Introduction

Andariel, a part of the notorious Lazarus group, is known for its use of the DTrack malware and Maui ransomware in mid-2022. During the same period, Andariel also actively exploited the Log4j vulnerability as reported by Talos and Ahnlab. Their campaign introduced several new malware families, such as YamaBot and MagicRat, but also updated versions of NukeSped and, of course, DTrack.

While on an unrelated investigation recently, we stumbled upon this campaign and decided to dig a little bit deeper. We discovered a previously undocumented malware family and an addition to Andariel’s set of TTPs.

From initial infection to fat fingers

Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the C2 server. Unfortunately, we were unable to catch the first piece of malware they downloaded, but we did see that exploitation was closely followed by the DTrack backdoor being downloaded.

From this point on, things got rather interesting, as we were able to reproduce the commands the attackers executed. It quickly became clear that the commands were run by a human operator, and judging by the amount of mistakes and typos, likely an inexperienced one. For example:

Note how “Program” is misspelled as “Prorgam” . Another funny moment was when the operators realized they were in a system that used the Portuguese locale. This took surprisingly long: they only learned after executing cmd.еxe /c net localgroup as you can see below:

We were also able to identify the set of off-the-shelf tools Andariel that installed and ran during the command execution phase, and then used for further exploitation of the target. Below are some examples:

• Supremo remote desktop;
• 3Proxy;
• Powerline;
• Putty;
• Dumpert;
• NTDSDumpEx;
• ForkDump;
• And more which can be found in our private report.

Meet EarlyRat

We first noticed a version of EarlyRat in one of the aforementioned Log4j cases and assumed it was downloaded via Log4j. However, when we started hunting for more samples, we found phishing documents that ultimately dropped EarlyRat. The phishing document itself is not that advanced as can be seen below:

Once macros are enabled, the following command is executed:

Oddly enough, the VBA code pings a server associated with the HolyGhost / Maui ransomware campaign.

EarlyRat, just like many other RATs (remote access Trojans), collects system information upon starting and sends it to the C2 using the following template:

As can be seen above, there are two different parameters in the request: “id” and “query”. Next to those, the “rep0” and “page” parameters are also supported. They are used in the following cases:

• id: unique ID of the machine used as a cryptographic key to decrypt value from “query”
• query: the actual content. It is Base64 encoded and rolling XORed with the key specified in the “id” field.
• rep0: the value of the current directory
• page: the value of the internal state

In terms of functionality, EarlyRat is very simple. It is capable of executing commands, and that is about the most interesting thing it can do. There is a number of high-level similarities between EarlyRat and MagicRat. Both are written using a framework: QT is used for MagicRat and PureBasic, for EarlyRat. Also, the functionality of both RATs is very limited.

Conclusion

Despite being an APT group, Lazarus is known for performing typical cybercrime tasks, such as deploying ransomware, which makes the cybercrime landscape more complicated. Moreover, the group uses a wide variety of custom tools, constantly updating existing and developing new malware.

Focusing on TTPs as we did with Andariel helps to minimize attribution time and detect attacks in their early stages. This information can also help in taking proactive countermeasures to prevent incidents from happening.

Intelligence reports can help you to stay protected against these threats. If you want to keep up to date on the latest TTPs used by criminals, or if you have questions about our private reports, reach out to us at crimewareintel@kaspersky.com.

Year 2022 in numbers

Global threat statistics

In H2 2022, the percentage of ICS computers on which malicious objects were blocked increased by 3.5 percentage points compared to the previous six-month period, reaching 34.3%. This was higher than the percentages for 2021 and even 2020.

Percentage of ICS computers on which malicious objects were blocked, 2020 – 2022

In H2 2022 the percentage of ICS computers on which malicious objects were blocked increased in the automotive industry (+4.6 p.p.) and in the energy sector (+1 p.p.). In other industries tracked, the percentage decreased.

Percentage of ICS computers on which malicious objects were blocked in some industries, H2 2022

Geography

In different regions of the world, the percentage of ICS computers on which malicious activity was prevented ranged from 40.1% in Africa and Central Asia, which led the ranking, to 14.2% and 14.3%, respectively, in Western and Northern Europe, which were the most secure regions.

Regions of the world ranked by percentage of ICS computers on which malicious objects were blocked, H2 2022

African and Central Asian countries were prevalent among the 15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked in H2 2022.

15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked, H2 2022

In the Top 10 ranking of countries with the lowest percentage of ICS computers on which malicious objects were blocked, all countries, with the exception of Israel, were European.

10 countries and territories with the lowest percentage of ICS computers on which malicious objects were blocked, H2 2022

In H2 2022, the most significant increase among all countries in the percentage of ICS computers on which malicious objects were blocked was observed in Russia, where that percentage increased by 9 p.p.

Russia. Percentage of ICS computers on which malicious objects were blocked, 2020 – 2022

Variety of the malware detected

In H2 2022, Kaspersky security solutions blocked malware from 7,684 different families on industrial automation systems.

Percentage of ICS computers on which the activity of malicious objects from different categories was prevented, H2 2022

Main threat sources

The internet, removable devices and email clients remained the main sources of threats for computers in the operational technology infrastructure of organizations.

Percentage of ICS computers on which malicious objects from different sources were blocked, 2021 – 2022

In H2 2022, a very significant growth in the percentage of ICS computers on which internet threats were blocked – 12 p.p. and 7.8 p.p., respectively – was recorded in the regions of Russia and Central Asia.

Regions ranked by percentage of ICS computers on which internet threats were blocked, H2 2022

As per tradition, Africa topped the ranking of regions based on the percentage of ICS computers on which malware was blocked when removable devices were connected.

Regions ranked by percentage of ICS computers on which malware was blocked when removable devices were connected, H2 2022

Southern Europe topped the ranking of regions based on the percentage of ICS computers on which malicious email attachments and phishing links were blocked. Northern Europe was the only region in which the percentage increased (+0.3 p.p.) in H2 2022.

Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H2 2022

The full report has been published on the Kaspersky ICS CERT website.

At this point, it has become cliché to say that nothing in 2022 turned out the way we expected. We left the COVID-19 crisis behind hoping for a long-awaited return to normality and were immediately plunged into the chaos and uncertainty of a twentieth-century-style military conflict that posed serious risks of spreading over the continent. While the broader geopolitical analysis of the war in Ukraine and its consequences are best left to experts, a number of cyberevents have taken place during the conflict, and our assessment is that they are very significant.

In this report, we propose to go over the various activities that were observed in cyberspace in relation to the conflict in Ukraine, understand their meaning in the context of the current conflict, and study their impact on the cybersecurity field as a whole.

Timeline of significant cyber-events predating Feb 24th

In the modern world, it has become very difficult to launch any kind of military campaign without intelligence support in the field. Most intelligence is gathered from various sources through methods such as HUMINT (human intelligence, gathered from persons located in the future conflict area), SIGINT (signals intelligence, gathered through the interception of signals), GEOINT (geospatial intelligence, such as maps from satellites), or ELINT (electronic intelligence, excluding text or voice), and so on.

For instance, according to the New York Times, in 2003, the United States made plans for a huge cyberattack to freeze billions of dollars in Saddam Hussein’s bank accounts and cripple his government before the invasion of Iraq. However, the plan was not approved because the government feared collateral damage. Instead, a more limited plan to cripple Iraq’s military and government communication systems was carried out during the early hours of the war in 2003. This operation included blowing up cellphone towers and communication grids as well as jamming and cyberattacks against Iraq’s telephone networks. According to the same article, another such attack took place in the late 1990s when the American military attacked a Serbian telecommunications network. Inadvertently, this also affected the Intelsat communications system for days, proving that the risk of collateral damage during cyberwarfare is pretty high.

The lessons learned from these events may allow predicting kinetic conflicts by monitoring new cyberattacks in potential areas of conflict. For instance, in late 2013 and January 2014, we observed higher-than-normal activity in Ukraine by the Turla APT group, as well as a spike in the number of BlackEnergy APT sightings. Similarly, at the beginning of February 2022, we noticed a huge spike in the amount of activity related to Gamaredon C&C servers. This activity reached hitherto-unseen levels, suggesting massive preparations for a major SIGINT gathering effort.

