{
	"id": "5129c206-7fd8-4914-a10f-a044e8ebe5da",
	"created_at": "2026-04-06T00:13:30.376891Z",
	"updated_at": "2026-04-10T03:35:19.860738Z",
	"deleted_at": null,
	"sha1_hash": "f9c26db0c895722528dd387654aefda9ddfdc6e0",
	"title": "Critical Infrastructure Remains the Brass Ring for Cyber Attackers in 2024",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60662,
	"plain_text": "Critical Infrastructure Remains the Brass Ring for Cyber\r\nAttackers in 2024\r\nPublished: 2024-01-02 · Archived: 2026-04-02 12:10:00 UTC\r\nRecent reporting reveals that both state and nonstate cyber actors are actively targeting critical infrastructures\r\nwith impunity.  Indeed, the Ukraine war, Palestine conflict, and other areas where geopolitical tension exists have\r\ncreated an environment where aggressive offensive cyber operations are unfolding and are even\r\nencouraged.  What has become increasingly clear is that there seems to be very little that the global community is\r\ndoing to deter these types of attacks, which have ranged from gaining access to more disruptive strikes designed to\r\nhamper operations, or the actors conducting them.  This is disconcerting given how the volume of attacks against\r\nthese targets has surged.  According to one cybersecurity company’s findings, in 2022 cyber attacks against\r\ncritical infrastructures spiked 140% from the previous year.  While many of these attacks can be linked to\r\ncybercriminals such as ransomware operators seeking to collect significant ransom payments for compromising\r\nvital networks, as many as 60% of attacks against infrastructures have been linked to nation states, indicating that\r\nthe potential intent behind them is for more nefarious purposes.\r\nAs we head toward the conclusion of 2023, the news has been rife with examples of such malfeasance, and from a\r\nvariety of threat actors, which underscores that critical infrastructures are and will remain high-value targets for\r\nboth state and nonstate groups.  A quick review of media found four examples illustrating what the cyber\r\nenvironment looks like and what we can expect to transpire moving into 2024:\r\nOil/Gas.  Israeli hackers dubbed “The Predatory Sparrow” claimed responsibility for conducting a series of\r\ncyber attacks that created disruptions at 70% of Iran’s gas stations and traffic light systems.  
Per reporting,\r\nthe group provided visual evidence with screenshots taken of gas stations’ computer systems, as well as\r\npayment information and management system data.  The group asserted that the attack was retaliation for\r\nIranian aggression in the region.  The recent attack wasn’t the first time this group conducted cyber attacks\r\nagainst Iran, having executed at least two of them previously that had disrupted Iran’s rail networks and\r\nsteel factories.\r\nTelecommunications.  Russian hacker group “Solntsepek” (a group tied to Russia’s military intelligence-linked Sandworm Team) claimed responsibility for a cyber attack against Ukraine’s\r\nlargest telecommunications provider.  The attack didn’t compromise customer data but did impact\r\noperations for at least a day, causing outages and disrupting air raid sirens, some banks, ATMs, and point-of-sale terminals, making it one of the most impactful cyber attacks of the Ukraine war.  It also had a\r\ncausal effect by creating service surges for competitors not ready to accept an increase in user traffic.  The\r\nties to Sandworm Team are noteworthy as that group has been very active against critical infrastructure\r\ntargets such as Ukraine’s electrical grid in 2016 and 2017.\r\nHospitals/Medical.  Israel’s National Cyber Directorate (NCD) attributed November 2023 cyber attacks\r\nagainst Safed Ziv Medical Center to the hacker group known as AGRIUS, which is linked to the\r\nIranian Intelligence Ministry.  The NCD indicated that AGRIUS also had assistance from Lebanese Cedar,\r\nhttps://www.oodaloop.com/archive/2024/01/02/critical-infrastructure-remains-the-brass-ring-for-cyber-attackers-in-2024/\r\nPage 1 of 3\n\na group linked to Hezbollah.  Though the attack was only partially successful, its intent appears to have\r\nbeen to disrupt hospital operations, which could create an impact in treating Israeli defense forces as it\r\nengages its conflict with HAMAS.  
More importantly, the attack shows how cyber attacks can play a role\r\nin supporting ground activities by achieving tactical objectives.\r\nWater Facilities.  Iranian cyber actors recently attacked a small Pennsylvania water authority, as well as\r\nother victims across the United States.  But Iran is not alone.  A recent news report revealed that hackers\r\nlinked to China’s military had been gaining access into computer systems of more than 24 U.S. critical\r\ninfrastructure organizations to include water utilities, a port, and at least one oil and gas pipeline.  The\r\narticle suggested that these intrusions were part of a plan to sow panic and hamper logistics in the event\r\nconflict should erupt between China and the United States over an issue like Taiwan.  While it did not\r\nappear that these intrusions had made their way into accessing industrial control systems that operate\r\ncritical functions, accesses gained could impact targets enough to disrupt services.  Given that one of the\r\ntargets supported U.S. Pacific Fleet in Hawaii, the attack provides another example of how cyber attacks\r\ncould pre-position an adversary to affect ground operations in the event of a conflict.\r\nThough there are no codified norms of state behavior in cyberspace, the targeting of critical infrastructures has\r\nalways been considered taboo, largely because any such attack would directly impact services to civilians.  Since\r\nthe North Atlantic Treaty Organization (NATO) agreed that a cyber attack against a member state could trigger\r\nArticle 5, it would appear that this would underscore the gravity with which any such attack could be viewed,\r\ninterpreted, and be subject to retaliation.  Indeed, in 2019, an article by NATO Secretary General Jens\r\nStoltenberg asserted that NATO would guard its cyber domain and invoke collective defense if deemed\r\nnecessary.  
