In the first six months of 2020, the percentage of systems attacked in the oil & gas and building automation industries increased when compared to 2019.
This growth occurred as the percent of industrial control system (ICS) computers attacked in most industries declined as cybercriminals shifted their focus to distributing more targeted and focused threats. Attacks against industrial organisations always carry the potential to be particularly devastating, both in terms of disruption to production and financial losses.
In addition, attacks against industrial enterprises have become more targeted, organised by sophisticated threat actors with extensive resources whose goals may not just be financial gain but also cyber espionage.
For the first six months of this year the industries most prone to attacks were building automation and oil & gas. Attacks against the latter have the potential to be particularly devastating given the massive financial losses already incurred as a result of the recent pandemic.
The percentage of ICS computers on which malicious objects were blocked grew from 38% in H2 2019 to 39.9% in H1 2020 in the building automation industry and from 36.3% to 37.8% in the oil & gas industry.
Building automation systems, in general, tend to be more often exposed to attacks. They often have a larger attack surface than traditional ICS computers because they are frequently connected to corporate networks and the Internet. At the same time, because they traditionally belong to contractor organisations, these systems are not always managed by the organisation’s corporate information security team – making them an easier target.
The growth in the percent of ICS computers attacked in the oil & gas industry can be traced back to the development of a variety of worms (malicious programs that self-replicate on the infected device) written in scripting languages, specifically Python and PowerShell.
These worms are able to gather authentication credentials from the memory of system processes using different versions of the Mimikatz utility. From the end of March to mid-June 2020, a large number of these worms were detected, primarily in China and the Middle East.
The increase in the percent of ICS computers attacked in the oil & gas and building automation industries was the exception for the first half of 2020: the percent of systems attacked in most other industries declined.
This occurred as attackers appeared to shift their focus from mass attacks to distributing more focused and targeted threats, including backdoors (dangerous Trojans that gain remote control over the infected device), spyware (malicious programs designed to steal data) and ransomware attacks (which tend to target specific enterprises).
In fact, there were noticeably more families of backdoors and spyware built on the .NET platform that were detected and blocked on ICS computers.
The percent of ICS computers affected by ransomware grew slightly in H1 2020 when compared to H2 2019 across all industries, with a series of attacks witnessed against medical facilities and industrial companies.
Industrial companies were also the victims of sophisticated campaigns by advanced persistent threat (APT) actors.
“The percent of ICS computers attacked across most industries is declining,” comments Evgeny Goncharov, security expert at Kaspersky. “However, there are still threats to contend with.
“The more targeted and sophisticated attacks are, the greater potential they have to cause significant damage – even if they occur less frequently.
“What’s more, with many enterprises forced to work remotely and sign into corporate systems from home, ICS have naturally become more exposed to cyberthreats.
“And, with fewer on-site personnel, there are fewer people available to respond and mitigate an attack, meaning the consequences may be far more devastating.
“Given that the oil & gas and building automation infrastructures appear to be a popular target among attackers, it’s crucial that these system owners and operators take extra security precautions.”