Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Dragos cybersecurity. Show all posts
Dragos cybersecurity
Critical Infrastructure critical infrastructure cybersecurity Cyber Security Cyber Threats Dragos Dragos cybersecurity

Dragos Warns of New State-Backed Threat Groups Targeting Critical Infrastructure

 

A fresh wave of state-backed hacking targeted vital systems more aggressively over the past twelve months, as newer collectives appeared while long-known teams kept their campaigns running, per Dragos’ latest yearly analysis. Operating underground until now, three distinct gangs specializing in industrial equipment surfaced in 2025, highlighting an ongoing rise in size and complexity among nation-supported digital intrusions. That count lifts worldwide monitoring efforts to cover 26 such organizations focused on physical machinery networks, eleven of which demonstrated live activity throughout the period. 

One key issue raised in the report involves ongoing operations by Voltzite, which Dragos links directly to Volt Typhoon. Instead of brief cyber intrusions, this group aimed at staying hidden inside U.S. essential systems - especially power, oil, and natural gas networks - for extended periods. Deep infiltration into industrial control setups allowed access beyond standard IT zones, reaching process controls tied to real-world machinery. Evidence shows their goal was less about data theft, more about setting conditions for later interference. Long-term positioning suggests preparation mattered more than immediate gain. 

Starting with compromised Sierra Wireless AirLink devices, hackers gained entry to pipeline operational technology environments during one operation. From there, sensor readings, system setups, and alert mechanisms were pulled - details that might later disrupt functioning processes. Elsewhere, actions tied to Voltzite relied on a network of infected machines scanning exposed energy, defense, and manufacturing systems along with virtual private network hardware. Analysts view such probing as groundwork aimed at eventual breaches. 

One finding highlighted three emerging threat actors. Notably, Sylvanite operates as an access provider - exploiting recently revealed flaws in common business and network-edge systems before passing entry points to Voltzite for further penetration. Following close behind, Azurite displays patterns tied to Chinese-affiliated campaigns, primarily targeting operational technology setups where engineers manage industrial processes; it gathers design schematics, system alerts, and procedural records within heavy industry, power infrastructure, and military-related production environments. 

Meanwhile, a different cluster named Pyroxene surfaced in connection with Iran's digital offensives, using compromised suppliers to breach networks while deploying disruptive actions when global political strain peaks. These developments emerged clearly through recent investigative analysis. Still, Dragos pointed out dangers extending beyond China and Iran. Operations tied to Russia kept challenging systems in power and water sectors. Across various areas, probing efforts focused on industrial equipment left visible online. Even when scans did not lead to verified breaches, their accuracy and reach signaled growing skill. 

The report treated such patterns as signs of advancing tactics. Finding after finding points to an ongoing trend: silent infiltration of vital system networks over extended periods. Instead of causing instant chaos, operations seem built around stealthy placement within core service frameworks, building up danger across nations and sectors alike. Not sudden blows - but slow seepage - defines the growing threat.
Read more »
Vulnerabilities and Exploits
Dragos cybersecurity NATO Breach US Military Volt Typhoon Vulnerabilities and Exploits

Volt Typhoon Still Targeting Critical Infrastructure, Report Finds

 


Cybersecurity investigators are warning that the threat actor widely tracked as Volt Typhoon may still have hidden access inside segments of U.S. critical infrastructure, and some compromises could remain undiscovered permanently.

For nearly three years, U.S. military and federal law enforcement agencies have worked to identify and remove intrusions affecting electricity providers, water utilities and other essential service operators in strategically sensitive regions. Despite these sustained efforts, a newly released industry assessment suggests that the full scope of the activity may never be completely known.

In its latest annual threat report, industrial cybersecurity firm Dragos stated that actors associated with Volt Typhoon continued targeting American utility networks into 2025. The company indicated that, even with heightened public scrutiny and coordinated government response, the campaign remains ongoing.

Rob Lee, chief executive of Dragos, said in recent media briefings that the group is actively studying infrastructure environments and establishing footholds not only in the United States but also across allied nations. When asked whether every previously breached organization could ultimately detect and eliminate the intruders, Lee responded that certain compromised sites in both the U.S. and NATO countries may never be identified.

