Kaspersky offers various services to organizations that have been targeted by cyberattackers, such as incident response, digital forensics, and malware analysis. In our annual incident response report, we share information about the attacks that we investigated during the reporting period. Data provided in this report comes from our daily interactions with organizations seeking assistance with full-blown incident response or complementary expert services for their internal incident response teams.

Download the full version of the report (PDF)

Kaspersky Incident Response in various regions and industries

In 2022, 45.9% of organizations that encountered cyberincidents were in Russia and the CIS region, followed by the Middle East (22.5%), the Americas (14.3%), and Europe (13.3%).

From an industry perspective, we offered help to government (19.39%), financial (18.37%), and industrial (17.35%) organizations most frequently.

Key trends in 2022: initial attack vectors and impact

In 2022, attackers most often penetrated organizations’ infrastructure by exploiting various vulnerabilities in public-facing applications (42.9%). However, compared to 2021, the share of this initial attack vector decreased by 10.7 pp, while the share of attacks involving compromised accounts (23.8%) grew. Malicious e-mail sharing among the initial attack vectors continued to go down and comprised 11.9% in 2022.

In 39.8% cases the reported incidents were related to ransomware attacks. Encrypted data remains the number-one problem that our customers are faced with. However, compared to 2021, the number of ransomware-related incidents dropped, and not every attack involving file encryption was aimed at extracting a ransom. In some of these incidents, ransomware was used to hide the initial traces of the attack and complicate the investigation.

Expert recommendations

To protect your organization against cyberattacks, Kaspersky experts recommend the following:

• Implement a robust password policy and enforce multifactor authentication
• Remove management ports from public access
• Establish a zero-tolerance policy for patch management or compensation measures for public-facing applications
• Make sure that your employees maintain a high level of security awareness
• Use a security toolstack with EDR-like telemetry
• Implement rules for detection of pervasive tools used by adversaries
• Continuously train your incident response and security operations teams to maintain their expertise and stay up to speed with the changing threat landscape
• Back up your data on a regular basis
• Work with an Incident Response Retainer partner to address incidents with fast SLAs

To learn more about incident response in 2022, including a MITRE ATT&CK tactics and techniques heatmap, and distribution of various incidents by region and industry, download the full version of the report (PDF).

For a deeper analysis of the vulnerabilities most commonly exploited by cyberattackers, download this appendix (PDF).

Kaspersky Managed Detection and Response (MDR) is a service for 24/7 monitoring and response to detected incidents based on technologies and expertise of Kaspersky Security Operations Center (SOC) team. MDR allows detecting threats at any stage of the attack – both before anything is compromised and after the attackers have penetrated the company’s infrastructure. This is achieved through preventive security systems and active threat hunting – the essential MDR components. MDR also features automatic and manual incident response and expert recommendations.

The annual Kaspersky Managed Detection and Response analytical report sums up the analysis of incidents detected by Kaspersky SOC team. The report presents information on the most common offensive tactics and techniques, the nature and causes of incidents and gives a breakdown by country and industry.

2022 incidents statistics

Security events

In 2022, Kaspersky MDR processed over 433,000 security events. 33% of those (over 141,000 events) were processed using machine learning technologies, and 67% (over 292,000) were analyzed manually by SOC analysts.

Over 33,000 security events were linked to 12,000 real incidents. Overall, 8.13% of detected incidents were of high, 71.82% of medium, and 20.05% of low severity.

Response efficiency

72% of 2022 incidents were detected based on a single security event, after which the attack was stopped right away. Of these, 4% were of high, 74% of medium, and 22% of low severity.

On average, in 2022, a high severity incident took the SOC team 43.8 minutes to detect. The 2022 figures for medium and low severity incidents are 30.9 and 34.2, respectively.

Geographical distribution, breakdown by industry

In 2022, 44% of incidents were detected in European organizations. Russia and CIS are in second place with a quarter of all detected incidents. Another 15% of incidents relate to organizations from the Asia-Pacific.

Industry-wise, industrial organizations suffered more incidents than any. Most of the critical incidents were detected in government agencies, industrial and financial organizations. It is worth noting though that a fair share of critical incidents across financial organizations was due to Red Teaming events.

Recommendations

For effective protection from cyberattacks, these are Kaspersky SOC team’s recommendations to organizations:

• Apart from the classic monitoring instruments, deploy the active threat hunting methods and tools allowing for early detection of incidents.
• Hold regular cyberdrills involving Red Teaming to train your teams to detect attacks and analyze the organization’s security.
• Practice the multilevel malware protection approach comprising various threat detection technologies – from signature analysis to machine learning.
• Use MITRE ATT&CK knowledge bases.

See the full version of the report (PDF) for more information on the incidents detected in 2022, main offensive tactics and techniques, MITRE ATT&CK classification of incidents, and detection methods. To download it, please, fill in the form below.

Year 2022 in numbers

Global threat statistics

In H2 2022, the percentage of ICS computers on which malicious objects were blocked increased by 3.5 percentage points compared to the previous six-month period, reaching 34.3%. This was higher than the percentages for 2021 and even 2020.

Percentage of ICS computers on which malicious objects were blocked, 2020 – 2022

In H2 2022 the percentage of ICS computers on which malicious objects were blocked increased in the automotive industry (+4.6 p.p.) and in the energy sector (+1 p.p.). In other industries tracked, the percentage decreased.

Percentage of ICS computers on which malicious objects were blocked in some industries, H2 2022

Geography

In different regions of the world, the percentage of ICS computers on which malicious activity was prevented ranged from 40.1% in Africa and Central Asia, which led the ranking, to 14.2% and 14.3%, respectively, in Western and Northern Europe, which were the most secure regions.

Regions of the world ranked by percentage of ICS computers on which malicious objects were blocked, H2 2022

African and Central Asian countries were prevalent among the 15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked in H2 2022.

15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked, H2 2022

In the Top 10 ranking of countries with the lowest percentage of ICS computers on which malicious objects were blocked, all countries, with the exception of Israel, were European.

10 countries and territories with the lowest percentage of ICS computers on which malicious objects were blocked, H2 2022

In H2 2022, the most significant increase among all countries in the percentage of ICS computers on which malicious objects were blocked was observed in Russia, where that percentage increased by 9 p.p.

Russia. Percentage of ICS computers on which malicious objects were blocked, 2020 – 2022

Variety of the malware detected

In H2 2022, Kaspersky security solutions blocked malware from 7,684 different families on industrial automation systems.

Percentage of ICS computers on which the activity of malicious objects from different categories was prevented, H2 2022

Main threat sources

The internet, removable devices and email clients remained the main sources of threats for computers in the operational technology infrastructure of organizations.

Percentage of ICS computers on which malicious objects from different sources were blocked, 2021 – 2022

In H2 2022, a very significant growth in the percentage of ICS computers on which internet threats were blocked – 12 p.p. and 7.8 p.p., respectively – was recorded in the regions of Russia and Central Asia.

Regions ranked by percentage of ICS computers on which internet threats were blocked, H2 2022

As per tradition, Africa topped the ranking of regions based on the percentage of ICS computers on which malware was blocked when removable devices were connected.

Regions ranked by percentage of ICS computers on which malware was blocked when removable devices were connected, H2 2022

Southern Europe topped the ranking of regions based on the percentage of ICS computers on which malicious email attachments and phishing links were blocked. Northern Europe was the only region in which the percentage increased (+0.3 p.p.) in H2 2022.

Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H2 2022

The full report has been published on the Kaspersky ICS CERT website.

