Power lines connected to the Suvorovo hydroelectric dam in Suvorovo, Bulgaria. (Photo by Hristo Rusev/Getty Images)

Dragos detailed three new threat groups targeting industrial control systems in its annual report, including one technologically adept group that seems to be scouting out potential disruptive attacks in the energy sector.

Not all ICS groups intend to sabotage active systems. Several are looking to steal intellectual property. Of the ones that do, many are not yet entirely capable of performing that attack. Dragos categorizes them by the ICS kill chain, developed in part by its founder Rob Lee, separating groups into those trying to breach ICS systems but not yet able to do so; those able to do so but either not intending or not quite yet prepared to perform a disruptive attack; and the rarer few entirely prepared to do that attack.

Kostovite, an energy-sector-focused group among the three new groups detailed by Dragos, appears to fall into the second category: a group able to breach ICS systems but not yet ready to pull the trigger on disrupting the energy sector.

"We don't know the intent of the adversary — we can't reach back out to them and ask them what they were trying to do — but based on our analysis, and based on what we found, everything points to the fact that they were getting access for long-term access for future disruptive actions," said Lee in a meeting with reporters.

Kostovite targeted a "major" operation and maintenance (O&M) firm for the renewable energy sector, and leveraged its access to multiple companies' OT networks in the United States and Australia.

The group appears consistent with actors profiled by Mandiant in April who targeted Ivanti Pulse Secure VPN devices, targeting government agencies and the defense industrial base. Mandiant reported the attackers likely came from several groups supporting Chinese espionage. After the Mandiant report, CISA issued an alert to government agencies and critical infrastructure.

"The systems that they were embedding themselves into and getting access to, were there for the purpose of control and monitoring those generation assets. And there wasn't anything that they were taking or getting that really would have been valuable for intellectual property," said Lee.

Lee said that Dragos came across Kostovite during an incident response case and was able to mitigate the group before any damaging attack came to fruition. But the group, he said, showed alarming stealthiness during their breaches, capable of using native ICS functionality rather than malware to achieve its ends.

Other new groups cataloged in the report include Petrovite, a burgeoning group targeting central Asian manufacturing and energy, that appears to use the Zebrocy malware associated with Russian intelligence, and Erythrite, a group with wide targeting of United States and European networks with some technological overlap to known data-stealing group SolarMaker first profiled by Morphisec.

Though Dragos does not confirm that the two groups are the same, Erythrite uses the same SEO poisoning and malicious PDF files as SolarMaker, and Dragos says its Erythrite findings are consistent with other reports of SolarMaker infecting 96 Fortune 500 companies. SolarMaker appears to be operated by a Russian-speaking actor, per the Morphisec report, and is seen widely in the IT space in addition to OT.

Dragos' report also makes an interesting note about the common vulnerability scoring system (CVSS) grading over the past year: 38% of common vulnerabilities and exposures (CVEs) reviewed by the company contained errors in computing the CVSS threat score.

"Asset owners should take this into account when making patching and mitigation decisions for their
networks," said the report.