Security company Kaspersky announced its list of industrial cybersecurity threat challenges and predictions on what can be expected from cybercriminals active in the OT/ICS sector in 2021.
Infections will tend to be less random or have focused follow-ups, as cybercriminals have spent the past several years profiling randomly infected computers that are connected to industrial networks or have periodic access to them, Kaspersky said. For several years now, various groups have specialized in attacks against industrial enterprises with the express aim to steal money – through BEC schemes or advanced hacks to gain access to victims’ financial and accounting systems.
Business email compromise (BEC) schemes often involve the spoofing of a legitimate known email address or the use of a nearly identical email address to communicate with a victim to redirect legitimate payments to a bank account controlled by fraudsters.
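A triage check for the two BEC patterns just described, written as an added example (not from the Kaspersky report): a lookalike-domain test for nearly identical sender addresses, and a DMARC-result test for an exact address that has been spoofed. The trusted domain, the homoglyph map and the sample headers are all constructed for illustration.

```python
"""Classify a From: header as trusted, spoofed, lookalike or external (BEC triage)."""
from email.utils import parseaddr


def normalize(domain: str) -> str:
    """Fold common visual substitutions so 'exarnple-p1ant.com' compares equal to
    'example-plant.com'. The substitution set is a small illustrative assumption."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01", "ol"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one added, dropped or swapped character is a typical lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str, trusted_domains, auth_results: str = "") -> str:
    """auth_results is the Authentication-Results header value, e.g. 'dmarc=pass';
    an exact trusted address that fails DMARC is the 'spoofed legitimate address' case."""
    _, addr = parseaddr(header_from)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "external"
    if domain in trusted_domains:
        return "spoofed" if "dmarc=fail" in auth_results.lower() else "trusted"
    for trusted in trusted_domains:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 1:
            return "lookalike"
    return "external"


TRUSTED = {"example-plant.com"}            # constructed: the enterprise's own domain
SAMPLES = [                                # constructed headers, not real mail
    ("Finance <cfo@example-plant.com>", "dmarc=pass"),
    ("Finance <cfo@example-plant.com>", "dmarc=fail"),
    ("Finance <cfo@exarnple-plant.com>", "dmarc=pass"),
    ("Finance <cfo@example-p1ant.com>", "dmarc=pass"),
    ("Finance <cfo@example-plants.com>", "dmarc=pass"),
    ("Vendor <billing@supplier.net>", "dmarc=pass"),
]

if __name__ == "__main__":
    for header, auth in SAMPLES:
        print(f"{classify_sender(header, TRUSTED, auth):9}  {header}")
```

Anything classed as lookalike or spoofed is worth holding for review before a payment-instruction change is acted on; exact-address spoofing is only visible through the authentication result, not the address itself.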
Through years of criminal operations, these cybercriminals have come to understand the business processes of industrial enterprises and gained access to a large amount of technical information about network assets and operational technologies. “We expect to see new and unconventional scenarios of attacks on OT/ICS and field devices, coupled with ingenious monetization schemes. Cybercriminals have had more than enough time and opportunities to develop them,” wrote Evgeny Goncharov, head of Kaspersky ICS CERT, in a cybersecurity threat report.
The end of Microsoft support for Windows 7 and Windows Server 2008, which are currently deployed in ICS environments, and the leak of the source code of Windows XP, which is still very common on industrial networks, pose a significant cybersecurity threat to industrial enterprises. “There is a high chance that a WannaCry-like scenario will be repeated in the very near future. And industrial enterprises may be among the hardest hit,” Goncharov warned.
Ransomware is also becoming more technically advanced and sophisticated. Cybercriminals will continue to employ hacker and APT techniques, painstakingly exploring and probing the network of the target organization to locate the most valuable or vulnerable systems, hijack administrator accounts, and launch simultaneous blitz attacks using standard admin tools. An advanced persistent threat (APT) uses continuous, clandestine and sophisticated hacking techniques to gain access to a system and remain inside for a prolonged period of time, with potentially destructive consequences.
Cybercriminals are increasingly targeting industrial companies, as they tend to pay ransom, according to Goncharov. There will be hybrid attacks involving document theft, with the threat of publishing the documents or selling them on the darknet if the victim refuses to pay up.
Belden, the owner of Tripwire, faced a similar threat in November when attackers laid hands on employee data. It reported unauthorised access to and copying of employee data. Forensics experts determined that Belden was the target of a sophisticated attack by an external party that gained access to a limited number of company file servers.
Cybercriminals will figure out that, inside the OT perimeter, secrets are not guarded as well as in office networks and that OT networks may be even easier to break into, since they have their own perimeter and attack surface, Goncharov said. The flat network topology and other access control issues in OT networks can make them an attractive entry point into the intimate recesses of the corporate network and a springboard into other related organizations and facilities.
“The desire of many countries for technological independence, alongside global geopolitical and macroeconomic upheaval, means that attack targets will include not only traditional opponents, but also tactical and strategic partners – threats can come from any direction,” he added.
The number of APT groups will continue to grow with more and more new actors, including ones that attack various industrial sectors. The activity of these groups will correlate with local conflicts, including those in the hot phase, with cyberattacks on industrial enterprises and other facilities used as a warfare tool, alongside drones and media-driven misinformation, Goncharov said. In addition to data theft and other piecemeal operations, some groups are likely to get down to more serious business in 2021, perhaps in the vein of Stuxnet, Black Energy, Industroyer and Triton.
Against the backdrop of economic decline, lockdowns, slower growth and ruin for small businesses brought about by the COVID-19 pandemic, the number of cybercriminals will increase as skilled people seek alternative employment, and groups associated with national governments will strengthen as well, Goncharov pointed out.
The online presence of municipal services and utilities and the increased digitization of government and public services will make them more vulnerable to attacks by cybercriminals and create opportunities for cross-agency attacks and assaults on central and local government functions and the systems that support and implement them. Restrictions on on-site work, which prevented new equipment from being installed and configured, have slowed down the efforts of many industrial enterprises to beef up their perimeter security.
The safety of industrial facilities will largely depend on the performance of endpoint solutions and the security awareness of employees. At the same time, cyberattacks aimed at industrial companies are maturing. As a result, despite the currently observed drop in attacks on OT/ICS computers, the number of serious incidents is not going to decrease, Goncharov said. The reduction in on-site personnel who are able to promptly transfer systems and installations to manual control in the event of a successful cyberattack on the industrial network could facilitate the wider spread of malware and lead to more severe consequences.
Last month, Kaspersky’s Industrial Systems Emergency Response Team (ICS CERT) joined the Forum of Incident Response and Security Teams (FIRST), which aims to bring together incident response and security teams from government, commercial and educational organizations. As a non-commercial project, ICS CERT shares information and expertise with its members free of charge.