As shown by these cases, during modern conflicts, we can expect to see significant signs and spikes in cyberwarfare relating to both collection of intelligence and destructive attacks in the days and weeks preceding military attacks. Of course, we should note that the opposite is also possible: for instance, starting in June 2016, but most notably since September 2016 all the way to December 2016, the Turla group intensified their satellite-based C&C registrations tenfold compared to its 2015 average. This indicated unusually high activity by the Turla group, which signaled a never-before-seen mobilization of the group’s resources. At the same time, there was no ensuing military conflict that we know of.

Key insights

• Today’s military campaigns follow gathering of supporting intelligence in the field; this includes SIGINT and ELINT among others
• Significant military campaigns, such as the 2003 invasion of Iraq, have been complemented by powerful cyberattacks designed to disable the enemy’s communication networks
• In February 2022, we noticed a huge spike in activity related to Gamaredon C&C servers; a similar spike was observed in Turla and BlackEnergy APT activity in late 2013 and early 2014
• We can expect to see significant signs and spikes in cyberwarfare in the days and weeks preceding military conflicts

Day one

On the very first day of the conflict (February 24, 2022), a massive wave of indiscriminate pseudo-ransomware and wiper attacks hit Ukrainian entities. We were not able to determine any form of consistency when it came to the targeting, which led us to believe that the main objective of these attacks may have been to cause chaos and confusion — as opposed to achieving precise tactical goals. Conversely, the tools leveraged in this phase were just as varied in nature:

• Ransomware (IsaacRansom);
• Fake ransomware (WhisperGate);
• Wipers (HermeticWiper, CaddyWiper, DoubleZero, IsaacWiper);
• ICS/OT wipers (AcidRain, Industroyer2).

Some of them were particularly sophisticated. As far as we know, HermeticWiper remains the most advanced wiper software discovered in the wild. Industroyer2 was discovered in the network of a Ukrainian energy provider, and it is very unlikely that the attacker would have been able to develop it without access to the same ICS equipment as used by the victim. That said, a number of those tools are very crude from a software engineering perspective and appear to have been developed hurriedly.

With the notable exception of AcidRain (see below), we believe that these various destructive attacks were both random and uncoordinated – and, we argue, of limited impact in the grand scheme of the war. Our assessment of the threat landscape in Ukraine in the first months of the war can be found on SecureList.

The volume of wiper and ransomware attacks quickly subsided after the initial wave, but a limited number of notable incidents were still reported. The Prestige ransomware affected companies in the transportation and logistics industries in Ukraine and Poland last October. One month later, a new strain named RansomBoggs again hit Ukrainian targets – both malware families were attributed to Sandworm. Other “ideologically motivated” groups involved in the original wave of attacks appear to be inactive now.

Key insights

• Low-level destructive capabilities can be bootstrapped in a matter of days.
• Based on the uncoordinated nature of these destructive attacks, we assess that some threat actors appear to be capable of recruiting isolated groups of hackers on short notice, to perform destabilizing tasks. We can only speculate as to whether those groups are internal resources reassigned to low-level cyberattacks or external entities that can be mobilized when the need arises.
• While the impact of these destructive cyber-attacks paled in comparison to the effects of the kinetic attacks taking place at the same time, it should be noted that this capability could in theory be directed against any country outside of the context of an armed conflict and under the pretense of traditional cybercrime activity.

The Viasat “cyberevent”

On the 24^th of February, Europeans who relied on the ViaSat-owned “KA-SAT” satellite faced major Internet access disruptions. This so-called “cyber-event” started around 4h UTC, less than two hours after the Russian Federation publicly announced the beginning of the “special military operation” in Ukraine. As could be read from government requests for proposals, the Ukrainian government and military are notable consumers of KA-SAT access, and were reportedly affected by the event. But the disruptions also triggered major consequences elsewhere, such as interrupting the operation of wind turbines in Germany.

ViaSat quickly suspected that disruptions could be the result of a cyberattack. It directly affected satellite modems firmwares, but was still to be understood as of mid-March. Kaspersky experts ran their own investigations and notably uncovered a likely intrusion path to a remote access point in a management network, while analyzing modem internals and a likely-involved wiper implant. The “AcidRain” wiper was first described later in March, while ViaSat published an official analysis of the cyber-attack. The latter confirmed that a threat actor got in through a remote-management network exploiting a poorly configured VPN, and ultimately delivered destructive payloads, affecting tens of thousands of KA-SAT modems. On May 10, the European Union attributed those malicious activities to the Russian Federation.

A lot of technical details about this attack are still unknown and may later be shared away from government eyes. Yet it is one of the most sophisticated attacks revealed to date in connection to the conflict in Ukraine. The malicious activities were likely conducted by a skilled and well-prepared threat actor, within an accurate timeframe which cannot be fortuitous. While the sabotage has likely failed to disrupt the Ukrainian defense badly enough, it had multiple effects beyond the battlefield: stimulating the US Senate to require a state of play on satellite cybersecurity, accelerating SpaceX Starlink deployment (and later, unexpected bills), as well as questioning the rules for dual-use infrastructure during armed conflicts.

Key insights

• The ViaSat sabotage once again demonstrates that cyberattacks are a basic building block for modern armed conflicts and may directly support key milestones in military operations.
• As it has been suspected for years, advanced threat actors likely preposition themselves in various strategic infrastructural assets in preparation for future disruptive actions.
• Cyberattacks against common communication infrastructures are highly likely during armed conflict, as belligerents might consider these to be of dual use. Due to the interlinked nature of the Internet, a cyberattack against this kind of infrastructure will likely have side-effects for parties that are not involved in the armed conflict. Protection and continuity planning are of utmost importance for this communications infrastructure.
• The cyberattack raises concerns about the cybersecurity of commercial satellite systems, which may support various applications, from selfie geolocation to military communications. While protective measures against kinetic combat in space are frequently discussed by military forces, and more datacenters are expecting to fly soon … ground-station management systems and operators still seem to be highly exposed to common cyberthreats.

Taking sides: professional ransomware groups, hacktivists, and DDoS attacks

As has always been the case, wartime has a very specific impact on the information landscape. It is especially true in 2022, now that humanity commands the most potent information spreading tools ever created: social networks and their well-documented amplification effect. Most real-world events related to the war (accounts of skirmishes, death tolls, prisoner of war testimonies) are shared and refuted online with varying degrees of good faith. Traditional news outlets are also affected by the broader context of information warfare.

DDoS attacks and, to a lesser extent, defacement of random websites have always been regarded as low-sophistication and low-impact attacks by the security community. DDoS attacks, in particular, require generating heavy network traffic that attackers typically cannot sustain for very long periods of time. As soon as the attack stops, the target website becomes available again. Barring temporary loss of revenue for e-commerce websites, the only value provided by DDoS attacks or defacement is the humiliation of the victim. Since non-specialized journalists may not know the difference between the various types of security incidents, their subsequent reporting shapes a perception of incompetence and inadequate security that may erode users’ confidence. The asymmetric nature of cyberattacks plays a key role in supporting a David vs. Goliath imagery, whereby symbolic wins in the cyberfield help convince ground troops that similar achievements are attainable on the real-life battlefield.

According to Kaspersky DDoS Protection, since the beginning of 2022 during 11 months the service registered ~1.65 more attacks than in the whole 2021. While this growth may be not too significant, the resources have been under attack 64 times longer compared to 2021. In 2021 the average attack lasted ~28 minutes, in 2022 – 18.5 hours, which is almost 40 times longer. The longest attack lasted 2 days in 2021, 28 days (or 2486505 seconds) in 2022.

Total duration of DDoS attacks detected by Kaspersky DDoS Protection in seconds, by week, 2021 vs 2022

Since the start of the war, a number of (self-identified) hacktivist groups have emerged and started conducting activities to support either side. For instance, a stunt organized by the infamous collective Anonymous involved causing a traffic jam in Moscow by sending dozens of taxis to the same location.

Kaspersky DDoS protection also reflects this trend. Massive DDoS attacks were spread unevenly over the year with the most heated times being in spring and early summer.

