Kaspersky highlights main issues around industrial APT attacks
According to Kaspersky, the key contributors to the success of the Advanced Persistent Threat (APT) operations inside their victims' networks include human factors, insufficient security measures, challenges with updates and configuration of cybersecurity solutions, and other factors.
While some of these reasons may appear trivial, they are frequently encountered by Kaspersky experts during their incident response activities, the company states.
To assist companies in mitigating related threats and ensuring the implementation of best practices, Kaspersky ICS CERT experts have compiled a list of the most prevalent issues.
Lack of OT network isolation
During incident investigations, Kaspersky experts witnessed cases when there were problems with keeping the Operational Technology (OT) network separate and secure. For example, there are machines such as engineering workstations connected to both the regular IT network and the OT network.
Evgeny Goncharov, Head of Industrial Control Systems Cyber Emergency Response Team at Kaspersky, comments, "In situations where the OT network's isolation solely relies on the configuration of networking equipment, experienced attackers can always reconfigure that equipment to their advantage.
"For instance, they can turn it into proxy servers to control malware traffic or even use it to store and deliver malware to networks that were believed to be isolated. We have witnessed such malicious activities on multiple occasions."
Human factor remains a driver of cyber criminal activities
When granting access to OT networks to employees or contractors, information security measures are often overlooked, Kaspersky finds. Remote administration utilities like TeamViewer or Anydesk, initially set up temporarily, may remain active unnoticed.
However, its crucial to remember that these channels are easily exploited by attackers. In 2023, Kaspersky investigated an incident where a contractor attempted sabotage, by taking advantage of remote access to the ICS network legitimately granted to them several years before.
This story demonstrates the importance of considering the human factor as any potentially dissatisfied employees may be driven by their work assessments, income, or political motivations, leading them to engage in cyber criminal actions, Kaspersky states.
A possible solution in such a situation can be zero trust - the concept assuming that neither the user, device, nor application within the system is trusted, according to the company
Insufficient protection of OT assets
During incident analysis, Kaspersky experts have discovered outdated security solution databases, missing license keys, user-initiated removal of keys, disabled security components, and excessive exclusions from scanning and protection all contributing to the spread of malware.
For example, if your databases are not up-to-date and a security solution cant be updated automatically, it can allow advanced threats to quickly and easily propagate as in APT attacks, where sophisticated threat actors are trying to avoid detection.
Insecure configurations of security solutions
Proper configurations of a security solution are crucial to prevent it from disabling or even abusing it a tactic often seen to be employed by APT groups/actors. They may steal information on the victims network stored in the security solution to get into other parts of the system, or move laterally, using professional infosec language. Kaspersky finds.
In 2022, Kaspersky ICS CERT noticed a new trend in APT tactics, which makes proper configurations even more vital. For instance, when searching for ways to move laterally, the attackers no longer stop at hijacking critical IT systems, like domain controller. They proceed for next target - the administration servers of security solutions. The goals may vary from putting the malware on a list of programs that won't be checked to using tools in the security system to spread it to other systems, even those that are supposed to be completely separate from the infected network.
The absence of cybersecurity protection in OT networks
On some OT networks, cybersecurity solutions are not installed on many endpoints at all, Kaspersky states. Even if the OT network is completely separated from other networks and not connected to the internet, attackers still have ways of gaining access to it. For example, they can create special versions of malware that are distributed via removable drives, such as USBs.
Workstations and servers security updates challenges
According to Kaspersky, industrial control systems have a unique way of functioning, where even simple tasks like installing security updates on workstations and servers need careful testing. This testing often happens during scheduled maintenance, causing updates to be infrequent. This gives threat actors plenty of time to exploit known weaknesses and carry out their attacks.
Goncharov says, "In some cases, updating the server's operating system may require updating specialized software (like the SCADA server), which in turn requires upgrading the equipment that all may be too expensive.
"Consequently, there are outdated systems found on industrial control system networks. Surprisingly, even internet-facing systems in industrial enterprises, which can be relatively easy to update, can remain vulnerable for a long time. This exposes the operational technology (OT) to attacks and serious risks, as real-world attack scenarios have shown."
To protect an organisation from relevant threats, Kaspersky experts recommend:
- If an enterprise has operational technology (OT) or critical infrastructure, make sure it is separated from corporate network or at least that there are no unauthorised connections.
- Conduct regular security audits of OT systems to identify and eliminate possible vulnerabilities.
- Establish continuous vulnerability assessment and vulnerability management process.
- Use ICS network traffic monitoring, analysis and detection solutions for better protection from attacks potentially threatening technological process and main enterprise assets.
- Make sure you protect industrial endpoints as well as corporate ones.
- To get a more realistic understanding of risks associated with vulnerabilities in OT solutions and to make informed decisions on mitigating them, get access to vulnerability intelligence, in the form of human-readable reports or a machine-readable data feed.
- Dedicated ICS security training for IT security teams and OT engineers is crucial to improve response to new and advanced malicious techniques.