At this point, it has become cliché to say that nothing in 2022 turned out the way we expected. We left the COVID-19 crisis behind hoping for a long-awaited return to normality and were immediately plunged into the chaos and uncertainty of a twentieth-century-style military conflict that posed serious risks of spreading over the continent. While the broader geopolitical analysis of the war in Ukraine and its consequences are best left to experts, a number of cyberevents have taken place during the conflict, and our assessment is that they are very significant.

In this report, we propose to go over the various activities that were observed in cyberspace in relation to the conflict in Ukraine, understand their meaning in the context of the current conflict, and study their impact on the cybersecurity field as a whole.

Timeline of significant cyber-events predating Feb 24th

In the modern world, it has become very difficult to launch any kind of military campaign without intelligence support in the field. Most intelligence is gathered from various sources through methods such as HUMINT (human intelligence, gathered from persons located in the future conflict area), SIGINT (signals intelligence, gathered through the interception of signals), GEOINT (geospatial intelligence, such as maps from satellites), or ELINT (electronic intelligence, excluding text or voice), and so on.

For instance, according to the New York Times, in 2003, the United States made plans for a huge cyberattack to freeze billions of dollars in Saddam Hussein’s bank accounts and cripple his government before the invasion of Iraq. However, the plan was not approved because the government feared collateral damage. Instead, a more limited plan to cripple Iraq’s military and government communication systems was carried out during the early hours of the war in 2003. This operation included blowing up cellphone towers and communication grids as well as jamming and cyberattacks against Iraq’s telephone networks. According to the same article, another such attack took place in the late 1990s when the American military attacked a Serbian telecommunications network. Inadvertently, this also affected the Intelsat communications system for days, proving that the risk of collateral damage during cyberwarfare is pretty high.

The lessons learned from these events may allow predicting kinetic conflicts by monitoring new cyberattacks in potential areas of conflict. For instance, in late 2013 and January 2014, we observed higher-than-normal activity in Ukraine by the Turla APT group, as well as a spike in the number of BlackEnergy APT sightings. Similarly, at the beginning of February 2022, we noticed a huge spike in the amount of activity related to Gamaredon C&C servers. This activity reached hitherto-unseen levels, suggesting massive preparations for a major SIGINT gathering effort.

As shown by these cases, during modern conflicts, we can expect to see significant signs and spikes in cyberwarfare relating to both collection of intelligence and destructive attacks in the days and weeks preceding military attacks. Of course, we should note that the opposite is also possible: for instance, starting in June 2016, but most notably since September 2016 all the way to December 2016, the Turla group intensified their satellite-based C&C registrations tenfold compared to its 2015 average. This indicated unusually high activity by the Turla group, which signaled a never-before-seen mobilization of the group’s resources. At the same time, there was no ensuing military conflict that we know of.

Key insights

• Today’s military campaigns follow gathering of supporting intelligence in the field; this includes SIGINT and ELINT among others
• Significant military campaigns, such as the 2003 invasion of Iraq, have been complemented by powerful cyberattacks designed to disable the enemy’s communication networks
• In February 2022, we noticed a huge spike in activity related to Gamaredon C&C servers; a similar spike was observed in Turla and BlackEnergy APT activity in late 2013 and early 2014
• We can expect to see significant signs and spikes in cyberwarfare in the days and weeks preceding military conflicts

Day one

On the very first day of the conflict (February 24, 2022), a massive wave of indiscriminate pseudo-ransomware and wiper attacks hit Ukrainian entities. We were not able to determine any form of consistency when it came to the targeting, which led us to believe that the main objective of these attacks may have been to cause chaos and confusion — as opposed to achieving precise tactical goals. Conversely, the tools leveraged in this phase were just as varied in nature:

• Ransomware (IsaacRansom);
• Fake ransomware (WhisperGate);
• Wipers (HermeticWiper, CaddyWiper, DoubleZero, IsaacWiper);
• ICS/OT wipers (AcidRain, Industroyer2).

Some of them were particularly sophisticated. As far as we know, HermeticWiper remains the most advanced wiper software discovered in the wild. Industroyer2 was discovered in the network of a Ukrainian energy provider, and it is very unlikely that the attacker would have been able to develop it without access to the same ICS equipment as used by the victim. That said, a number of those tools are very crude from a software engineering perspective and appear to have been developed hurriedly.

With the notable exception of AcidRain (see below), we believe that these various destructive attacks were both random and uncoordinated – and, we argue, of limited impact in the grand scheme of the war. Our assessment of the threat landscape in Ukraine in the first months of the war can be found on SecureList.

The volume of wiper and ransomware attacks quickly subsided after the initial wave, but a limited number of notable incidents were still reported. The Prestige ransomware affected companies in the transportation and logistics industries in Ukraine and Poland last October. One month later, a new strain named RansomBoggs again hit Ukrainian targets – both malware families were attributed to Sandworm. Other “ideologically motivated” groups involved in the original wave of attacks appear to be inactive now.

Key insights

• Low-level destructive capabilities can be bootstrapped in a matter of days.
• Based on the uncoordinated nature of these destructive attacks, we assess that some threat actors appear to be capable of recruiting isolated groups of hackers on short notice, to perform destabilizing tasks. We can only speculate as to whether those groups are internal resources reassigned to low-level cyberattacks or external entities that can be mobilized when the need arises.
• While the impact of these destructive cyber-attacks paled in comparison to the effects of the kinetic attacks taking place at the same time, it should be noted that this capability could in theory be directed against any country outside of the context of an armed conflict and under the pretense of traditional cybercrime activity.

The Viasat “cyberevent”

On the 24^th of February, Europeans who relied on the ViaSat-owned “KA-SAT” satellite faced major Internet access disruptions. This so-called “cyber-event” started around 4h UTC, less than two hours after the Russian Federation publicly announced the beginning of the “special military operation” in Ukraine. As could be read from government requests for proposals, the Ukrainian government and military are notable consumers of KA-SAT access, and were reportedly affected by the event. But the disruptions also triggered major consequences elsewhere, such as interrupting the operation of wind turbines in Germany.

ViaSat quickly suspected that disruptions could be the result of a cyberattack. It directly affected satellite modems firmwares, but was still to be understood as of mid-March. Kaspersky experts ran their own investigations and notably uncovered a likely intrusion path to a remote access point in a management network, while analyzing modem internals and a likely-involved wiper implant. The “AcidRain” wiper was first described later in March, while ViaSat published an official analysis of the cyber-attack. The latter confirmed that a threat actor got in through a remote-management network exploiting a poorly configured VPN, and ultimately delivered destructive payloads, affecting tens of thousands of KA-SAT modems. On May 10, the European Union attributed those malicious activities to the Russian Federation.

A lot of technical details about this attack are still unknown and may later be shared away from government eyes. Yet it is one of the most sophisticated attacks revealed to date in connection to the conflict in Ukraine. The malicious activities were likely conducted by a skilled and well-prepared threat actor, within an accurate timeframe which cannot be fortuitous. While the sabotage has likely failed to disrupt the Ukrainian defense badly enough, it had multiple effects beyond the battlefield: stimulating the US Senate to require a state of play on satellite cybersecurity, accelerating SpaceX Starlink deployment (and later, unexpected bills), as well as questioning the rules for dual-use infrastructure during armed conflicts.

Key insights

• The ViaSat sabotage once again demonstrates that cyberattacks are a basic building block for modern armed conflicts and may directly support key milestones in military operations.
• As it has been suspected for years, advanced threat actors likely preposition themselves in various strategic infrastructural assets in preparation for future disruptive actions.
• Cyberattacks against common communication infrastructures are highly likely during armed conflict, as belligerents might consider these to be of dual use. Due to the interlinked nature of the Internet, a cyberattack against this kind of infrastructure will likely have side-effects for parties that are not involved in the armed conflict. Protection and continuity planning are of utmost importance for this communications infrastructure.
• The cyberattack raises concerns about the cybersecurity of commercial satellite systems, which may support various applications, from selfie geolocation to military communications. While protective measures against kinetic combat in space are frequently discussed by military forces, and more datacenters are expecting to fly soon … ground-station management systems and operators still seem to be highly exposed to common cyberthreats.

