Threat landscape for industrial automation systems. Regions, Q3 2024

Main
Publications
Reports
Threat landscape for industrial automation systems. Regions, Q3 2024
Threat landscape for industrial automation systems. Regions, Q3 2024

Q3 overview

Percentage of ICS computers

In the third quarter of 2024, the global percentage of ICS computers on which malicious objects were blocked decreased by 1.5 pp from the previous quarter to 22%.

Regionally^[1], the percentage of ICS computers that blocked malicious objects during the quarter ranged from 9.7% in Northern Europe to 31.5% in Africa.

All regions ranked by percentage of ICS computers on which malicious objects were blocked in the third quarter can be divided into three groups:

Over 25%

Africa – 31.5%
South-East Asia – 30%
Middle East – 25.6%

In the regions within this group, OT computers are generally overexposed to cyberthreats. There is underinvestment in cybersecurity, both in terms of tools and measures, as well as in addressing the shortage of experts, fostering a strong cybersecurity culture, and raising awareness.

20–25%

Central Asia – 22.7%
Latin America – 22.7%
South Asia – 22.2%
Eastern Europe – 21.7%
East Asia – 21.4%

The regions within this group may face specific challenges in isolating their OT infrastructure from potential cyberthreats.

Up to 20%

Southern Europe – 19.7%
Russia – 17.6%
Australia and New Zealand – 16%
US and Canada – 11.3%
Western Europe – 11.7%
Northern Europe – 9.7%

The third group consists of regions that are the safest in terms of keeping their OT infrastructure isolated from cyberthreats.

Compared to the second quarter, the percentage of ICS computers on which malicious objects were blocked during the third quarter has increased in six regions.

Malicious object categories

Malicious objects used for initial infection

Malicious objects that are used for initial infection of ICS computers include dangerous internet resources that are added to denylists, malicious scripts and phishing pages, and malicious documents.

By the logic of cybercriminals, these malicious objects can spread easily. As a result, they are blocked by security solutions more often than anything else. This is reflected in our statistics.

Typical attacks blocked within an OT network are a multi-stage process, where each subsequent step of the attackers is aimed at increasing privileges and gaining access to other systems by exploiting vulnerabilities in OT systems and networks.

It is worth noting that during the attack, intruders often repeat the same steps (TTP), especially when they use malicious scripts and established communication channels with the management and control infrastructure (C2) to move horizontally within the network and advance the attack.

Globally and in almost all regions, denylisted internet resources and malicious scripts and phishing pages are the top categories of malicious objects in terms of the percentage of ICS computers on which these objects were blocked.

The sources of the majority of malicious objects used for initial infection are the internet and email.

In Q3 2024, Africa, South-East Asia, and the Middle East ranked as the top three regions by the percentage of ICS computers on which threats from internet were blocked.

The top three regions with the highest email threats rates were Southern Europe, Latin America, and the Middle East.

Denylisted internet resources

Africa, South-East Asia, and the Middle East ranked as the top three regions by the percentage of ICS computers on which denylisted internet resources were blocked.

The top three regions in terms of growth in the percentage of ICS computers on which denylisted internet resources were blocked were Africa, the Middle East, and South-East Asia.

Malicious scripts and phishing pages

The top three regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked were Africa, Latin America, and Southern Europe.

The top three regions in terms of growth in the percentage of ICS computers on which malicious scripts and phishing pages were blocked were Africa, Latin America, and South-East Asia.

A significant increase in the percentage of malicious scripts and phishing pages in the majority of regions was driven by a series of widespread phishing attacks in August and September of 2024. In these attacks, threat actors used malicious scripts that execute in the browser, mimicking various windows with CAPTCHA-like interfaces, browser error messages, and similar pop-ups. These scripts are designed to trick users into following simple instructions on their computers, which ultimately trigger the download of next-stage malware – either the Lumma stealer or the Amadey Trojan.

The phishing lures were distributed through various channels, including phishing emails (e.g. fake vulnerability notifications claiming to be from GitHub), malicious links, and malvertising networks found on various resources (e.g. file sharing services). The instructions provided by the phishing scripts tricked users into executing malicious PowerShell commands to download additional spyware.

It’s important to note that both Lumma and Amadey are designed to steal credentials from browsers and password managers. In addition, Amadey has been observed using modules to steal credentials from various Virtual Network Computing (VNC) systems^[2].

The exposure of these credentials significantly increases the risk of subsequent attacks, such as ransomware, as threat actors can use the stolen data to access sensitive systems and escalate their attacks.

Malicious documents

Latin America, Southern Europe, and the Middle East ranked as the top three regions by the percentage of ICS computers on which malicious documents were blocked.

The top three regions in terms of growth in the percentage of ICS computers on which malicious documents were blocked were Latin America, Australia and New Zealand, and Africa.

Next-stage malware

Malicious objects used to initially infect computers deliver next-stage malware – spyware, ransomware, and miners – to victims’ computers.

As a rule, the higher the percentage of ICS computers on which the initial infection malware is blocked, the higher the percentage for next-stage malware.

Spyware

Spyware (including Trojans, backdoors, and keyloggers) is typically the most frequently detected type of next-stage malware. It is either used as a toolset for intermediate steps in the kill chain (such as reconnaissance and lateral movement) or as a final-stage tool for stealing and exfiltrating confidential data.
When spyware is detected on an OT computer, it usually indicates that the initial infection vector was not prevented – whether through a user clicking on a malicious link, opening an attachment from a phishing email, or plugging in an infected USB drive. This suggests that OT perimeter protection measures (such as network security and enforcement of removable device policies) were either absent or ineffective.

In Q3 2024, Africa, the Middle East, and South-East Asia ranked as the top three regions by the percentage of ICS computers on which spyware was blocked.

