Mining, spying, self-replicating – energy sector under cyberthreat pressure
September 2019 by Kaspersky
Kaspersky solutions were triggered on almost half of industrial control system (ICS) computers in the energy sector globally in the first six months of 2019. The top three cyberthreats were worms, spyware, and cryptocurrency miners – together, they combined to make almost 14% of the share of targeted computers. These are among the main findings of the Kaspersky ICS CERT report on the industrial threat landscape in the first half of 2019.
Industrial cyber incidents are among the most dangerous as they may result in production downtime and tangible financial losses and are quite hard to overcome. This is especially the case when the incident occurs in critical, life-supporting sectors, such as energy. Statistics for H1 2019, automatically processed by Kaspersky security technologies, have shown that those who manage energy solutions should not let their guard down. Overall, during the observed period of time, Kaspersky products were triggered on 41.6% of ICS computers in the energy sector. A large number of conventional malware samples –not designed for ICS — were blocked.
Among the malicious programs which were blocked, the greatest danger was posed by cryptocurrency miners (2.9%), worms (7.1%), and a variety of versatile spyware (3.7%). Infection with such malware can negatively affect the availability and integrity of ICS and other systems that are part of the industrial network. Among these detected threats, some are of particular interest.
This includes AgentTesla, specialised Trojan Spy malware, designed to steal authentication data, screenshots, and data captured from the web camera and keyboard. In all of the analysed cases, the attackers sent data via compromised mailboxes at various companies. Aside from malware threat, Kaspersky products also identified and blocked cases of the Meterpreter backdoor which was being used to remotely control computers on the industrial networks of energy systems. Attacks that use the backdoor are targeted and stealthy and are often conducted in manual mode. The ability of the attackers to control infected ICS computers stealthily and remotely poses a huge threat to industrial systems. Last but not least, the company’s solutions detected and blocked Syswin, a new wiper worm written in Python and packed into the Windows executable format. This threat can have a significant impact on ICS computers due to its ability to self-propagate and destroy data.
The energy sector was not the only one to face malicious objects and activities. Other industries, analysed by Kaspersky experts, have also shown no reason for relief with automotive manufacturing (39.3%) and building automation (37.8%) taking the second and the third places in terms of percentage of the number of ICS computers on which malicious objects were blocked.
Other findings of the report include:
On average, ICS computers do not operate entirely inside a security perimeter typical of corporate environments, and are, to a large extent, protected from many threats, which are also relevant to home users, using their own measures and tools. In other words, tasks related to protecting the corporate segment and the ICS segment are to some extent unrelated.
In general, the level of malicious activity inside the ICS segment is connected with the ‘background’ malware activity in the country.
On average, in countries where the situation with the security of the ICS segment is favorable, the low levels of attacked ICS computers are attributable to protection measures and tools that are used rather than a generally low background level of malicious activity.
Self-propagating malicious programs are very active in some countries. In the cases analysed, these were worms (malicious Worm class objects) designed to infect removable media (USB flash drives, removable hard drives, mobile phones, etc.). It appears that infections with worms via removable media is the most common scenario that could happen to ICS computers.
“The collected statistics, as well as analysis into industrial cyberthreats, are a proven asset for assessing current trends and predicting what type of danger we should all prepare for. This report has identified that security experts should be particularly cautious about malicious software that aims to steal data, spy on critically important objects, penetrate the perimeter and destroy the data. All of these types of incident could cause lots of trouble for industry”, says Kirill Kruglov, security researcher at Kaspersky.
Kaspersky ICS CERT recommends implementing the following technical measures:
Regularly update operating systems, application software and security solutions on systems that are part of the enterprise’s industrial network.
Restrict network traffic on ports and protocols used on edge routers and inside the organisation’s OT networks.
Audit access control for ICS components in the enterprise’s industrial network and at its boundaries.
Provide dedicated regular training and support for employees as well as partners and suppliers with access to your OT/ICS network.
Deploy dedicated endpoint protection solution such as Kaspersky Industrial CyberSecurity on ICS servers, workstations and HMIs to secure OT and industrial infrastructure from random cyberattacks; and network traffic monitoring, analysis and detection solutions for better protection from targeted attacks.