Taking sides: professional ransomware groups, hacktivists, and DDoS attacks

As has always been the case, wartime has a very specific impact on the information landscape. It is especially true in 2022, now that humanity commands the most potent information spreading tools ever created: social networks and their well-documented amplification effect. Most real-world events related to the war (accounts of skirmishes, death tolls, prisoner of war testimonies) are shared and refuted online with varying degrees of good faith. Traditional news outlets are also affected by the broader context of information warfare.

DDoS attacks and, to a lesser extent, defacement of random websites have always been regarded as low-sophistication and low-impact attacks by the security community. DDoS attacks, in particular, require generating heavy network traffic that attackers typically cannot sustain for very long periods of time. As soon as the attack stops, the target website becomes available again. Barring temporary loss of revenue for e-commerce websites, the only value provided by DDoS attacks or defacement is the humiliation of the victim. Since non-specialized journalists may not know the difference between the various types of security incidents, their subsequent reporting shapes a perception of incompetence and inadequate security that may erode users’ confidence. The asymmetric nature of cyberattacks plays a key role in supporting a David vs. Goliath imagery, whereby symbolic wins in the cyberfield help convince ground troops that similar achievements are attainable on the real-life battlefield.

According to Kaspersky DDoS Protection, since the beginning of 2022 during 11 months the service registered ~1.65 more attacks than in the whole 2021. While this growth may be not too significant, the resources have been under attack 64 times longer compared to 2021. In 2021 the average attack lasted ~28 minutes, in 2022 – 18.5 hours, which is almost 40 times longer. The longest attack lasted 2 days in 2021, 28 days (or 2486505 seconds) in 2022.

Total duration of DDoS attacks detected by Kaspersky DDoS Protection in seconds, by week, 2021 vs 2022

Since the start of the war, a number of (self-identified) hacktivist groups have emerged and started conducting activities to support either side. For instance, a stunt organized by the infamous collective Anonymous involved causing a traffic jam in Moscow by sending dozens of taxis to the same location.

Kaspersky DDoS protection also reflects this trend. Massive DDoS attacks were spread unevenly over the year with the most heated times being in spring and early summer.

Number of DDoS attacks detected by Kaspersky DDoS Protection in seconds, by week, 2021 vs 2022

The attackers peaked in February-early March, reflecting growth of hacktivism, which has died down by autumn. Currently we see a regular anticipated dynamic of attacks, though their quality has changed. In May-June we detected extremely long attacks. Now their length has stabilized, nevertheless, while typical attacks used to last a few minutes, now they last for hours.

On February 25, 2022, the infamous Conti ransomware group announced their “full support of Russian government”. The statement included a bold phrase: “If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy“. The group followed up rather quickly with another post, clarifying their position in the conflict: “As a response to Western warmongering and American threats to use cyber warfare against the citizens of Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world. We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression“.

Two days later, a Ukrainian security researcher leaked a large batch of internal private messages between Conti group members, covering over one year of activity starting in January 2021. This dump delivered a significant blow to the group who saw their inner activities exposed before the public, including Bitcoin wallet addresses related to many million of US dollars received in ransom. At the same time, another cybercriminal group called “CoomingProject” and specializing in data leaks, announced they would support the Russian Government if they saw attacks against Russia:

Other groups, such as Lockbit, preferred to stay neutral, claiming their “pentesters” were an international community, including Russians and Ukrainians, and it was “all business”, in a very apolitical manner:

On February 26, Mykhailo Fedorov, the Vice Prime Minister and Minister of Digital Transformation of Ukraine, announced the creation of a Telegram channel to “continue the fight on the cyber front”. The initial Telegram channel had a typo in the name (itarmyofurraine) so a second one was created.

IT ARMY of Ukraine Telegram channel

The channel operators constantly give tasks to the subscribers, such as DDoS’ing various business corporations, banks, or government websites:

List of DDoS targets posted by IT ARMY of Ukraine

Within a short time, the IT Army of Ukraine, composed of volunteers coordinating via Twitter and Telegram, reportedly defaced or otherwise DDoSed over 800 websites, including high-profile entities such, as the Moscow Stock Exchange^[1].

Parallel activity has also been observed by other groups, which have taken sides as the conflict was spilling over into neighboring countries. For instance, the Belarusian Cyber-Partisans claimed they had disrupted the operations of the Belarusian Railway by switching it to manual control. There goal was to slow the movement of Russian military forces through the country.

Belarusian Cyber-Partisans post

A limited and by far not exhaustive list of some of the ransomware or hacktivist groups that expressed their opinion about the conflict in Ukraine include:

Among the openly pro-Russian groups, Killnet, which was originally established as a response to the “IT Army of Ukraine”, is probably the most active. In late April, they attacked Romanian Government websites in response to statements by Marcel Ciolacu, president of the Romanian Chamber of Deputies, after he promised Ukrainian authorities “maximum assistance”. On May 15, Killnet published a video on their telegram channel declaring war on ten nations: the United States, the United Kingdom, Germany, Italy, Latvia, Romania, Lithuania, Estonia, Poland, and Ukraine. Following these activities, the international hacking collective known as “Anonymous” declared cyber war against Killnet on May 23.

Killnet continued its activities throughout 2022, preceding their attacks with an announcement on their Telegram channel. In October, the group started attacking organizations in Japan, which they later stopped due to a lack of funds. It later attacked a US airport and governmental websites and businesses, often without significant success. On November 23, Killnet briefly took down the website of the European Union. Killnet also repeatedly targeted websites in Latvia, Lithuania, Norway, Italy, and Estonia. While Killnet’s methods are not sophisticated, they continually make headlines and drive attention to the group’s activities and stance.

Key insights

• The conflict in Ukraine has created a breeding ground for new cyberware activity by various parties including cybercriminals and hacktivists, who rushed to support their favorite sides
• We can expect the involvement of hacktivist groups in all major geopolitical conflicts from now on.
• The cyberware activities are spilling over into neighboring countries and affecting a large number of entities, including governmental institutions and private companies
• Some groups, such as the IT Army of Ukraine, have been officially backed by governments, and their Telegram channels include hundreds of thousands of subscribers
• The majority of attacks have relatively low complexity
• Most of the time, attacks conducted by these groups have a very limited impact on operations but may erroneously be reported as serious incidents and cause reputational damage.
• These activities may originate from genuine “grassroots” hacktivists, groups encouraged or supported by one of the belligerents, or from the belligerents themselves – and telling which is which may well prove impossible.

Hack and leak

On the more sophisticated end of attacks attempting to hijack media attention, hack-and-leak operations have been on the rise since the beginning of the conflict. The concept is simple: breaching into an organization and publishing its internal data online, often via a dedicated website. This is significantly more difficult than a simple defacing operation, since not all machines contain internal data worth releasing. Hack-and-leak operations, therefore, require more precise targeting, and will, in most cases, also demand more skill from attackers, as the information they are looking for is, more often than not, buried deep within in the victim’s network.

An example of such a campaign is the “doxing” of Ukrainian soldiers. Western entities were also targeted, such as the Polish government or many prominent pro-Brexit figures in the UK. In the latter cases, internal emails were published, leading to scrutiny by investigative journalists. In theory, these data leaks are subject to manipulation. The attackers have all the time they need to edit any released document or could just as well inject entirely forged ones.

