According to Kaspersky ICS CERT, in the first six months of 2020 the share of attacked computers increased compared to the previous six months from 38% to almost 40% in building automation systems and from 36.3% to 37.8% in ICS in the oil and gas industry. The latter include supervisory control and data acquisition (SCADA) servers, storage servers, data gateways, stationary and mobile workstations for engineers and operators, computers used to administer technological networks, and computers used to develop software for industrial automation systems.
In general, the experts reported a global trend towards a decrease in the share of attacked ICS computers. In the first half of 2020, malware was blocked on a third (32.2%) of ICS computers in Russia, which almost coincided with the global average (32.6%). Compared to the previous six months, this indicator decreased by 6 and 11 percentage points for the world and for Russia, respectively.
The growth in attacks on ICS computers in the oil and gas industry may be associated with the emergence of many new worms written in scripting languages, in particular Python and PowerShell. This malware can collect logins and passwords from the memory of system processes using different versions of the Mimikatz utility. From late March to mid-June 2020, the experts found a large number of such worms, mainly in China and the Middle East.
Building automation systems are often connected to the corporate network and the Internet, which makes their attack surface larger than that of ICS. In addition, the devices most often belong to contractor companies, so their security is less closely controlled by the information security department of the hiring company, which again makes it easier for attackers to gain access.
The increase in the percentage of attacked computers in these infrastructures was an exception against the background of the global trend towards a decrease in the number of attacked computers, both in the ICS and in the IT segment. One of the main reasons for this trend was the decrease in the number of large-scale attacks and their replacement with more targeted ones. As a result, threats become more focused, and therefore more diverse and complex. There are noticeably more families of backdoors, spyware Trojans, Win32 exploits and malware for the .NET platform.
In addition, in the first half of 2020 ransomware continued to attack ICS computers. The most notorious incidents were a series of ransomware attacks on medical organizations and industrial companies around the world. Russia is in the middle of the world ranking in terms of the percentage of ICS computers attacked by ransomware, with 0.46%. This indicator had been increasing since January and reached its maximum in April; in May and June it began to decline.
The researchers write that the pandemic did not have a noticeable effect on the statistics for the half-year, with one exception. During this period, enterprises had to perform many production tasks remotely. As a result, the number of ICS computers reachable remotely via the RDP protocol grew. The experts note that from January to May, the percentage of ICS computers on which attempts to brute-force an RDP password were recorded also doubled. Another quite expected consequence of the pandemic was the exploitation of the COVID-19 topic in social engineering by attackers. According to the experts, the technique turned out to be so versatile and effective that even well-known APT groups, including those attacking industrial companies, use it.
“In most industries, the number of attacks on ICS computers has decreased, but there are still enough threats. The more complex the attacks, the more likely they are to cause serious damage, even if they happen less frequently. Due to the forced transition to remote operation, the attack surface has become larger. For industrial facilities, due to the absence of some employees on the ground, it has additionally become more difficult to quickly respond to an incident by, for example, transferring the attacked system to manual control. This means that the consequences of an attack can become more devastating. Since, as we can see, building automation systems and oil and gas companies are more likely to face cyber threats than before, we recommend that owners and operators of such systems take additional security measures,” comments Kirill Kruglov, senior research and development developer at Kaspersky ICS CERT.