Number of DDoS attacks detected by Kaspersky DDoS Protection in seconds, by week, 2021 vs 2022

The attackers peaked in February-early March, reflecting growth of hacktivism, which has died down by autumn. Currently we see a regular anticipated dynamic of attacks, though their quality has changed. In May-June we detected extremely long attacks. Now their length has stabilized, nevertheless, while typical attacks used to last a few minutes, now they last for hours.

On February 25, 2022, the infamous Conti ransomware group announced their “full support of Russian government”. The statement included a bold phrase: “If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy“. The group followed up rather quickly with another post, clarifying their position in the conflict: “As a response to Western warmongering and American threats to use cyber warfare against the citizens of Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world. We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression“.

Two days later, a Ukrainian security researcher leaked a large batch of internal private messages between Conti group members, covering over one year of activity starting in January 2021. This dump delivered a significant blow to the group who saw their inner activities exposed before the public, including Bitcoin wallet addresses related to many million of US dollars received in ransom. At the same time, another cybercriminal group called “CoomingProject” and specializing in data leaks, announced they would support the Russian Government if they saw attacks against Russia:

Other groups, such as Lockbit, preferred to stay neutral, claiming their “pentesters” were an international community, including Russians and Ukrainians, and it was “all business”, in a very apolitical manner:

On February 26, Mykhailo Fedorov, the Vice Prime Minister and Minister of Digital Transformation of Ukraine, announced the creation of a Telegram channel to “continue the fight on the cyber front”. The initial Telegram channel had a typo in the name (itarmyofurraine) so a second one was created.

IT ARMY of Ukraine Telegram channel

The channel operators constantly give tasks to the subscribers, such as DDoS’ing various business corporations, banks, or government websites:

List of DDoS targets posted by IT ARMY of Ukraine

Within a short time, the IT Army of Ukraine, composed of volunteers coordinating via Twitter and Telegram, reportedly defaced or otherwise DDoSed over 800 websites, including high-profile entities such, as the Moscow Stock Exchange^[1].

Parallel activity has also been observed by other groups, which have taken sides as the conflict was spilling over into neighboring countries. For instance, the Belarusian Cyber-Partisans claimed they had disrupted the operations of the Belarusian Railway by switching it to manual control. There goal was to slow the movement of Russian military forces through the country.

Belarusian Cyber-Partisans post

A limited and by far not exhaustive list of some of the ransomware or hacktivist groups that expressed their opinion about the conflict in Ukraine include:

Among the openly pro-Russian groups, Killnet, which was originally established as a response to the “IT Army of Ukraine”, is probably the most active. In late April, they attacked Romanian Government websites in response to statements by Marcel Ciolacu, president of the Romanian Chamber of Deputies, after he promised Ukrainian authorities “maximum assistance”. On May 15, Killnet published a video on their telegram channel declaring war on ten nations: the United States, the United Kingdom, Germany, Italy, Latvia, Romania, Lithuania, Estonia, Poland, and Ukraine. Following these activities, the international hacking collective known as “Anonymous” declared cyber war against Killnet on May 23.

Killnet continued its activities throughout 2022, preceding their attacks with an announcement on their Telegram channel. In October, the group started attacking organizations in Japan, which they later stopped due to a lack of funds. It later attacked a US airport and governmental websites and businesses, often without significant success. On November 23, Killnet briefly took down the website of the European Union. Killnet also repeatedly targeted websites in Latvia, Lithuania, Norway, Italy, and Estonia. While Killnet’s methods are not sophisticated, they continually make headlines and drive attention to the group’s activities and stance.

Key insights

• The conflict in Ukraine has created a breeding ground for new cyberware activity by various parties including cybercriminals and hacktivists, who rushed to support their favorite sides
• We can expect the involvement of hacktivist groups in all major geopolitical conflicts from now on.
• The cyberware activities are spilling over into neighboring countries and affecting a large number of entities, including governmental institutions and private companies
• Some groups, such as the IT Army of Ukraine, have been officially backed by governments, and their Telegram channels include hundreds of thousands of subscribers
• The majority of attacks have relatively low complexity
• Most of the time, attacks conducted by these groups have a very limited impact on operations but may erroneously be reported as serious incidents and cause reputational damage.
• These activities may originate from genuine “grassroots” hacktivists, groups encouraged or supported by one of the belligerents, or from the belligerents themselves – and telling which is which may well prove impossible.

Hack and leak

On the more sophisticated end of attacks attempting to hijack media attention, hack-and-leak operations have been on the rise since the beginning of the conflict. The concept is simple: breaching into an organization and publishing its internal data online, often via a dedicated website. This is significantly more difficult than a simple defacing operation, since not all machines contain internal data worth releasing. Hack-and-leak operations, therefore, require more precise targeting, and will, in most cases, also demand more skill from attackers, as the information they are looking for is, more often than not, buried deep within in the victim’s network.

An example of such a campaign is the “doxing” of Ukrainian soldiers. Western entities were also targeted, such as the Polish government or many prominent pro-Brexit figures in the UK. In the latter cases, internal emails were published, leading to scrutiny by investigative journalists. In theory, these data leaks are subject to manipulation. The attackers have all the time they need to edit any released document or could just as well inject entirely forged ones.

It is important to note that it is absolutely unnecessary for the attacker to go to such lengths for the data leak to be damaging. The public availability of the data is proof itself that a serious security incident took place, and the legitimate, original content may already contain incriminating information.

Key insights

• In our 2023 APT predictions, we foresee that hack-and-leak operations will be on the rise next year, as they are very efficient against entities that already have high media exposure and corruption levels (i.e. politicians).
• Information warfare is not internal to a conflict, but instead directed at all onlookers. We expect that the vast majority of such attacks will not be directed at the belligerents, but rather at entities who are perceived as being too supportive (or not supportive enough) of either side.
• Whether it is hack-and-leak operations or DDoS, cyberattacks emerge as a non-kinetic means of diplomatic signaling between states.

Poisoned open-source repositories, weaponizing open-source software

Open-source software has many benefits. Firstly, it is often free to use, which means that businesses and individuals can save money on software costs. However, since anyone can contribute to the code and make improvements, this can also be abused and in turn, open security trapdoors. On the other hand, since the code can be publicly examined for any potential security vulnerabilities, it also means that given enough scrutiny, the risks of using open-source software can be mitigated to decent levels.

Back in March, RIAEvangelist, the developer behind the popular npm package “node-ipc”, published modified versions of the software that contained a special functionality if the running systems had a Russian or Belarusian IP address. On such systems, the code would overwrite all files with a heart emoji, additionally deploying the message, WITH-LOVE-FROM-AMERICA.txt, originating in another module created by the same developer. The node-ipc package is quite popular with over 800,000 users worldwide. As is often the case with open-source software, the effect of deploying these modified “node-ipc” versions was not restricted to direct users; other open-source packages, for instance “Vue.js”, which automatically include the latest node-ipc version, amplified the effect.

Packages aimed to be spread in the Russian market did not always lead to destruction of files, some of them contained hidden functionality such as adding a Ukrainian flag to a section of the website of software or political statements in support of the country. In certain cases the functionality of the package is removed and replaced with political notifications. It is worth noting that not all packages had this functionality hidden with some authors announcing the functionality in the package description.

One of the projects encourages to spread a file that once opened will start hitting various pages of the enlisted servers via JavaScript to overload the websites

Other repositories and software modules found on GitHub included those specifically created to DDoS Russian governmental, banking and media sites, network scanners specifically for gathering data about Russian infrastructure and activity and bots aimed at mass reporting of Telegram channels.

Key insights

• As the conflict drags on, popular open-source packages can be used as a protest or attack platform by developers or hackers alike
• The impact from such attacks can extend further that the open-source software itself, propagating to other packages that automatically rely on the trojanized code

Fragmentation

During the past years, most notably after 2014, this process began to expand to the IT Security world, with nation states passing laws banning each other’s products, services, and companies.

Following the start of the conflict in Ukraine in February 2022, we have seen a lot of western companies exiting the Russian market and leaving their users in a difficult position when it comes to receiving security updates or support. At the same time, some western nations have pushed laws banning the use of Russian software and services due to a potential risk of these being used to launch attacks.