It is important to note that it is absolutely unnecessary for the attacker to go to such lengths for the data leak to be damaging. The public availability of the data is proof itself that a serious security incident took place, and the legitimate, original content may already contain incriminating information.

Key insights

• In our 2023 APT predictions, we foresee that hack-and-leak operations will be on the rise next year, as they are very efficient against entities that already have high media exposure and corruption levels (i.e. politicians).
• Information warfare is not internal to a conflict, but instead directed at all onlookers. We expect that the vast majority of such attacks will not be directed at the belligerents, but rather at entities who are perceived as being too supportive (or not supportive enough) of either side.
• Whether it is hack-and-leak operations or DDoS, cyberattacks emerge as a non-kinetic means of diplomatic signaling between states.

Poisoned open-source repositories, weaponizing open-source software

Open-source software has many benefits. Firstly, it is often free to use, which means that businesses and individuals can save money on software costs. However, since anyone can contribute to the code and make improvements, this can also be abused and in turn, open security trapdoors. On the other hand, since the code can be publicly examined for any potential security vulnerabilities, it also means that given enough scrutiny, the risks of using open-source software can be mitigated to decent levels.

Back in March, RIAEvangelist, the developer behind the popular npm package “node-ipc”, published modified versions of the software that contained a special functionality if the running systems had a Russian or Belarusian IP address. On such systems, the code would overwrite all files with a heart emoji, additionally deploying the message, WITH-LOVE-FROM-AMERICA.txt, originating in another module created by the same developer. The node-ipc package is quite popular with over 800,000 users worldwide. As is often the case with open-source software, the effect of deploying these modified “node-ipc” versions was not restricted to direct users; other open-source packages, for instance “Vue.js”, which automatically include the latest node-ipc version, amplified the effect.

Packages aimed to be spread in the Russian market did not always lead to destruction of files, some of them contained hidden functionality such as adding a Ukrainian flag to a section of the website of software or political statements in support of the country. In certain cases the functionality of the package is removed and replaced with political notifications. It is worth noting that not all packages had this functionality hidden with some authors announcing the functionality in the package description.

One of the projects encourages to spread a file that once opened will start hitting various pages of the enlisted servers via JavaScript to overload the websites

Other repositories and software modules found on GitHub included those specifically created to DDoS Russian governmental, banking and media sites, network scanners specifically for gathering data about Russian infrastructure and activity and bots aimed at mass reporting of Telegram channels.

Key insights

• As the conflict drags on, popular open-source packages can be used as a protest or attack platform by developers or hackers alike
• The impact from such attacks can extend further that the open-source software itself, propagating to other packages that automatically rely on the trojanized code

Fragmentation

During the past years, most notably after 2014, this process began to expand to the IT Security world, with nation states passing laws banning each other’s products, services, and companies.

Following the start of the conflict in Ukraine in February 2022, we have seen a lot of western companies exiting the Russian market and leaving their users in a difficult position when it comes to receiving security updates or support. At the same time, some western nations have pushed laws banning the use of Russian software and services due to a potential risk of these being used to launch attacks.

Obviously, one cannot totally rule out the possibility of political pressure being applied to weaponize products, technologies, and services of some minor market players. When it comes to global market leaders and respected vendors, however, we believe this to be extremely unlikely.

On the other hand, searching for alternative solutions can be extremely complicated. Products from local vendors, whose secure development culture, as we have often found, is usually significantly inferior to that of global leaders, are likely to have “silly” security errors and zero-day vulnerabilities, rendering them easy prey for both cybercriminals and hacktivists.

Should the conflict continue to exacerbate, organizations based in countries where the political situation does not require addressing the above issues, should still consider the future risk factors that may affect everyone:

• The quality of threat detection decreases as IS developers lose some markets, resulting in the expected loss of some of their qualified IS experts. This is a real risk factor for all security vendors experiencing political pressure.
• The communication breakdowns between IS developers and researchers located on opposite sides of the new “iron curtain” or even on the same side (due to increased competition on local markets) will undoubtedly decrease the detection rates of security solutions that are currently being developed.
• Decreasing CTI quality: unfounded politically motivated cyberthreat attribution, exaggerated threats, lower statement validity criteria due to political pressure and in an attempt to utilize the government’s political narrative to earn additional profits.

Government attempts to consolidate information about incidents, threats, and vulnerabilities and to limit access to this information detract from overall awareness, since information may sometimes be kept under wraps without good reason.

Key insights

• Geopolitics are playing an important role and the process of fragmentation is likely going to expand
• Security updates are probably the top issue when vendors end support for products or leave the market
• Replacing established, global leaders with local products might open the doors to cybercriminals exploiting zero-day vulnerabilities

Did a cyberwar happen?

Ever since the beginning of the conflict, the cybersecurity community has debated whether or not what was going on in Ukraine qualifies as “cyberwar”. One indisputable fact, as documented throughout this report, is that significant cyberactivity did take place in conjunction with the start of the conflict in Ukraine. This may be the only criteria we need.

On the other hand, many observers had envisioned that in the case of a conflict, devastating preemptive cyberattacks would cripple the “special operation” party. With the notable exception of the Viasat incident, whose actual impact remains hard to evaluate, this simply did not take place. The conflict instead revealed an absence of coordination between cyber- and kinetic forces, and in many ways downgraded cyberoffense to a subordinate role. Ransomware attacks observed in the first weeks of the conflict qualify as distractions at best. Later, when the conflict escalated this November and the Ukrainian infrastructure (energy networks in particular) got explicitly targeted, it is very telling that the Russian military’s tool of choice for the job was missiles, not wipers^[2].

If you subscribe to the definition of cyberwar as any kinetic conflict supported through cyber-means, regardless of their tactical or strategic value, then a cyberwar did happen in February 2022. Otherwise, you may be more satisfied with Ciaran Martin‘s qualification of “cyberharassment”^[3].

Key insights

• There is a fundamental impracticality to cyberattacks; an impracticality that can only be justified when stealth matters. When it does not, physical destruction of computers appears to be easier, cheaper, and more reliable.
• Unless very significant cyberattacks have failed to reach public awareness, at the time of writing this, the relevance of cyberattacks in the context of open war has been vastly overestimated by our community.

Conclusion

The conflict in Ukraine will have a lasting effect on the cybersecurity industry and landscape as a whole. Whether the term “cyberwar” applies or not, there is no denying that the conflict will forever change everyone’s expectations about cyberactivity conducted in wartime, when a major power is involved. Unfortunately, there is a chance that established practice will become the de facto norm.

Before the war broke out, several ongoing multiparty processes (UN’s OEWG and GGE) attempted to establish a consensus on acceptable and responsible behavior in cyberspace. Given the extreme geopolitical tensions we are currently experiencing, it is doubtful that these already difficult discussions will bear fruit in the near future.

A promising initiative in the meantime is the ICRC’s “digital emblem” project: a proposed solution to clearly identify machines used for medical or humanitarian purposes, in the hopes that attackers will refrain from damaging them. Just like the real-life red cross and red crescent emblems cannot stop bullets, digital emblems will not prevent cyberattacks on a technical level – but they will at least make it obvious to everyone that medical infrastructure is not a legitimate target.

As it seems more and more likely that the conflict will drag on for years, and with the death toll already being high… we hope that everyone can at least agree on that.

^[1] The point of this section is not to evaluate the accuracy of those numbers, which are self-reported in many cases, but to study how these cyberattacks are used to shape narratives.

^[3] We recognize that information about ongoing cyberattacks and their impact isn’t exactly forthcoming. This assessment may be revised at a later date, when more data becomes available.

