{
	"id": "b4877726-2d38-4b1d-ab8c-e47e4e3394c5",
	"created_at": "2026-04-06T00:07:56.429896Z",
	"updated_at": "2026-04-10T03:37:09.394296Z",
	"deleted_at": null,
	"sha1_hash": "a6a2bbb8b5d768c347cc5169ae72cf237439279e",
	"title": "2022 ICS/OT Threat Landscape Recap \u0026 What to Watch for This Year",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4958448,
	"plain_text": "2022 ICS/OT Threat Landscape Recap \u0026 What to Watch for This\r\nYear\r\nBy Dragos, Inc.\r\nPublished: 2023-04-14 · Archived: 2026-04-05 17:09:44 UTC\r\nOur annual 2022 ICS/OT Threat Landscape webinar, moderated by Dr. Thomas Winston, Director of Intelligence\r\nContent, and delivered by Kent Backman, Principal Adversary Hunter, and Josh Hanrahan, Senior Adversary\r\nHunter, covers the significant events and activity reported by the Dragos Threat Intelligence team in our 2022\r\nICS/OT Cybersecurity Year in Review report. This blog highlights the main topics and trends shared in our recent\r\nwebinar, including new and active adversary threats targeting industrial infrastructure, malware and tools used in\r\ndifferent attack stages, and vulnerabilities targeted for compromise.\r\nHeightened ICS/OT Adversary Activity\r\nDragos Threat Intelligence tracks threat groups that attempt to gain access to ICS/OT environments or conduct\r\nactivity that can be used to facilitate future threats to industrial infrastructure. Dragos adversary hunters are\r\ncurrently tracking 20 ICS/OT threat groups, up from five threat groups in 2017.\r\nIn 2022, the industrial community experienced a shift in the cyber threat landscape that was ushered in by\r\nincreasingly homogenous operational technology (OT) infrastructures and knowledgeable adversaries targeting\r\nindustrial control systems (ICS). Compounding on previous years, last year saw the discovery of new ICS-specific\r\nmalware, new threat groups targeting industrial organizations, and adaptive adversary campaigns leveraging\r\nweaknesses in the industrial community’s defenses. 
As a result, heightened attention is required to safeguard\r\nagainst disruptions in electric grids, oil pipelines, water systems, and manufacturing plants that can place human\r\npopulations at risk.\r\nICS/OT Malware Development Capabilities Evolve\r\nDragos Threat Intelligence is focused on the threat groups exploiting OT networks and ICS devices, and the\r\nindustries they are targeting for that purpose. A cyber attack in OT requires an understanding of the ICS/OT\r\nenvironment: adversaries need knowledge of devices and systems and how they communicate, and they need to be\r\nable to use that knowledge to manipulate physical processes and create an impact. Several threat groups developed\r\nnew malware capabilities specifically designed for executing attacks on industrial and critical infrastructure.\r\nPIPEDREAM Malware – First Cross-Industry Attack Framework\r\nIn April of 2022, Dragos and a partner announced the discovery of PIPEDREAM — a cross-industry industrial\r\ncontrol system (ICS) attack framework developed by the threat group CHERNOVITE explicitly to attack\r\nindustrial infrastructure. Dragos identified and analyzed PIPEDREAM’s capabilities through our daily business\r\nand in collaboration with various partners in early 2022. PIPEDREAM is the seventh known ICS-specific\r\nhttps://www.dragos.com/blog/2022-ics-ot-threat-landscape-recap-what-to-watch-for-this-year/\r\nPage 1 of 6\n\nmalware, and the fifth malware specifically developed to disrupt industrial processes. 
Given the right operational\r\nconditions, PIPEDREAM could be used for destructive effects, but it was found before it was employed.\r\nInitially developed to compromise devices used in the electric industry, as well as oil and gas, PIPEDREAM\r\nrepresents a new evolution in malware development as the first cross-industry scalable ICS malware with\r\ndisruptive capabilities and could easily be adapted for other industries.\r\nIndustrial Infrastructure Recon, Initial Access, C2 Activity in 2022\r\nExecuting an impact on industrial control systems can require extensive research and development. Adversaries\r\noften conduct reconnaissance to gain information and initial access to networks to execute a future attack on their\r\nICS/OT targets. That takes time. Moreover, attacks on ICS/OT also do not require intent, so OT networks may be\r\n“targets of opportunity.” Even when an adversary accidentally stumbles onto an OT environment, there is still a\r\nrisk to that environment. In 2022, Dragos observed activity from multiple threat groups targeting industrial\r\norganizations globally for reconnaissance, initial access, and long-term persistence leveraging signature\r\ntechniques, along with the development of new capabilities and attack patterns.\r\nBENTONITE – NEW THREAT GROUP TARGETING OIL \u0026 GAS,\r\nMANUFACTURING IN THE U.S. SINCE 2021\r\nBENTONITE is a highly opportunistic group conducting offensive\r\noperations for espionage. In 2022, BENTONITE was observed exploiting\r\nLog4j and VMWare Horizons vulnerabilities in remote access devices and\r\ninternet-facing assets. Once initial access is achieved, BENTONITE installs\r\na downloader-type malware, and the downloader implant retrieves additional\r\nmalware from an adversary created Github account that allows BENTONITE\r\nto gain command and control, conduct reconnaissance, and perform\r\ninteractive operations. 