Obviously, one cannot totally rule out the possibility of political pressure being applied to weaponize products, technologies, and services of some minor market players. When it comes to global market leaders and respected vendors, however, we believe this to be extremely unlikely.

On the other hand, searching for alternative solutions can be extremely complicated. Products from local vendors, whose secure development culture, as we have often found, is usually significantly inferior to that of global leaders, are likely to have “silly” security errors and zero-day vulnerabilities, rendering them easy prey for both cybercriminals and hacktivists.

Should the conflict continue to exacerbate, organizations based in countries where the political situation does not require addressing the above issues, should still consider the future risk factors that may affect everyone:

• The quality of threat detection decreases as IS developers lose some markets, resulting in the expected loss of some of their qualified IS experts. This is a real risk factor for all security vendors experiencing political pressure.
• The communication breakdowns between IS developers and researchers located on opposite sides of the new “iron curtain” or even on the same side (due to increased competition on local markets) will undoubtedly decrease the detection rates of security solutions that are currently being developed.
• Decreasing CTI quality: unfounded politically motivated cyberthreat attribution, exaggerated threats, lower statement validity criteria due to political pressure and in an attempt to utilize the government’s political narrative to earn additional profits.

Government attempts to consolidate information about incidents, threats, and vulnerabilities and to limit access to this information detract from overall awareness, since information may sometimes be kept under wraps without good reason.

Key insights

• Geopolitics are playing an important role and the process of fragmentation is likely going to expand
• Security updates are probably the top issue when vendors end support for products or leave the market
• Replacing established, global leaders with local products might open the doors to cybercriminals exploiting zero-day vulnerabilities

Did a cyberwar happen?

Ever since the beginning of the conflict, the cybersecurity community has debated whether or not what was going on in Ukraine qualifies as “cyberwar”. One indisputable fact, as documented throughout this report, is that significant cyberactivity did take place in conjunction with the start of the conflict in Ukraine. This may be the only criteria we need.

On the other hand, many observers had envisioned that in the case of a conflict, devastating preemptive cyberattacks would cripple the “special operation” party. With the notable exception of the Viasat incident, whose actual impact remains hard to evaluate, this simply did not take place. The conflict instead revealed an absence of coordination between cyber- and kinetic forces, and in many ways downgraded cyberoffense to a subordinate role. Ransomware attacks observed in the first weeks of the conflict qualify as distractions at best. Later, when the conflict escalated this November and the Ukrainian infrastructure (energy networks in particular) got explicitly targeted, it is very telling that the Russian military’s tool of choice for the job was missiles, not wipers^[2].

If you subscribe to the definition of cyberwar as any kinetic conflict supported through cyber-means, regardless of their tactical or strategic value, then a cyberwar did happen in February 2022. Otherwise, you may be more satisfied with Ciaran Martin‘s qualification of “cyberharassment”^[3].

Key insights

• There is a fundamental impracticality to cyberattacks; an impracticality that can only be justified when stealth matters. When it does not, physical destruction of computers appears to be easier, cheaper, and more reliable.
• Unless very significant cyberattacks have failed to reach public awareness, at the time of writing this, the relevance of cyberattacks in the context of open war has been vastly overestimated by our community.

Conclusion

The conflict in Ukraine will have a lasting effect on the cybersecurity industry and landscape as a whole. Whether the term “cyberwar” applies or not, there is no denying that the conflict will forever change everyone’s expectations about cyberactivity conducted in wartime, when a major power is involved. Unfortunately, there is a chance that established practice will become the de facto norm.

Before the war broke out, several ongoing multiparty processes (UN’s OEWG and GGE) attempted to establish a consensus on acceptable and responsible behavior in cyberspace. Given the extreme geopolitical tensions we are currently experiencing, it is doubtful that these already difficult discussions will bear fruit in the near future.

A promising initiative in the meantime is the ICRC’s “digital emblem” project: a proposed solution to clearly identify machines used for medical or humanitarian purposes, in the hopes that attackers will refrain from damaging them. Just like the real-life red cross and red crescent emblems cannot stop bullets, digital emblems will not prevent cyberattacks on a technical level – but they will at least make it obvious to everyone that medical infrastructure is not a legitimate target.

As it seems more and more likely that the conflict will drag on for years, and with the death toll already being high… we hope that everyone can at least agree on that.

^[1] The point of this section is not to evaluate the accuracy of those numbers, which are self-reported in many cases, but to study how these cyberattacks are used to shape narratives.

^[3] We recognize that information about ongoing cyberattacks and their impact isn’t exactly forthcoming. This assessment may be revised at a later date, when more data becomes available.

UMAS (Unified Messaging Application Services) is a proprietary Schneider Electric (SE) protocol used to configure and monitor Schneider Electric PLCs. Schneider Electric controllers that use UMAS include Modicon M580 CPU (part numbers BMEP* and BMEH*) and Modicon M340 CPU (part numbers BMXP34*). Controllers are configured and programmed using engineering software – EcoStruxure™ Control Expert (Unity Pro), EcoStruxure™ Process Expert, etc.

In 2020, CVE-2020-28212, a vulnerability affecting this software, was reported, which could be exploited by a remote unauthorized attacker to gain control of a PLC with the privileges of an operator already authenticated on the controller. To address the vulnerability, Schneider Electric developed a new mechanism, Application Password, which should provide protection against unauthorized access to PLCs and unwanted modifications.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism also has flaws. The CVE-2021-22779 vulnerability, identified in the course of the research, could allow a remote attacker to make changes to the PLC, bypassing authentication.

It was established that the UMAS protocol, in its implementation prior to the version in which the CVE-2021-22779 vulnerability was fixed, had significant shortcomings that had a critical effect on the security of control systems based on SE controllers.

As of the middle of August 2022, Schneider Electric has released an update for the EcoStruxure™ Control Expert software, as well as for Modicon M340 which fixes the vulnerability. In March 2023, the vendor released an update for the Modicon M580 PLC.

This report describes:

• the implementation of the UMAS protocol that does not use the Application Password security mechanism;
• authentication bypass if Application Password is not enabled;
• the principles on which the Application Password security mechanism is based;
• mechanisms that can be used to exploit the CVE-2021-22779 vulnerability (authentication bypass where Application Password is configured);
• operating principles of the updated device reservation mechanism.

A detailed report on the research, Schneider Electric measures designed to fix the authentication bypass vulnerability, and Kaspersky ICS CERT recommendations can be found in the full version of the article published on the Kaspersky ICS CERT website.

Object of research

UMAS (Unified Messaging Application Services) is Schneider Electric’s proprietary protocol used to configure, monitor, collect data and control Schneider Electric industrial controllers.

UMAS is based on a client-server architecture. During the research process, we used the EcoStruxure™ Control Expert PLC configuration software as the client part and a Modicon M340 CPU controller as the server part.

UMAS protocol

Network packet structure

UMAS is based on the Modbus/TCP protocol.

Structure of the UMAS protocol

Specifications of the Modbus/TCP protocol include reserved Function Code values that developers can use according to their needs. A complete list of reserved values can be found in the official documentation.

Schneider Electric uses Function Code 90 (0x5A) to define that the value in the Data field is UMAS compliant.

The network packet structure is shown below, using a request to read a memory block (pu_ReadMemoryBlock) on the PLC as an example:

• Red: Function Code 90 (0x5A)
• Blue: Session Key 0 (0x00)
• Green: UMAS Function 20 (0x20)
• Orange: Data

Network packet structure

Each function includes a certain set of information in the Data field, such as offset from the base memory address, size of the data sent, memory block number, etc. For more details on the functions and session key, see the full version of the article.

Network communication

UMAS also inherits the Modbus client-server architecture. A structural diagram of the communication between the client and the server is provided below.

Communication between the client (EcoStruxure™ Control Expert) and server (PLC)

In a UMAS network packet, Function Code 0x5A is immediately followed by the Session Key.

UMAS network packet structure

Let’s examine the communication between a client and a server (a PLC, also referred to as “device” below) by analyzing a real-world traffic fragment. The screenshot below shows a packet containing the function umas_QueryGetComInfo(0x01) sent from the client (EcoStruxure™ Control Expert) to the server (the PLC).