Cybersecurity incidents were plentiful in 2022, causing many problems for industrial infrastructure owners and operators. However, luckily, we did not see any sudden or catastrophic changes in the overall threat landscape – none that were difficult to handle, despite many colorful headlines in the media.

As we see it, the coming year looks to be much more complicated. Many people may be surprised by unexpected twists and turns, though we should already be examining these eventualities today. Below we share some of our thoughts on potential developments of 2023, though we cannot claim to be providing either a complete picture or a high degree of precision.

As we analyze the events of 2022, we must profess that we have entered an era where the most significant changes in the threat landscape for industrial enterprises and OT infrastructures are mostly determined by geopolitical trends and the related macroeconomic factors.

Cybercriminals are naturally cosmopolitan; however, they do pay close attention to political and economic trends as they chase easy profits and ensure their personal safety.

APT activity, which is traditionally ascribed to intelligence agencies of various governments, always occurs in line with developments in foreign policy and the changing goalposts inside countries and inter-governmental blocks.

Developments in the APT world

Internal and external political changes will deliver new directions for APT activity.

Changes in attack geography

Attack geography will inevitably change following transformations of existing and the emergence of new tactical and strategic alliances. As alliances shift, we see cybersecurity tensions arise between countries where such tensions had never existed. Yesterday’s allies become today’s targets.

Changes in industry focus

We are going to see APT activity change the focus on specific industries very soon because the evolving geopolitical realities are closely intertwined with economic changes. Therefore, we should soon see attacks targeting the following sectors representing the real economy:

• Agriculture, manufacturing of fertilizers, agricultural machinery and food products – all as a result of upcoming food crises and shifting food markets;
• Logistics and transport (including transportation of energy resources) due to the on-going changes in global logistics chains;
• The energy sector, mining and processing of mineral resources, non-ferrous and ferrous metallurgy, chemical industry, shipbuilding, instrument and machine-tool manufacturing, as the availability of these companies’ products and technologies is part of the foundation for the economic security of both individual countries and political alliances;
• The alternative energy sector, specifically where it is on the geopolitical agenda;
• High-tech, pharmaceuticals and medical equipment producers, since these are integral for ensuring technological independence.

Continuing attacks on traditional targets

Naturally, we will still see APT attacks on traditional targets, with the main APT attack focus definitely including:

• enterprises in the military industrial complex, with geopolitical tensions, confrontations escalating to red alert status, along with the rising possibilities of military confrontations being the main drivers for the attackers;
• the government sector – we expect attacks to focus on information gathering regarding government initiatives and projects related to the growth of industrial sectors of the economy;
• critical infrastructure – attacks aiming to gain a foothold for future use, and sometimes, for instance when conflicts between specific countries are in the “hot” phase, the goal may even be to inflict immediate and direct damage.

Other changes in the threat landscape

Other important changes in the threat landscape which we already see and which we believe will increasingly contribute to the overall picture include the following:

• A rising number of hacktivists “working” to internal and external political agendas. These attacks will garner more results – quantity will begin to morph into quality.
• A growing risk of volunteer ideologically and politically motivated insiders, as well as insiders working with criminal (primarily ransomware) and APT groups – both at enterprises and among technology developers and vendors.
• Ransomware attacks on critical infrastructure will become more likely – under the auspices of hostile countries or in countries unable to respond effectively to attacks by attacking the adversary’s infrastructure and conducting a full-blown investigation leading to a court case.
• Cybercriminals’ hands will be untied by degrading communications between law enforcement agencies from different countries and international cooperation in cybersecurity grinding to a halt, enabling threat actors to freely attack targets in ‘hostile’ countries. This applies to all types of cyberthreats and is a danger for enterprises in all sectors and for all types of OT infrastructure.
• Criminal credential harvesting campaigns will increase in response to the growing demand for initial access to enterprise systems.

Risk factors due to geopolitical ebb and flow

The current situation forces industrial organizations into making an extremely complicated choice – which products and from which vendors should they be using and why.

On the one hand, we are seeing failing trust relationships in supply chains for both products and services (including OEM), which in turn increases the risks in using many of the products companies are used to:

• It becomes more difficult to deploy security updates when vendors end support for products or leave the market.
• This is equally applicable to degrading quality of security solutions when regular updates cease due to security vendors leaving the market.
• We cannot totally rule out the possibility of political pressure being applied to weaponize products, technologies and services of some minor market players. When it comes to global market leaders and respected vendors, however, we believe this to be extremely unlikely.

On the other hand, searching for alternative solutions can be extremely complicated. Products from local vendors, whose secure development culture, as we have often found, is usually significantly inferior to that of global leaders, are likely to have ‘silly’ security errors and zero-day vulnerabilities, rendering them easy prey for both cybercriminals and hacktivists.

Organizations based in countries where the political situation does not require addressing the above issues, should still consider the risk factors which affect everyone:

• The quality of threat detection decreases as IS developers lose some markets, resulting in the expected loss of some of their qualified IS experts. This is a real risk factor for all security vendors experiencing political pressure.
• The communication breakdowns between IS developers and researchers located on opposite sides of the new ‘iron curtain’ or even on the same side (due to increased competition on local markets) will undoubtedly decrease the detection rates of security solutions that are currently being developed.
• Decreasing CTI quality – unfounded politically motivated cyberthreat attribution, exaggerated threats, lower statement validity criteria due to political pressure and in an attempt to utilize the government’s political narrative to earn additional profits.

• Government attempts to consolidate information about incidents, threats and vulnerabilities and to limit access to this information detract from overall awareness, since information may sometimes be kept under wraps without good reasons.

  And at the same time, this results in an increased risk of confidential data leaks (example: PoC of an RCE published by mistake in a national vulnerability database). This issue could be addressed by building broad cybersecurity capacity in the public sector to ensure that responsible treatment of sensitive cybersecurity information and efficient coordinated vulnerability disclosure can always be guaranteed.

• Additional IS risks due to the growing role of governments in the operations of industrial enterprises, including connections to government clouds and services, which may sometimes be less protected than some of the best private ones.

Additional technical and technological risk factors

• Digitalization in a race for higher efficiency – IIoT and SmartXXX (including predictive maintenance systems and digital twin technology) leads to significantly increased attack surfaces. This is confirmed by the attack statistics on CMMS (Computerized Maintenance Management Systems).

  Top 10 countries ranked by the percentage of CMMS attacked in H1 2022:

  It is significant that in this Top 10 ranking by the percentage of attacked CMMS in H1 2022 we see the traditionally ‘secure’ countries which are not seen in rankings based on the overall percentage of OT computers attacked in the country or based on the percentage of attacked OT computers by sector.

• Rising energy carrier prices and the resulting rises in hardware prices, on the one hand, will force many enterprises to abandon plans to deploy on premise infrastructure in favor of cloud services from third party vendors (which increases IS risks). In addition, this will negatively impact budgets allocated for IT/OT security.
• The deployment of various unmanned vehicles and units (trucks, drones, agricultural equipment and so forth), which can be abused as either targets or tools for attacks.

Most noteworthy techniques and tactics in future attacks

Let’s not indulge in any fantastic suppositions about tactics and techniques used by the most advanced attackers, such as APTs connected to intelligence agencies in leading countries, as we can then be waylaid by unexpected twists and turns. Let’s also not discuss the tactics and techniques used by the numerous threat actors at the other end of the spectrum – the least qualified ones, since it is unlikely that they will come up with something interesting or new, and the security solutions already in place at most organizations can effectively block their attacks.

