Critical Infrastructure’s Most Notorious Cyber Threat Actor Groups

Published Nov 25, 2022

This blog post highlights some of the malicious groups that target critical infrastructure, with examples of the attacks they have carried out.


Critical infrastructure is a term used by governments to describe the assets that are essential to the functioning of a society and its economy: water treatment plants, electricity grids, fuel pipelines, food production, manufacturing sites and transportation providers, among others. Without the reliability and availability of these assets, modern society would face significant disruption, including loss of access to food, water and fuel and threats to public safety.


Malicious groups are cyber threat actors (often called black-hat hackers) who work together to attack an organisation using techniques such as spear-phishing, credential theft and ransomware, either to gain access to confidential business data or to disrupt business processes. Nation-state and organised-crime groups target organisations for financial gain, to fund other illegal operations, or for political advantage. The following sections highlight some notable threat actor groups and their infamous attacks on organisations that are considered critical infrastructure.


REvil (also known as Sodinokibi) is a Russia-based group that ran a ransomware-as-a-service (RaaS) operation: the core group developed and maintained the ransomware, the payment portal and the data-leak site, and leased them to affiliates in exchange for a share of each ransom. An affiliate is a threat actor who gains access to an organisation’s systems, typically through passive reconnaissance (open-source intelligence), active reconnaissance (for example port scanning with Nmap) to find exposed or vulnerable services, purchased or leaked credentials, or social engineering such as phishing employees for their credentials or tricking them into installing malicious software. Once inside, the affiliate escalates privileges, moves laterally to reach as many systems as possible (domain controllers and backup servers are favoured targets) and usually exfiltrates sensitive data before encryption so that it can be used as extra leverage. When the affiliate judges that it has sufficient reach and privilege, it deploys the REvil payload across the compromised systems. The payload encrypts user and business files, rendering them unusable (it deliberately skips the files the operating system needs to boot, so that the victim can still read the demand), and leaves a ransom note on each system with instructions for paying in cryptocurrency to obtain the decryption key. A real-world example of REvil attacking critical infrastructure is the attack on JBS Foods.


• JBS Foods is the world’s largest meat processing company, with operations in countries including Australia, New Zealand and the USA. In late May 2021, JBS was the victim of a ransomware attack that encrypted systems across its North American and Australian operations and, according to JBS, may also have exfiltrated confidential business and customer data. JBS temporarily shut down production facilities in the USA, Canada and Australia to contain the ransomware. It has been suggested that the attackers obtained their foothold through employee credentials that had been leaked online in an earlier, unrelated data breach. REvil initially demanded US$22.5M for the decryption key; after negotiation JBS paid US$11M in Bitcoin, even though its backups were intact, to reduce the risk of the stolen data being published. JBS counts as critical infrastructure because it supplies meat to many countries: a sustained disruption to its output could cause meat shortages, followed by price rises driven by reduced supply, increased demand and panic buying. The impacts of the REvil attack on JBS therefore included the ransom payment itself; the continuing risk that the stolen data is leaked, since paying gives no guarantee that REvil will not publish it later; lost revenue from the interruption to production; and loss of customer and stakeholder trust.


DarkSide is a Russian-speaking group that also ran a ransomware-as-a-service (RaaS) operation. As with REvil, the core group supplied the ransomware, the negotiation portal and the leak site, while vetted affiliates carried out the intrusions and kept the majority of each ransom (DarkSide advertised a tiered split in which the operators took a smaller percentage of larger ransoms). Once an affiliate has gained access, whether through a vulnerability, stolen credentials or another route, it performs reconnaissance to map the network and identify the most effective way of spreading the ransomware, and steals confidential data before encryption so that it can be used as leverage if the victim refuses to negotiate. It then deploys the ransomware across the compromised systems and threatens to publish the stolen data unless the ransom is paid (so-called double extortion). Shortly after the Colonial Pipeline attack, DarkSide announced that it was shutting down, claiming that its servers had been seized and its cryptocurrency wallet drained. However, it is widely believed that the group simply rebranded and continued its operations under the name BlackMatter. A real-world example of a DarkSide affiliate attacking critical infrastructure is the Colonial Pipeline incident.


• Colonial Pipeline operates the largest refined-fuel pipeline system in the USA, carrying around 45% of the fuel (gasoline, diesel and jet fuel) consumed on the East Coast. On 7 May 2021, Colonial discovered that DarkSide ransomware had been deployed on its corporate IT network and that roughly 100GB of business data had been exfiltrated. Incident responders later determined that initial access came through a compromised password for a legacy VPN account that did not require multi-factor authentication. The ransomware encrypted files on the IT systems, and DarkSide left a note demanding payment to restore them and to prevent the stolen data from being published. Colonial proactively shut down the pipeline, partly because it could not be sure the attackers had not reached the operational technology (OT) network that controls it and partly because the billing systems it relies on were affected; the pipeline was offline for about six days, causing fuel shortages and panic buying along the East Coast. Colonial paid a ransom of 75 Bitcoin (about US$4.4M at the time) on the day of the attack, despite having backups, because it did not know how long recovery would otherwise take. In June 2021 the US Department of Justice announced that it had seized 63.7 of those Bitcoin (worth about US$2.3M by then) after obtaining the private key for the wallet the funds had been moved to. The impacts of this incident included higher fuel prices and shortages, lost revenue during the shutdown, the ransom payment, disruption of work, loss of customer and stakeholder trust, and a breach of personal data (names, dates of birth, contact details, ID numbers and similar) affecting 5,810 individuals, whom Colonial notified in August 2021.
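The on-disk result of the encryption step that both the REvil and DarkSide sections describe is the same: business documents are replaced by high-entropy ciphertext, usually with an extension appended to the original filename, and a ransom note is dropped beside them. The following is an added example (mine, not code from the original post or from either group) of a small triage scanner for those two artefacts; the sample tree, the note filename, the appended extension and the thresholds are constructed for illustration and are not indicators taken from any real sample.

```python
"""Added example: triage scan for ransomware impact on a file tree.
Constructed for illustration; thresholds, filenames and the sample tree are
assumptions, not indicators taken from REvil, DarkSide or any real sample.
"""
import math
import os
import re
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits/byte; ciphertext and random data sit near 8.0, text near 4.5
MIN_SIZE = 64             # entropy of very small files is not meaningful
SAMPLE_BYTES = 4096       # reading only the head of each file keeps the scan cheap
# A document extension followed by an appended one, e.g. "report.docx.k8x2w1"
# (the appended extension is an assumed placeholder, not a real ransomware marker).
DOUBLE_EXT = re.compile(
    r"\.(docx?|xlsx?|pptx?|pdf|txt|csv|sql|bak|jpe?g|png)\.[A-Za-z0-9]{4,12}$", re.I)
NOTE_NAME = re.compile(r"(readme|restore|recover|decrypt|how_to)", re.I)
NOTE_WORDS = ("decrypt", "bitcoin", "monero", "ransom", ".onion")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_note(path: str, head: bytes) -> bool:
    """Ransom note: a note-like filename whose text mentions payment or decryption."""
    if not NOTE_NAME.search(os.path.basename(path)):
        return False
    text = head.decode("utf-8", errors="ignore").lower()
    return any(word in text for word in NOTE_WORDS)


def scan_tree(root: str) -> dict:
    """Walk root and return candidate encrypted files, ransom notes and a verdict."""
    result = {"scanned": 0, "encrypted_candidates": [], "ransom_notes": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            result["scanned"] += 1
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if looks_like_note(path, head):
                result["ransom_notes"].append(rel)
                continue
            # Require both signals: archives, images and already-encrypted
            # containers are high-entropy too, so entropy alone would flag
            # every .zip and .jpg on the host.
            if (len(head) >= MIN_SIZE and DOUBLE_EXT.search(name)
                    and shannon_entropy(head) > ENTROPY_THRESHOLD):
                result["encrypted_candidates"].append(rel)
    if result["ransom_notes"] and result["encrypted_candidates"]:
        result["verdict"] = "likely ransomware impact"
    elif result["ransom_notes"] or result["encrypted_candidates"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "clean"
    return result


def build_sample_tree() -> str:
    """Write a constructed sample tree (not data from a real incident) to a temp dir."""
    root = tempfile.mkdtemp(prefix="ransom-scan-")
    files = {
        "docs/notes.txt": b"Quarterly meeting notes: review the budget.\n" * 60,
        "docs/README.txt": b"Build with make and read the docs folder first.\n",
        "docs/archive.zip": os.urandom(2048),          # legitimate high-entropy file
        "docs/report.docx.k8x2w1": os.urandom(4096),   # stand-in for an encrypted document
        "finance/ledger.xlsx.k8x2w1": os.urandom(4096),
        "finance/k8x2w1-readme.txt": (b"All of your files have been encrypted.\n"
                                      b"To decrypt them, pay in Bitcoin via the Tor link.\n"),
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Run against the constructed tree, the scanner reports the two renamed, high-entropy documents and the note, while the ordinary README and the random-content `.zip` are left alone; the entropy test is deliberately gated on the appended extension so that compressed or already-encrypted files do not drown the result in false positives.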


Triton (also tracked as TRISIS and HatMan) is malware built specifically to tamper with Schneider Electric Triconex safety controllers. The group behind it has not been conclusively identified, but the malware is assessed to have been developed by a state-sponsored actor: it is sophisticated, targets a single controller family, and was designed to enable physical damage or harm rather than financial gain or theft of intellectual property. In 2018 FireEye attributed the activity with moderate confidence to a Russian government-owned research institute, and in 2022 the US Department of Justice indicted an employee of that institute. A Triconex Safety Instrumented System (SIS) is a layer of protection that sits alongside the process control system and monitors plant conditions; if it detects an unsafe condition (for example excessive pressure or temperature), it performs an emergency shutdown (ESD) to bring the process to a safe state and protect the people and equipment at the facility. Triton runs on an engineering workstation that can talk to the controllers and communicates with them using Schneider’s proprietary TriStation protocol over UDP port 1502. It used a zero-day vulnerability in the Tricon firmware to escalate privileges and inject a backdoor into the controller’s memory, while the controller continued to operate normally with no visible errors. The backdoor then waited for commands from the attacker; through those commands the attacker could read and write the controller’s memory and reprogram the safety logic. In theory, an attacker could use this to disable the safety functions so that the plant keeps running under unsafe conditions, or to trigger an unsafe state deliberately while the SIS no longer intervenes; the result could be the release of toxic gas, an explosion, injury or loss of life. A real-world example is the attack on a Saudi Arabian petrochemical plant.


• The Saudi Arabian petrochemical plant produces organic products such as plastics, rubber and synthetic fibres that are later used to make products like clothing, electronics and medical equipment. In 2017 it suffered a cyber incident in which Triton was deployed against its Triconex SIS. The attackers are believed to have reached the SIS network through a misconfigured demilitarised zone (DMZ) that allowed them to pivot from the corporate network to an engineering workstation that could communicate with the safety controllers. From that workstation they found six Triconex controllers whose physical key switch had been left in “PROGRAM” mode; the key switch is the control that allows a controller’s logic to be changed, and staff had not returned it to “RUN” after earlier programming work. Because of this, the attackers could load unauthorised code onto the controllers over the network. With control of a Windows system on the SIS network and a backdoor in the controllers, the attackers could in theory have disabled the SIS, removing the plant’s last line of defence so that it would keep running regardless of dangerous conditions, and then used other systems to open valves and release toxic gases such as hydrogen sulphide or to cause equipment to over-pressure or overheat. Fortunately, before any such attack took place, a mistake in the attackers’ code caused controllers to fail safe and trip the plant into an emergency shutdown; the shutdown in August 2017 prompted the plant to bring in external incident responders, who discovered the malware and the underlying weaknesses and worked to prevent further damage.
Therefore, in this scenario Triton did little actual harm. The potential impact of a successful attack, however, includes injury or death of personnel or nearby civilians from explosions or exposure to dangerous gases or substances, lost revenue while the plant is shut down, the cost of repairing damaged systems and potential legal liability, physical damage to or destruction of the plant from operating under unsafe conditions, and knock-on effects on the availability and price of downstream products such as electronics due to a shortage of raw materials.

These examples show that attacking critical infrastructure such as food processing or fuel distribution with ransomware (or other malware) is profitable for malicious groups when the affected organisations pay the ransom or cannot continue operating normally, which in turn motivates these groups to keep targeting organisations in critical infrastructure sectors.
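Triton only becomes dangerous once something on the SIS network starts speaking TriStation to the controllers, and in the plant scenario above that something was a Windows engineering workstation reached via the DMZ. The following is an added example (mine, not code from the original post, from the Triton authors or from Schneider Electric) of the network-side check a SOC could run over flow records from a tap on the SIS network: it flags TriStation (UDP/1502) sessions to safety controllers from any host other than the approved engineering workstation, flags any traffic to the controllers from outside the SIS network, and treats programming traffic from the approved workstation itself as reportable when no change is scheduled. The IP addresses, subnets and flow records are constructed assumptions; the port is the one the TriStation protocol uses.

```python
"""Added example: flow-record detection for unexpected TriStation traffic.
Addresses, subnets and the sample records are constructed assumptions;
TriStation itself runs over UDP port 1502.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

TRISTATION_PORT = 1502
SIS_NET = ip_network("10.10.30.0/24")                                      # assumed SIS network
SIS_CONTROLLERS = {ip_address("10.10.30.11"), ip_address("10.10.30.12")}  # assumed controllers
ENGINEERING_WORKSTATIONS = {ip_address("10.10.30.5")}                     # assumed approved EWS


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: ts src sport dst dport proto."""
    ts, src, sport, dst, dport, proto = line.split()
    return Flow(ts, ip_address(src), int(sport), ip_address(dst), int(dport), proto.lower())


def classify(flow: Flow, change_window_open: bool = False):
    """Return (severity, reason) for a flow that touches a safety controller, else None."""
    if flow.dst not in SIS_CONTROLLERS:
        return None
    if flow.proto == "udp" and flow.dport == TRISTATION_PORT:
        if flow.src not in ENGINEERING_WORKSTATIONS:
            return ("high", "TriStation (UDP/1502) to safety controller from non-approved host")
        if not change_window_open:
            # The approved workstation itself was the attacker's foothold in the
            # Triton incident, so programming traffic with no matching change
            # ticket still needs a human to look at it.
            return ("medium", "TriStation from engineering workstation outside a change window")
        return None
    if flow.src not in SIS_NET:
        return ("medium", "traffic to safety controller from outside the SIS network")
    return None


def detect(lines, change_window_open: bool = False):
    """Run classify over flow records; returns (ts, src, dst, severity, reason) tuples."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        hit = classify(flow, change_window_open)
        if hit:
            alerts.append((flow.ts, str(flow.src), str(flow.dst), hit[0], hit[1]))
    return alerts


# Constructed records, not from a real capture: ts src sport dst dport proto
SAMPLE_LOG = """\
# ts          src         sport dst         dport proto
1500000001 10.10.30.5  50123 10.10.30.11 1502 udp
1500000002 10.10.30.5  50124 10.10.30.12 1502 udp
1500000003 10.10.20.7  40001 10.10.30.11 1502 udp
1500000004 10.10.20.7  40002 10.10.30.12 445  tcp
1500000005 10.10.30.40 33000 10.10.30.11 502  tcp
1500000006 10.10.30.5  50125 10.10.30.11 1502 udp
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert, sep="  ")
```

Two caveats a practitioner would add: the position of the controller key switch is not visible on the wire, so this rule must be paired with a physical check that the switch is back in RUN after every programming session, and a Zeek `conn.log` can be mapped onto the record format above by taking `id.orig_h`, `id.orig_p`, `id.resp_h`, `id.resp_p` and `proto`.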


Organisations in these sectors should therefore consider the following recommendations:
• Implement a well-rehearsed incident management plan and a business continuity plan that identify critical business processes and the impact of their unavailability, so that operations can continue during an incident.
• Back up data regularly, encrypt the backups, and verify them with cryptographic hashes (ideally keyed, with the key stored away from the backup host) so that backed-up data maintains its confidentiality and integrity; keep at least one copy offline or otherwise immutable so that ransomware reaching the network cannot encrypt the backups too.
• Provide redundant systems that can support operational requirements when critical systems are unavailable.
• Establish and test data restoration procedures so that backups are verified for integrity before they are restored, can be restored within the required time, meet technical requirements, and do not reintroduce the malware or corrupt the affected system.
• Install endpoint anti-malware on all organisational systems and keep it continuously updated so that most malicious programs can be detected and contained.
• Encrypt critical systems and data so that unauthorised individuals cannot read confidential data even if they obtain it (note that encryption at rest does not stop ransomware, which simply encrypts the files a second time).
• Foster a strong cyber-security culture and ensure that staff, contractors and supply-chain partners are trained to recognise social engineering (such as phishing) and know how to report and handle it.
• Maintain a vulnerability management process that identifies, reports and resolves vulnerabilities in the systems and services in use.
• Apply system patches and updated security configurations promptly to reduce the supporting infrastructure’s exposure to known vulnerabilities; patching cannot protect against a true zero-day such as the one Triton used, so it must be combined with the segmentation and monitoring controls below.
• Implement appropriate access controls, following the principle of least privilege, so that unauthenticated and unauthorised individuals cannot access, modify or delete files they do not need.
• Ensure that passwords used in business operations are unique, are not reused across services, are changed whenever compromise is suspected, and are coupled with multi-factor authentication wherever it is available, particularly on remote access such as VPNs (the Colonial Pipeline intrusion began with a VPN account that lacked MFA) and on accounts whose credentials may appear in earlier breaches (as suggested for JBS).
• Segment and segregate networks to filter unknown or untrusted traffic and contain malicious activity; in particular, keep safety and control system networks separate from the corporate network and the DMZ, and return physical controls such as controller key switches to RUN mode whenever programming is not in progress.
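The two backup bullets above (hash-verified backups, and an integrity check before restoration) are what JBS and Colonial Pipeline both had to fall back on, and a plain hash manifest is not enough on its own: an attacker who can encrypt the backup share can also rewrite a manifest that sits beside it. The following is an added example (mine, not code from the original post) that builds a keyed manifest, HMAC-SHA256 over the per-file SHA-256 digests, and then verifies a backup tree against it before any restore, reporting modified, missing and unexpected files and refusing outright when the manifest itself has been altered. The key, the sample files and the tampering steps are constructed for illustration; in practice the key would be held in a KMS, HSM or offline vault and never on the backup host.

```python
"""Added example: keyed backup manifest (HMAC-SHA256 over per-file SHA-256)
and a pre-restore verification step. Key, files and tampering are constructed
for illustration; this is not code from the original post.
"""
import hashlib
import hmac
import json
import os
import tempfile


def _file_sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _hash_tree(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = _file_sha256(full)
    return digests


def _manifest_mac(key: bytes, files: dict) -> str:
    # Canonical JSON so the MAC does not depend on dict ordering or whitespace.
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(root: str, key: bytes) -> dict:
    """Hash every file under root and authenticate the table with the manifest key."""
    files = _hash_tree(root)
    return {"files": files, "mac": _manifest_mac(key, files)}


def verify_backup(root: str, manifest: dict, key: bytes) -> dict:
    """Decide whether the backup under root may be restored.

    The manifest MAC is checked first (an altered or re-signed manifest is
    rejected without looking at the files), then every file is compared.
    """
    expected = manifest["files"]
    if not hmac.compare_digest(manifest["mac"], _manifest_mac(key, expected)):
        return {"ok": False, "reason": "manifest MAC mismatch (manifest altered or wrong key)",
                "modified": [], "missing": [], "unexpected": []}
    actual = _hash_tree(root)
    modified = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected)
    ok = not (modified or missing or unexpected)
    return {"ok": ok, "reason": "verified" if ok else "backup differs from manifest",
            "modified": modified, "missing": missing, "unexpected": unexpected}


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> tuple:
    """Clean verification, then ransomware-style tampering, then a forged manifest."""
    key = os.urandom(32)  # assumed: in production this lives in a KMS/HSM/offline vault
    root = tempfile.mkdtemp(prefix="backup-")
    _write(root, "db/customers.sql", b"INSERT INTO customers VALUES (1, 'acme');\n" * 100)
    _write(root, "config/app.yaml", b"db_host: db.internal\n")
    manifest = build_manifest(root, key)
    clean = verify_backup(root, manifest, key)

    # Simulate ransomware reaching the backup share: one file is overwritten
    # with ciphertext and a ransom note appears (constructed, not a real sample).
    _write(root, "db/customers.sql", os.urandom(512))
    _write(root, "db/RESTORE-FILES.txt", b"pay to decrypt\n")
    tampered = verify_backup(root, manifest, key)

    # The attacker then rewrites the hash table to match the new contents but
    # cannot produce a valid MAC without the key.
    forged = {"files": _hash_tree(root), "mac": manifest["mac"]}
    forged_result = verify_backup(root, forged, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, res in zip(("clean", "tampered", "forged manifest"), demo()):
        print(f"{label}: {res}")
```

The restore job should call `verify_backup` and proceed only when `ok` is true; the `modified` and `unexpected` lists are the evidence to hand to incident responders, and a MAC mismatch means the backup host itself, not just its data, must be treated as compromised.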


If these recommendations are implemented using a risk-based approach, they can significantly reduce both the likelihood and the impact of a cyber incident within an organisation.


References available upon request.