Structure of the function:
TCP DATA – Modbus Header – 0x5A – session – 01(UMAS function code) – 00(data).

Network packet containing the function umas_QueryGetComInfo(0x01)

The device should send a response to each request received. The screenshot below shows the device’s response to the client’s request:

Server response

The status code is the status of the device’s execution of the function sent to it by the client in the previous request. The value “fe” corresponds to successful execution of the function; “fd” indicates an error. The status code is present in each response sent by the device to thecontaining a function. It is always located immediately after the session key.

Reservation procedure

A “reservation” procedure is required to make changes to a PLC. The procedure acts as authentication. Only one client (e.g., an engineering workstation) can reserve a device at any specific time for configuration or status monitoring. This is required to prevent changes from being made to a device in parallel without coordination.

The screenshot below shows a request from the engineering software to the PLC to perform the device reservation procedure in its basic variant that does not use the Application Password security mechanism.

Device reservation

The umas_QueryTakePLCReservation(0x10) function is used to reserve a device. The request containing this function includes the name of the client reserving the device and a value equal to the length of that name.

CVE-2020-28212: authentication bypass without Application Password

The main issue with the basic reservation mechanism that does not use Application Password is that an attacker can use the session key to send requests and change the device’s configuration.

In firmware versions prior to 2.7 for Modicon M340 devices, the session key has the same value each time the device is reserved, and is equal to “0x01”. This means that attackers can make changes on the device by calling the relevant functions after the device has been reserved by a legitimate user.

The attack workflow is shown in the diagram below:

Remote threat actor attack workflow. Modicon M340 firmware prior to version 2.7, device reserved by an engineer

If the device has not been reserved at the time of an attack, the attacker can use the umas_QueryTakePLCReservation(0x10) function to reserve the device in order to make changes to it.

With Modicon M340 firmware version 2.7 or later, the session key takes a random value after device reservation. However, the session key is one byte in length, which means there are only 256 possible session ID values. This enables a remote unauthorized attacker to brute-force an existing ID of a session between a legitimate user and the PLC.

To carry out this type of attack, a remote attacker needs to send a series of network requests on port 502/TCP of the PLC with different session ID values and look at responses returned by the PLC. If the correct session ID was sent, the attacker will get the status code 0xfe, which means the request was fulfilled successfully. Otherwise, the attacker will get the status code 0xfd.

The operations described above can be implemented using any programming language – an attacker does not have to use EcoStruxure™ Control Expert or any other dedicated software to communicate with the device.

Application Password

To mitigate the CVE-2020-28212 vulnerability, exploitation of which could allow a remote unauthorized attacker to gain control of the PLC with the privileges of an operator already authenticated on the PLC, Schneider Electric developed a new security mechanism that used cryptographic algorithms to compute the session ID and increased the session ID length. Schneider Electric believed implementing this security mechanism would prevent brute-force attacks that could be used to crack single-byte session IDs.

The new mechanism was introduced starting with firmware version 3.01 for Modicon M340 devices. To implement authentication between the client and the device, Application Password needs to be enabled in project settings (“Project & Controller Protection”). The mechanism is designed to provide protection against unauthorized access, unwanted changes, as well as unauthorized downloading or uploading of PLC strategies.

After activating the mechanism using EcoStruxure™ Control Expert, the client needs to enter the password when connecting to a device as part of the reservation procedure. Application Password also makes changes to the reservation mechanism itself.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism was, unfortunately, also flawed. Its main shortcoming is that during the authentication process, all computations are performed on the client side, i.e., on the side of EcoStruxure™ Control Expert engineering software. The vulnerability identified during research, CVE-2021-22779, could allow a remote attacker to bypass authentication and use functions that require reservation to make changes to the PLC.

For more details on the implementation of Application Password and on the security flaws identified by Kaspersky ICS CERT researchers, read the full version of the article published on the Kaspersky ICS CERT website. For more information, you can also contact us at ics-cert@kaspersky.com.

H1 2022 in numbers

Geography

• In H1 2022, malicious objects were blocked at least once on 31.8% of ICS computers globally.

  

  Percentage of ICS computers on which malicious objects were blocked

• For the first time in five years of observations, the lowest percentage in the ‎first half of the year was observed in March.‎ During the period from January to March, the percentage of attacked ICS computers decreased by 1.7 p.p.

  

  Percentage of ICS computers on which malicious objects were blocked, January – June 2020, 2021, and 2022

• Among regions, the highest percentage of ICS computers on which malicious objects were blocked was observed in Africa (41.5%). The lowest percentage (12.8%) was recorded in Northern Europe.

  

  Percentage of ICS computers on which malicious objects were blocked, in global regions

• Among countries, the highest percentage of ICS computers on which malicious objects were blocked was recorded in Ethiopia (54.8%) and the lowest (6.8%) in Luxembourg.

  

  15 countries and territories with the highest percentage of ICS computers on which malicious objects were blocked, H1 2022

  

  10 countries and territories with the lowest percentage of ICS computers on which malicious objects were blocked, H1 2022

Threat sources

• The main sources of threats to computers in the operational technology infrastructure of organizations are internet (16.5%), removable media (3.5%), and email (7.0%).

  

  Percentage of ICS computers on which malicious objects from different sources were blocked

Regions

• Among global regions, Africa ranked highest based on the percentage of ICS computers on which malware was blocked when removable media was connected.

  

  Regions ranked by percentage of ICS computers on which malware was blocked when removable media was connected, H1 2022

• Southern Europe leads the ranking of regions by percentage of ICS computers on which malicious email attachments and phishing links were blocked.

  

  Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H1 2022

Industry specifics

• In the Building Automation industry, the percentage of ICS computers on which malicious email attachments and phishing links were blocked (14.4%) was twice the average value for the entire world (7%).

  

  Percentage of ICS computers on which malicious email attachments and phishing links were blocked, in selected industries

• In the Oil and Gas industry, the percentage of ICS computers on which threats were blocked when removable media was connected (10.4%) was 3 times the average percentage for the entire world (3.5%).

  

  Percentage of ICS computers on which threats were blocked when removable media was connected

• In the Oil and Gas industry, the percentage of ICS computers on which malware was blocked in network folders (1.2%) was twice the world average (0.6%).

  

  Percentage of ICS computers on which threats were blocked in network folders

Diversity of malware

• Malware of different types from 7,219 families was blocked on ICS computers in H1 2022.

  

  Percentage of ICS computers on which the activity of malicious objects from different categories was prevented

Ransomware

• In H1 2022, ransomware was blocked on 0.65% of ICS computers. This is the highest percentage for any six-month reporting period since 2020.

  

  Percentage of ICS computers on which ransomware was blocked

• The highest percentage of ICS computers on which ransomware was blocked was recorded in February (0.27%) and the lowest in March (0.11%). The percentage observed in February was the highest in 2.5 years of observations.

  

  Percentage of ICS computers on which ransomware was blocked, January – June 2022

• East Asia (0.95%) and the Middle East (0.89%) lead the ransomware-based ranking of regions. In the Middle East, the percentage of ICS computers on which ransomware was blocked per six-month reporting period has increased by a factor of 2.5 since 2020.

  

  Regions ranked by percentage of ICS computers on which ransomware was blocked, H1 2022

• Building Automation leads the ranking of industries based on the percentage of ICS computers attacked by ransomware (1%).

  

  Percentage of ICS computers on which ransomware was blocked, in selected regions, H1 2022

Malicious documents

• Malicious documents (MSOffice+PDF) were blocked on 5.5% of ICS computers. This is 2.2 times the percentage recorded in H2 2021. Threat actors distribute malicious documents via phishing emails and actively use such emails as the vector of initial computer infections.

  

  Percentage of ICS computers on which malicious documents (MSOffice+PDF) were blocked

• In the Building Automation industry, the percentage of ICS computers on which malicious office documents were blocked (10.5%) is almost twice the global average.

  

  Percentage of ICS computers on which malicious office documents (MSOffice+PDF) were blocked, in selected industries

Spyware

• Spyware was blocked on 6% of ICS computers. This percentage has been growing since 2020.

