Kaspersky expects 2022 to be tougher on ICS, industrial enterprises

Cybercriminals have definitely made significant strides in 2021, as the list of high-profile ransomware attacks on industrial enterprises this year is probably longer than for all previous years combined, Kaspersky said in a report earlier this week.

In the report, titled ‘Threats to ICS and industrial enterprises in 2022,’ Kaspersky expects 2022 to be tougher on industrial control systems (ICS) and industrial enterprises. APT campaigns targeting industrial organizations have also been keeping researchers very busy, it added.

“According to our telemetry and analysis of information found on the dark web, cybercriminals in 2021 compromised at least thousands of industrial organizations worldwide,” Evgeny Goncharov, head of the Industrial Control Systems Cyber Emergency Response Team (ICS CERT) at Kaspersky, wrote in the report. “We think that their total number vastly exceeds the number of organizations hit by ransomware or targeted by APTs. Some of those compromised might get lucky and simply fall off the cybercriminal radar. But not all. And for some companies, the consequences of a security compromise in 2021 will catch up with them only in 2022,” he added.

Kaspersky also found signs of compromise in many organizations on computers directly related to ICS, so the damage in some cases may not be limited to encryption of IT systems and data theft in the office network.

Improved corporate cybersecurity and the introduction of ever more tools and protection measures are causing cyber threats to evolve, Kaspersky said. Industry must take notice of attackers reducing the number of targets per individual attack, shortening the life cycle of malware, and minimizing the use of malicious infrastructure, and must recognize that modern advanced persistent threats (APTs) are more persistent than advanced in nature.

Kaspersky draws particular attention to the reduction in the number of targets per individual attack. “For instance, we see a new trend emerging in the criminal ecosystem of spyware-based authentication data theft, with each individual attack being directed at a very small number of targets (from single digits to several dozen),” the report said.

The trend is snowballing so rapidly that in some regions of the world up to 20 percent of all ICS computers on which Kaspersky blocks spyware are attacked using this tactic. Such attacks are likely to comprise an even larger portion of the threat landscape next year, and the same tactic is likely to spread to other types of threats as well, the firm cautioned.

To counter detection, cybercriminals are adopting the strategy of frequently upgrading malware in their chosen family. They use malware at its peak effectiveness to break through the defenses of security solutions and then switch to a new build as soon as the current one becomes readily detectable, Kaspersky said. The evolution of modern malware-as-a-service (MaaS) platforms makes it much easier for malware operators globally to use this strategy.

“Next year we are sure to encounter it even more frequently in various threat scenarios. Combined with the downward trend in the number of victims per individual attack, the widespread use of this strategy will lead to an even greater variety of malware, thus posing a major challenge for security solution developers,” Goncharov said.

In the fight against protection tools, adversaries seek to reduce the detectable malicious footprint of their actions, which is reflected in attempts to minimize the use of malicious infrastructure, Kaspersky said. “For example, we observed how C&C servers in some APTs had a very short lifespan, operating for no more than a couple of hours during the attack phase for which they were intended. And sometimes attackers manage to refrain from using not only any malicious, but also suspicious and untrusted infrastructure,” the report added.

A popular tactic in spyware attacks is now to send phishing e-mails from compromised corporate mail accounts of a partner organization of the intended victim. In this case, well-crafted messages are practically indistinguishable from legitimate ones and virtually undetectable with automated tools, Kaspersky said.

In Kaspersky’s investigations of APT-related incidents at industrial enterprises, the company has come across traces of attackers who, in parallel to the main thrust of the attack, tried to gain access from the infrastructure of a compromised industrial facility to other organizations or resources of the parent company, government agencies and the like, most likely in the hope that such attempts would go unnoticed. There is no doubt that the coming year will see more frequent use of such tactics by attackers in various categories, it added.

The Kaspersky report comes at a time when the U.S. government continues to focus on boosting the nation’s cybersecurity hygiene. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said at Palo Alto Networks’ Public Sector Ignite conference that visibility and modernization are the keys to improving the nation’s cybersecurity posture. She said those are two points she and CISA have been emphasizing in conversations with both Federal and public sector partners.

“You know if you can’t see it, you can’t defend it,” Easterly said at the event. “We’re working to really centralize visibility to improve detection of incidents across Federal government networks. … I mean it’s a pretty easy concept to say, ‘If you can see, you can defend it,’ but it’s much harder to implement at the end of the day.”

Vendors agree that rather than targeting and scaling attacks on low-hanging fruit, 2022 will bring new strategies by ransomware operators, Marty Edwards, vice president for operational technology at Tenable, wrote in an emailed statement. “They will get more selective about their targets, aiming to strike a balance between making money and dodging a target on their back from law enforcement. In order to outsmart this equation, organizations must stop trying to prevent adversaries’ missions and instead prevent them from being worthwhile.”
