#### Cyber Threat Perspective

## MANUFACTURING SECTOR

**NOVEMBER 2020**

###### DRAGOS, INC.

[Intel@Dragos.com](mailto:Sales%40Dragos.com?subject=) | [@DragosInc](https://twitter.com/DragosInc)

-----

### EXECUTIVE SUMMARY

Cyber risk to the manufacturing sector is increasing, led by disruptive cyberattacks impacting industrial processes, intrusions enabling information gathering and process information theft, and new activity from Industrial Control Systems (ICS)-targeting adversaries. Dragos currently publicly tracks five ICS-focused activity groups targeting manufacturing: CHRYSENE, PARISITE, MAGNALLIUM, WASSONITE, and XENOTIME, in addition to various ransomware activities capable of disrupting operations.

Manufacturing relies on ICS to scale, function, and ensure consistent quality control and product safety. The sector produces crucial materials, finished goods, and medicine and is classified as critical infrastructure. Due to the interconnected nature of facilities and operations, an attack on a manufacturing entity can have ripple effects across the supply chain that relies on timely and precise production to support product fulfillment, health and safety, and national security objectives.

Ransomware adversaries are adopting ICS-aware functionality with the ability to stop industrial-related processes and cause disruptive – and potentially destructive – impacts. Dragos has not observed ICS-specific malware targeting manufacturing operations on the same scale or sophistication as that used in the disruptive TRISIS[1] and CRASHOVERRIDE[2] malware attacks that targeted energy operations in Saudi Arabia and Ukraine, respectively. However, known and ongoing threats to manufacturing can have direct and indirect impact on operations.

This report provides a snapshot of the threat landscape as of October 2020 and is expected to change in the future as adversaries and their behaviors evolve.
1 [TRISIS: Analyzing Safety System Targeting Malware – Dragos](https://www.dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/)
2 [CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack – Joe Slowik, Dragos](https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf)

-----

### KEY FINDINGS

- Ransomware with the ability to disrupt industrial processes is the biggest threat to manufacturing operations. Adversaries are increasingly adopting ICS-aware mechanisms within ransomware that could stop operations.
- Dragos publicly tracks five activity groups that target manufacturing.
- Disruptions within manufacturing industrial processes have supply chain implications that impact businesses and potentially operations elsewhere.
- The theft of proprietary and confidential manufacturing process details – often considered intellectual property – remains a high risk for manufacturers.
- A growing convergence of interconnected enterprise, operations, and process control networks contributes to a growing threat landscape.

#### Table of Contents

- Executive Summary (page 1)
- Key Findings (page 2)
- Activity Groups (page 3)
- ICS Malware (page 4)
- Threats to Manufacturing (page 5)
  - Ransomware (page 5)
  - Internet-Exposed Assets (page 6)
  - ICS Vulnerabilities (page 7)
  - IP Theft (page 7)
  - Third-Party/Supply Chain (page 8)
- IT/OT Convergence (page 9)
  - Network Segmentation (page 10)
  - Wi-Fi Connections (page 10)
  - Lack of Visibility (page 11)
- Defensive Recommendations (page 12)
- Conclusion (page 14)

-----

### ACTIVITY GROUPS

###### DRAGOS TRACKS AT LEAST FIVE PUBLICLY IDENTIFIED ACTIVITY GROUPS[3] TARGETING OR DEMONSTRATING INTEREST IN MANUFACTURING ENTITIES.

**CHRYSENE** targets manufacturing, petrochemical, oil and gas, and electric generation sectors. Targeting has expanded beyond the group's initial focus on the Persian Gulf region, and the group remains active in more than one area.[4]

**Links: APT 34, GREENBUG, OilRig[5]**

**MAGNALLIUM** has targeted energy, aerospace, and supporting entities since at least 2013. Although MAGNALLIUM has not specifically targeted manufacturing operations, chemical manufacturing processes are within the scope of victimology for this group. The activity group initially targeted firms based in Saudi Arabia but expanded targeting to include entities in Europe and North America, including U.S. electric utilities. MAGNALLIUM lacks an ICS-specific capability, but the group remains focused on initial IT intrusions.[6]

**Links: PARISITE, APT 33, Elfin[7]**

**PARISITE**, operating since 2017, targets manufacturing, electric utilities, aerospace, oil and gas entities, and government and non-governmental organizations. Its geographic targeting includes North America, Europe, and the Middle East.

**Links: MAGNALLIUM, Fox Kitten, Pioneer Kitten[8]**

**WASSONITE** targets manufacturing, electric generation, nuclear energy, and research entities in India, and likely South Korea and Japan. The group's operations rely on DTrack malware, credential capture tools, and system tools for lateral movement. WASSONITE has operated since at least 2018.

**Links: Lazarus Group, COVELLITE[9]**

**XENOTIME** compromised several ICS vendors and manufacturers, posing a potential supply chain threat.[10] This group is known for the TRISIS attack that caused disruption at an oil and gas facility in Saudi Arabia in August 2017. In 2018, XENOTIME activity expanded to include electric utilities in North America and the Asia Pacific region; oil and gas companies in Europe, the United States (U.S.), Australia, and the Middle East. Expanded activity also includes control system devices beyond the Triconex controllers targeted in the 2017 incident.

**Links: Temp.Veles[11]**

3 Dragos categorizes ICS-targeting activity into activity groups based on observable elements that include an adversary's methods of operation, infrastructure used to execute actions, and the targets they focus on. The goal, as defined by the Diamond Model of Intrusion Analysis, is to delineate an adversary by their observed actions, capabilities, and demonstrated impact – not implied or assumed intentions. These attributes create a construct around which defensive plans can be built.
At this time, two activity groups possess ICS-specific capabilities and tools to cause disruptive events: XENOTIME and ELECTRUM.

4 [CHRYSENE – Dragos](https://www.dragos.com/threat/chrysene/)
5 [OilRig – MITRE ATT&CK](https://attack.mitre.org/groups/G0049/)
6 [MAGNALLIUM – Dragos](https://www.dragos.com/threat/magnallium/)
7 [APT33 – MITRE ATT&CK](https://attack.mitre.org/groups/G0064/)
8 [Fox Kitten – Widespread Iranian Espionage-Offensive Campaign – ClearSky; Who is PIONEER KITTEN? – CrowdStrike](https://www.clearskysec.com/fox-kitten/)
9 [COVELLITE – Dragos](https://www.dragos.com/threat/covellite/)
10 [XENOTIME – Dragos](https://www.dragos.com/threat/xenotime/)
11 [TEMP.Veles – MITRE ATT&CK](https://attack.mitre.org/groups/G0088/)

-----

### THREATS TO MANUFACTURING

#### Ransomware

The most common threat to manufacturing is ransomware. Dragos observed a significant rise in the number of non-public and public ransomware events that have affected ICS environments and operations over the last two years.

This year, Dragos identified multiple ransomware strains adopting ICS-aware functionality, including the ability to "kill" (i.e., stop) industrial processes if identified in the environment, with activity dating back to 2019. EKANS,[15] Megacortex, and Clop are just a few ransomware strains that contain this type of code.[16] Past concerns with ransomware in ICS focused on propagation. IT-focused ransomware could impact control system environments if it is able to migrate into Windows-based portions of control system networks and disrupt operations.

**EKANS and other ICS-aware ransomware represent a unique and specific risk to industrial operations not previously observed in ransomware operations.**

In 2020, the number of publicly reported ransomware attacks on manufacturing entities has more than tripled compared to 2019, based on data tracked by Dragos. Although most ransomware strains impacting ICS and related entities are IT-focused, ransomware can have indirect impacts on operations and process control networks by impacting resources such as logistics, fleet management, sales operations and fulfillment, or loss of view to enterprise resource management tools. For example, enterprise technologies like Enterprise Resource Planning (ERP) software are integrated with data historians containing process data to distribute information across a company. By encrypting ERP and related files on a workstation, a ransomware adversary could stop vital communication and record keeping, indirectly impacting manufacturing process and logistics operations.

###### CASE STUDY

On 04 March 2020, a Ryuk infection at the manufacturer EVRAZ impacted North American operations including email, shipping, product certification, internet availability, and corporate networks. The attack resulted in shutdowns of steel and pipe divisions, and temporary layoffs for over 1,000 workers for at least four days.[17]

Ransomware operators are increasingly incorporating data theft techniques into their campaigns to further ransom demands. An adversary may steal data from a target company before encrypting infected machines and threaten to publish the data online either on adversary-run websites or hacking forums if a ransom demand is not paid. This method could encourage companies to pay ransoms demanded by hackers. Data stolen or leaked by adversaries could contain sensitive information on the target company such as proprietary process details and information about its equipment suppliers. Although a ransomware adversary may only be interested in leveraging data for financial purposes, adversaries interested in specifically targeting manufacturing operations could use leaked data to aid in attack development. For example, an adversary could use customer data to identify potential opportunities for third-party or supply chain compromise. Data like schematics, process details, network diagrams, or other internal documentation could be used to identify targets for operational gain and assess the level of obscurity a target has from internal and external resources.

Ransomware is not just for financially motivated operators. State-sponsored actors may also leverage ransomware in cyber operations targeting manufacturers. In May 2020, the Republic of China (Taiwan) government attributed ransomware events targeting oil and gas and semiconductor companies to the Winnti Group,[18] a threat group that is likely state-associated. The LockerGoga ransomware attack on Norsk Hydro in 2019 may have been the work of state-sponsored adversaries aiming to cause disruption rather than make money from the operation.[19]

15 [EKANS Ransomware and ICS Operations – Dragos](https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/)
16 [Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families – FireEye](https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html)
17 [Evraz Steel shuts down Regina plant after continent-wide computer hack – 980 CJME](https://www.cjme.com/2020/03/05/ransom-ware-attack-at-evraz-could-bring-layoffs-to-regina-plant/); One of Roman Abramovich's companies got hit by ransomware – ZDNet

-----

#### Internet-Exposed Assets

Industrial and networking assets exposed to the internet are a high risk for manufacturing that can facilitate initial access to a victim environment.
Various tracked ICS-targeting activity groups – PARISITE, MAGNALLIUM, ALLANITE, and XENOTIME – have previously targeted or currently attempt to exploit remote access technology or logon infrastructure. According to the 2019 Dragos Year in Review report detailing lessons learned from the incident response and services team, 66 percent of incident response cases involved adversaries directly accessing the ICS network from the internet, and 100 percent of organizations had routable network connections into their operational environments.[20]

Recent cyber intrusions targeting water infrastructure[21] in Israel were the result of Programmable Logic Controllers (PLCs) exposed to the open internet. Dragos also responded to ransomware events at industrial entities that leveraged internet-connected remote access portals to infiltrate the operations network and deploy ransomware.

In July 2020, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) published an alert encouraging asset owners and operators to take immediate actions restricting exposure of OT assets to the internet.[22] According to the alert, behaviors observed recently before publication include:

- spearphishing to gain initial access to Information Technology (IT) before pivoting to Operational Technology (OT),
- deploying commodity ransomware to impact both IT and OT environments,
- connecting to internet accessible PLCs that require no authentication,
- using common ports and standard application layer protocols to communicate with controllers and download modified control logic,
- using vendor engineering software and program downloads, and
- modifying control logic and parameters on programmable logic controllers.
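The exposures the alert and the Year in Review finding above describe (routable paths from ICS networks to the internet, internet-reachable PLCs on standard control ports, and RDP into operations networks) are the kind of thing a defender can surface from ordinary flow records. The script below is an added example, not Dragos's tooling or code from this report: the zone ranges, the jump-host allowlist, the log format, and every address in it are constructed, and it also checks ICS-to-Active-Directory reachability, the segmentation weakness the EKANS case study later in the report points to.

```python
"""Zone-aware flow triage for a manufacturing network (constructed example).

Runs constructed flow records through a simple zone model to surface the
exposures the report describes: ICS assets with a routable path out to the
internet, external hosts reaching controllers over control-protocol ports,
enterprise hosts opening RDP into the ICS zone, and ICS hosts that can reach
enterprise directory services. Zone ranges, the jump-host allowlist, the log
format and every address below are constructed for illustration only.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed zone model (hypothetical plant addressing).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "ics": ipaddress.ip_network("192.168.100.0/24"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Sanctioned remote-access source permitted to RDP into the ICS zone (constructed).
ALLOWED_RDP_SOURCES = {"10.10.0.99"}

RDP_PORT = 3389
# Common control-protocol ports: Modbus/TCP, Siemens S7comm, EtherNet/IP.
ICS_PROTOCOL_PORTS = {502, 102, 44818}
# Kerberos and LDAP: what a domain-joined host touches to reach Active Directory.
DIRECTORY_PORTS = {88, 389}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(addr: str) -> str:
    """Map an address to a modelled zone, an unmodelled private range, or 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    if any(ip in net for net in RFC1918):
        return "unmodelled-private"
    return "external"


def triage(flow: Flow) -> list[str]:
    """Return zero or more finding labels for one flow record."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    findings: list[str] = []
    # A routable path from the ICS zone to the internet (outbound beaconing, updates).
    if src_zone == "ics" and dst_zone == "external":
        findings.append("ics-to-external")
    # An external host reaching an ICS device directly; worse when it is a control port.
    if src_zone == "external" and dst_zone == "ics":
        findings.append(
            "external-to-ics-protocol" if flow.dport in ICS_PROTOCOL_PORTS else "external-to-ics"
        )
    # Enterprise-to-ICS RDP from anything other than the sanctioned jump host.
    if (src_zone == "enterprise" and dst_zone == "ics"
            and flow.dport == RDP_PORT and flow.src not in ALLOWED_RDP_SOURCES):
        findings.append("enterprise-rdp-into-ics")
    # ICS host that can reach enterprise directory services (AD reachability).
    if src_zone == "ics" and dst_zone == "enterprise" and flow.dport in DIRECTORY_PORTS:
        findings.append("ics-to-enterprise-directory")
    return findings


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst dport proto' record (constructed log format)."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = """\
192.168.100.12 203.0.113.7 443 tcp
203.0.113.50 192.168.100.21 502 tcp
10.10.4.8 192.168.100.30 3389 tcp
10.10.0.99 192.168.100.30 3389 tcp
192.168.100.40 10.10.1.10 389 tcp
192.168.100.12 192.168.100.21 502 tcp
"""


def triage_log(text: str) -> dict[str, list[str]]:
    """Group offending flows by finding label; clean flows produce no entry."""
    report: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        for label in triage(flow):
            report.setdefault(label, []).append(f"{flow.src} -> {flow.dst}:{flow.dport}")
    return report


if __name__ == "__main__":
    for label, hits in triage_log(SAMPLE_FLOWS).items():
        print(label)
        for hit in hits:
            print("   ", hit)
```

Pointing the script at a real export means replacing the zone table with the plant's own addressing and the allowlist with the sanctioned remote-access hosts; the intra-ICS Modbus flow in the sample is included to show that normal cell-to-controller traffic produces no finding.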
18 [Investigation Statement on Ransomware Attacks Against Major Domestic Enterprises (國內重要企業遭勒索軟體攻擊事件調查說明) – Taiwan Ministry of Justice Investigation Bureau; Bureau Names Ransomware Culprits – Taipei Times](https://www.mjib.gov.tw/news/Details/1/607)
19 [Spyware, Stealer, Locker, Wiper: LockerGoga Revisited – Joe Slowik, Dragos](https://www.dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf)
20 [Dragos Year In Review 2019 Lessons Learned – Dragos](https://www.dragos.com/wp-content/uploads/Lessons_Learned_from_the_Front_Lines_of_ICS_Cybersecurity.pdf?hsCtaTracking=ea40a828-084b-4ee9-a0fc-0908864d3f8e%7C4eafb14d-2e38-44e0-9e6d-08c2aea4a480)
21 [Hackers Target PLCs and SCADA Systems at Water Facilities in Israel – Control Automation](https://control.com/news/hackers-target-water-sector-facilities-in-israel/)
22 [NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems – U.S. Department of Defense](https://media.defense.gov/2020/Jul/23/2002462846/-1/-1/1/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF)

-----

###### CASE STUDY

Adversaries are quick to weaponize and exploit vulnerabilities in internet-facing services including Remote Desktop Protocol (RDP) and VPN services. New vulnerabilities revealed in the summer of 2020 impacting critical network infrastructure services, including F5, Palo Alto Networks, Citrix, and Juniper network devices, will likely be exploited by ICS-targeting adversaries, if they are not already.[23] These vulnerabilities can enable adversaries to gain initial access to enterprise operations and potentially pivot into industrial operations.

#### ICS Vulnerabilities

cause a loss of view and/or loss of control within a compromised environment. Of the vulnerabilities assessed by Dragos impacting manufacturing industrial equipment, 70 percent require access to the victim network to exploit, 26 percent require an adversary to have access to the vulnerable device itself, and 8 percent require an adversary to be on the local area network to facilitate exploitation.
Asset owners and operators are encouraged to be aware of the threat these vulnerabilities pose to manufacturing operations. A loss of view or control, for instance, may cause safety concerns and potentially put workers' lives or the environment at risk.

#### IP Theft

Dragos assesses with high confidence that intellectual property theft and industrial espionage are major threats to manufacturing entities, especially by state-sponsored adversaries and malicious insiders. In the 2018 report Foreign Economic Espionage in Cyberspace,[24] the U.S. National Counterintelligence and Security Center stated China, Russia, and Iran are "...three of the most capable and active cyber actors tied to economic espionage and the potential theft of U.S. trade secrets and proprietary information." For example, insiders working on behalf of Chinese state interests have stolen or attempted to steal data from manufacturing and related entities including Dow Chemical,[25] wind turbine manufacturer Sinovel Wind Group,[26] GlaxoSmithKline,[27] and biopharmaceutical company Genentech.[28] In July 2020, the U.S. Department of Justice (DOJ) published an indictment charging two Chinese nationals with hacking hundreds of victim organizations globally for over a decade on behalf of the Ministry of State Security and other Chinese government interests. Manufacturing and related companies accounted for at least five of the targeted victims, in addition to multiple other ICS entities.

The adversaries operating under the Winnti Group umbrella have targeted manufacturing and other industrial entities globally, conducting initial access and espionage operations. The information could support China's Belt and Road Initiative (BRI), a massive land and sea infrastructure and economic development project across Asia, Europe, the Indian Ocean, the South Pacific, and East Africa.

###### CASE STUDY

In 2019, Bayerischer Rundfunk reported adversaries infiltrated automotive manufacturers BMW and Hyundai. These adversaries were linked to Vietnamese interests.[29] Car manufacturer VinFast – a subsidiary of VinGroup, the Vietnamese conglomerate with close ties to the country's government[30] – had recently closed a deal with BMW to license the carmaker's technology, architecture, and an engine, but not the manufacturing process or sequencing automation details.[31] It is possible adversaries were looking for data to further enrich the automotive manufacturing data already obtained by VinFast to improve production quality, though this is not confirmed. According to BMW, no sensitive data was obtained.

23 [Caught In The Middle With You – Joe Slowik, Dragos](https://www.youtube.com/watch?v=0OlLsvMlUXQ&feature=youtu.be)
24 [Foreign Economic Espionage in Cyberspace – NCSC](https://www.dni.gov/files/NCSC/documents/news/20180724-economic-espionage-pub.pdf)
25 [Ex-Dow Scientist Is Convicted of Selling Secrets in China – New York Times](https://www.nytimes.com/2011/02/08/business/global/08bribe.html)
26 [Chinese Company Sinovel Wind Group Convicted of Theft of Trade Secrets – U.S. DOJ](https://www.justice.gov/opa/pr/chinese-company-sinovel-wind-group-convicted-theft-trade-secrets)
27 [Second Former Glaxosmithkline Scientist Pleads Guilty to Stealing Trade Secrets to Benefit Chinese Pharmaceutical Company – U.S. DOJ](https://www.justice.gov/usao-edpa/pr/second-former-glaxosmithkline-scientist-pleads-guilty-stealing-trade-secrets-benefit)
28 [Former Genentech Employees Charged With Theft Of Trade Secrets – U.S. DOJ](https://www.justice.gov/usao-ndca/pr/former-genentech-employees-charged-theft-trade-secrets)

The coronavirus pandemic is also causing an increase in attacks targeting manufacturing-related entities.
As countries race to develop a vaccine for the pandemic that has killed more than one million people globally, adversaries have increasingly targeted pharmaceutical and healthcare organizations to steal ongoing research and development related to the virus and potential vaccines.[32] Currently, publicly reported attacks targeting entities researching and/or developing coronavirus vaccines and prevention have demonstrated intrusion and reconnaissance activities within enterprise resources, which could facilitate movement into operations or vaccine production tampering or disruption in a worst-case scenario.

Theft of IP and trade secrets related to process and automation functions can enable industrial organizations and interested states and governments to fast-track development of critical infrastructure, including manufacturing. It can also support state-sponsored espionage activities for political or national security efforts. Obtaining material specifications for products is likely not enough to replicate them. Businesses rely on engineering and industrial design schematics, and sequencing automation details. According to Dragos researchers, adversaries may want to steal the algorithms, engineering designs, and programming specifications to replicate the entire production process, not just the material goods and services output.

#### Third-Party/Supply Chain

Since 2017, multiple threats migrated toward compromising vendors, Managed Service Providers (MSPs), and external network services as the first step in victim compromise.
29 [Automotive industry in hackers' sights: BMW spied on (Autoindustrie im Visier von Hackern: BMW ausgespäht) – BR](https://www.br.de/nachrichten/wirtschaft/fr-autoindustrie-im-visier-von-hackern-bmw-ausgespaeht,RjnLkD4)
30 [The Rise and Rise of a Vietnamese Corporate Empire – FT](https://www.ft.com/content/84323c32-9799-11e9-9573-ee5cbb98ed36)
31 [VinFast – Follow The Birth of a Car Company Using BMW Tech and Italian Design from Pininfarina – TopSpeed](https://www.topspeed.com/cars/car-news/vinfastfollow-the-birth-of-a-car-company-using-bmw-tech-and-italian-design-from-pininfarina-ar182463.html)
32 [Exclusive: Iran-linked hackers recently targeted coronavirus drugmaker Gilead – sources – Reuters](https://www.reuters.com/article/us-healthcare-coronavirus-gilead-iran-ex/exclusive-iran-linked-hackers-recently-targeted-coronavirus-drugmaker-gilead-sources-idUSKBN22K2EV); [DOJ says Chinese hackers targeted coronavirus vaccine research – Politico](https://www.politico.com/news/2020/07/21/doj-chinese-hackers-coronavirus-research-375855); Advisory: APT29 targets COVID-19 vaccine development – NCSC; Chinese hackers accused of stealing information from Spanish centers working on Covid-19 vaccine – El País

-----

Adversaries can abuse existing trust relationships and interconnectivity to gain access to sensitive resources – including ICS systems in some cases – with little likelihood of detection. Examples of this activity include activity groups DYMALLOY and ALLANITE, which compromised vendors and contractors for subsequent phishing campaigns targeting the electric sector,[33] XENOTIME, which targeted several original equipment manufacturers and vendors, and a widespread hacking campaign by APT10 that hijacked connections between MSPs and their customers, which included manufacturing organizations.[34]

Contractors, vendors, and other third-party individuals often have direct access to operational environments for activities like updates, inspections, or new equipment installations.
It is possible for adversaries to compromise equipment used by these individuals as an access point into their ultimate target.

###### CASE STUDY

In 2018, a shipping industry group detailed an incident in which a bunker surveyor accidentally infected shipboard computers with malware.[35] The ship had completed bunkering operations, transporting oil to another ship, and the bunker surveyor came aboard to conduct quality assurance and documentation efforts. The surveyor asked to use a host in the engine control room to print documents and inserted a USB drive containing malware. The ship operators did not identify the malware until a subsequent cybersecurity assessment.

Enterprise Resource Planning (ERP) providers also provide potential infection vectors that could bridge the IT and OT gap if proper segmentation and security are not in place. ERP services require access to operations assets like data historians to monitor and store information relating to production, supply chain, inventory, and safety. They should be integrated into enterprise functions, like compliance or finance. Recent vulnerability exposures highlight the threat and potential exploitation of these systems. In July 2020, major ERP provider SAP published details and patches for a critical vulnerability affecting the SAP NetWeaver Application Server (AS) Java component impacting numerous SAP business solutions, including ERP. An adversary could use the vulnerability to take control of trusted SAP connections.[36]

Manufacturing entities are part of a global supply chain supporting multiple other industries, making them a target for adversaries targeting industries like electric utility or pharmaceutical. Some manufacturing companies' activities stretch into multiple industrial verticals.
Automotive manufacturer Volkswagen in 2019 became a renewable power provider and aims to compete with energy companies on battery energy storage and management.[37]

Leveraging third-party connections can enable an adversary to conduct espionage, reconnaissance, and data theft operations to pre-position themselves for a potentially disruptive OT attack. Due to the interconnected relationships manufacturing companies have across industrial verticals, asset owners and operators should be aware of threats to all ICS entities and incorporate ICS-specific threat intelligence into security operations and risk management.

33 [America's Electric Grid has a Vulnerable Back Door – and Russia Walked Through It – The Wall Street Journal](https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112)
34 [Inside the West's failed fight against China's 'Cloud Hopper' hackers – Reuters](https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/)
35 [The Guidelines on Cyber Security Onboard Ships – International Chamber of Shipping](https://www.ics-shipping.org/docs/default-source/resources/safety-security-and-operations/guidelines-on-cyber-security-onboard-ships.pdf?sfvrsn=16)
36 [Critical Vulnerability in SAP NetWeaver AS Java – CISA](https://us-cert.cisa.gov/ncas/alerts/aa20-195a)
37 [Volkswagen plans to tap electric car batteries to compete with power firms – Reuters](https://www.reuters.com/article/us-volkswagen-electric-energy/volkswagen-plans-to-tap-electric-car-batteries-to-compete-with-power-firms-idUSKBN20Z2D5)

-----

### IT/OT CONVERGENCE

#### Network Segmentation

environments, and a lack of access restrictions, malware wormed its way through industrial operations causing billions of dollars in losses. Although the WannaCry and NotPetya events served as a wakeup call across manufacturers globally, three years later improper network segmentation remains an issue.
###### CASE STUDY

In 2020, Dragos observed EKANS ransomware incorporating domain checks to identify if a victim network's Windows Active Directory (AD) instance could be contacted. Honda was one of its victims, and the ransomware disrupted the automotive manufacturer's operations across five countries. This suggests poor network segmentation in at least parts of its global operations.[39]

#### Wi-Fi Connections

In addition to internet-connected process automation and other "smart" manufacturing processes, operators are adopting Wi-Fi-enabled machine tools and diagnostic equipment that enable workers to move around plants and factories without tripping over power cords. Internet-connected tools connect to historian databases for quality assurance, regulatory, and logistics purposes, among others. Often these tools are connected to enterprise or operations resources and can be used as network access points or targeted in an attack meant to

39 [Honda's global operations hit by cyber-attack – BBC](https://www.bbc.com/news/technology-52982427)

-----

### DEFENSIVE RECOMMENDATIONS

- Passively identify and monitor ICS network assets to identify key assets, chokepoints, and external communications in the network.
- Look for threat behaviors and known Tactics, Techniques, and Procedures (TTPs) that adversaries targeting manufacturing use, like those mapped to MITRE® ATT&CK for ICS.
- Monitor outbound communications from ICS networks to detect malicious threat behaviors, indicators, and anomalies. Understanding malicious behaviors exhibited by threat activity groups is crucial for defending against them.
- Identify and label critical ICS assets to aid with detection and monitoring. Dragos Asset Identification allows for certain analytics to function by detecting malicious behaviors against asset types.
- Leverage industrial-specific threat detection mechanisms to identify malware within OT and reinforce defense-in-depth strategies at the network level, leading to a more robust investigation ability for defenders and analysts.
- Ensure corporate networks are patched to prevent malware infections from entering the environment and to prevent subsequent propagation.
- Ensure that critical network services, such as Active Directory (AD) and the servers hosting it, are well-defended and that administrative access to hosting devices is restricted to the greatest degree possible.
- Evaluate and limit AD federation and sharing between IT and ICS networks to

-----

### CONCLUSION

A concerning upward trend exists of ransomware targeting manufacturing companies and leading to operations disruptions. Internet-exposed assets, supply chain and third-party compromise risks, and a growing convergence of interconnected enterprise and operations networks are contributing to a growing threat landscape.

Dragos continues to monitor malicious activity groups and threats targeting manufacturing operations, including concerning ICS-aware ransomware capable of disrupting operations. Additionally, adversaries do not need to specifically target industrial processes to achieve widespread disruption across plants, fleets, or automation processes, as detailed in this report. Dragos assesses with high confidence the threats to manufacturing will continue to increase over the next year.

###### TO LEARN MORE ABOUT DRAGOS AND OUR TECHNOLOGY, SERVICES, AND THREAT INTELLIGENCE FOR THE MANUFACTURING SECTOR, PLEASE VISIT WWW.DRAGOS.COM.

# THANK YOU