  

  Percentage of ICS computers on which spyware was blocked

• Building Automation leads the ranking of industries based on the percentage of ICS computers on which spyware was blocked (12.9%).

  

  Percentage of ICS computers on which spyware was blocked, in selected industries

Malware for covert cryptocurrency mining

• The percentage of ICS computers on which malicious cryptocurrency miners were blocked continued to rise gradually.

  

  Percentage of ICS computers on which malicious cryptocurrency miners were blocked

• Building Automation also leads the ranking of selected industries by percentage of ICS computers on which malicious cryptocurrency miners were blocked.

  

  

  Percentage of ICS computers on which malicious cryptocurrency miners were blocked, in selected industries

The full text of the report has been published on the Kaspersky ICS CERT website.

In January 2022, Kaspersky ICS CERT experts detected a wave of targeted attacks on military industrial complex enterprises and public institutions in several countries. In the course of our research, we were able to identify over a dozen of attacked organizations. The attack targeted industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan.

The attackers were able to penetrate dozens of enterprises and even hijack the IT infrastructure of some, taking control of systems used to manage security solutions.

An analysis of information obtained while investigating the incidents indicates that cyberespionage was the goal of this series of attacks.

Initial infection

The attackers penetrated the enterprise network using carefully crafted phishing emails, some of which use information that is specific to the organization under attack and is not publicly available. This could indicate that the attackers did preparatory work in advance (they may have obtained the information in earlier attacks on the same organization or its employees, or on other organizations or individuals associated with the victim organization).

Microsoft Word documents attached to the phishing emails contained malicious code that exploits the CVE-2017-11882 vulnerability. The vulnerability enables an attacker to execute arbitrary code (in the attacks analyzed, the main module of the PortDoor malware) without any additional user activity.

An earlier series of attacks in which the PortDoor malware was also used was described by Cybereason experts. A new version of PortDoor was identified in the course of our research.

Initial infection of a system

After being launched, PortDoor collects general information on the infected system and sends it to the malware command-and-control (CnC) server. In cases where an infected system is of interest to the attackers, they use the PortDoor functionality to control the system remotely and install additional malware.

Additional malware

The attackers used five different backdoors at the same time – probably to set up redundant communication channels with infected systems in case one of the malicious programs was detected and removed by a security solution. The backdoors used provide extensive functionality for controlling infected systems and collecting confidential data.

Of the six backdoors identified on infected systems, five (PortDoor, nccTrojan, Logtu, Cotx, and DNSep) have been used earlier in attacks attributed by other researchers to APT TA428. The sixth backdoor is new and has not been observed in other attacks.

Lateral movement

After gaining a foothold on the initial system, the attackers attempt to spread the malware to other computers on the enterprise network. To gain access to those computers, the attackers use network scanning results, as well as user credentials stolen earlier.

The Ladon hacking utility (which is popular in China) is used as the main lateral movement tool. It combines network scanning, vulnerability search and exploitation, password attack, and other functionality. The attackers also extensively use standard utilities that are part of the Microsoft Windows operating system.

The attack’s final stage involves hijacking the domain controller and gaining full control of all of the organization’s workstations and servers.

The attackers used DLL hijacking and process hollowing techniques extensively in the attack to prevent security software from detecting the malware.

Data theft

After gaining domain administrator privileges, the attackers searched for and exfiltrated documents and other files that contained the attacked organization’s sensitive data to their servers hosted in different countries. These servers were also used as stage one CnC servers.

The attackers compressed stolen files into encrypted and password-protected ZIP archives. After receiving the data collected, the stage one CnC servers forwarded the archives received to a stage two server located in China.

Transfer of stolen data from infected systems

Who is behind the attack?

Significant overlaps in tactics, techniques, and procedures (TTPs) have been observed with APT TA428 activity.

The research identified malware and CnC servers previously used in attacks attributed by other researchers to TA428 APT group.

Some indirect evidence also supports our conclusion.

We believe that the series of attacks that we have identified is highly likely to be an extension of a known campaign that has been described in Cybereason, DrWeb, and NTTSecurity research and has been attributed with a high degree of confidence to APT TA428 activity.

Conclusion

The findings of our research show that spear phishing remains one of the most relevant threats to industrial enterprises and public institutions. In the course of the attack, the attackers used mostly known backdoor malware, as well as standard lateral movement techniques and methods designed to evade detection by security solutions.

The attack series that we have identified is not the first in the campaign. Given that the attackers have had some success, we believe it is highly likely that similar attacks will occur again in the future. Industrial enterprises and public institutions should do a great deal of work to successfully thwart such attacks.

Technical details of the attacks, as well as recommendations and indicators of compromise, can be found in the full public version of the article on the Kaspersky ICS CERT website.

A private version of the article has been published on Kaspersky Threat Intelligence.

We are not wrapping up our investigation as yet and will release information on new findings as they appear. For more information, you can contact ics-cert@kaspersky.com.

2021 is the second year we have spent living and working in the pandemic. By 2021 everyone got used to pandemic limitations – industrial organization employees and IT security professionals and threat actors. If we compare the numbers from 2020 and 2021, we see that 2021 looks more stable, particularly in H2.

H2 2021 Report at a glance

The full report is available on the Kaspersky ICS CERT website.

Percentage of ICS computers on which malicious objects were blocked

The percentage of ICS computers on which malicious objects were blocked in 2021 increased by 1 percentage point from 2020 – from 38.6% to 39.6%.

In H2 2021 this percentage decreased by 1.4 p.p. for the first time in 1.5 years.

>Percentage of ICS computers on which malicious objects were blocked (download)

As we can see from the graph depicting the monthly dynamics of the percentage of attacked ICS computers, the numbers in H2 2021 were more stable than in H1 – the numbers were lower and there were no sharp fluctuations.

Percentage of ICS computers on which malicious objects were blocked, January – December 2018 – 2021 (download)

It is also worth noting that in 2021 the vectors of monthly fluctuations (increases and decreases) are the same as those in 2019 and, particularly, in 2018 more often than in 2020. Specifically, we can see decreases in July and August that we believe are due to the traditional vacation periods. However, compared to 2018 and 2019, the summer decrease in the percentage of ICS computers on which malicious objects were blocked was less pronounced in 2021.

Selected industries

Percentage of ICS computers on which malicious objects were blocked in selected industries (download)

Malicious objects

In H2 2021 Kaspersky security solutions blocked over 20,000 malware variants from 5,230 families on ICS computers.

Number of malware families blocked on ICS computers (download)

Number of malware variants blocked on ICS computers (download)

The results of our analysis revealed the following estimated percentages of ICS computers on which the activity of malicious objects from different categories had been prevented:

Percentage of ICS computers on which malicious objects from various categories were blocked (download)

Since H1 2020, we have seen increases in the percentages of ICS computers on which the following types of objects were blocked:

Spyware – by a factor of 1.4 — from 5.6% to 8.1%.

Percentage of ICS computers on which spyware was blocked (download)

Malicious scripts and phishing pages – by a factor of 1.4 – from 6.5% to 9.3%.

Percentage of ICS computers on which malicious scripts and phishing pages (JS and HTML) were blocked (download)

Cryptocurrency miners (Windows executable files) – more than doubled – from 0.9% to 2.1%.

Percentage of ICS computers on which cryptocurrency miners were blocked (download)

Ransomware

In H2 2021 ransomware was blocked on 0.50% of ICS computers.

Percentage of ICS computers on which ransomware was blocked (download)

The percentage of ICS computers attacked by ransomware increased in half of the world’s regions. The most significant increases were recorded in Southeast Asia, East Asia and Africa, which are thus the leaders in this ranking.

Regions ranked by percentage of ICS computers on which ransomware was blocked, H2 2021 (download)

Main threat sources

The internet, removable devices and email continue to be the main sources of threats for computers in the OT infrastructures of companies and organizations.

Percentage of ICS computers on which malicious objects from various sources were blocked (download)

Shared network folders are one of the minor threat sources. Only on 0.57% of attacked ICS computers malicious objects were blocked in network shares in H2 2021. However, this percentage is slowly growing and is over 1% in a few countries and territories.