Let’s focus instead on the middle of the spectrum – the techniques and tactics used by the more active APT groups, whose activity is usually ascribed as being in line with the interests of countries in the Middle East and the Far East, as well as being used by more advanced cybercriminals, such as ransomware gangs.

Based on our experience of investigating such attacks and the related incidents, we believe that ICS cybersecurity specialists need to focus on the following tactics and techniques:

• Phishing pages and scripts embedded on legitimate sites.
• The use of Trojanized “cracked” distribution packages, “patches” and key generators for commonly used and specialist software (this will be stimulated by rising license costs and the departure of vendors from certain markets due to political pressure).
• Phishing emails about current events with especially dramatic subjects, including events the root causes of which are political in nature.
• Documents stolen in previous attacks on related or partner organizations being used as bait in phishing emails.
• The distribution of phishing emails disguised as legitimate work correspondence via compromised mailboxes.
• N-day vulnerabilities – these will be closed even more slowly as security updates for some solutions will become less accessible.
• Exploiting foolish configuration errors (such as failing to change default passwords) and zero-day vulnerabilities in products from ‘new’ vendors, including local ones. Mass rollouts of such products are inevitable, despite the serious doubts about the developers’ security maturity.

For instance, recommendations such as “enter password xyz in the password field” can be found in installation instructions and user manuals in a surprising number of products from small ‘local’ vendors. Furthermore, you will rarely find information about vulnerabilities inherited from common components and OEM technologies on such vendors’ websites.

• Exploiting inherent security flaws in cloud services from ‘local’ service providers and government information systems (see above).
• Exploiting configuration errors in security solutions. This includes the possibility of disabling an antivirus product without entering an administrator password (antivirus is almost useless if an attacker can easily disable it). Another instance would be the weak security of the IS solution centralized management systems. In this case, IS solutions are not only easy to bypass, but they can also be used to move laterally – for instance to deliver malware or to gain access to ‘isolated’ network segments and to bypass access control rules.
• Using popular cloud services as CnC – even after an attack is identified, the victim might still be unable to block it because important business processes could depend on the cloud.
• Exploiting vulnerabilities in legitimate software, for instance, using DLL Hijacking and BYOVD (Bring Your Own Vulnerable Driver) to bypass endpoint security solutions.
• Distributing malware via removable media to overcome air gaps, in those instances where air gaps actually do exist.

Some final thoughts

When writing about potential future issues, we did not aim to describe a full set of potential threats. Instead, we attempted to convey the impression of a global character of upcoming developments and to encourage our readers to assess those issues (including similar ones not mentioned specifically in this paper) which are most relevant to their organization.

We included only those developments and described only those risks which we believe to be most widespread and generally applicable to many organizations in many countries. Therefore, we kept the predictions less specific on purpose.

Only you can determine which threats are relevant for you. Naturally, if you need some assistance with this rather complicated task, we are always ready to help.

Our predictions are the sum of the opinions of our entire team based on our collective experience in researching vulnerabilities and attacks and investigating incidents, as well as our personal vision of the main vectors driving changes in the threat landscape. We will be very glad if any of our negative predictions do not come true in 2023.

We are always happy to discuss our ideas and we welcome your questions at ics-cert@kaspersky.com.

UMAS (Unified Messaging Application Services) is a proprietary Schneider Electric (SE) protocol used to configure and monitor Schneider Electric PLCs. Schneider Electric controllers that use UMAS include Modicon M580 CPU (part numbers BMEP* and BMEH*) and Modicon M340 CPU (part numbers BMXP34*). Controllers are configured and programmed using engineering software – EcoStruxure™ Control Expert (Unity Pro), EcoStruxure™ Process Expert, etc.

In 2020, CVE-2020-28212, a vulnerability affecting this software, was reported, which could be exploited by a remote unauthorized attacker to gain control of a PLC with the privileges of an operator already authenticated on the controller. To address the vulnerability, Schneider Electric developed a new mechanism, Application Password, which should provide protection against unauthorized access to PLCs and unwanted modifications.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism also has flaws. The CVE-2021-22779 vulnerability, identified in the course of the research, could allow a remote attacker to make changes to the PLC, bypassing authentication.

It was established that the UMAS protocol, in its implementation prior to the version in which the CVE-2021-22779 vulnerability was fixed, had significant shortcomings that had a critical effect on the security of control systems based on SE controllers.

As of the middle of August 2022, Schneider Electric has released an update for the EcoStruxure™ Control Expert software, as well as for Modicon M340 which fixes the vulnerability. In March 2023, the vendor released an update for the Modicon M580 PLC.

This report describes:

• the implementation of the UMAS protocol that does not use the Application Password security mechanism;
• authentication bypass if Application Password is not enabled;
• the principles on which the Application Password security mechanism is based;
• mechanisms that can be used to exploit the CVE-2021-22779 vulnerability (authentication bypass where Application Password is configured);
• operating principles of the updated device reservation mechanism.

A detailed report on the research, Schneider Electric measures designed to fix the authentication bypass vulnerability, and Kaspersky ICS CERT recommendations can be found in the full version of the article published on the Kaspersky ICS CERT website.

Object of research

UMAS (Unified Messaging Application Services) is Schneider Electric’s proprietary protocol used to configure, monitor, collect data and control Schneider Electric industrial controllers.

UMAS is based on a client-server architecture. During the research process, we used the EcoStruxure™ Control Expert PLC configuration software as the client part and a Modicon M340 CPU controller as the server part.

UMAS protocol

Network packet structure

UMAS is based on the Modbus/TCP protocol.

Structure of the UMAS protocol

Specifications of the Modbus/TCP protocol include reserved Function Code values that developers can use according to their needs. A complete list of reserved values can be found in the official documentation.

Schneider Electric uses Function Code 90 (0x5A) to define that the value in the Data field is UMAS compliant.

The network packet structure is shown below, using a request to read a memory block (pu_ReadMemoryBlock) on the PLC as an example:

• Red: Function Code 90 (0x5A)
• Blue: Session Key 0 (0x00)
• Green: UMAS Function 20 (0x20)
• Orange: Data

Network packet structure

Each function includes a certain set of information in the Data field, such as offset from the base memory address, size of the data sent, memory block number, etc. For more details on the functions and session key, see the full version of the article.

Network communication

UMAS also inherits the Modbus client-server architecture. A structural diagram of the communication between the client and the server is provided below.

Communication between the client (EcoStruxure™ Control Expert) and server (PLC)

In a UMAS network packet, Function Code 0x5A is immediately followed by the Session Key.

UMAS network packet structure

Let’s examine the communication between a client and a server (a PLC, also referred to as “device” below) by analyzing a real-world traffic fragment. The screenshot below shows a packet containing the function umas_QueryGetComInfo(0x01) sent from the client (EcoStruxure™ Control Expert) to the server (the PLC).

Structure of the function:
TCP DATA – Modbus Header – 0x5A – session – 01(UMAS function code) – 00(data).

Network packet containing the function umas_QueryGetComInfo(0x01)

The device should send a response to each request received. The screenshot below shows the device’s response to the client’s request:

Server response

The status code is the status of the device’s execution of the function sent to it by the client in the previous request. The value “fe” corresponds to successful execution of the function; “fd” indicates an error. The status code is present in each response sent by the device to thecontaining a function. It is always located immediately after the session key.

Reservation procedure

A “reservation” procedure is required to make changes to a PLC. The procedure acts as authentication. Only one client (e.g., an engineering workstation) can reserve a device at any specific time for configuration or status monitoring. This is required to prevent changes from being made to a device in parallel without coordination.

The screenshot below shows a request from the engineering software to the PLC to perform the device reservation procedure in its basic variant that does not use the Application Password security mechanism.

