War & Geopolitical Ransomware Account For 70% of All Attacks


  • Ransomware attacks are increasingly driven by international tensions, with nation-state actors targeting critical infrastructure.
  • 70% of cyberattacks were fueled by geopolitics.
  • Factories and industrial facilities, reliant on digital transformation, are a prime target for IT-OT system breaches.
  • Traditional security methods are insufficient. Organizations need innovative approaches to secure IT and OT environments.
  • Historic, international initiatives, laws, and legal instruments like the Pall Mall Declaration are rising in response to the state of global cybersecurity.

From water and energy providers to manufacturers, data centers, and healthcare organizations, state-supported ransomware groups increasingly target those operating IT-OT environments.

Unlike sectors that rely mostly on IT systems, critical infrastructure and industry now connect their IT environments to their Operational Technology (OT).

The new Dragos 2023 OT Cybersecurity Year in Review report found alarming vulnerabilities in industrial control systems, new emerging threats, and bad actor groups. Dragos’s report reveals that OT attacks are on a dramatic rise, with manufacturing the most targeted sector.

Techopedia talked with cybersecurity experts to understand the threat landscape of IT-OT security and dive deeper into the report and security trends to discover the best practices for modern IT-OT operations.

The Digital Cold War: Attacks Driven By Geopolitical Tensions

Dragos’s new report says that driven by digital transformation, manufacturing has become a rich target for cybercriminals.

The report warns that geopolitical tensions are driving nation-state hacker groups to ramp up attacks on infrastructure. Dragos highlights how conflicts in Ukraine, the Middle East, and Asia are shaping the cybercriminal world.

“In 2023, a surge in global tension resulted in an increase in cyber threat activity and disruptions in critical infrastructure worldwide. Escalating conflicts, including those between Ukraine and Russia, Israel and Hamas, and countries in the South China Sea, emboldened adversaries and hacktivists to develop new capabilities and reuse old techniques.”

Ukraine-Russia, Israel-Hamas, and China-Taiwan Conflicts

According to Dragos, cyber threat activity has continued escalating one year after Russia’s invasion of Ukraine. The conflict in the Middle East also led to cyber attacks on critical infrastructure, with pro-Israel and pro-Hamas hacktivists attacking gas and oil infrastructure, water, and manufacturing.

In Asia, tensions between China and Taiwan led to attacks around the world on the electric, satellite communications, telecommunications, emergency management, and defense industrial base sectors.

Tyler Reguly, Senior Manager of Security R&D at Fortra, spoke about the escalation of global cyber warfare related to ongoing conflicts and tensions.

“You have to wonder when certain nation-states will start to consider cyberattacks to be a declaration of war.”

“As the frequency of these attacks increases, as specific high-value targets are attacked, where is the line, and when will someone cross it?” Reguly asked.

“It also doesn’t help that the nation-state responsible for the greatest number of zero-day [threats] also has veto powers on the UN Security Council, which could make it difficult for the Security Council to pass any resolutions on the subject.”

Understanding ICS-IT-OT Critical Infrastructure At Risk

The U.S. cyber defense agency, CISA, explains that 16 critical infrastructure sectors in the U.S. are being targeted. These sectors are part of sophisticated interconnected systems that, if threatened, “could have potentially debilitating national security, economic, and public health or safety consequences.”

Keeping up with recent trends and attacks, CISA released on March 19 another advisory on state-sponsored cyber activity and actions for critical infrastructure leaders, warning that the China-linked group Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus) was poised inside U.S. critical infrastructure organizations’ networks with the goal of “enabling disruption or destruction of critical services in the event of increased geopolitical tensions and/or military conflict with the United States and its allies”.

Dragos’s research following this trend of attacks says ransomware against industrial organizations skyrocketed by 50% in 2023. 71% of all attacks targeted 638 manufacturing entities in 33 unique manufacturing subsectors. Dragos explained how digital transformation creates a unique digital attack surface ripe with vulnerabilities.

“More than ever, factories, power plants, and pipelines share common devices, software packages, network protocols, and facility designs; industrial facilities have moved towards more homogenous infrastructure.”

Attackers leverage these new interconnected IT-OT environments by remotely breaching IT systems to exploit Industrial Control Systems (ICS) and OT.

IT-ICS-OT infrastructures and architectures increase the risk of zero-day exploitation, phishing, and fileless attacks, and present numerous vulnerabilities that bad actors can exploit to reach critical systems and data and deliver malicious payloads such as ransomware and spyware.

The Pall Mall Process

Reguly from Fortra spoke about spyware as a weapon of choice and the Pall Mall Process (a recently launched international effort presented by the U.K. and France to tackle the misuse of cyber intrusion tools sold by private companies) that was well-received by the international community.

“Spyware is a weapon (cyberweapon) and a dangerous, targeted one that I’d love to see controlled or eliminated, and with any luck, we’ll see conversations around the Pall Mall Process (PMP) and the Pall Mall Declaration put us on that path.”

In February, at a conference in London, delegates from 35 countries discussed the international Pall Mall process and how states can tackle the proliferation of commercial cyber intrusion tools and services.

Leaders from Apple, Google, Microsoft, human rights groups, legal experts, and other relevant fields were present.

As an international declaration, the Pall Mall process would formalize the commitment of countries and businesses to take action against spyware and to develop safeguards.

Nation-State Attacks and IT-OT Security: Experts Weigh in

Techopedia asked cybersecurity experts for their advice for leaders and organizations in the critical infrastructure sector and how they can deter nation-state-supported hackers and secure their IT-OT infrastructures.

‘Think Different’

Adam Maruyama, a cybersecurity and national security professional who serves as the Field CTO for Garrison, a secure isolation technology provider, said organizations should “think differently” when approaching IT-OT security.

“Too many businesses are relying on layers of detection-based security software and improvised techniques bridging the IT-OT gap to protect themselves from zero-days and nation-state threats,” Maruyama said.

“In reality, every layer of security software is another potential vector for a zero-day threat, as we’ve seen from the increasing number of zero-day attacks on security software.

“Instead, organizations should look to innovative approaches, frequently based on hardware security (hardsec) that create full-stack protocol breaks between protected environments and riskier ones – whether the risky network is a more accessible IT network or the Internet itself,” Maruyama explained.

Maruyama added that these secure-by-design networking technologies can help organizations remove entire categories of risk by closing off entire infiltration and exfiltration vectors from adversaries.

This approach differs from engaging in detection and patching-centric cybersecurity (putting out fires) in the “arms race” between attackers and defenders.

Monitoring IT-OT Digital Attack Surface: User Entity Behavior Analytics

Ryan Smith, founder and CEO of QFunction, a company dedicated to helping businesses protect their data, assets, and reputation from cyber threats and attacks while leveraging the power of AI, said monitoring is the key to IT-OT system security, especially when it comes to detecting zero-day attacks.

“A lot of OT systems do not have the ability to install security software on them, so monitoring for anomalous network traffic can be very helpful in detecting attacks,” Smith said.

Smith also referred to User and Entity Behavior Analytics (UEBA), a cybersecurity technology that uses advanced analytics to identify abnormal network activity.

“User entity behavior analytics solutions work well here, as they can pick up deviations from the normal for the OT networks. For legacy systems and hardware, you have the option of isolating them on their own subnets where inbound and outbound access to/from the systems are heavily regulated.

“You can also install application control software to limit what can actually execute on the legacy systems themselves,” Smith said.
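To make the monitoring approach concrete, here is an added example (not from the article or from QFunction) of a baseline-and-deviation check of the kind a UEBA tool applies to OT traffic when the devices themselves cannot run security software; the flow records, host names, address and severity rules are all constructed assumptions:

```python
from collections import defaultdict
# Constructed flow records (src,dst,dst_port,proto) from a learning window
# in which only expected Modbus/TCP and historian traffic was seen.
BASELINE_FLOWS = """\
plc-01,hmi-01,502,tcp
plc-01,historian,502,tcp
plc-02,hmi-01,502,tcp
hmi-01,historian,1433,tcp
"""
# Constructed records from a later window containing two deviations.
NEW_FLOWS = """\
plc-01,hmi-01,502,tcp
plc-01,203.0.113.7,443,tcp
plc-02,hmi-01,502,tcp
plc-02,hmi-01,445,tcp
hmi-01,historian,1433,tcp
"""
OT_HOSTS = {"plc-01", "plc-02", "hmi-01", "historian"}  # isolated OT subnet

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port, proto = line.strip().split(",")
            flows.append((src, dst, int(port), proto))
    return flows

def build_baseline(flows):
    """Per-source set of (dst, port, proto) tuples seen while learning."""
    baseline = defaultdict(set)
    for src, dst, port, proto in flows:
        baseline[src].add((dst, port, proto))
    return baseline

def detect_anomalies(baseline, flows, ot_hosts):
    """Return flows absent from the source's baseline. An OT host talking
    to anything outside the OT subnet is 'high' (traffic should never leave
    the isolated segment); a new port or protocol to a known peer is 'medium'."""
    findings = []
    for src, dst, port, proto in flows:
        if (dst, port, proto) in baseline.get(src, set()):
            continue
        leaves_ot = src in ot_hosts and dst not in ot_hosts
        findings.append({"src": src, "dst": dst, "port": port, "proto": proto,
                         "severity": "high" if leaves_ot else "medium"})
    return findings

def run_example():
    base = build_baseline(parse_flows(BASELINE_FLOWS))
    return detect_anomalies(base, parse_flows(NEW_FLOWS), OT_HOSTS)
```

Real deployments learn the baseline over a longer window and key it on more than the destination tuple (timing, byte counts, Modbus function codes), but the principle of alerting on departures from a per-device normal is the same.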

A Game of Patience, Spies, and Old War Tactics

Paul Laudanski, Director of Security Research at Onapsis, described the ongoing digital cold war as extremely challenging and compared it to tactics used in WWII.

“The biggest challenge in attributing and responding to nation-state cyberattacks lies in the adversaries’ remarkable patience and ability to operate in plain sight without being detected.

“This tactic draws parallels to espionage during World War II, where human spies remained undetected within high-level government positions for years if not decades.”

Laudanski explained that machine learning advancements can be used to work smarter when profiling enterprise behaviors, leveraging insights from low, slow, and high-profile attack patterns.

“Furthermore, leveraging human intelligence alongside signal intelligence enhances the ability to respond to these sophisticated nation-state cyber threats with a more comprehensive defense,” Laudanski said.

“Organizations should map out their entire attack surface, identifying all internet-facing assets and enhance detection capabilities to ensure that the systems and processes, complemented by the expertise of their personnel, are operating with efficiency.”

The Bottom Line

From consumer goods to construction, electronics, chemicals, pharmaceuticals, aerospace, defense, and other sectors, ransomware attacks fueled by geopolitical tensions are now the dominant force in cybercrime.

Dragos recommends that the critical infrastructure, manufacturing, and industrial sectors take bigger cybersecurity strides and coordinate with partners across the IT-OT community. The report also warns that IT-OT cybersecurity programs and strategies must be designed, developed, monitored, and updated.

Critical infrastructure, particularly IT-OT environments that manage industrial processes, is at high risk. While experts offer a mix of proactive solutions to combat this growing threat, and international legal instruments take historic digital shape, the future of infrastructure hinges on updating and modernizing IT-OT environments for times of digital cold war.