Percentage of ICS computers on which malicious objects were blocked in shared network folders (download)

Countries and territories with the largest percentage of ICS computers on which malicious objects were blocked in shared network folders in H2 2021 (download)

2021 in numbers

For more information, visit the Kaspersky ICS CERT website

In June 2021, Kaspersky ICS CERT experts identified malware whose loader has some similarities to the Manuscrypt malware, which is part of the Lazarus APT group’s arsenal. In 2020, the group used Manuscrypt in attacks on defense enterprises in different countries. These attacks are described in the report “Lazarus targets defense industry with ThreatNeedle“.

Curiously, the data exfiltration channel of the malware uses an implementation of the KCP protocol that has previously been seen in the wild only as part of the APT41 group’s toolset. We dubbed the newly-identified malware PseudoManuscrypt.

The PseudoManuscrypt loader makes its way onto user systems via a MaaS platform that distributes malware in pirated software installer archives. One specific case of the PseudoManuscrypt downloader’s distribution is its installation via the Glupteba botnet (whose main installer is also distributed via the pirated software installer distribution platform). This means that the malware distribution tactics used by the threat actor behind PseudoManuscrypt demonstrate no particular targeting.

During the period from January 20 to November 10, 2021, Kaspersky products blocked PseudoManuscrypt on more than 35,000 computers in 195 countries of the world. Such a large number of attacked systems is not characteristic of the Lazarus group or APT attacks as a whole.

Targets of PseudoManuscrypt attacks include a significant number of industrial and government organizations, including enterprises in the military-industrial complex and research laboratories.

According to our telemetry, at least 7.2% of all computers attacked by the PseudoManuscrypt malware are part of industrial control systems (ICS) used by organizations in various industries, including Engineering, Building Automation, Energy, Manufacturing, Construction, Utilities, and Water Management.

The main PseudoManuscrypt module has extensive and varied spying functionality. It includes stealing VPN connection data, logging keypresses, capturing screenshots and videos of the screen, recording sound with the microphone, stealing clipboard data and operating system event log data (which also makes stealing RDP authentication data possible), and much more. Essentially, the functionality of PseudoManuscrypt provides the attackers with virtually full control of the infected system.

More information on PseudoManuscrypt is available on the Kaspersky ICS CERT website.

The H1 2021 ICS threat report at a glance

Percentage of ICS computers attacked

1. During the first half of 2021 (H1 2021), the percentage of attacked ICS computers was 8%, which was 0.4 percentage points (p.p.) higher than that for H2 2020.

   Percentage of ICS computers on which malicious objects were blocked (download)

   Numbers per country varied from 58.4% in Algeria to 6.8% in Israel.

   Top 15 countries and territories with the largest percentages of ICS computers on which malicious objects were blocked in H1 2021 (download)

   Top 10 countries and territories with the lowest percentages of ICS computers on which malicious objects were blocked in H1 2021 (download)

   When we look at regional numbers, Africa led with 46.1%, followed by Southeast Asia at 44.1%, East Asia at 43.1% and Central Asia at 42.1%.

   Percentage of ICS computers on which malicious objects were blocked, by region (download)

2. The largest increases in the percentage of attacked ICS computers during H1 2021 were as follows:
   • Over 10 p.p. in Belarus (50.4%) and Ukraine (33.1%);
   • 7.4 p.p. in the Czech Republic (20.2%) and Slovakia (24.3%);
   • 6.5 p.p. in Hong Kong (20.8%);
   • 6 p.p. in Australia (23%) and Cameroon (45.2%).

   The internet was the main source of threats causing these increases.

3. The percentage of ICS computers on which threats were blocked decreased in all monitored industries. This was especially noticeable in the oil and gas (36.5%) and building automation (40.3%) sectors (-7.5 p.p. and -6.3 p.p., respectively).

Percentage of ICS computers on which malicious objects were blocked in selected industries (download)

Major threat sources

The internet, removable media and email continue to be the main sources of threats to computers in ICS environments.

Percentage of ICS computers on which malicious objects from various sources were blocked (download)

1. Threats from the internet were blocked on 18.2% of ICS computers
2. (+1.5 p.p.).

   In H1 2021, the largest increases in this indicator were observed in Belarus (+12.2 p.p.), Ukraine (+8 p.p.) and Russia (+6.7 p.p.)

   Russia led the regional rankings with 27.6%.

   Percentage of ICS computers on which malicious objects from the internet were blocked, by region (download)

   Belarus leads in the country rankings with 32.8%.

   Top 15 countries and territories with the highest percentages of ICS computers on which internet threats were blocked in H1 2021 (download)

3. Threats arriving via removable media were blocked on 5.2% of ICS computers (-0.2 p.p.), which continued a downward trend that began in H2 2019.
   Africa leads noticeably in the regional rankings with 15.6%. In H1 2021, the percentage of ICS computers on which threats were blocked when removable media were connected decreased in Asian regions.

   Regions ranked by percentage of ICS comuters on which malware was blocked when removable media was connected in H1 2021 (download)

   Algeria leads among individual countries with 24%.

   Fifteen countries and territories with the largest percentage of ICS computers on which malware was blocked when removable media was connected in H1 2021 (download)

5. Malicious email attachments were blocked on 3.4% of ICS computers (-0.6 p.p.).
   Southern Europe ranked the highest with 6.4%. The only region where the percentage increased was Australia and New Zealand (+1.3 p.p.).

   Regions ranked by percentage of ICS computers on which malicious email attachments were blocked in H1 2021 (download)

   Bangladesh led among individual countries with 8.8%.

   Top 15 countries with the highest percentages of ICS computers on which malicious email attachments were blocked in H1 2021 (download)

   The variety of malware detected

   In H1 2021, Kaspersky security solutions blocked more than 20.1 thousand malware variants from 5,150 families in ICS environments.

6. Denylisted internet resources were the main threat source and were blocked on 14% of ICS computers.
   Threat actors use malicious scripts on various media resources and sites hosting pirated content. These scripts redirect users to websites that spread spyware and/or cryptocurrency miners. The percentage of computers where this type of threats was blocked has grown since 2020.
7. Malicious scripts and redirects (JS and HTML) were blocked on 8.8% of ICS computers (+0.7 p.p.).
   Australia and New Zealand (+3.8 p.p.), as well as Russia (+4.4 p.p.) saw a noticeable growth in the percentage of computers where malicious scripts used for downloading spyware were blocked.
8. Spyware (backdoors, trojan spies and keyloggers) were blocked on 7.4% of ICS computers (+0.4 p.p.).
   This figure was highest in East Asia (14.3%), Africa (13.4%) and Southeast Asia (11.2%).
9. Ransomware was blocked on 0.40% of ICS computers (-0.1 p.p.)
   This figure was highest in East Asia with 0.82%.

   In the Middle East, we saw an increase in the percentage of computers on which worms (+0.4 p.p.) and ransomware (+0.3 p.p.) were blocked.

   Percentage of ICS computers on which malicious objects from various categories were blocked (download)

The full report is available on the Kaspersky ICS CERT website.
]]> https://securelist.com/threat-landscape-for-industrial-automation-systems-in-h1-2021/104017/feed/ 1 full large medium thumbnail https://securelist.com/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2020/101299/ https://securelist.com/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2020/101299/#comments Thu, 25 Mar 2021 10:00:27 +0000 https://kasperskycontenthub.com/securelist/?p=101299

Figures

Indicator	H1 2020	H2 2020	2020
Global percentage of attacked ICS computers	32.6%	33.42%	38.55%
Percentage of attacked ICS computers by region
Northern Europe	10.1%	11.5%	12.3%
Western Europe	15.1%	14.8%	17.6%
Australia	16.3%	17.0%	18.9%
United States and Canada	17.2%	16.5%	19.6%
Eastern Europe	26.4%	28.0%	30.5%
Southern Europe	27.6%	29.6%	33.1%
Latin America	33.6%	34.3%	38.8%
Russia	32.2%	34.6%	39.5%
Middle East	34.0%	34.6%	40.2%
South Asia	38.8%	41.3%	47.0%
East Asia	42.9%	41.8%	46.3%
Central Asia	43.7%	43.9%	48.8%
Africa	45.6%	46.4%	51.2%
Southeast Asia	49.8%	47.5%	53.9%
Main threat sources globally
Internet	16.7%	16.7%	20.5%
Removable media	5.8%	5.4%	7.0%
Email clients	3.4%	4.1%	4.4%

Traits

1. There is no longer a downward trend in the percentage of ICS computers on which malicious objects were blocked.
   Starting with the second half (H2) of 2019, we observed a decline in the percentages of ICS computers on which malicious objects were blocked. This was observed in industrial control systems (ICS) as well as in corporate and personal computing environments. This downward trend was not observed in the second half of 2020.
   • Globally, the percentage of attacked ICS computers in the second half of the year was 33.4%, which was 0.85 percentage points (p.p.) higher than the first half (H1) of the year.

