Manufacturing was the industry most susceptible to cyber threats over the first half of this year, with industrial control system (ICS) computers accounting for almost 33 percent of all attacks, a new report found.
Attacker activity peaked in March, after which the proportion of computers attacked gradually declined from April to June, according to a Kaspersky Lab report entitled “Threat Landscape for Industrial Automation Systems in H1 2017.”
Also during the first half of the year, Kaspersky Lab products blocked attack attempts on 37.6 percent of the ICS computers from which the company received anonymized information, totaling several tens of thousands. This figure was almost unchanged from the previous period: it is 1.6 percent less than in the second half of 2016.
The majority of the cyber threats were in manufacturing companies that produce various materials, equipment and goods.
Other affected industries include engineering, education, and food & beverage. ICS computers in energy companies accounted for almost 5 percent of all attacks.
While the top three countries with attacked industrial computers, Vietnam (71 percent), Algeria (67.1 percent) and Morocco (65.4 percent), remained the same, researchers detected an increase in the percentage of systems attacked in China (57.1 percent), which came in fifth, according to Kaspersky Lab. Indonesia came in fourth at 58.7 percent.
Researchers also discovered the main source of threats was the Internet: attempts to download malware or access known malicious or phishing web resources were blocked on 20.4 percent of ICS computers. The high figures for this type of infection stem from the interfaces between corporate and industrial networks, the availability of limited Internet access from industrial networks, and the connection of computers on industrial networks to the Internet via mobile phone operators’ networks.
Kaspersky detected 18,000 different modifications of malware on industrial automation systems in the first six months, belonging to more than 2,500 different families.
In the first half of the year, the world faced a ransomware epidemic, which also affected industrial companies. Based on the research from Kaspersky Lab ICS CERT, the number of unique ICS computers attacked by encryption Trojans increased significantly and tripled by June.
Overall, experts discovered encryption ransomware belonging to 33 different families. Most of the encryption Trojans were distributed via spam emails disguised as business communication, with either malicious attachments or links to malware downloaders.
The main ransomware findings in the report include:
• 0.5 percent of computers in the industrial infrastructure of organizations were attacked by encryption ransomware at least once.
• ICS computers in 63 countries across the globe faced numerous encryption ransomware attacks, the best known of which were the WannaCry and ExPetr campaigns.
• The WannaCry epidemic ranked highest among encryption ransomware families, with 13.4 percent of all computers in industrial infrastructure attacked. The most affected organizations included healthcare institutions and the government sector.
• ExPetr was another encryption ransomware campaign from the first half of the year, with at least 50 percent of the companies attacked in the manufacturing and oil & gas industries.
• The Top 10 most widespread encryption Trojan families include other ransomware families, such as Locky and Cerber, which have operated since 2016 and have since earned the highest profit for cybercriminals.
“In the first half of the year we’ve seen how weakly protected industrial systems are – pretty much all of the affected industrial computers were infected accidentally and as the result of attacks targeted initially at home users and corporate networks,” said Evgeny Goncharov, head of critical infrastructure defense department at Kaspersky Lab. “In this sense, the WannaCry and ExPetr destructive ransomware attacks proved indicative, leading to the disruption of enterprise production cycles around the world, as well as logistical failures, and forced downtime in the work of medical institutions. The results of such attacks can provoke intruders into further actions. Since we are already late with preventive measures, companies should think about proactive protective measures now to avoid ‘firefighting’ in future.”
Kaspersky Lab ICS CERT recommended the following for a more secure environment:
• Take an inventory of running network services with special emphasis on services that provide remote access to file system objects.
• Audit ICS component access isolation, the network activity in the enterprise’s industrial network and at its boundaries, policies and practices related to using removable media and portable devices.
• Verify the security of remote access to the industrial network as a minimum, and reduce or completely eliminate the use of remote administration tools as a maximum.
• Keep endpoint security solutions up-to-date.
• Use advanced methods of protection: deploy tools that provide network traffic monitoring and the detection of cyberattacks on industrial networks.