BENTONITE has in the past caused disruptive effects\r\nfrom ransomware and wiper malware, but for different objectives.\r\nKOSTOVITE – SINCE 2021\r\nKOSTOVITE compromises internet-exposed remote access and is skilled in\r\nlateral movement \u0026 initial access operations into ICS/OT. Dragos observed\r\nthe activities of multiple adversaries in 2022 sharing common infrastructure with\r\nKOSTOVITE. APT5, a KOSTOVITE-linked group, was observed actively\r\nexploiting a zero-day in Citrix perimeter access devices, and has bypassed\r\nIvanti Pulse Secure, Palo Alto, Fortinet, Sophos, and Sonicwall edge devices,\r\nsometimes living off the land inside their target networks, undiscovered, for\r\nmonths.\r\nXENOTIME – SINCE 2014\r\nXENOTIME has demonstrated the capability of executing disruptive ICS\r\nattacks, such as the 2017 TRISIS incident. TRISIS, the 5th ICS-specific\r\nmalware, was deployed in an industrial facility in the Middle East by a well-funded attack team. This malware targeted safety instrumented systems (SIS)\r\nand was the first malware to specifically target human life, but it ultimately\r\nfailed to disrupt operations at that facility. In 2022, XENOTIME conducted\r\nreconnaissance focused on oil and natural gas, and liquefied natural gas\r\nindustries. XENOTIME makes heavy use of off-the-shelf tools and open-source information sources. This threat group is currently in the development\r\nphase and continues to target downstream \u0026 midstream oil \u0026 gas/liquid\r\nnatural gas, with a focus on pipeline, maritime, refining.\r\nKAMACITE – SINCE 2014\r\nKAMACITE facilitated the 2015 and 2016 Ukraine power events with\r\nELECTRUM and can execute Stage 1 of the ICS Cyber Kill Chain and pivot\r\nto OT networks. 
In early 2022, KAMACITE targeted vulnerabilities in\r\nWatchGuard and ASUS firewall and router devices used in small/home office\r\ndevices with CYCLOPS BLINK malware. In May, KAMACITE targeted\r\nanother set of routers and IP cameras for initial access, independent of\r\nCYCLOPS BLINK operations. Then, in June 2022, KAMACITE was\r\nobserved communicating with the same oblenergo targeted in the 2015 Ukraine\r\ncyber attack. Last year, despite a primary focus on the electric sector,\r\nKAMACITE’s CYCLOPS BLINK infrastructure was observed\r\ncommunicating with victims in natural gas, rail, aerospace, food \u0026 beverage\r\nmanufacturing, automotive, and the U.S.\r\nERYTHRITE – SINCE 2021\r\nERYTHRITE targets industrial infrastructure companies with search engine\r\noptimization (SEO) poisoning campaigns and credential stealing and remote\r\naccess malware throughout 2022, opening the door for this threat group to\r\nsupply credentials, sensitive information, and remote access to OT\r\nenvironments to third parties. ERYTHRITE has a high volume of activity\r\nand uses hundreds of thousands of vulnerable, otherwise legitimate websites\r\nas part of their adaptable SEO poisoning campaigns. From there,\r\nERYTHRITE deploys custom, rapidly refreshed. This credential stealing and\r\nremote access malware could be deployed in an OT environment for many\r\nmonths before it is detected.\r\nWASSONITE – SINCE 2018\r\nWASSONITE has primarily focused their activity on a wide range of\r\nindustrial sectors in South and East Asia, with an interest in nuclear energy,\r\nelectric, oil \u0026 gas, advanced manufacturing, pharmaceutical, and aerospace\r\nindustries. As recently as October 2022, Dragos analyzed WASSONITE’s\r\nnuclear-energy themed spear phishing lures that are used for the deployment\r\nof customized variants of the AppleSeed backdoor remote access tool. 