     Percentage of ICS computers on which malicious objects were blocked, by half-year, 2017 – 2020 (download)

   • The percentage of attacked ICS computers increased in 62% of countries.
     In H2 2020, the percentage of ICS computers on which malicious objects were blocked increased in relation to H1 in 62% of countries. In comparison, this trend was observed in 7% of countries in 2019, and the same was seen in H1 2020 compared to H2 2019.

     Change in the percentage of attacked computers in countries of the world (p.p.) in H2 compared to H1, 2019 vs 2020 (download 1, 2)

     The maximum growth of this indicator in a country was 8.2 p.p. (in Saudi Arabia), while most countries observed no more than a 4 p.p. increase. Therefore, the global average change over the half-year was insignificant.

2. The seasonal fluctuations typical of past years were not observed this year
   In previous years, the percentage of ICS computers on which malicious objects were blocked was at its maximum in March/April and October, while this indicator sagged between those months.In 2020, this indicator behaved differently. It reached its maximum in February and dropped almost to its minimum in May. In the first two months of summer, it grew to its near-maximum in July. In October, the percentage of attacked ICS computers was one of the lowest.

   Percentage of ICS computers on which malicious objects were blocked, by month, 2018 – 2020 (download)

3. The percentage of ICS computers on which malicious email attachments were blocked increased
   • Globally, in H2 2020, the percentage of ICS computers on which malicious email attachments were blocked increased by 0.7 p.p. compared to H1.

     Percentage of ICS computers on which malicious email attachments were blocked (download)

   • This indicator increased in all regions except East Asia, the US and Canada, Western Europe, and Russia.
   • In 73.4% of all countries in H2 2020, the percentage of ICS computers on which malicious email attachments were blocked increased compared to H1 2020.This is three times larger than the equivalent indicator for 2019 (23.6%).
     

     Change in the percentage of ICS computers (p.p.) on which malicious email attachments were blocked in H2 compared to H1, countries and territories, 2019 vs 2020 (download 1, 2)

4. There was a rise in the percentage of ICS computers on which threats distributed over the internet and email, and spyware and miners were blocked
   • Malicious objects from the internet – web resources involved in the distribution or management of malware (+2.5 p.p.), and malicious scripts and redirects on web resources (JS and HTML) (+1.6 p.p.).
   • Typical threats distributed by email (+1.2 p.p.). – malicious MS Office and PDF documents (+1.2 p.p.).
   • Spyware (+1.4 p.p.) – Trojans, backdoors, and keyloggers.
   • Miners (+0.7 p.p.) – executable files for Windows.

   For all these threats, the indicators of H2 2020 exceeded the equivalent results of not only H1 2020 but also H2 2019.

   Percentage of ICS computers on which various types of malicious objects were blocked, H2 2019 – H2 2020 (download)

5. In developed countries, the percentage of ICS computers attacked by ransomware increased
   Globally, the percentage of ICS computers on which ransomware was blocked decreased from 0.63% in H1 to 0.49% in H2.At the same time, this indicator increased in regions with developed countries:
   • +0.25 p.p. in the US and Canada
   • +0.23 p.p. in Australia
   • +0.13 p.p. in Western Europe

   Change in the percentage of ICS computers (p.p.) on which ransomware was blocked in H2 2020 compared to H1 (download)

Impact of the COVID-19 pandemic

In our H1 2020 report, we wrote about the impact of the COVID-19 pandemic on the changes that we observed in the attack surface and threat landscape for industrial enterprises and industrial automation systems. In H2 2020, we continued our observations and identified a number of trends that could, in our opinion, be due to circumstances connected with the pandemic in one way or another, as well as the reaction of governments, organizations and people to these circumstances.

Changes in seasonal fluctuations in the percentage of attacked computers

It can be seen in the ‘Percentage of ICS computers on which malicious objects were blocked’ diagram that in the past years the percentage of attacked ICS computers significantly decreased in summer months and in December. It is likely that this decrease was associated with traditional vacation periods: an infected USB drive cannot transfer malware from one computer to another all by itself, nor can an engineering workstation click on a link leading to a phishing website when the engineer is not there.

However, there was a noticeable change in the situation in 2020: we saw no significant seasonal fluctuations in the percentage of attacked computers. It is likely that this was due to changes in employee vacation schedules, since many people decided to go without vacations in the time of lockdown, travel restrictions, and closed borders.

Attacks on RDP remote connection services

Another effect of the pandemic was a noticeable increase in the percentage of ICS computers that could be accessed remotely via the RDP protocol.

Percentage of ICS computers accessible via RDP, by months of 2020 (download)

It can be seen in the diagram above that the percentage grew continuously from January to April – the time when many organizations were dealing with the challenges of organizing work under an impending and actual lockdown. Then, after some fluctuations, the percentage decreased somewhat and stabilized at a slightly higher level than before the pandemic.

We do not have sufficient data to make conclusions as to what proportion of these computers could only be accessed from the industrial network of the enterprise, what part could be accessed from the corporate segment of the network and what percentage was available even outside the organization’s perimeter. However, we can state with confidence that the increase in the availability of ICS computers certainly affected the attack surface. Threat actors clearly took advantage of that – this is obvious from the following diagram, which shows the percentages of ICS computers on which brute force attacks on credentials used to access the RDP service were detected and blocked:

Percentage of ICS computers on which attempts to brute force RDP passwords were detected, by months of 2020 (download)

It is easy to notice a certain synchronism in the changes occurring in these two parameters: the percentage of attacked RDP connections follows the percentage of UCS computers available via RDP almost all through the year (from January to October) with a delay of approximately one month, catching up (i.e., the changes are synchronized) in October and November.

Percentage of ICS computers on which brute force attacks on RDP passwords were detected and percentage of ICS computers available via RDP (download)

We can only guess whether the one-month ‘delay’ in changes occurring in the percentage of attacked computers had to do with the speed with which attacks propagated on the enterprise network or the speed with which threat actors responded to changes in the opportunity landscape (attack surface).

Changes in ransomware priorities

One more potential consequence of the pandemic can be identified by analyzing the dynamics of ransomware attacks on industrial enterprises in different regions, which can be indirectly assessed based on the percentage of ICS computers attacked by ransomware. It can be seen in the ‘Change in the percentage of ICS computers (p.p.) on which ransomware was blocked’ diagram, as well as the diagram below that this percentage decreased in H2 2020 in all regions of the world except North America, Western Europe and Australia, where it did not just fail to decrease but increased several times over!

Percentage of ICS computers on which ransomware was blocked, H2 2019 – H2 2020 (download)

We believe that these curious dynamics could indicate the response of threat actors to the economic consequences of the pandemic. In those countries where the ‘creditworthiness’ of organizations decreased as a result of the pandemic, the number of attacks on industrial enterprises also fell (and so did the percentage of attacked ICS computers). At the same time, in countries where industrial organizations were generally more financially stable and were still able to pay ransom, the activity of attackers increased (and the percentage of attacked ICS computers surged). It can be hypothesized that the changes that we observed were due, among other things, to a shift in some groups’ focus when choosing victims towards organizations in more economically stable countries.

The full report is available on Kaspersky ICS CERT.

]]> https://securelist.com/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2020/101299/feed/ 2 full large medium thumbnail