Threat actor groups targeting critical infrastructure
Understanding threat actor groups, their methods, and the systems they target is crucial for protecting critical infrastructure. In this blog, we highlight the main threat actor groups targeting critical infrastructure, giving a brief overview of each group's activities, methods, and targets. Knowing who is likely to attack, and how, helps organisations prioritise their defences.
Why are threat actor groups dangerous?
In operational technology (OT) cyber security, a threat actor is an individual or group that endangers OT environments such as energy grids, water supplies, and transportation networks. These actors, often organised into groups, pursue objectives like financial gain, espionage, or political influence, and pose significant risks to critical infrastructure. Threat actor groups are identified and clustered by their observed behaviours and tooling rather than by any claimed identity, so the same activity can carry several names from different researchers: numbered "APT" (advanced persistent threat) designations, the mineral names used by Dragos (Chernovite, Voltzite), the animal-themed names used by CrowdStrike, and the group entries catalogued in MITRE ATT&CK.
Chernovite
Type: State-sponsored
First seen: 2021
Goals and objectives:
- Espionage
- Malware development targeting critical infrastructure (e.g. ICS)
OT-specific activity: Chernovite developed PIPEDREAM, a modular malware framework aimed at industrial control systems (ICS). Although it has not been observed deployed in a real-world attack, the group remains a serious threat: PIPEDREAM can manipulate industrial equipment, interact with ICS protocols such as Modbus and OPC UA, and perform denial-of-service (DoS) attacks against controllers.
Discovered by: Dragos
Chernovite's focus on critical sectors such as liquefied natural gas (LNG) and electric power underscores its intent to disrupt or destroy essential systems. Given the sophistication of its malware, Chernovite is assessed to be state-sponsored and motivated by geopolitical aims, such as espionage and the destabilisation of an adversary's economy during a conflict. Proactive information sharing and collaboration are essential to defending against threats of this kind.
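To make the Modbus manipulation described above concrete, here is an added example written for this post (not Chernovite's tooling, PIPEDREAM code, or any vendor's detection logic). It parses constructed Modbus/TCP frames, validates the MBAP header, and flags write requests and disruptive diagnostic requests (restart, force listen-only) that come from hosts not on an assumed engineering-station allowlist. The frames, host addresses, and allowlist are constructed assumptions; the function codes and sub-functions are those defined in the Modbus application protocol specification.

```python
"""Flag Modbus/TCP requests that could change or silence a controller.

Added example for this post: parses the MBAP header and function code of
constructed Modbus/TCP frames and alerts when a write or a disruptive
diagnostic request arrives from a host that is not an approved engineering
station. Hosts, frames and the allowlist below are assumptions, not captures.
"""
import struct
from dataclasses import dataclass

# Function codes that modify coils or registers (Modbus application protocol spec).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
DIAGNOSTICS = 0x08
# Diagnostics sub-functions that restart the device or put it in listen-only
# mode: a cheap way to deny service to a controller without any exploit.
DISRUPTIVE_SUBFUNCTIONS = {0x0001: "Restart Communications", 0x0004: "Force Listen Only Mode"}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse MBAP header (transaction id, protocol id, length, unit id) plus PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # The length field counts every byte after itself: unit id plus the PDU.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def triage(src_ip: str, frame: bytes, allowed_writers: frozenset) -> tuple:
    """Return (severity, message) for one request seen on the OT network."""
    req = parse_modbus_tcp(frame)
    name = WRITE_FUNCTIONS.get(req.function)
    if name is not None:
        if src_ip in allowed_writers:
            return ("INFO", f"{name} to unit {req.unit_id} from approved station {src_ip}")
        return ("ALERT", f"{name} to unit {req.unit_id} from unapproved host {src_ip}")
    if req.function == DIAGNOSTICS and len(req.data) >= 2:
        sub = struct.unpack(">H", req.data[:2])[0]
        if sub in DISRUPTIVE_SUBFUNCTIONS:
            return ("ALERT", f"Diagnostics/{DISRUPTIVE_SUBFUNCTIONS[sub]} to unit {req.unit_id} from {src_ip}")
    return ("OK", f"function 0x{req.function:02x} to unit {req.unit_id} from {src_ip}")


# Constructed sample traffic (not captured data): (source host, raw frame bytes).
SAMPLE_TRAFFIC = [
    # HMI polling: Read Holding Registers (0x03), start address 0, count 10
    ("10.1.0.20", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # Approved engineering station: Write Single Coil (0x05), address 0x0010, value ON
    ("10.1.0.10", bytes.fromhex("0002 0000 0006 01 05 0010 FF00")),
    # Unknown host: Write Multiple Registers (0x10), one register at address 0 set to 0
    ("10.1.0.99", bytes.fromhex("0003 0000 0009 01 10 0000 0001 02 0000")),
    # Unknown host: Diagnostics (0x08), sub-function 0x0004 Force Listen Only Mode
    ("10.1.0.99", bytes.fromhex("0004 0000 0006 01 08 0004 0000")),
]
# Assumed allowlist: only the engineering workstation is permitted to write.
ALLOWED_WRITERS = frozenset({"10.1.0.10"})


def alerts_for(traffic=SAMPLE_TRAFFIC, allowed=ALLOWED_WRITERS) -> list:
    """Run triage over a traffic list and return only the ALERT findings."""
    return [(src, msg) for src, frame in traffic
            for sev, msg in [triage(src, frame, allowed)] if sev == "ALERT"]


if __name__ == "__main__":
    for src, frame in SAMPLE_TRAFFIC:
        sev, msg = triage(src, frame, ALLOWED_WRITERS)
        print(f"{sev:5} {msg}")
```

Run stand-alone it prints one line per frame; the two frames from 10.1.0.99 (a register write and a listen-only diagnostic) come back as alerts, the HMI read as OK, and the engineering station's coil write as INFO. On a real network the same logic would be fed from a span port or a Modbus-aware IDS, with the allowlist derived from the asset inventory. It handles only request frames and standard function codes; vendor-specific function codes and OPC UA need their own parsers.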
Bentonite
Type: Opportunistic
First seen: Ongoing
Goals and objectives:
- Espionage
- Disruption across diverse industries
OT-specific activity: Bentonite opportunistically targets internet-exposed systems to gain entry to critical infrastructure. Its attacks focus on weak security across industries such as maritime, oil and gas, and government.
Discovered by: Dragos
Bentonite exploits vulnerabilities in remote access assets and internet-exposed OT systems to infiltrate industrial networks. While less targeted than state-sponsored groups, Bentonite is a frequent threat because it capitalises on poorly defended systems. Its activity highlights the importance of securing remote access points and removing OT systems from direct internet exposure.
Voltzite
Type: State-sponsored
First seen: Ongoing
Goals and objectives:
- Long-term espionage and intelligence gathering
OT-specific activity: Overlapping with the activity Microsoft tracks as Volt Typhoon, Voltzite focuses on strategic sectors such as electric power and telecommunications. It relies on living-off-the-land techniques (built-in system tools and valid credentials rather than custom malware) and other evasion methods to maintain undetected access to critical systems and conduct intelligence-gathering operations.
Discovered by: Dragos; overlapping activity named Volt Typhoon by Microsoft and catalogued in MITRE ATT&CK
Voltzite's primary motive is geopolitical: pre-positioning in adversaries' infrastructure over extended periods. Its stealth makes it particularly dangerous, because prolonged, unnoticed access could be turned into sabotage or disruption of critical services when needed.
Gananite
Type: Espionage
First seen: Ongoing
Goals and objectives:
- Intelligence gathering
OT-specific activity: Gananite exploits outdated systems and internet-facing vulnerabilities, concentrating on Central Asia and CIS countries. Although less sophisticated than other groups, it succeeds against poorly defended systems, which underlines the need for regular patching and security updates.
Discovered by: Dragos
Gananite's reliance on publicly available exploits to infiltrate OT networks makes it a persistent threat, especially to organisations with outdated defences. Although not as advanced as other groups, its focus on intelligence gathering still poses a significant risk.
Ransomware Groups (Lockbit, ALPHV, BlackBasta)
Type: Financially motivated
First seen: Ongoing
Goals and objectives:
- Financial gain through ransomware
OT-specific activity: These groups, particularly Lockbit, are prolific in targeting manufacturing. Lockbit accounted for around 25% of all ransomware attacks on industrial organisations in 2023, and the manufacturing sector remains their primary target.
Discovered by: CISA (America's Cyber Defense Agency)
Their tactics centre on double extortion: encrypting systems and also threatening to leak stolen data if the ransom is not paid. The strategic targeting of manufacturing highlights the significant operational and financial impact of these attacks, since production stops while systems are encrypted.
Hacktivists (CyberAv3ngers, Anonymous Sudan)
Type: Politically motivated
First seen: Ongoing
Goals and objectives:
- Political disruption
- Raising awareness of causes
OT-specific activity: These groups have escalated their attacks on critical infrastructure, using shared tutorials and readily available tools to disrupt services in sectors like water utilities. They frequently target politically symbolic sectors, aiming for visible disruption that draws media attention.
Discovered by: MITRE ATT&CK, NetScout
Hacktivists like CyberAv3ngers and Anonymous Sudan have grown more capable, using accessible tools against internet-facing ICS assets; CyberAv3ngers' late-2023 compromises of internet-exposed Unitronics PLCs at water utilities, many still using default passwords, are a case in point. Their motives, often politically driven and unpredictable, make them a distinct challenge for OT security.
Threat actor summary table
| Threat Actor Group | Motivation | Primary Target | Key Methods | Notable Activities |
|---|---|---|---|---|
| Chernovite | Espionage, disruption | ICS, critical infrastructure | PIPEDREAM malware, ICS protocol exploitation | Development of PIPEDREAM; focus on LNG and electric power sectors |
| Bentonite | Espionage, disruption | Multiple sectors (maritime, oil, gas, government) | Exploitation of internet-exposed and remote access assets | Opportunistic attacks on poorly defended systems |
| Voltzite | Espionage, geopolitical | Electric power, telecom, defence | Long-term network persistence, stealthy access | Long-term espionage in the USA, Africa, and Southeast Asia |
| Gananite | Espionage | Central Asia and CIS countries | Public exploits against outdated systems | Lower sophistication but persistent regional threat |
| Lockbit (ransomware) | Financial gain | Manufacturing, industrial systems | Double extortion, encryption | 25% of all industrial ransomware attacks in 2023 |
| CyberAv3ngers (hacktivists) | Political disruption | Water utilities, symbolic sectors | DDoS, ICS disruption | Attacks on politically significant infrastructure |
How can we protect against threat actor groups?
The wide range of threat actor groups, from state-sponsored espionage entities to opportunistic hackers and politically motivated hacktivists, poses a growing risk to critical infrastructure. Understanding these groups is a crucial step for organisations preparing and implementing effective cyber security strategies. By understanding each group's tactics, motivations, and objectives, organisations can prioritise proactive measures such as regular system updates, employee awareness training, collaboration with government agencies, robust incident response plans, and regular security assessments. These measures are all essential to safeguarding critical infrastructure against evolving cyber threats.