These\r\ncustomized variants demonstrated significant knowledge of industrial\r\noperations, including hard-coded credentials and non-public IP addresses.\r\nOnce deployed, the AppleSeed backdoor allows WASSONITE to take\r\nscreenshots, log keystrokes, and collect information and files. It can also\r\nupload, download, and execute follow-on commands from a command and\r\ncontrol (C2 server). WASSONITE has been observed using Mimikatz and\r\nother system tools for lateral movement and file transfers.\r\nRansomware Risk to Industrial Organizations\r\nRansomware continued to pose financial and operational risks to industrial organizations worldwide in 2022. Of\r\nall the industrial sectors in 2022, ransomware groups targeted the manufacturing industry more than any other,\r\nnearly twice as much as the other industrial groups combined, with 72 percent of attacks impacting\r\nmanufacturers.\r\nRansomware attacks impacted these sectors the most in 2022:\r\nManufacturing – 72 percent of attacks (437 ransomware attacks)\r\nFood \u0026 Beverage – 9 percent (52 ransomware attacks)\r\nEnergy – 5 percent (29 ransomware attacks)\r\nPharmaceuticals – 4 percent (27 ransomware attacks)\r\nOil \u0026 Gas – 3 percent (21 ransomware attacks)\r\nRansomware in the Manufacturing Sector\r\nThe manufacturing sector is not only the hardest hit by ransomware attacks, but manufacturers are also often the\r\nleast mature in their OT security defenses. In fact, from Dragos services engagements in 2022, when we look\r\nacross the manufacturing industry, 89 percent of manufacturers have limited visibility over their networks and\r\nassets and are not able to detect threats in their environment. A full 82 percent of the manufacturing industry has\r\npoor network segmentation making it easy for ransomware adversaries to pivot to OT. Finally, 82 percent do not\r\nhave secure remote connections, and 73 percent are still sharing passwords. 
This is concerning when disruption of\r\nonly a few days can have a significant impact on manufacturers and can affect their bottom line. Not only that, but\r\nit can also have an impact on the manufacturing supply chain. In February 2022, Kojima Industries Corp, a\r\nsupplier of Toyota’s plastic parts and electronic components, was the victim of a ransomware attack. When\r\nKojima suspended operations, the just-in-time and Kanban of Toyota production systems resulted in the\r\nsuspension of Toyota operations as well when they were unable to source the parts needed to continue.\r\nMoves \u0026 Changes in the Ransomware Space\r\nThe demise of Conti and the introduction of a new version of Lockbit, Lockbit 3.0. Black Basta and several other\r\nransomware groups targeting industrial control systems and operational technologies restructured “the\r\nransomware industry” in 2022.\r\nDespite leading strong with 58 attacks in the early part of 2022, Conti shut down operations in May after declaring\r\nalignment with the Russian Federation. Lockbit quickly took up the mantle – their activity accounted for 169\r\nincidents, or 28 percent of ransomware attacks in 2022. The launch of Lockbit 3.0 helped encourage growth in the\r\nransomware space, reducing the barriers to entry for any adversary to participate in Lockbit 3.0 affiliate\r\nenterprises. Making matters worse, the builder used to develop Lockbit 3.0 was leaked online, making it easier for\r\neven unskilled adversaries to start up their own ransomware group. 
Dragos observed activity targeting industrial\r\norganizations from 39 different ransomware groups in 2022, and there is the potential for the field to get even\r\nmore crowded in 2023.\r\nICS/OT Threat Landscape Takeaways\r\nThe webinar concluded with these final points of focus from Dragos ICS/OT adversary hunters:\r\nPIPEDREAM brings forward a new extensible and modular OT-focused malware framework that advances\r\nattack philosophies first showcased with CRASHOVERRIDE and TRISIS. CHERNOVITE presents a\r\nconcerning threat to all ICS organizations.\r\nDragos-tracked threat groups continue to target ICS/OT entities with both existing and new capabilities.\r\nBENTONITE has exhibited Stage 1 capability and has shown evidence of OT data exfiltration from oil \u0026\r\ngas and manufacturing targets.\r\nManufacturing is the standout sector bearing the burden of ransomware attacks by a large margin. All\r\nmanufacturing organizations should factor ransomware threats into their threat models.\r\nWatch the 2022 ICS/OT Year in Review Threat Landscape webinar to learn more about these findings.\r\nRecommendations\r\nDragos recommends five critical controls for OT cybersecurity identified by the SANS Institute as a baseline\r\nframework to help defend against adversary activity directed at ICS/OT environments. One way to achieve\r\norganizational alignment on implementing the critical controls is to tie the effort back to real-world scenarios\r\ninvolving newly discovered ICS-specific malware and known OT threat group behaviors. 