U.S. officials have previously assessed that the objective of Volt Typhoon is to position access within operational technology environments in advance of any geopolitical conflict. Operational technology systems manage physical processes such as electricity transmission, water treatment and industrial production. By embedding themselves in these networks ahead of time, attackers could potentially disrupt or delay U.S. military mobilization during a crisis. Lee added that the group prioritizes strategically significant entities and works to preserve long-term, covert access.

He also noted that regulatory measures expected over the next three to five years may strengthen detection standards across the sector. Larger electricity providers often possess advanced monitoring capabilities and incident response programs that improve their ability to uncover and expel actors. However, many smaller public utilities, particularly in the water sector, lack comparable technical resources. In Lee’s assessment, while investigations are technically possible at such organizations, it is unlikely that all will reach the maturity needed to detect and remove deeply concealed compromises. He suggested that, at the current pace, some portion of infrastructure may remain infiltrated.

China has rejected allegations linking it to Volt Typhoon. Nonetheless, previous U.S. government investigations reported discovering evidence of concealed access in infrastructure systems in Guam and in proximity to American military installations, raising concerns about strategic intent. Officials have also acknowledged that the total number of affected entities is unknown and that any publicly cited figures likely underestimate the scale.

The Dragos report further describes another activity cluster, referred to by the company as SYLVANITE, which allegedly secures initial entry into infrastructure networks before access is leveraged by Volt Typhoon. According to the firm, this activity has targeted operational technology systems across North America, Europe, South Korea, Guam, the Philippines and Saudi Arabia, affecting oil and gas operations, water utilities, electricity generation and transmission entities, and manufacturing organizations.

Lee characterized this second group as facilitating access rather than directly causing operational disruption, effectively preparing entry points for subsequent exploitation.

Researchers also linked recent high-profile vulnerability exploitation campaigns to these actors, including flaws in widely deployed enterprise software from Ivanti and the Trimble Cityworks geographic information system platform developed by Trimble. A year ago, the federal civilian cybersecurity agency instructed government bodies to urgently remediate a Cityworks vulnerability, after which private security firms reported that Chinese-linked actors had used it to compromise multiple local government networks.

Dragos warned that unauthorized access to geographic information system data can provide detailed infrastructure mapping and asset intelligence. Such information, if exploited, could enable adversaries to design targeted and potentially disruptive industrial control system operations. The firm concluded that Volt Typhoon’s more recent activity reflects movement beyond conventional IT data theft toward direct engagement with operational technology devices, including the collection of sensor readings and operational parameters, heightening concerns for essential service resilience.


Read more »
Large-scale breaches
Cyber Attacks Cyber Breaches cybercrime group cybercrime group attack Dragos Dragos cybersecurity Dragos hacked Large-scale breaches

Dragos Links Coordinated Polish Power Grid Cyberattack to Russia-Backed ELECTRUM Group

A wave of connected cyber intrusions struck multiple points in Poland’s electricity infrastructure near the end of 2025. Dragos, an industrial control system security firm, assessed with limited certainty that the activity aligns with a Russia-linked group known as ELECTRUM. While attribution is not definitive, the techniques and patterns resemble previous operations tied to the cluster. Investigators also flagged unusual entry routes through third-party maintenance channels, with disruptions occurring amid heightened geopolitical tensions. No major blackouts followed, but systems recorded repeated probing attempts. Response teams moved quickly to isolate affected segments, and attribution was supported by forensic traces left during the breaches. Officials emphasized continued vigilance despite containment. 

At one site, critical hardware was destroyed and left unusable, marking what Dragos described as the first large-scale cyberattack focused on decentralized energy systems such as wind turbines and solar generation connected to the grid. Operational technology used in electricity distribution was accessed without authorization, and systems managing renewable output faced interference even though overall service stayed online. Communication failures also affected combined heat and power facilities. Entry was gained through systems tied to grid stability, with damage remaining localized but irreversible at one location. 

