More State-Sponsored OT Hacking to Come, Says ENISA

Geopolitics Drives Major Changes in Threat Landscape
State-backed hacking groups will turn more attention onto operational technology as geopolitics influences the cyberthreat landscape, the European Union Agency for Cybersecurity says in a Thursday report.
"Today's global context is inevitably driving major changes in the cybersecurity threat landscape. The new paradigm is shaped by the growing range of threat actors. We enter a phase which will need appropriate mitigation strategies to protect all our critical sectors, our industry partners and therefore all EU citizens," ENISA Executive Director Juhan Lepassaar said. The report analyzes cyber incidents during the second half of 2021 and first half of 2022 and makes some predictions about the near future.
Evidence cited by the agency of growing state-sponsored interest in OT hacking includes the April detection of malware dubbed Industroyer2 by cybersecurity firm Eset and used in an attempt to infect high-voltage electrical substations in Ukraine. That month also saw the public exposure of attack tools dubbed Incontroller. Analysis by Mandiant and Schneider Electric determined that Incontroller "is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction" of machine automation devices.
By ENISA's count, Industroyer2 and Incontroller are the fifth and sixth known examples of industrial control system-specific malware.
"In our assessment, state-backed threat actors will step up their reconnaissance against OT networks, develop capabilities and increasingly target them for the foreseeable future, especially during times of crisis and armed conflict," states the cybersecurity agency's report.
The agency also observes state-backed threat actors as increasingly focused on supply chain compromises. Private sector cybersecurity firms have reported significant increases over the past three years in government hacking into targets such as managed service providers and IT service organizations as a means of gaining a foothold in the networks of hundreds of victims.
Although a much-feared cyberwar instigated by Russia's invasion of Ukraine has yet to materialize, ENISA says it's still likely that Western countries and NATO allies will see cyberattacks against critical infrastructure as retaliation for supporting Kyiv.
One possibility is that pro-Russian ransomware gangs conduct the retaliation at the Kremlin's behest, including by using ransomware malware to disguise the Kremlin's footprint and give Moscow plausible deniability.
Ransomware itself - pursued purely for financial motives - continues to be a problem, of course.
The groups behind ransomware strains are reacting to stepped-up law enforcement by supposedly retiring from the criminal underground, only to come back under a new moniker. ENISA predicts that this trend will continue, but that ransomware-as-a-service groups will acquire smaller-tier groups, potentially resulting in the overlapping use of different ransomware variants.