If you are just getting\r\nstarted on your ICS/OT cybersecurity journey, these tips will point you in the right direction but for more\r\ninformation.\r\nDownload our guide to SANS 5 Critical Controls to learn more.\r\nSource: https://www.dragos.com/blog/2022-ics-ot-threat-landscape-recap-what-to-watch-for-this-year/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.dragos.com/blog/2022-ics-ot-threat-landscape-recap-what-to-watch-for-this-year/"
	],
	"report_names": [
		"2022-ics-ot-threat-landscape-recap-what-to-watch-for-this-year"
	],
	"threat_actors": [
		{
			"id": "5fb9f77b-1273-4658-884e-49f5f511dcd7",
			"created_at": "2022-10-25T15:50:23.591795Z",
			"updated_at": "2026-04-10T02:00:05.383475Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"TEMP.Veles",
				"XENOTIME"
			],
			"source_name": "MITRE:TEMP.Veles",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "90615eb1-13f5-49e8-b8f5-d0df9b8bd946",
			"created_at": "2024-12-25T02:00:03.652379Z",
			"updated_at": "2026-04-10T02:00:03.797373Z",
			"deleted_at": null,
			"main_name": "Wassonite",
			"aliases": [],
			"source_name": "MISPGALAXY:Wassonite",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13bedce4-3115-4563-afd5-068e3930e68e",
			"created_at": "2023-01-06T13:46:38.623775Z",
			"updated_at": "2026-04-10T02:00:03.042652Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"KEYHOLE PANDA",
				"BRONZE FLEETWOOD",
				"TEMP.Bottle",
				"Mulberry Typhoon",
				"Poisoned Flight"
			],
			"source_name": "MISPGALAXY:APT5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c",
			"created_at": "2023-01-06T13:46:39.001286Z",
			"updated_at": "2026-04-10T02:00:03.1772Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"Xenotime",
				"G0088",
				"ATK91"
			],
			"source_name": "MISPGALAXY:TEMP.Veles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55",
			"created_at": "2024-04-24T02:00:49.599348Z",
			"updated_at": "2026-04-10T02:00:05.303948Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"APT5",
				"Mulberry Typhoon",
				"BRONZE FLEETWOOD",
				"Keyhole Panda",
				"UNC2630"
			],
			"source_name": "MITRE:APT5",
			"tools": [
				"Tasklist",
				"PoisonIvy",
				"RAPIDPULSE",
				"PcShare",
				"Mimikatz",
				"SLOWPULSE",
				"SLIGHTPULSE",
				"Skeleton Key",
				"gh0st RAT",
				"PULSECHECK",
				"netstat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a9bca241-5f6f-4a30-8184-c16da1a23c55",
			"created_at": "2022-10-25T16:07:24.38908Z",
			"updated_at": "2026-04-10T02:00:04.971876Z",
			"deleted_at": null,
			"main_name": "Wassonite",
			"aliases": [],
			"source_name": "ETDA:Wassonite",
			"tools": [
				"Dtrack",
				"Mimikatz",
				"Preft",
				"TroyRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "091dc6fb-2650-4646-894a-41de0d463f94",
			"created_at": "2023-11-17T02:00:07.594612Z",
			"updated_at": "2026-04-10T02:00:03.455179Z",
			"deleted_at": null,
			"main_name": "Chernovite",
			"aliases": [],
			"source_name": "MISPGALAXY:Chernovite",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20012494-3f05-48ce-8c0f-92455e46a4f9",
			"created_at": "2022-10-25T16:07:24.319939Z",
			"updated_at": "2026-04-10T02:00:04.934107Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"ATK 91",
				"G0088",
				"Xenotime"
			],
			"source_name": "ETDA:TEMP.Veles",
			"tools": [
				"Cryptcat",
				"HatMan",
				"Mimikatz",
				"NetExec",
				"PsExec",
				"SecHack",
				"TRISIS",
				"TRITON",
				"Trisis",
				"Triton",
				"Wii"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "47a8f6c7-5b29-4892-8f47-1d46be71714f",
			"created_at": "2025-08-07T02:03:24.599925Z",
			"updated_at": "2026-04-10T02:00:03.720795Z",
			"deleted_at": null,
			"main_name": "BRONZE FLEETWOOD",
			"aliases": [
				"APT5 ",
				"DPD ",
				"Keyhole Panda ",
				"Mulberry Typhoon ",
				"Poisoned Flight ",
				"TG-2754 "
			],
			"source_name": "Secureworks:BRONZE FLEETWOOD",
			"tools": [
				"Binanen",
				"Comfoo",
				"Gh0st RAT",
				"Isastart",
				"Leouncia",
				"Marade",
				"OrcaRAT",
				"PCShare",
				"Protux",
				"Skeleton Key",
				"SlyPidgin",
				"VinSelf"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434076,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6a2bbb8b5d768c347cc5169ae72cf237439279e.pdf",
		"text": "https://archive.orkl.eu/a6a2bbb8b5d768c347cc5169ae72cf237439279e.txt",
		"img": "https://archive.orkl.eu/a6a2bbb8b5d768c347cc5169ae72cf237439279e.jpg"
	}
}