Dragos noted links between ELECTRUM and another group, KAMACITE, with overlaps consistent with the broader Sandworm ecosystem, also tracked as APT44 or Seashell Blizzard. KAMACITE is believed to specialize in initial access, using spear-phishing, stolen credentials, and attacks against exposed public-facing systems. 

After entry, KAMACITE reportedly conducts quiet reconnaissance and persistence in OT environments, creating conditions for later action. Once access is established, ELECTRUM activity is assessed to bridge IT and OT networks, deploying tooling inside operational systems. Actions attributed to ELECTRUM can include manipulating control systems or disrupting physical processes, either through direct operator interface interaction or purpose-built ICS malware depending on objectives. 

Dragos described a division of roles between the clusters that enables long-term access and flexible execution, including delayed disruption. Even without immediate damage, persistent access can create long-term risk. KAMACITE-linked activity also appears geographically unconstrained, with scanning against U.S. industrial systems reported as recently as mid-2025. 

In Poland, attackers targeted systems that connect grid operators with distributed energy resources, disrupting coordination. Roughly three dozen sites experienced operational impact. Investigators said poorly secured network devices and exploited vulnerabilities enabled entry, allowing intruders to reach Remote Terminal Units and move through communications infrastructure. Dragos said the attackers showed strong knowledge of grid systems, successfully disabling communications tools and certain OT components. 

However, the full scope remains unclear, including whether operational commands were issued or whether the focus stayed on communications disruption. Overall, Dragos assessed the incident as more opportunistic than carefully planned, with attackers attempting rapid disruption once inside by wiping Windows systems, resetting configurations, and trying to permanently brick equipment. The hardest-hit devices supported grid safety and stability monitoring. 

Dragos concluded that the damage shows OT intrusions are shifting from preparation into active attacks against systems that manage distributed generation.
Read more »
unauthorised access
Cyber Attacks cybercrime gang Data Stolen Dragos Dragos cybersecurity Dragos hacked Hacked SharePoint cloud platform unauthorised access

Dragos Hacked: Cybersecurity Firm Reveals “Cybersecurity Event”, Extortion Attempt


Industrial cybersecurity company Dragos  recently revealed a “cybersecurity event,” where a notorious cybercrime gang attempted to breach Dragos' defenses and access the internal network to encrypt devices.

The firm disclosed the incident on its blog on May 10, alleging that it took place on May 8 where hackers acquired access to SharePoint and the Dragos contract management system by compromising a new sales employee's personal email address before the employee's start date. The hacker then impersonated the employee to complete the first steps of Dragos' employee-onboarding procedure using the stolen personal information from the hack.

After infiltrating Dragos’ SharePoint cloud platform, the hackers apparently downloaded “general use data” and access 25 intel reports, generally only made available to the customers.

“Dragos' swift response prevented the threat group from achieving its objective — the deployment of ransomware — or to engage in further activity, such as lateral movement, escalating privileges, establishing persistent access, or making changes to any Dragos infrastructure[…]No Dragos systems were breached, including anything related to the Dragos Platform,” the company noted. 

Due to role-based access control (RBAC) regulations, the threat actors were unable to access several Dragos systems during the 16 hours they had access to the employee's account, including its messaging, IT helpdesk, finance, request for proposal (RFP), employee recognition, and marketing systems.

Eleven hours into the attack, after failing to break into the company's internal network, they sent an email of extortion to Dragos executives. Because the message was sent after business hours, it was read five hours later.

Five minutes into reading the extortion message, Dragos disabled the compromised user account, terminated all open sessions, and prevented the hackers' infrastructure from accessing company resources.

The cybercriminal group also attempted to extort the firm by threatening to make the issue public in emails sent to CEOs, senior employees, and family members of Dragos who have public contacts.

One of the IP addresses specified in the IOCs is 144.202.42[.]216, earlier discovered hosting SystemBC malware and Cobalt Strike, both frequently used by ransomware gangs for remote access to compromised systems.

"While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation. The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable," Dragos said.   

Read more »
Subscribe to: Comments (Atom)