1f90570
[14] https://www.bbc.com/news/business-48661152
[15] https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
[16] https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html
[17] https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/INV/Alerts/0619.pdf
[18] https://toronto.citynews.ca/video/2019/04/11/canadian-company-victim-of-apparent-cyber-attack/
[19] https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_10_19.pdf?ver=2019-12-23-134957-667
[20] https://www.cyber.gov.au/threats/advisory-2019-131-emotet-malware-campaign
[21] https://www.news24.com/SouthAfrica/News/joburg-prepaid-electricity-users-left-in-the-dark-as-city-power-crippled-by-computer-virus-20190725
[22] https://www.rheinmetall-automotive.com/en/press/press-releases/news-detail/news/regional-disruption-of-production-due-to-malware-at-rheinmetall-automotive/
[23] https://www.computerworld.dk/art/248774/kritisk-it-nedbrud-bliver-dyrt-for-demant-vurderer-it-sikkerhedsekspert-det-ligner-et-ransomware-angreb
[24] https://www.zdnet.com/article/major-german-manufacturer-still-down-a-week-after-getting-hit-by-ransomware/
[25] https://elpais.com/economia/2019/11/17/actualidad/1574027226_840148.html
[26] https://www.ibm.com/downloads/cas/OAJ4VZNJ
[27] https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
[28] https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers
[29] https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
[30] https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/
[31] https://www.wipro.com/consumer-packaged-goods/wipro-promax/
[32] https://dragos.com/year-in-review/
[33] https://www.wipro.com/consumer-packaged-goods/wipro-promax/
[34] https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
[35] https://doublepulsar.com/bluekeep-exploitation-activity-seen-in-the-wild-bd6ee6e599a6
[36] CVE-2019-11510, https://nvd.nist.gov/vuln/detail/CVE-2019-11510
[37] CVE-2019-1579, https://nvd.nist.gov/vuln/detail/CVE-2019-1579
[38] CVE-2018-13379, https://nvd.nist.gov/vuln/detail/CVE-2018-13379
[39] https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities
[40] https://www.france24.com/en/20190926-airbus-hit-by-series-of-cyber-attacks-on-suppliers
[41] https://collaborate.mitre.org/attackics/index.php/Main_Page
[42] http://www.diamondmodel.org/
[43] https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities
[44] https://www.zdnet.com/article/confirmed-north-korean-malware-found-on-indian-nuclear-plants-network/
[45] https://usa.kaspersky.com/about/press-releases/2019_dtrack-previously-unknown-spy-tool-hits-financial-institutions-and-research-centers
[46] https://securelist.com/my-name-is-dtrack/93338/
[47] https://attack.mitre.org/groups/G0074/
[48] https://attack.mitre.org/groups/G0049/
[49] https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/
[50] https://attack.mitre.org/groups/G0034
[51] https://dragos.com/resource/covellite/
[53] https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/
[54] https://attack.mitre.org/groups/G0034
[55] https://dragos.com/resource/covellite/