Although the criteria for a serious cyber attack were never defined, given what has transpired in the\r\nrealm of disruptive and destructive cyber attacks, one potentially severely impacting critical infrastructure\r\ncertainly seems like it would fit the criteria.\r\nYet, despite this acknowledgement, nation states continue to test the boundaries and push the limits about the\r\ntypes of attacks they conduct against critical infrastructures, raising the question if there is any real red line that\r\nwill determine when action would be taken.  Perhaps more worrisome is that continued failure to set any such\r\nconditions on nation states has freed up nonstate actors to target these vital networks for their own purposes,\r\nwhether as a means of financial extortion or to support a benefacting state’s interests.  Since the potential\r\ndetrimental impact against critical infrastructures is not the sole purview of state actors, the Red Cross put\r\nforth ethical guidelines for hacktivists to consider before wading into cyber conflicts, though the effort has been a\r\nmore symbolic gesture than one that has achieved any tangible results.\r\nSo where does this put us in 2024?  Not in a favorable position.  What’s evident is that there has been no threat of\r\npunishment, and certainly no repercussion, that has successfully discouraged threat actors from continuing to\r\ntarget critical infrastructures.  Even when the attacks have been potentially detrimental, like the Iranian one that\r\nraised chlorine levels in Israeli water facilities that could have had consequential effects on civilians, or the recent\r\nattack against the Israeli hospital disrupting potentially life-saving measures, there has been little effort by the\r\ninternational community to collaborate on going after these actors and/or punishing the states on whose behalf\r\nthey may be acting.  
\r\nWorse, heading into 2024 there is little evidence that the global community is trying to develop a strategy to deter\r\nsuch activity from happening in the first place.  Therefore, it appears that states will be left up to their own\r\njudgement as to how they will respond to such activities, which risks quick escalation and entry for other actors –\r\nwhether offensively or defensively – to join the fray.  \r\nAbsent codified cyber norms and/or treaties, this does not improve cyber defense as much as exacerbate an\r\nalready tense situation.\r\nAbout the Author\r\nEmilio Iasiello\r\nEmilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government\r\ncivilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat\r\npresentations to domestic and international audiences and has published extensively in such peer-reviewed\r\njournals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the\r\nCyber Defense Review, among others. All comments and opinions expressed are solely his own.\r\nSource: https://www.oodaloop.com/archive/2024/01/02/critical-infrastructure-remains-the-brass-ring-for-cyber-attackers-in-2024/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.oodaloop.com/archive/2024/01/02/critical-infrastructure-remains-the-brass-ring-for-cyber-attackers-in-2024/"
	],
	"report_names": [
		"critical-infrastructure-remains-the-brass-ring-for-cyber-attackers-in-2024"
	],
	"threat_actors": [
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2b45a355-6d1d-44d8-8bc3-20c17e30757d",
			"created_at": "2023-12-21T02:00:06.092349Z",
			"updated_at": "2026-04-10T02:00:03.501337Z",
			"deleted_at": null,
			"main_name": "Solntsepek",
			"aliases": [],
			"source_name": "MISPGALAXY:Solntsepek",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e",
			"created_at": "2026-03-16T02:02:50.582318Z",
			"updated_at": "2026-04-10T02:00:03.777263Z",
			"deleted_at": null,
			"main_name": "COASTLIGHT",
			"aliases": [
				"Gonjeshke Darande",
				"Indra",
				"Predatory Sparrow"
			],
			"source_name": "Secureworks:COASTLIGHT",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "219ddb41-2ea8-4121-8b63-8c762f7e15df",
			"created_at": "2023-01-06T13:46:39.384442Z",
			"updated_at": "2026-04-10T02:00:03.309654Z",
			"deleted_at": null,
			"main_name": "Predatory Sparrow",
			"aliases": [
				"Indra",
				"Gonjeshke Darande"
			],
			"source_name": "MISPGALAXY:Predatory Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434410,
	"ts_updated_at": 1775792119,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9c26db0c895722528dd387654aefda9ddfdc6e0.pdf",
		"text": "https://archive.orkl.eu/f9c26db0c895722528dd387654aefda9ddfdc6e0.txt",
		"img": "https://archive.orkl.eu/f9c26db0c895722528dd387654aefda9ddfdc6e0.jpg"
	}
}