Device reservation

The umas_QueryTakePLCReservation(0x10) function is used to reserve a device. The request containing this function includes the name of the client reserving the device and a value equal to the length of that name.

CVE-2020-28212: authentication bypass without Application Password

The main issue with the basic reservation mechanism that does not use Application Password is that an attacker can use the session key to send requests and change the device’s configuration.

In firmware versions prior to 2.7 for Modicon M340 devices, the session key has the same value each time the device is reserved, and is equal to “0x01”. This means that attackers can make changes on the device by calling the relevant functions after the device has been reserved by a legitimate user.

The attack workflow is shown in the diagram below:

Remote threat actor attack workflow. Modicon M340 firmware prior to version 2.7, device reserved by an engineer

If the device has not been reserved at the time of an attack, the attacker can use the umas_QueryTakePLCReservation(0x10) function to reserve the device in order to make changes to it.

With Modicon M340 firmware version 2.7 or later, the session key takes a random value after device reservation. However, the session key is one byte in length, which means there are only 256 possible session ID values. This enables a remote unauthorized attacker to brute-force an existing ID of a session between a legitimate user and the PLC.

To carry out this type of attack, a remote attacker needs to send a series of network requests on port 502/TCP of the PLC with different session ID values and look at responses returned by the PLC. If the correct session ID was sent, the attacker will get the status code 0xfe, which means the request was fulfilled successfully. Otherwise, the attacker will get the status code 0xfd.

The operations described above can be implemented using any programming language – an attacker does not have to use EcoStruxure™ Control Expert or any other dedicated software to communicate with the device.

Application Password

To mitigate the CVE-2020-28212 vulnerability, exploitation of which could allow a remote unauthorized attacker to gain control of the PLC with the privileges of an operator already authenticated on the PLC, Schneider Electric developed a new security mechanism that used cryptographic algorithms to compute the session ID and increased the session ID length. Schneider Electric believed implementing this security mechanism would prevent brute-force attacks that could be used to crack single-byte session IDs.

The new mechanism was introduced starting with firmware version 3.01 for Modicon M340 devices. To implement authentication between the client and the device, Application Password needs to be enabled in project settings (“Project & Controller Protection”). The mechanism is designed to provide protection against unauthorized access, unwanted changes, as well as unauthorized downloading or uploading of PLC strategies.

After activating the mechanism using EcoStruxure™ Control Expert, the client needs to enter the password when connecting to a device as part of the reservation procedure. Application Password also makes changes to the reservation mechanism itself.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism was, unfortunately, also flawed. Its main shortcoming is that during the authentication process, all computations are performed on the client side, i.e., on the side of EcoStruxure™ Control Expert engineering software. The vulnerability identified during research, CVE-2021-22779, could allow a remote attacker to bypass authentication and use functions that require reservation to make changes to the PLC.

For more details on the implementation of Application Password and on the security flaws identified by Kaspersky ICS CERT researchers, read the full version of the article published on the Kaspersky ICS CERT website. For more information, you can also contact us at ics-cert@kaspersky.com.

H1 2022 in numbers

Geography

• In H1 2022, malicious objects were blocked at least once on 31.8% of ICS computers globally.

  

  Percentage of ICS computers on which malicious objects were blocked

• For the first time in five years of observations, the lowest percentage in the ‎first half of the year was observed in March.‎ During the period from January to March, the percentage of attacked ICS computers decreased by 1.7 p.p.

  

  Percentage of ICS computers on which malicious objects were blocked, January – June 2020, 2021, and 2022

• Among regions, the highest percentage of ICS computers on which malicious objects were blocked was observed in Africa (41.5%). The lowest percentage (12.8%) was recorded in Northern Europe.

  

  Percentage of ICS computers on which malicious objects were blocked, in global regions

• Among countries, the highest percentage of ICS computers on which malicious objects were blocked was recorded in Ethiopia (54.8%) and the lowest (6.8%) in Luxembourg.

  

  15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked, H1 2022

  

  10 countries and territories with the lowest percentage of ICS computers on which malicious objects were blocked, H1 2022

Threat sources

• The main sources of threats to computers in the operational technology infrastructure of organizations are internet (16.5%), removable media (3.5%), and email (7.0%).

  

  Percentage of ICS computers on which malicious objects from different sources were blocked

Regions

• Among global regions, Africa ranked highest based on the percentage of ICS computers on which malware was blocked when removable media was connected.

  

  Regions ranked by percentage of ICS computers on which malware was blocked when removable media was connected, H1 2022

• Southern Europe leads the ranking of regions by percentage of ICS computers on which malicious email attachments and phishing links were blocked.

  

  Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H1 2022

Industry specifics

• In the Building Automation industry, the percentage of ICS computers on which malicious email attachments and phishing links were blocked (14.4%) was twice the average value for the entire world (7%).

  

  Percentage of ICS computers on which malicious email attachments and phishing links were blocked, in selected industries

• In the Oil and Gas industry, the percentage of ICS computers on which threats were blocked when removable media was connected (10.4%) was 3 times the average percentage for the entire world (3.5%).

  

  Percentage of ICS computers on which threats were blocked when removable media was connected

• In the Oil and Gas industry, the percentage of ICS computers on which malware was blocked in network folders (1.2%) was twice the world average (0.6%).

  

  Percentage of ICS computers on which threats were blocked in network folders

Diversity of malware

• Malware of different types from 7,219 families was blocked on ICS computers in H1 2022.

  

  Percentage of ICS computers on which the activity of malicious objects from different categories was prevented

Ransomware

• In H1 2022, ransomware was blocked on 0.65% of ICS computers. This is the highest percentage for any six-month reporting period since 2020.

  

  Percentage of ICS computers on which ransomware was blocked

• The highest percentage of ICS computers on which ransomware was blocked was recorded in February (0.27%) and the lowest in March (0.11%). The percentage observed in February was the highest in 2.5 years of observations.

  

  Percentage of ICS computers on which ransomware was blocked, January – June 2022

• East Asia (0.95%) and the Middle East (0.89%) lead the ransomware-based ranking of regions. In the Middle East, the percentage of ICS computers on which ransomware was blocked per six-month reporting period has increased by a factor of 2.5 since 2020.

  

  Regions ranked by percentage of ICS computers on which ransomware was blocked, H1 2022

• Building Automation leads the ranking of industries based on the percentage of ICS computers attacked by ransomware (1%).

  

  Percentage of ICS computers on which ransomware was blocked, in selected regions, H1 2022

Malicious documents

• Malicious documents (MSOffice+PDF) were blocked on 5.5% of ICS computers. This is 2.2 times the percentage recorded in H2 2021. Threat actors distribute malicious documents via phishing emails and actively use such emails as the vector of initial computer infections.

  

  Percentage of ICS computers on which malicious documents (MSOffice+PDF) were blocked

• In the Building Automation industry, the percentage of ICS computers on which malicious office documents were blocked (10.5%) is almost twice the global average.

  

  Percentage of ICS computers on which malicious office documents (MSOffice+PDF) were blocked, in selected industries

Spyware

• Spyware was blocked on 6% of ICS computers. This percentage has been growing since 2020.

  

  Percentage of ICS computers on which spyware was blocked

• Building Automation leads the ranking of industries based on the percentage of ICS computers on which spyware was blocked (12.9%).

  

  Percentage of ICS computers on which spyware was blocked, in selected industries

Malware for covert cryptocurrency mining

• The percentage of ICS computers on which malicious cryptocurrency miners were blocked continued to rise gradually.

  

  Percentage of ICS computers on which malicious cryptocurrency miners were blocked

• Building Automation also leads the ranking of selected industries by percentage of ICS computers on which malicious cryptocurrency miners were blocked.

