Two in five computers around the globe related to the technological infrastructure of industrial enterprises faced cyberattacks in the second half of 2016, according to cybersecurity company Kaspersky Lab.
Research from Kaspersky released on Tuesday showed that the percentage of industrial computers under attack grew from over 17% in July 2016 to more than 24% in December 2016. A press release from Kaspersky noted that the top three sources of infection were the Internet, removable storage devices and malicious email attachments and scripts embedded in the body of emails.
The results, published in a report titled Industrial automation systems threat landscape in the second half of 2016, examined the cyberthreat landscape faced by Internet connection sharing (ICS) systems. Kaspersky experts discovered that during the second half of 2016, malware downloads and access to phishing webpages were blocked on more than 22% of industrial computers. “This means that almost every fifth machine faced the risk of infection or credential compromise via the Internet at least once,” Kaspersky said in the release.
Other key findings from the report included:
Every fourth targeted attack detected by Kaspersky in 2016 was aimed at industrial targets;
About 20,000 different malware samples were revealed in industrial automation systems belonging to over 2,000 different malware families;
75 vulnerabilities were revealed by Kaspersky in 2016. Fifty-eight of them were marked as maximum critical vulnerabilities; and
The top three countries that experienced industrial computer attacks were Vietnam (more than 66%), Algeria (over 65%) and Morocco (60%).
Kaspersky noted in the release that the desktop computers of engineers and operators working directly with ICS do not usually have direct access to the Internet due to the limitations of the technology network in which they are located. However, there are other users that have simultaneous access to the Internet and ICS. According to Kaspersky research, these computers – presumably used by system and network administrators, developers and integrators of industrial automation systems, as well as third party contractors who connect to technology networks directly or remotely – can freely connect to the Internet because they are not tied to only one industrial network with its inherent limitations.
But the Internet is not the only thing that threatens the cybersecurity of ICS systems – the danger of infected removable storage devices is another threat spotted by the company’s researchers. During the period of research, 10.9% of computers with ICS software installed (or connected to those that have this software) showed traces of malware when a removable device was connected to them.
Malicious email attachments and scripts embedded in the body of emails were blocked on 8.1% of industrial computers, taking third place, Kaspersky said in the release. In most cases, attackers use phishing emails to attract the user’s attention and disguise malicious files.
“Malware was most often distributed in the format of office documents such as [Microsoft] Office and PDF files,” the release said. “Using various techniques, the criminals made sure that people downloaded and ran malware on the industrial organization’s computers.”
Malware, which includes spyware, backdoors, keyloggers, financial malware, ransomware and wipers, “can completely paralyze the organization’s control over its ICS or can be used for targeted attacks respectively,” Kaspersky reported. The latter is possible because of inherent functions that provide an attacker with lots of possibilities for remote control.
“Our analysis shows us that blind faith in technology networks’ isolation from the Internet doesn’t work anymore,” concluded Evgeny Goncharov, head of the critical infrastructure defense department at Kaspersky. “The rise of cyberthreats to critical infrastructure indicates that ICS should be properly secured from malware both inside and outside the perimeter. It is also important to note that according to our observations, the attacks almost always start with the weakest link in any protection – people.”