The first half of 2020 saw decreases in attacks on most ICS sectors, but oil/gas firms and building automation saw upticks.
Cyberattacks against the oil and gas industry inched up only slightly compared to the second half of 2019. Security experts say they are encouraged by the anemic growth, but at the same time are expressing concern that attacks are now becoming more potent, targeted and complex.
According to new research from Kaspersky, 37.8 percent of computers tied to the industrial control systems (ICS) segment in the oil and gas sector suffered attacks in the first half of 2020, an increase of only about 2 percentage points.
Researchers found that oil and gas was one of the few ICS segments where the share of attacked computers rose at all. The report also noted an increase of almost 2 percentage points in the building automation space, where 39.9 percent of computers weathered threats in the first half.
Threats in the form of computer worms were a particularly active area of development for oil-and-gas attackers. Researchers observed numerous new variants of standalone malware in the form of worms written in scripting languages, specifically Python and PowerShell, on computers used to design, maintain and automate industrial systems in that sector. The surge in these detections occurred from the end of March to mid-June 2020, mainly in China and the Middle East.
“All of the detected worm samples, both in Python and in PowerShell, are capable of collecting authentication credentials from the memory of system processes on the attacked machines in order to spread within the network,” according to the research. “In most cases, the malware uses different versions of Mimikatz to steal authentication credentials from memory. However, there were some PowerShell samples which used the comsvcs.dll system library (MS Windows) to save a memory dump of the system process in which the malware then searched for authentication credentials.”
Kaspersky also said that the slight increase in building-automation attacks in particular is cause for concern.
“Building-automation systems often belong to contractor organizations, and even when these systems have access to the client’s corporate network, they are not always controlled by the corporate information security team,” according to the report, issued Thursday. “Given that the decrease in mass attacks is offset by an increase in the number and complexity of targeted attacks where we see active utilization of various lateral movement tools, building automation systems might turn out to be even less secure than corporate systems within the same network.”
Overall though, the percentage of ICS computers that were attacked has decreased by 6.6 percentage points from the second half of 2019, to 32.6 percent, Kaspersky found. The volume of attacks varied by geography; Algeria still saw high numbers of them (58.1 percent), while Switzerland had just 12.7 percent of ICS computers in cyberattackers’ sights.
More Complex Attacks
Behind those positive numbers, Kaspersky identified a few key trends. For one, threats are becoming more targeted and more complex.
For instance, in March, the firm’s researchers discovered a previously unknown APT campaign called “WildPressure.” Targeting industrial firms and others, it used a trojan that was dubbed Milum. Milum has the capability to control devices remotely. It can download and execute commands and collect a variety of information from the target device. For their campaign infrastructure, the operators used rented OVH and Netzbetrieb virtual private servers (VPS) and a domain registered with the Domains by Proxy anonymization service.
“A code analysis of the new malware did not show any notable overlaps or similarities with any previously known APT campaign,” Kaspersky researchers noted.
Meanwhile, ransomware was almost a non-factor, found to target just 0.63 percent of ICS computers. However, when incidents happened, they were significant. For instance, Belgium’s Picanol Group, a large manufacturer of high-tech weaving machines, fell victim to a massive ransomware attack in January.
No information has been released on the ransomware itself, but “the attack seriously disrupted the operations of the company’s manufacturing plants in Belgium, Romania and China,” according to the report. “The attack was discovered during the night, when Picanol employees in China were unable to access the company’s IT systems. Similar issues also arose in Ypres in Belgium. The company’s operations were nearly completely paralyzed. Picanol’s 2,300 employees were out of work for over a week.”
Otherwise, “we are seeing noticeably more families of backdoors, spyware, Win32 exploits and malware built on the .Net platform,” according to the research. “The internet, removable media and email continue to be the main sources of threats in the ICS environment.”
The Kaspersky analysis also looked at the possible impact of COVID-19 and remote working on the cyberattack landscape for ICS, by assessing the statistics of attacks on Remote Desktop Protocol (RDP) on industrial computers.
Between February and May, there was a clear month-to-month growth (with a subsequent decrease in June) in the percentage of detected attempts to crack RDP passwords through brute-force attacks, according to the report.
“The increase in the percentage of attacked ICS computers on which attempts to brute force the RDP password were detected (and prevented) may seem insignificant, but it should be remembered that any such attack, if successful, would immediately have provided the attackers with remote access to engineering computers and ICS systems,” according to the report. “The danger posed by such attacks should not be underestimated.”
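The brute-force attempts the report describes leave a recognisable trace in Windows Security logs: repeated failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source. The following detector is an added example, not code from the article or the Kaspersky report; the one-record-per-line `key=value` export format and the sample records are constructed for illustration.

```python
"""Flag RDP password brute-force attempts in exported Windows logon-failure records.

Added example; the 'timestamp key=value ...' line format below is a constructed
export format, not a Windows-native one.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: one external host hammering an engineering
# workstation over RDP, plus a single unrelated console logon failure.
SAMPLE_LOG = """\
2020-04-03T02:10:01 EventID=4625 LogonType=10 TargetUser=engineer SrcIP=203.0.113.45 Host=ENG-WS01
2020-04-03T02:10:03 EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.45 Host=ENG-WS01
2020-04-03T02:10:04 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.45 Host=ENG-WS01
2020-04-03T02:10:06 EventID=4625 LogonType=10 TargetUser=operator SrcIP=203.0.113.45 Host=ENG-WS01
2020-04-03T02:10:09 EventID=4625 LogonType=10 TargetUser=scada SrcIP=203.0.113.45 Host=ENG-WS01
2020-04-03T02:10:11 EventID=4625 LogonType=10 TargetUser=engineer SrcIP=203.0.113.45 Host=ENG-WS01
2020-04-03T09:15:00 EventID=4625 LogonType=2 TargetUser=jdoe SrcIP=- Host=ENG-WS01
"""


def parse_record(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {(src_ip, host): total_failures} for every source that produced at
    least `threshold` failed RDP logons against one host within any sliding
    window of length `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        # 4625 = logon failure; LogonType 10 = RemoteInteractive (RDP)
        if rec.get("EventID") == "4625" and rec.get("LogonType") == "10":
            failures[(rec["SrcIP"], rec["Host"])].append(rec["ts"])
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = len(times)
                break
    return alerts
```

The threshold and window are tuning knobs; on engineering workstations that should rarely see interactive remote logons at all, both can be set much lower than on a general-purpose jump host.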
Otherwise, the firm was unable to identify any other abnormal surges in malicious activity that could be attributed to the pandemic’s consequences.
“We hope this was due to an actual absence of negative changes in the ICS threat landscape,” researchers said.