
Targeted Attacks on Industrial Sector Increasingly Common: Kaspersky

Kaspersky Lab’s recently launched ICS-CERT department has published a report detailing the industrial sector threat landscape based on data collected by the company in the second half of 2016.

According to the security firm, its products have blocked attack attempts against more than 39 percent of protected industrial systems running Windows. This includes SCADA systems, data storage servers (i.e., historians), data gateways, engineer and operator workstations, and human-machine interfaces (HMI).

On average, the company detected attacks against roughly 20 percent of industrial computers every month in the second half of 2016. These devices were mainly attacked via the Internet (22%), removable media (11%) and email (8%).


Kaspersky pointed out that while stationary workstations on the operational technology (OT) network don’t typically have an always-on Internet connection, the devices used by network administrators, developers and contractors can often freely connect to the Internet, and experts believe these machines are the most exposed.

In the case of email attacks, hackers leveraged common topics (e.g. banking, package delivery messages) to send malware hidden in VBS, JavaScript, Word, NSIS, AutoCAD, HTML, Java, BAT, PDF and Excel files.
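The attachment types listed above are what a mail gateway in front of an OT-adjacent network would want to triage before delivery. The following is an added example, not code from the report or from Kaspersky: a small attachment-policy checker run over constructed gateway log lines (the log format, sender addresses, file names and the block/sandbox/inspect grouping are all assumptions of this example). It goes a little beyond the article's list by also catching a double extension such as `.pdf.vbs` and a declared MIME type that contradicts a harmless-looking file name.

```python
"""Attachment triage over mail-gateway logs.

Added example, not from the report. The log format below is constructed:
    <timestamp> from=<sender> attachment="<filename>" mime=<declared type>
"""
import re
from collections import Counter
from dataclasses import dataclass

# Attachment types the article lists as malware carriers in the observed email attacks,
# grouped by how this example's policy treats them (the grouping is an assumption).
ACTIVE_CONTENT_EXT = {"vbs", "js", "jse", "bat", "jar", "html", "htm", "hta", "exe", "scr"}
MACRO_CAPABLE_EXT = {"doc", "docm", "dot", "xls", "xlsm", "xlsb", "dwg"}  # Word, Excel, AutoCAD
INSPECT_EXT = {"pdf"}
# Declared types that mean script/executable content no matter what the file name says.
ACTIVE_CONTENT_MIME = {
    "application/x-msdownload", "application/x-msdos-program",
    "text/x-vbscript", "application/javascript", "text/javascript",
}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) attachment="(?P<name>[^"]*)" mime=(?P<mime>\S+)$'
)

# Constructed sample log lines (not real traffic); the .pdf.vbs entry deliberately carries a
# neutral MIME type so the double-extension check, not the MIME check, is what catches it.
SAMPLE_LOG = """\
2016-11-03T08:12:41Z from=accounts@example-bank.test attachment="statement_0311.pdf" mime=application/pdf
2016-11-03T08:14:02Z from=delivery@parcel-example.test attachment="tracking_info.pdf.vbs" mime=application/octet-stream
2016-11-03T08:20:17Z from=procurement@example-partner.test attachment="order_4471.xls" mime=application/vnd.ms-excel
2016-11-03T08:31:55Z from=hr@example-corp.test attachment="holiday_schedule.txt" mime=text/plain
2016-11-03T08:40:09Z from=drafting@example-eng.test attachment="plant_layout.dwg" mime=application/acad
2016-11-03T08:44:30Z from=invoice@example-corp.test attachment="invoice.txt" mime=application/x-msdownload
""".strip().splitlines()


@dataclass(frozen=True)
class Verdict:
    filename: str
    action: str   # "block", "sandbox", "inspect" or "allow"
    reason: str


def classify_attachment(name, mime):
    """Decide what to do with one attachment from its name and declared type."""
    exts = name.lower().split(".")[1:]      # every extension after the first dot, in order
    final = exts[-1] if exts else ""
    if mime.lower() in ACTIVE_CONTENT_MIME:
        return Verdict(name, "block", f"declared type {mime} is executable/script content")
    if final in ACTIVE_CONTENT_EXT:
        why = f"active content .{final}"
        if len(exts) > 1:                    # e.g. tracking_info.pdf.vbs
            why += f" hidden behind .{exts[-2]} (double extension)"
        return Verdict(name, "block", why)
    if final in MACRO_CAPABLE_EXT:
        return Verdict(name, "sandbox", f".{final} may carry macros or embedded scripts")
    if final in INSPECT_EXT:
        return Verdict(name, "inspect", f".{final} needs content inspection before delivery")
    return Verdict(name, "allow", "no risk indicator in name or declared type")


def triage(lines):
    """Parse gateway log lines and return one Verdict per well-formed entry."""
    verdicts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # malformed line; a real gateway would count these
        verdicts.append(classify_attachment(m["name"], m["mime"]))
    return verdicts


def summarize(verdicts):
    """Count verdicts by action, e.g. {'block': 2, 'sandbox': 2, ...}."""
    return dict(Counter(v.action for v in verdicts))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for v in results:
        print(f"{v.action:8} {v.filename:24} {v.reason}")
    print(summarize(results))
```

The MIME check runs before the extension check on purpose: a file named `invoice.txt` whose declared type is `application/x-msdownload` is the kind of mismatch that an extension-only policy silently allows.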

The most targeted countries, relative to the total number of ICS they host, are Vietnam, Algeria, Morocco, Tunisia, Indonesia, Bangladesh, Kazakhstan, Iran, China, Peru, Chile, India, Egypt, Mexico and Turkey. The United States and Western European countries are far less targeted, according to Kaspersky data.

ICS attacks observed by Kaspersky

Kaspersky warned that targeted attacks aimed at organizations in industrial sectors are increasingly common. These campaigns involve both widely available malware and custom threats, including zero-day exploits.


One of the spear phishing campaigns observed by the security firm targeted more than 500 companies in over 50 countries worldwide. The attack, which is still ongoing, has mainly targeted industrial companies in sectors such as metallurgical, electric, construction and engineering.

The operation relied on social engineering emails sent from corporate mail servers previously infected with spyware designed to steal account credentials. The delivered malware was common, but the samples had been packed using VB and MSIL packers modified specifically for this attack.

As for non-targeted attacks, Kaspersky identified roughly 20,000 malware variants across more than 2,000 families on industrial systems. While many of these threats are Trojans, researchers also spotted worms, viruses, exploits and ransomware.

“Remarkably, there is very little difference between the rankings of malware detected on industrial computers and those of malware detected on corporate computers. We believe that this demonstrates the absence of significant differences between computers on corporate networks and those on industrial networks in terms of the risk of chance infections. However, it is obvious that even a chance infection on an industrial network can lead to dangerous consequences,” Kaspersky said in its report.

Kaspersky experts have identified a significant number of vulnerabilities in ICS products in the past months. Last year, they reported finding 75 flaws, including 58 rated highly critical. Only 30 of these security holes have been addressed as of March 2017.

Kaspersky Lab will be hosting its annual Security Analyst Summit (SAS) next week in St. Maarten. The company will also be presenting an overview of the industrial sector threat landscape at SecurityWeek’s 2017 Singapore ICS Cyber Security Conference next month.

Related: Non-Targeted Malware Hits 3,000 Industrial Sites a Year

Related: Exploring Risks of IT Network Breaches to Industrial Control Systems

Related: What’s Ahead for ICS Cyber Security in 2017

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
