Cyber threats for automated control systems and industrial enterprises in 2022

TECH KIWARI | Improvements in the security posture of organizations and the introduction of ever newer protection tools and measures are forcing cyber threats to evolve. Here are some of the directions of that evolution that deserve attention.

Reducing the number of targets for each individual attack


Individual attacks within criminal campaigns already target ever fewer victims. For example, a new direction has emerged in the criminal ecosystem for stealing authentication data with spyware: each individual attack is aimed at a very small number of targets (from a few to several dozen). The trend is growing so fast that in some regions of the world up to 20% of all ICS computers on which we block spyware are attacked using this tactic. Such attacks are likely to make up an even larger share of the threat landscape next year, and the tactic is likely to spread to other types of threats as well.

Reducing the Lifecycle of Malware

To bypass detection, more and more attackers follow a strategy of frequently updating the malware of a chosen family: they use each build at the peak of its effectiveness, right after a rebuild has "knocked down" detection by security solutions, and switch to a new build as soon as the previous one begins to be reliably detected. For some types of threats (spyware, for example), the lifetime of each build is shrinking and in many cases does not exceed three or four weeks, often even less. The development of modern MaaS platforms greatly simplifies this strategy for malware operators around the world, and in the coming year we will certainly see it used even more often across various types of threats. Together with the trend towards fewer victims per attack, the widespread use of this strategy will lead to an even greater variety of malware and thus pose a difficult task for developers of security solutions.

Modern APTs: often more persistent than advanced

A somewhat similar trend can be seen in the tactics of many APTs. The P (Persistent) in the abbreviation APT has become less and less dependent on the A (Advanced). For a long time we have observed that a lasting presence in the victim's infrastructure is ensured not so much by original technical solutions as by the persistence and precision of the operators' actions, and that a growing variety of tools and their regular updating have become an alternative to the costly development of complex frameworks designed to stay undetected for a long time. Apparently, this strategy will be seen even more often in APT campaigns.

Minimize the use of malicious infrastructure

In their fight against security measures, attackers naturally want their operations to leave as few traces as possible. In particular, this is reflected in attempts to minimize the use of malicious infrastructure. For example, we observed a number of cases in which the C&C servers of some APTs lived for a very short time, no more than a couple of hours, during the phase of the operation for which they were intended.
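A short-lived C&C of the kind described above leaves a distinctive trace in egress logs: a destination that appears, is contacted a few times within a window of an hour or two, and is never seen again. The following Python is an added example, not part of the original article, that runs that defensive check over constructed proxy-log lines; the hostnames, log format and the two-hour threshold are assumptions for illustration, and a hit is a candidate for analyst review, not confirmed C&C.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log: ISO timestamp, source host, destination host.
SAMPLE_LOG = """\
2021-11-03T08:02:11 ws-eng-07 updates.vendor.example
2021-11-03T08:15:40 ws-eng-07 cdn.vendor.example
2021-11-03T09:41:02 ws-eng-07 files.tmp-host.example
2021-11-03T09:52:18 ws-eng-07 files.tmp-host.example
2021-11-03T10:30:55 ws-eng-07 updates.vendor.example
2021-11-04T08:01:30 ws-eng-07 updates.vendor.example
2021-11-04T11:20:05 ws-eng-07 cdn.vendor.example
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, host, dest) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, dest = line.split()
        events.append((datetime.fromisoformat(ts), host, dest))
    return events


def short_lived_destinations(events, max_span=timedelta(hours=2)):
    """Flag destinations whose entire contact history fits inside max_span
    and that have then stayed silent for longer than max_span, measured
    against the end of the log window. The silence condition avoids
    flagging a legitimate destination that is simply new as of today.
    Returns {dest: (first_seen, last_seen, contact_count)}."""
    if not events:
        return {}
    window_end = max(ts for ts, _, _ in events)
    first, last, hits = {}, {}, defaultdict(int)
    for ts, _host, dest in events:
        first[dest] = min(first.get(dest, ts), ts)
        last[dest] = max(last.get(dest, ts), ts)
        hits[dest] += 1
    flagged = {}
    for dest in first:
        span = last[dest] - first[dest]
        quiet_since = window_end - last[dest]
        if span <= max_span and quiet_since > max_span:
            flagged[dest] = (first[dest], last[dest], hits[dest])
    return flagged


if __name__ == "__main__":
    for dest, (seen, gone, n) in short_lived_destinations(parse_log(SAMPLE_LOG)).items():
        print(f"review: {dest} contacted {n}x between {seen} and {gone}")
```

Enrich the hits with domain registration age or reputation before escalating, since one-off legitimate downloads produce the same pattern.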

Sometimes attackers manage to avoid using not only malicious infrastructure but any suspicious or untrusted infrastructure at all. For example, a popular espionage tactic has become the distribution of phishing emails from the compromised corporate email accounts of an organization that is a partner of the next victim. Well-composed emails sent this way no longer differ from legitimate ones in any particular feature, and they are practically impossible to detect by automatic means.

When investigating incidents related to APT attacks on industrial enterprises, we came across traces of attackers who, in addition to working according to their main attack plan, simultaneously tried to gain access to other organizations (resources of the parent holding, government agencies, etc.) from the infrastructure of the compromised industrial facility, probably in part hoping that such attempts would be more likely to go unnoticed.

No doubt, next year we will see more frequent use of such tactics in the operations of various categories of attackers.

Actions of various categories of intruders

Reasoning about which threats industrial organizations should be wary of first is often based on comparisons between APT and cybercrime. Plans to improve information security and to introduce new protection tools and measures are, one way or another, built around the chosen attacker model. At the same time, it should be kept in mind that ideas about the interests, capabilities and modus operandi of some categories of attackers can become outdated and therefore require constant updating. Let us look at some important trends in this sense, which are likely to continue or intensify next year.

Techniques, tactics and even strategies used by cybercrime and APT are increasingly becoming the same and may require similar protection measures.

Indeed, in many cases, the actions of APT and cybercrime look similar and are sometimes difficult to distinguish even for experts. For instance:

Technically imperfect APTs and "advanced" criminal attacks have long since ceased to surprise anyone. In particular, we have often seen quite clumsily composed phishing emails, full of blunders visible to the naked eye, in campaigns associated with well-known APTs. And more than once we have seen almost flawlessly crafted emails in targeted cybercrime campaigns.

Likewise, APTs masquerading as cybercriminals, and cybercriminals trying to pass themselves off as APTs, no longer surprise anyone.

Without a doubt, we will repeatedly see in the arsenal of APTs not only commercial tools but also MaaS infrastructure and delivery vehicles used as a means of initial penetration.

The list of targets and potential victims of cybercrime and APT attacks can easily include the same organizations

Among the many industrial companies, APTs will most likely focus on:

military-industrial complex and aerospace industry - most likely for the purpose of military and technological espionage;

energy, transport, and housing and communal services - in an attempt to gain a foothold "just in case" and "for a rainy day" in the critical infrastructure of a "probable adversary", and to use that infrastructure to develop other attacks (see the examples above);

science-intensive industries - primarily for the purpose of industrial espionage.

Cybercrime will continue to attack everyone it can reach, and in the vast majority of cases, attacks will be monetized in the same well-established ways, such as:

direct theft of money by substituting bank details - using BEC tactics or access to the organization's financial systems;

blackmail and extortion from those who are able and willing to pay a ransom;

resale of stolen information to other attackers, victims' competitors and other interested persons and organizations.

The direct financial cost of cybercrime attacks is greater, but the cost of APT activities is harder to predict and may be more significant in the long term

If we judge by the events of the past year and the amount of direct financial damage caused to industrial organizations by various cyberattacks, criminal attacks may seem far more dangerous for industrial organizations than APTs. In 2021 alone we witnessed the shutdown of many production facilities and the payment of tens of millions of dollars to extortionists. At the same time, only one case of undeniably significant financial damage from an APT is known for the entire year, and that happened when the attackers decided to disguise themselves as ransomware.

However, APT attacks can have a delayed negative effect that is very difficult to estimate in advance (for example, some foreign organization may use the results of the attack to create a new product in a few years).

Do not forget about cyber hooligans and hacktivists

In 2021, hooligans and hacktivists managed to make themselves known to the whole world at least three times, demonstrating that industrial infrastructure important for our lives can still be easily reachable from the outside and insufficiently protected. We invite the reader to ask whether everything possible has been done to prevent cases like these in the coming year.


As for perhaps the main trend of the outgoing year, it is worth saying that, despite the loud statements of politicians and the active measures of state bodies, the flywheel of extortion that has gained momentum cannot be stopped immediately. Attacks will continue, including against industrial enterprises. Attackers will become better protected and will "insure" their risks, and they will obviously cover the additional expense at the expense of their victims: ransom amounts will grow.

Current attack vectors

The following tactics and techniques of attackers will no doubt be actively used in the coming year.

Phishing remains the No. 1 means of initial penetration in targeted (and not so targeted) attacks. As the practice of the past year shows:

Even very bad phishing, sad as it is to admit, works well. Train your employees in elementary attentiveness and a critical attitude towards incoming correspondence. Spelling and grammar mistakes, incorrect word usage and inappropriate expressions, wrong names of organizations and officials, a strange choice of subject and an unexpected twist in the text can all be signs of a poorly crafted phishing email. Every employee is able to recognize them, even without special knowledge or skills.

High-quality spear phishing, unfortunately, works "with a guarantee". In every organization there is always someone who will open an attachment, follow a link or click a button, or even chat with the attacker, help resolve compatibility issues, and launch a malicious payload on their system.

Cybercriminals of various profiles have mastered spear phishing without malicious infrastructure, and phishing that uses only trusted infrastructure (much has been written about this above). The latter is the most difficult tactic to detect and the most dangerous. Unfortunately, it will no doubt find many victims in the coming year.

Known vulnerabilities in Internet-facing hardware are also likely to remain a popular penetration vector. Keep your firewalls and SSL VPN gateways up to date.

Zero-day vulnerabilities in OS components and popular IT products will remain a relatively rare tool of advanced APTs, while unknown security holes in less common (and therefore probably less tested) products will also be actively exploited by cybercriminals.

Compromise of domain registrars and certificate authorities, attacks on providers

As for these "advanced" tactics, last year we again saw attack scenarios involving the compromise of domain registrars (at least gaining access to the web control panel of the victim's domain zone) and certificate authorities, as well as new scenarios of attacks on providers. Such threats can remain undetected for a long time, guaranteeing attackers stable execution of their operations. Undoubtedly, those of them who can afford these vectors will not give them up.

So when planning measures and remedies for the coming year, do not forget to monitor the security not only of your own infrastructure but also of the external services you use. When selecting product vendors for your IT and OT systems, extend your cybersecurity requirements to their products and to the vendors themselves. And when engaging business partners, be aware of the threats that their information security weaknesses can pose to you.

Development of successful operations in 2021

In 2021, attackers certainly achieved significant success: the list of high-profile incidents involving ransomware attacks on industrial enterprises this year alone turned out to be probably longer than the cumulative list for all previous years. APT campaigns, including those aimed at industrial organizations, have also been extensively studied.

It should be remembered that many of the achievements of the attackers this year will be a good start for them next year.

Stolen data and compromised IT systems

Based on our telemetry and analysis of information found on the dark web, attackers managed to compromise at least thousands of industrial organizations around the world in 2021. We believe their total number is many times greater than the number of organizations that were subsequently extorted or targeted by APTs. Some of the compromised organizations may be lucky and will simply be forgotten. But surely not all of them will be. The consequences of a compromise in 2021 are likely to catch up with some industrial companies as early as next year, 2022.

Industrial network threats

Another disturbing observation: signs of compromise in many organizations were unfortunately also found by us on computers directly related to automated control systems. So for some, the damage may not be limited to the encryption of IT systems and data theft in the office network.
