All statistics were obtained from Kaspersky Security Network – a complex distributed infrastructure that provides intelligent processing of cybersecurity-related data streams. Data is received from ICS computers protected by Kaspersky Lab solutions, from users who have voluntarily agreed to share this data with KSN by accepting the corresponding agreement. Data sent to Kaspersky Lab by users is not attributed to a specific individual and is anonymized wherever possible.
We define attacked computers as those on which Kaspersky Lab security solutions were triggered during the reporting period. When calculating percentages of machines attacked, we use the ratio of unique computers attacked to all ICS computers from which Kaspersky Lab ICS CERT received anonymized information during the reporting period.
The map shows the percentages of industrial automation systems attacked in each country to the total number of industrial automation systems in that country from which Kaspersky Lab ICS CERT received anonymized information during the reporting period.
Percentage of industrial automation systems attacked in each country to all industrial automation systems in that country from which Kaspersky Lab ICS CERT received anonymized information during the reporting period.
The calculations exclude countries from which we did not receive adequate statistics during the reporting period.
The data was received from ICS computers that are protected by Kaspersky Lab products and perform one or more of the following functions:
The statistics may also include data received from computers of industrial control system researchers, developers and integrators, as well as ICS computers used in test labs, classrooms and demonstration stands.
Kaspersky Lab products regularly block ICS machines from accessing infected and phishing internet resources, as well as Command & Control and hosting servers used by malware. Online infection remains the most common vector of attacks on industrial control systems in both mass and targeted attacks. Watering hole attack tactics and injection of malicious code into the sites of suppliers, partners or contractors can be used to implement targeted attacks (the supply chain attack vector).
According to our data, many ICS computers have access to the internet on a regular basis – for example, during scheduled maintenance and when configuring equipment, installing software updates, etc.
About 40% of ICS computers in our sample have internet access on a permanent basis or at least once a month.
Although, in some cases, internet access from ICS computers may be required by industrial processes, it is often the result of oversight and a negligent approach to security.
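The "internet access on a permanent basis or at least once a month" figure above is a per-host classification over outbound connection telemetry. The following script is an added example, not code from the report or from Kaspersky Lab, showing one way a defender could reproduce that classification from their own logs: each host's outbound connections are grouped by month, a destination is treated as "internet" when it is a globally routable address, and hosts are then labelled as reaching the internet in every observed month, in some months, or never. The log format (date, host, destination IP) and the sample records are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of outbound connection records from ICS hosts
# (not real telemetry): "<date> <host> <destination_ip>".
SAMPLE_LOG = """\
2017-01-05 hmi-01 10.0.12.7
2017-01-09 hmi-01 93.184.216.34
2017-02-14 hmi-01 93.184.216.34
2017-03-02 hmi-01 151.101.1.69
2017-01-11 eng-ws-02 10.0.12.7
2017-03-20 eng-ws-02 151.101.1.69
2017-01-03 scada-srv 192.168.5.20
2017-02-03 scada-srv 192.168.5.20
2017-03-03 scada-srv 10.0.12.7
2017-02-21 plc-gw-04 8.8.8.8
2017-02-22 plc-gw-04 8.8.8.8
"""


def parse_records(text):
    """Return (month, host, destination) tuples; month is 'YYYY-MM'."""
    records = []
    for line in text.strip().splitlines():
        date, host, dst = line.split()
        records.append((date[:7], host, ipaddress.ip_address(dst)))
    return records


def external_months(records):
    """Map every host to the set of months in which it contacted a public address.

    Private, loopback, link-local and documentation ranges are not 'internet'
    (ipaddress.is_global is False for all of them).
    """
    months = defaultdict(set)
    hosts = set()
    for month, host, dst in records:
        hosts.add(host)
        if dst.is_global:
            months[host].add(month)
    return {host: months.get(host, set()) for host in hosts}


def classify_hosts(records):
    """Label each host by how regularly it reached the internet within the observed window.

    The observation window is every month that appears in the log (assumption
    made for this example; a real report would fix the window explicitly).
    """
    window = {month for month, _, _ in records}
    result = {}
    for host, months in external_months(records).items():
        if months == window:
            result[host] = "every month"
        elif months:
            result[host] = "some months"
        else:
            result[host] = "never"
    return result


def share_with_internet_access(records):
    """Fraction of hosts that reached the internet at least once in the window."""
    classes = classify_hosts(records)
    return sum(1 for c in classes.values() if c != "never") / len(classes)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for host, label in sorted(classify_hosts(recs).items()):
        print(f"{host:10s} {label}")
    print(f"hosts with internet access: {share_with_internet_access(recs):.0%}")
```

Hosts labelled "every month" in a plant network are the first place to check whether the connectivity is actually required by the process or is the oversight the text describes; the same grouping also shows which months the access occurred in, which can be matched against maintenance windows.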
Malware infections can occur when connecting infected removable data media, such as USB flash drives, external hard drives or mobile phones, to a system.
This malware propagation method is used, among other cases, in targeted and APT attacks in order to bridge the “air gap” designed to isolate critical information systems of organizations.
The main sources of email threats are malicious attachments and links to infected sites sent in messages. In most cases, such messages are sent as part of malicious spam or phishing email distribution.
Spear phishing (sending selected targets emails that were carefully crafted with those specific potential victims in mind) has been used in numerous cases as one of the initial steps in targeted attacks.
Services that provide access to file systems on remote computers, such as SMB/CIFS, are among the main sources of information security problems at enterprises. Vulnerabilities in these services have been exploited on many occasions to conduct targeted and APT attacks (such as Stuxnet), as well as large-scale malicious campaigns (such as WannaCry and ExPetr).
Malware uses network shares to spread within an organization or between organizations – usually by copying itself to remote network folders and/or infecting files that are already located in these folders. Planting a malicious object on shared resources provides attackers with additional capabilities related to compromising user credentials and subsequently escalating privileges to develop the attack further.
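The propagation pattern described above, a host copying an executable object to remote network folders, leaves a trace in file-share access auditing. The script below is an added example written for this page, not code from the report or from Kaspersky Lab, and it runs over a constructed set of share-access events (timestamp, source host, source IP, share, file path, access type; the layout is an assumption, not a specific product's log format). It flags writes of executable object types to shares and then singles out source hosts that wrote the same executable to several different shares in a short interval, which is the worm-like behaviour the text refers to.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-share access events (not real audit data):
# "<timestamp> <src_host> <src_ip> <share> <relative_path> <access>"
SAMPLE_EVENTS = r"""
2017-05-12T08:01:10 eng-ws-02 10.0.12.31 \\scada-srv\Projects report_q2.pdf WriteData
2017-05-12T08:03:55 eng-ws-02 10.0.12.31 \\scada-srv\Projects updater.exe WriteData
2017-05-12T08:03:58 eng-ws-02 10.0.12.31 \\hmi-01\Shared updater.exe WriteData
2017-05-12T08:04:02 eng-ws-02 10.0.12.31 \\plc-gw-04\Config updater.exe WriteData
2017-05-12T08:10:30 hmi-01 10.0.12.40 \\scada-srv\Projects updater.exe ReadData
2017-05-12T09:15:00 admin-ws 10.0.12.5 \\scada-srv\Projects setup.msi WriteData
"""

# Object types that can execute or carry code when opened from a share.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".msi", ".ps1", ".vbs", ".js", ".lnk"}
WRITE_ACCESSES = {"WriteData", "AppendData", "CreateFile"}


def parse_events(text):
    """Return one dict per event line."""
    events = []
    for line in text.strip().splitlines():
        ts, host, ip, share, path, access = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host, "ip": ip, "share": share,
            "path": path, "access": access,
        })
    return events


def executable_share_writes(events):
    """Every write of an executable object type to a network share."""
    flagged = []
    for ev in events:
        ext = "." + ev["path"].rsplit(".", 1)[-1].lower() if "." in ev["path"] else ""
        if ev["access"] in WRITE_ACCESSES and ext in EXECUTABLE_EXTENSIONS:
            flagged.append(ev)
    return flagged


def spreading_hosts(events, min_shares=3, window=timedelta(minutes=10)):
    """Source hosts that wrote the same executable name to at least `min_shares`
    distinct shares within `window`. Thresholds are assumptions for the example.
    """
    by_host_file = defaultdict(list)
    for ev in executable_share_writes(events):
        by_host_file[(ev["host"], ev["path"].lower())].append(ev)

    suspects = {}
    for (host, fname), writes in by_host_file.items():
        writes.sort(key=lambda e: e["time"])
        # Sliding window over the write times; count distinct shares inside it.
        for i, first in enumerate(writes):
            shares = {e["share"] for e in writes[i:] if e["time"] - first["time"] <= window}
            if len(shares) >= min_shares:
                suspects[host] = {"file": fname, "shares": sorted(shares)}
                break
    return suspects


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ev in executable_share_writes(evs):
        print("executable write:", ev["host"], "->", ev["share"], ev["path"])
    for host, info in spreading_hosts(evs).items():
        print(f"possible share-based spreading from {host}: {info['file']} to {info['shares']}")
```

The first function is noisy on its own (legitimate software deployment writes installers to shares, as the admin-ws line shows), so the second one is the useful alert: a single workstation dropping one executable onto several shares within minutes is rarely part of a normal deployment and is worth correlating with the credential-compromise and privilege-escalation activity the text mentions.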
Update of 29 June 2017. After a detailed analysis of the ExPetr (Petya) samples used in these attacks, Kaspersky Lab experts believe that the attackers will not be able to decrypt the data, even in cases where the user has paid the ransom. Victims can only rely on tools for recovering deleted files and on backup copies.