The energy sector is one of the most attacked sectors today. In the first six months of 2019, Kaspersky Lab solutions blocked malicious activity on 41.6% of computers in the industrial automation systems of enterprises in this sector. In Russia, the figure was 58.1%.
The vast majority of the recorded threats were not developed specifically for the automation systems of energy facilities. Nevertheless, as the practical experience and research of Kaspersky ICS CERT experts show, many types of the blocked malware, even where their effect on the operation of IT systems is insignificant, can cause availability and integrity problems for automation systems inside the technological (production) network. Cryptocurrency miners, for example (blocked on 2.9% of ICS computers), are relatively harmless in an office network, but as they run and spread they can lead to denial of service of some ICS components.
Malicious worms (blocked on 7.1% of ICS computers) pose a serious danger to IT systems, but the consequences of their actions in the technological network can be far more significant. For example, the Syswin worm, blocked on many ICS computers in the energy sector, spreads on its own through network folders and removable media and destroys data on the infected device. In some cases this can not only cause a denial of service for monitoring and telecontrol systems, but also lead to an emergency.
Multifunctional spyware was blocked on 3.7% of ICS computers. As a rule, such malware can not only steal confidential information and download and execute other malware, but also give attackers unauthorized remote control of the infected device. On many computers in the energy sector the dangerous AgentTesla Trojan was detected; it is often used in malicious campaigns, including campaigns targeting industrial companies.
In addition, Kaspersky Lab products have repeatedly blocked what is possibly even more dangerous software: the Meterpreter backdoor, which has extensive capabilities for covert remote data collection and control. This tool is used both by specialists conducting penetration tests and by many attackers carrying out targeted attacks. Meterpreter runs in memory and leaves no traces on the hard drive, which is why the attack may go unnoticed if the computer is not protected by a modern security solution.
Of course, the energy sector was by no means the only one facing a large number of cyber threats. Kaspersky ICS CERT experts also recorded a high level of malicious activity in many other industries, which, unexpectedly, included automotive manufacturing and building automation: here Kaspersky Lab solutions blocked malicious activity on 39.3% and 37.8% of ICS computers, respectively.
"The technology for obtaining and analyzing telemetry data from industrial automation systems is an important tool that allows us to identify threats relevant to such systems. It makes it possible to detect specific security problems of automated control systems, analyze possible ways in which cyber threats may develop and develop technologies for their prevention. We share our experience, knowledge and expertise with the community of researchers, security developers and information security practitioners. This information is available both in the form of specialized reports useful for strategic and tactical planning of further actions to protect the enterprise, and in the form of a constantly updated stream of indicators of compromise for quickly detecting all the threats that our products have blocked on ICS computers around the world," said Kirill Kruglov, a leading threat researcher at Kaspersky ICS CERT.