Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations

New data released by researchers from the Kaspersky ICS CERT team provides details on cybercriminal and hacktivist attacks on industrial organizations, with a separate report dedicated to APT attacks. Some links to corporate website pages containing incident information are broken, but the team chose to retain them because they were based on the victim companies' statements. The overview focuses on incidents confirmed by affected organizations or government officials, excluding reports solely from cybercriminal groups.

While the number of incidents remains consistent with the previous six months, the severity of consequences has increased. Material impacts, such as production denial and product shipment suspensions, have doubled compared to the previous period. Financial losses were reported, with a maximum of US$356 million reported by U.S. chemical products manufacturer Clorox. Notably, some attacks led to significant business repercussions, including job losses and infrastructural effects.

Kaspersky reported that the number of cybercriminal and hacktivist attacks on industrial organizations was comparable to that for the previous six months, but on average the consequences of the attacks have become more severe (or at least more of the victims reported severe consequences). “Material consequences, such as denial of production or suspension of product shipments, were reported twice as often as in the previous six months (37.5% of incidents in H2 2023 vs. 18% in H1 2023).”

The report also identified that in one case, a cyberattack virtually killed a business (or at least that’s what the company’s management claimed – ‘It blocked the company’s ability to secure additional investment and funding’).

Most of the employees of one of Britain’s oldest transportation companies, KNP Logistics, lost their jobs, with just one subsidiary surviving by being sold. 

“Some of the cases have almost involved infrastructural effects. The attack on DP World Australia, for example, stranded 30,000 containers in four major Australian ports,” the researchers detailed in their report. “An attack on China’s Yanfeng, the world’s largest OEM manufacturer of automotive interior parts, caused another automotive giant, Stellantis, to halt its assembly lines.”

In three cases, the team disclosed that attackers were able to gain access to automated control systems and use them to cause physical damage. “One attack by a pro-Israeli group shut down up to 70% of Iran’s gas stations. An attack on Israeli-made Unitronics PLCs used in utilities in several countries around the world left 160 homes in Ireland temporarily without water. The third high-profile case – an attack on a Ukrainian energy company – was described in our review on APT attacks on industrial enterprises (listing the results of the technical investigations that have been published by experts for public access in H2 2023),” they added.

“Among the cases that we believe may be of particular interest for various reasons, we would like to highlight the attack on ORBCOMM – the US service provider and IIoT and M2M device vendor,” Kaspersky added in its report. “The attack affected their FleetManager platform and stopped their Blue Tree products from working – those used to log the activities of truck drivers, as required by local regulations.” 

The team detailed that the attack is of particular interest because it may foreshadow the development of a new attack vector for cybercriminals – attacking the onboard equipment and telemetry systems installed in various vehicles and vessels, which could open up the possibility of locking the vehicle or vessel itself.

Earlier this year, Kaspersky said in its ICS (industrial control system) and OT (operational technology) threat predictions that it does not expect rapid changes in the industrial cyber threat landscape this year. Most of the trends have been observed before, many for some years, such as ransomware. However, some of them have reached a critical mass of creeping changes, which could lead to a qualitative shift in the threat landscape as early as next year.
