Kaspersky research reveals that ICS computers face evolving cybersecurity threats in first half of 2023

Data released by researchers from the Kaspersky ICS CERT team revealed that in the first half of this year, the percentage of ICS (industrial control systems) computers on which malicious objects were blocked decreased globally from the second half of 2022, by just 0.3 pp to 34 percent. Furthermore, the percentage of attacked ICS computers decreased in the first quarter. However, it subsequently rose again in the second quarter, reaching the highest quarterly figure since 2022 at 26.8 percent. In spring (March through May), the percentage of ICS computers on which malicious objects were blocked remained higher than in the other three months.

“The percentage of ICS computers on which malicious objects were blocked varied across countries from 53.3% in Ethiopia to 7.4% in Luxembourg,” Kaspersky identified in research data published last week. “The percentage of computers on which malicious activity was prevented varied across regions from 40.3% in Africa to 14.7% in Northern Europe,” it added. 

“In H1 2023, the percentage of ICS computers on which malicious objects were blocked increased in engineering and ICS integration (by 2 pp), manufacture (by 1.9 pp) and energy (by 1.5 pp),” Kaspersky said. “Building automation is still the leader among the industries under review. Energy and oil and gas have seen opposite trends in the percentage of ICS computers on which malicious objects were blocked since 2021.”

Another interesting fact Kaspersky disclosed was that Australia and New Zealand, the U.S. and Canada, Western Europe, and Northern Europe historically have had the lowest percentages of ICS computers on which malicious objects are blocked. “In H1 2023, however, those were the very regions where the percentages of attacked ICS computers increased by the most percentage points. In Western Europe, the percentage of computers on which malicious objects were blocked declined in 2022 before spiking in H1 2023 to exceed the previous two years’ figures.”

The data also showed that Africa and the Asian regions, where the percentage of ICS computers on which malicious objects are blocked has historically been high, showed a downward trend. It also identified that in the first half of this year, Kaspersky security solutions blocked 11,727 different malware families in industrial automation systems.

The researchers revealed that as for the half-year increase, these regions did top many lists in H1 2023. “Blocked denylisted internet resources, and malicious scripts and phishing pages were the biggest contributors to this increase in the historically safer regions. Both threat types spread via the internet, while malicious scripts and phishing pages also spread via email. The percentage of ICS computers on which threats from these two sources were blocked in the United States and Canada, and Western Europe also increased the most among all regions.”

Additionally, the researchers found that “these are not the only bad lists these regions topped. The United States and Canada, Northern Europe, and Australia and New Zealand saw the largest growth in the percentage of computers on which spyware was blocked. The percentage of ICS computers attacked by ransomware in H1 2023 increased in four regions including Australia and New Zealand, and the United States and Canada, by the relatively significant respective values of 0.19 pp and 0.13 pp, and in Northern Europe.” 

Kaspersky revealed that the percentages of computers on which viruses and worms were blocked were similarly unexpected. “The five regions where these figures increased the most were the United States and Canada, Northern Europe, Australia and New Zealand, and Western Europe. Australia and New Zealand saw an increase in the number of computers on which threats were blocked after removable devices were connected,” it added.

Research data indicates that in the first six months of this year, some threat actors reinvented an old phishing technique that was first seen back in 2010 to target organizations in Europe, including industrial ones. 

“The technique involves infecting a website with a malicious script that triggers a pop-up window resembling a Microsoft tech support window,” Kaspersky identified. “The pop-up does not contain any links, but instead presents a phishing message and a local phone number to call. When a user calls the number, a threat actor answers the call and communicates in the local language, manipulating the unsuspecting user to download and install a remote access tool or a piece of multifunctional spyware. This technique leverages social engineering tactics to deceive users and gain unauthorized access to their systems, posing a serious threat to organizations, including industrial ones.”

Kaspersky disclosed that most of the regions where the percentage of attacked computers increased in H1 2023 (Northern and Western Europe, the U.S. and Canada, and Australia and New Zealand) are usually at the bottom of the list. Africa and the Asian regions, where the percentage of ICS computers on which malicious objects are blocked has historically been high, showed a downward trend.

It also found that seven African, three Middle Eastern and three Central Asian countries were among the fifteen countries and territories in the first half of this year with the highest percentage of ICS computers on which malicious objects were blocked.

The research data detected that the percentage of ICS computers on which spyware is blocked continued to decline. Earlier, we saw the figure rise from 2020 through the first half of 2022. “Africa had the highest percentage of ICS computers on which spyware was blocked in H1 2023. The Middle East and Southeast Asia had similarly high percentages.”

Additionally, hackers spread malicious documents via phishing messages and use them in attacks which aim for primary infection, according to Kaspersky. “The global percentage of ICS computers on which threats in this category were blocked more than doubled in H1 2022 and had declined since. Yet in H1 2023, it remained higher than in 2020–2021.”

“The regions with the highest figures were Latin America and Southern Europe. These regions also had the highest percentages of ICS computers on which email threats were blocked,” according to the research data. “The United States and Canada saw the largest increase (by 0.72 pp) in the percentage of computers on which malicious documents were blocked. The countries with the highest percentage of ICS computers on which malicious documents were blocked were Algiers (16.7%) and Afghanistan (16.6%).”

Kaspersky disclosed that the percentage of ICS computers on which worms were blocked continued to decrease. “We believe this is an indirect indication of the systematic use of security solutions in OT environments, which eliminates infection hotspots and prevents the spread of self-propagating malware. Viruses and worms spread across ICS networks by means of removable media, shared folders, infected files, such as backups, and network attacks on outdated software, such as Radmin2.”

“Many viruses and worms still circulating are old, and their command-and-control servers have long been shut down,” the researchers said. “Besides undermining the security of infected systems, for example, by opening network ports and changing settings, these older worms and viruses can potentially cause software to quit unexpectedly or create denial-of-service conditions.”

Furthermore, newer worm varieties, which malicious actors use to spread spyware, ransomware and miners, can be found on ICS networks as well. “In most cases, these worms spread by exploiting vulnerabilities in network services (such as SMB and RDP) that have been fixed by vendors but are still unpatched on OT networks, using previously stolen authentication credentials or bruteforcing passwords,” they added. 

When it came to ransomware, East Asia and the Middle East were the regions with the highest percentage of ICS computers attacked by ransomware in the first six months of this year, Kaspersky said. “The percentage of ICS computers attacked by ransomware shrank in most regions of the world. It grew by 0.19 pp in Australia and New Zealand, by 0.13 pp in the United States and Canada, and slightly in Northern and Eastern Europe. Of all countries and territories, Yemen had by far the highest percentage of ICS computers on which ransomware was blocked in H1 2023.”

It added that one European country, Moldova, unexpectedly became one of the half-year’s 10 leaders.

Earlier this year, Kaspersky published a summary report of APT (advanced persistent threat) attacks on industrial organizations in the second half of 2022. It also released details of related activity by groups that have been observed attacking industrial organizations and critical infrastructure facilities.
