This ReliaQuest report analyzes Russia-linked APT activity targeting operational technology (OT) over the past year, offering detections and mitigations for OT defenders. It highlights notable incidents (Denmark energy attacks, Kyivstar outage, JetBrains TeamCity, Ukrainian power grid, and Southern Water) and outlines defensive recommendations to separate OT from IT and strengthen access controls. #COSMICENERGY #Industroyer #Industroyer2 #SandwormTeam #Kyivstar #SouthernWater
Keypoints
- This report analyzes cyber attacks conducted by Russia-linked APT groups on OT in the past year, offering detection rules and defender-focused recommendations.
- Mitigations for the observed TTPs include restricting new account creation to a small set of privileged administrators, and restricting and monitoring SMB file-sharing traffic between hosts to prevent lateral tool transfer over named pipes.
- Russia is expected to keep targeting Ukraine and to blend short-term disruption with long-term stealth for espionage.
- There’s a realistic possibility of Russia-linked cybercriminals attacking OT under state direction, potentially under ransomware pretenses.
- Significant incidents include the coordinated May 2023 attacks on Denmark’s energy sector exploiting CVE-2023-28771 in Zyxel firewalls, and Kyivstar’s December 2023 outage tied to Solntsepek/Sandworm activity.
- OT-focused malware such as COSMICENERGY and Industroyer/Industroyer2 illustrate Russia’s growing capability to disrupt electrical and industrial infrastructure.
MITRE Techniques
- [T1087.002] Domain Account – net.exe queries used to enumerate specific domain users and the Domain Admins group before privilege escalation. “We observed the following commands being used by threat actors to identify domain accounts: exe /C net user admAcc /domain, net group “Domain Admins” /domain, net user svcAcc /domain, net user admAcc /domain”.
- [T1136] Create Account – Created domain and local accounts to maintain persistence. “We observed the threat actors creating accounts with local and domain account permissions.”
- [T1570] Lateral Tool Transfer – Tools moved between hosts over SMB named pipes, and a named-pipe impersonation tool used to escalate privileges (named-pipe impersonation itself is catalogued by MITRE as T1134.001, Token Impersonation/Theft; the report groups it with the named-pipe activity). “NamedPipeImpersonation hacking tool being used to achieve privilege escalation.”
- [T1569.002] System Services: Service Execution – PsExec pivoting used to execute commands on remote systems; PsExec copies a PSEXESVC service binary to the target’s ADMIN$ share and starts it as a service. “We observed the threat actors conducting PSEXEC pivoting.”
- [T1190] Exploit Public-Facing Application – Exploitation of a public-facing app to gain initial access. “exploited CVE-2023-42793 in JetBrains TeamCity servers” and related activity.
- [T1068] Exploitation for Privilege Escalation – BYOVD (Bring Your Own Vulnerable Driver): a legitimately signed but vulnerable driver loaded to obtain kernel-level code execution, escalate privileges and blind security tooling. “BYOVD technique to avoid detection”.
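The report promises detection rules for these TTPs; the block below is an added example written for this page, not ReliaQuest’s own rules, and runs over constructed Windows process-creation events (Sysmon Event ID 1 / Security 4688 style fields). It flags the net.exe domain-account discovery commands (T1087.002), local and domain account creation (T1136.001/.002) checked against a hypothetical allowlist of identities permitted to create accounts, and PsExec pivoting (T1569.002) seen from both the source host (PsExec client targeting a remote host) and the target (PSEXESVC.exe spawned by services.exe). Hostnames, usernames and account names are hypothetical.

```python
"""Added example detection logic for T1087.002, T1136 and T1569.002.
Not from the ReliaQuest report; sample events are constructed and all
hosts, users and account names are hypothetical."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample events shaped like Sysmon Event ID 1 / Security 4688 fields.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net user admAcc /domain"},
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\net.exe",
     "image": "C:\\Windows\\System32\\net1.exe", "cmdline": 'net1 group "Domain Admins" /domain'},
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net user svc_backup P@ssw0rd! /add /domain"},
    {"host": "DC01", "user": "CORP\\itadmin", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net user tmp_helpdesk P@ss /add"},
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Tools\\PsExec64.exe", "cmdline": "PsExec64.exe \\\\SRV02 -s cmd.exe"},
    {"host": "SRV02", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    # Benign noise: 'net use' is not 'net user', and notepad is just notepad.
    {"host": "WS02", "user": "CORP\\asmith", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net use Z: \\\\FS01\\share"},
    {"host": "WS02", "user": "CORP\\asmith", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# Hypothetical allowlist of identities permitted to create accounts (the report's
# "restrict account creation to privileged individuals" mitigation).
AUTHORIZED_CREATORS = {"corp\\itadmin"}

NET_IMAGE = re.compile(r"\\net1?\.exe$", re.IGNORECASE)   # net.exe hands off to net1.exe
# net user <name> [<password>] /add [/domain]
ACCOUNT_ADD = re.compile(r"^net1?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.IGNORECASE)
# net user <name> /domain  |  net group "<group>" /domain
DOMAIN_QUERY = re.compile(r"^net1?\s+(?:user|group)\b.*\s/domain\b", re.IGNORECASE)
# PsExec client pointed at a remote host (source side of the pivot).
PSEXEC_CLIENT = re.compile(r"psexec(?:64)?\.exe\s+\\\\\S+", re.IGNORECASE)
# PSEXESVC service binary that PsExec drops into ADMIN$ (target side of the pivot).
PSEXESVC = re.compile(r"\\PSEXESVC\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str
    severity: str
    host: str
    user: str
    cmdline: str


def classify(event: dict) -> list[Finding]:
    """Return zero or more findings for one process-creation event."""
    findings = []
    cmd = event["cmdline"].strip()
    host, user = event["host"], event["user"]
    if NET_IMAGE.search(event["image"]):
        if ACCOUNT_ADD.match(cmd):
            scope = "T1136.002" if "/domain" in cmd.lower() else "T1136.001"
            # Creation by anyone outside the allowlist is the high-signal case.
            sev = "low" if user.lower() in AUTHORIZED_CREATORS else "high"
            findings.append(Finding(scope, sev, host, user, cmd))
        elif DOMAIN_QUERY.match(cmd):
            findings.append(Finding("T1087.002", "medium", host, user, cmd))
    # PSEXESVC is a service, so its parent on the target is services.exe.
    if PSEXESVC.search(event["image"]) and event["parent"].lower().endswith("\\services.exe"):
        findings.append(Finding("T1569.002", "high", host, user, cmd))
    elif PSEXEC_CLIENT.search(cmd):
        findings.append(Finding("T1569.002", "high", host, user, cmd))
    return findings


def run(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in classify(e)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per technique ID."""
    return dict(Counter(f.technique for f in findings))


if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.technique} {f.host} {f.user}: {f.cmdline}")
```

Matching on the image name rather than the raw command line keeps `net use` (benign share mapping) out of the account rules, and the PSEXESVC check keys on the service parent so a renamed client on the source host still produces a target-side finding.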
Indicators of Compromise
- [CVE] CVE-2023-28771, CVE-2023-42793 – vulnerabilities exploited in the attacks described: an unauthenticated command injection in Zyxel firewalls (Denmark energy sector) and an authentication bypass in JetBrains TeamCity servers, both used to gain initial access into networks that reach OT.
- [Malware/Tool] COSMICENERGY, Industroyer, Industroyer2 – Russia-linked OT/ICS-targeted malware families referenced in the OT threat landscape.
- [Threat Actor] Sandworm Team – linked to multiple OT/ICS intrusion campaigns (e.g., Ukraine/Europe infrastructure attacks).
- [Organization] Kyivstar – Ukraine’s largest telecom provider, hit by a December 2023 outage attributed to Russia-linked actors (Solntsepek/Sandworm).
- [Organization] Southern Water – UK water utility impacted by a January 2024 ransomware operation linked to a Russian-speaking group.
Read more: https://www.reliaquest.com/blog/russia-linked-threats-to-operational-technology