State-linked hackers share their most dangerous tools

State-backed hackers are increasingly sharing their most dangerous cyber weapons with hacktivists who disregard the norms of digital warfare, according to a new report from Dragos.
Why it matters: Critical infrastructure organizations — such as utility operators and food manufacturers — are among the least prepared for cyberattacks due to limited budgets and a shortage of cybersecurity personnel.
- This growing collaboration between nation-state hackers and civilian hacking groups could escalate attacks aimed at shutting down essential services like water systems, rail transport and power grids.
Driving the news: Dragos, a cybersecurity firm specializing in critical infrastructure, released its annual report this morning, detailing new threat groups and emerging tactics.
- The report is considered a must-read for all critical infrastructure operators, and this year's findings include details about both new malware strains and hacker groups specifically targeting critical infrastructure.
The big picture: Geopolitical conflicts are increasingly fueling cyberattacks on civilian infrastructure, Dragos CEO Robert M. Lee told reporters during a press briefing.
- Many nation-state hacking teams and politically motivated civilian hackers tracked by Dragos have shown "interesting connections" over the past year, Lee said.
- Those connections could lead to foreign government hackers, who typically focus on low-frequency, high-impact cyberattacks, sharing their destructive cyber tools with civilian groups that launch far more attacks, the report notes.
What they're saying: "That's something, candidly speaking, most communities simply are not prepared for," Lee told reporters. "It requires a much different level of defense investment than we're currently seeing in the [operational technology] security space."
By the numbers: 70% of vulnerabilities affecting critical infrastructure organizations last year were "deep within the ICS network," meaning that the affected devices were closer to the operational process of running a critical service, according to the report.
- 39% of network vulnerabilities found in 2024 could also cause system operators "both a loss of view and a loss of control."
Zoom in: Dragos also warned about Bauxite, a newly identified hacking group aligned with Iranian interests — noting that it's likely to enhance its capabilities and launch more destructive cyberattacks globally this year.
- Since 2023, Bauxite has carried out at least four cyber campaigns targeting critical infrastructure organizations in the United States, Europe, Australia and West Africa, Dragos said.
- Its targets span key industries, including electricity, oil and gas, water, food and beverage, chemicals, and manufacturing.
- Bauxite members are known to lurk in online forums discussing critical infrastructure technology. They monitor security vulnerabilities in specific software to refine their attack methods.
- The group has exploited vulnerable Sophos firewalls and Unitronics equipment controllers and has scanned devices from Siemens, Cimon Automation and others for weaknesses.
Meanwhile, Dragos researchers identified two new malware strains — Fuxnet and FrostyGoop — deployed last year in attacks that reportedly shut off heat in more than 600 Ukrainian apartment buildings and disabled industrial sensors in Moscow.
Between the lines: Many of these attacks could have been prevented with basic cybersecurity practices, such as changing default administrator passwords and restricting system access.
- Dragos recommends that critical infrastructure organizations update their incident response plans, increase their visibility into their networks so they can better detect new threats, and focus on securing remote access to their most sensitive systems.