  

  

  Percentage of ICS computers on which malicious cryptocurrency miners were blocked, in selected industries

The full text of the report has been published on the Kaspersky ICS CERT website.

In January 2022, Kaspersky ICS CERT experts detected a wave of targeted attacks on military industrial complex enterprises and public institutions in several countries. In the course of our research, we were able to identify over a dozen of attacked organizations. The attack targeted industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan.

The attackers were able to penetrate dozens of enterprises and even hijack the IT infrastructure of some, taking control of systems used to manage security solutions.

An analysis of information obtained while investigating the incidents indicates that cyberespionage was the goal of this series of attacks.

Initial infection

The attackers penetrated the enterprise network using carefully crafted phishing emails, some of which use information that is specific to the organization under attack and is not publicly available. This could indicate that the attackers did preparatory work in advance (they may have obtained the information in earlier attacks on the same organization or its employees, or on other organizations or individuals associated with the victim organization).

Microsoft Word documents attached to the phishing emails contained malicious code that exploits the CVE-2017-11882 vulnerability. The vulnerability enables an attacker to execute arbitrary code (in the attacks analyzed, the main module of the PortDoor malware) without any additional user activity.

An earlier series of attacks in which the PortDoor malware was also used was described by Cybereason experts. A new version of PortDoor was identified in the course of our research.

Initial infection of a system

After being launched, PortDoor collects general information on the infected system and sends it to the malware command-and-control (CnC) server. In cases where an infected system is of interest to the attackers, they use the PortDoor functionality to control the system remotely and install additional malware.

Additional malware

The attackers used five different backdoors at the same time – probably to set up redundant communication channels with infected systems in case one of the malicious programs was detected and removed by a security solution. The backdoors used provide extensive functionality for controlling infected systems and collecting confidential data.

Of the six backdoors identified on infected systems, five (PortDoor, nccTrojan, Logtu, Cotx, and DNSep) have been used earlier in attacks attributed by other researchers to APT TA428. The sixth backdoor is new and has not been observed in other attacks.

Lateral movement

After gaining a foothold on the initial system, the attackers attempt to spread the malware to other computers on the enterprise network. To gain access to those computers, the attackers use network scanning results, as well as user credentials stolen earlier.

The Ladon hacking utility (which is popular in China) is used as the main lateral movement tool. It combines network scanning, vulnerability search and exploitation, password attack, and other functionality. The attackers also extensively use standard utilities that are part of the Microsoft Windows operating system.

The attack’s final stage involves hijacking the domain controller and gaining full control of all of the organization’s workstations and servers.

The attackers used DLL hijacking and process hollowing techniques extensively in the attack to prevent security software from detecting the malware.

Data theft

After gaining domain administrator privileges, the attackers searched for and exfiltrated documents and other files that contained the attacked organization’s sensitive data to their servers hosted in different countries. These servers were also used as stage one CnC servers.

The attackers compressed stolen files into encrypted and password-protected ZIP archives. After receiving the data collected, the stage one CnC servers forwarded the archives received to a stage two server located in China.

Transfer of stolen data from infected systems

Who is behind the attack?

Significant overlaps in tactics, techniques, and procedures (TTPs) have been observed with APT TA428 activity.

The research identified malware and CnC servers previously used in attacks attributed by other researchers to TA428 APT group.

Some indirect evidence also supports our conclusion.

We believe that the series of attacks that we have identified is highly likely to be an extension of a known campaign that has been described in Cybereason, DrWeb, and NTTSecurity research and has been attributed with a high degree of confidence to APT TA428 activity.

Conclusion

The findings of our research show that spear phishing remains one of the most relevant threats to industrial enterprises and public institutions. In the course of the attack, the attackers used mostly known backdoor malware, as well as standard lateral movement techniques and methods designed to evade detection by security solutions.

The attack series that we have identified is not the first in the campaign. Given that the attackers have had some success, we believe it is highly likely that similar attacks will occur again in the future. Industrial enterprises and public institutions should do a great deal of work to successfully thwart such attacks.

Technical details of the attacks, as well as recommendations and indicators of compromise, can be found in the full public version of the article on the Kaspersky ICS CERT website.

A private version of the article has been published on Kaspersky Threat Intelligence.

We are not wrapping up our investigation as yet and will release information on new findings as they appear. For more information, you can contact ics-cert@kaspersky.com.

Kaspersky Managed Detection and Response (MDR) helps organizations to complement existing detection capabilities or to expand limited in-house resources to protect their infrastructure from the growing number and complexity of threats in real time. We collect telemetry from clients’ networks and analyze it using machine learning and artificial intelligence, plus human threat-hunting analysts. Kaspersky SOC investigates alerts and notifies the client if there is something bad going on, providing response actions and recommendations.

MDR in 2021 in numbers

In 2021:

• Kaspersky MDR received 414K alerts.
• 63.74% of received alerts were processed by SOC analysts, 6.67% of which were related to real incidents reported to customers via the MDR portal
• 77.4% of all incidents are related to only one alert
• 14% of incidents were high-severity, 66% medium-severity, and 20% low-severity
• The average identification time of high-severity incidents was 41.4 minutes
• 40.7% of high-severity incidents were targeted attacks; 18% were ethical offensive exercises (penetration testing, red teaming etc.)
• Most incidents were detected at the initial access (27.3%) and lateral movement (16.3%) stages
• Most often high-severity incidents were detected in IT (39%), industrial (30.2%), and financial (29.1%) organizations
• The LOL binaries most often used by attackers were cmd.exe, powershell.exe, and rundll.exe

Download the full Kaspersky Managed Detection and Response 2021 report.

In early 2020, we notified the Rockwell Automation Product Security Incident Response Team (RA PSIRT) of several vulnerabilities we had identified in the ISaGRAF Runtime execution environment.

According to public sources of information, ISaGRAF Runtime is used as an automation framework in multiple products in various industries across the globe and its use is not limited to ICS. ISaGRAF Runtime are also used in transportation, power & energy, and other sectors.

This report includes an analysis of the ISaGRAF framework, its architecture, the IXL and SNCP protocols that are used to program and control ISaGRAF-based devices and to communicate with them.

Our research has uncovered multiple vulnerabilities in ISaGRAF Runtime. The following potential vectors of attacks on ISaGRAF-based devices have been identified:

• A remote unauthenticated attacker could execute privileged commands of the IXL service on devices with ISaGRAF Runtime versions released before 2010.
• A remote attacker could easily implement a password brute force attack in ISaGRAF Runtime.
• An attacker that can carry out a MitM attack will be able to overwrite tag statuses, the program being downloaded to the device, or authentication data. Since authentication data is encrypted with a preset symmetric key, the attacker could decrypt an intercepted target (device) password.
• An attacker could exploit the vulnerabilities identified to gain remote access to a device with ISaGRAF Runtime and execute arbitrary malicious code inside the ISaGRAF Runtime virtual machine.
• An attacker could exploit the vulnerabilities to escape the ISaGRAF Runtime sandbox, ensure the malicious code’s persistence on the device, and hide it from future detection.

Detailed descriptions of the vulnerabilities identified are provided, along with an analysis of the impact that their potential abuse could have and recommendations on additional risk mitigation measures.

By the end of 2021, all of the vulnerabilities identified had been fixed by the technology vendor, or mitigations were suggested by the vendor, CISA, or Kaspersky ICS CERT.

As of March 2022, the following vendors had reported ISaGRAF Runtime vulnerabilities in their products: Rockwell Automation, Schneider Electric, Xylem, GE, and Moxa.

More information is available on the Kaspersky ICS CERT website.