As expected, these regions also ranked among the highest for one or more types of initial infection threats.

In almost all regions, spyware does not rank higher than third in the threat category rankings by percentage of ICS computers on which it was blocked, except in the following regions:

East Asia: in this region, spyware is the number one malware category in terms of the percentage of ICS computers on which it was blocked.
Central Asia: spyware is the second most prevalent threat in this region.

East Asia is also the only region in Q3 2024 in which spyware showed growth in terms of the percentage of ICS computers on which it was blocked.

Covert crypto-mining programs
Miners in the form of executable files for Windows

In the third quarter of 2024, similar to the previous quarter, a significant portion of Windows miners found on ICS computers consisted of archives with names mimicking legitimate software. These archives did not contain actual software but included a Windows LNK file, commonly known as a shortcut. However, the target (or path) that the LNK file points to is not a regular application, but rather a command capable of executing malicious code, such as a PowerShell script. Nowadays, threat actors are increasingly using PowerShell to execute malware, including cryptominers, by embedding malicious code directly into command-line arguments. This code runs entirely in memory, enabling fileless execution and minimizing detection.

Another common method of deploying miners on ICS computers involves using legitimate cryptocurrency mining software such as XMRig, NBMiner, OneZeroMiner, and others. While these miners are not inherently malicious, they are classified as RiskTools by security systems. Attackers exploit these miners by combining them with customized configuration files that enable the miner’s activity to be concealed from the user’s view.

The top three regions by percentage of ICS computers on which miners in the form of executable files for Windows were blocked were Central Asia, Russia, and South Asia.

In the global ranking of threat categories by percentage of ICS computers on which they were blocked, miners in the form of Windows executable files are normally ranked seventh.

In the corresponding ranking in Russia, they remain in fourth place.
In Central Asia they remain fifth.

Central Asia was also the only region in Q3 2024 that showed growth in the percentage of ICS computers on which executable miners were blocked.

Covert crypto-mining programs
Web miners running in browsers

The three leading regions by percentage of ICS computers on which web miners running in browsers were blocked were: Middle East, Africa, and Eastern Europe.

In the regional rankings of threat categories by percentage of ICS computers on which they were blocked, web miners ended up much higher regionally (eighth place globally) in Australia and New Zealand – fifth place in the regional ranking.

Russia and Central Asia were the only regions that experienced growth in the percentage of ICS computers on which web miners were blocked.

Ransomware

The top three regions with the highest percentage of ICS computers on which ransomware was blocked were the Middle East, Africa, and South Asia.

The top three regions in terms of growth in the percentage of ICS computers on which ransomware was blocked were Southern Europe, Africa, and East Asia.

Self-propagating malware. Worms and viruses

Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.

To spread across ICS networks, viruses and worms rely on removable media, network folders, infected files including backups, and network attacks on outdated software.

High rates of self-propagating malware and malware spreading via network folders at the industry, country, or regional level likely indicate the presence of unprotected OT infrastructure that lacks even basic endpoint protection.

Worms

The top three regions by percentage of ICS computers on which worms were blocked were Africa, Central Asia, the Middle East.

Globally, worms are in sixth place in the threat category ranking by percentage of ICS computers on which they were blocked. In similar regional rankings, worms rank much higher in the following regions: Africa, Central Asia, South Asia – fourth place in the respective regional ranking.

South and Central Asia were the only regions in terms of growth in the percentage of ICS computers on which worms were blocked.

Africa and South Asia were also among the leading regions by percentage of ICS computers on which threats were blocked when connecting removable media.

Viruses

The top three regions by percentage of ICS computers on which viruses were blocked were South-East Asia, Africa, and East Asia.

In South-East Asia, viruses are in second place in the regional threat category ranking by percentage of ICS computers on which they were blocked.

The top three regions in terms of growth in the percentage of ICS computers on which viruses were blocked were South-East Asia, Northern Europe, and Latin America.

Note that there is an overlap between the leading regions in viruses and leaders by percentage of ICS computers on which network folder threats were blocked.

AutoCAD malware

This category of malware can spread in a variety of ways, so it does not belong to a specific group.

The same regions that lead in the virus ranking are also the leaders by percentage of ICS computers on which AutoCAD malware was blocked: South-East Asia, East Asia, and Africa.

Normally, AutoCAD malware is a minor threat and usually comes bottom of the malware category rankings by percentage of ICS computers on which it was blocked.

However, in Q3 2024, this category ranked higher than the corresponding global ranking (ninth place) in the following regions:

South-East Asia – fifth place in the regional ranking
East Asia – seventh place in the regional ranking

The top three regions in terms of growth in the percentage of ICS computers on which malware for AutoCAD was blocked were Latin America, Eastern Europe, and Central Asia.

Regions. Special considerations

To see the specific distinctions of regions, you can compare them to other regions and to the global average statistics.

In most regions as well as globally, first place in the rankings by percentage of ICS computers on which specific threat categories were blocked are occupied by spyware and by the malicious objects used for the initial infection of computers. The internet leads the ranking of top threat sources in all regions.

Some of the regional rankings have their own peculiarities and distinctions, which are noted below.

Africa

Current threats

Overall

First place in the global ranking by percentage of ICS computers on which malicious objects were blocked.

Of all regions, Africa traditionally has the highest percentage of ICS computers on which malicious objects were blocked. Therefore, it is not surprising that Africa leads in many rankings, in some cases by a huge margin.
The percentage of ICS computers on which malicious objects were blocked is higher than the global average.
The region exhibits a slight downward trend with fluctuations.
However, in Q3 2024, the region showed an increase in the percentage of ICS computers on which malicious objects were blocked.

Comparative analysis

Africa occupies leading positions among regions by percentage of ICS computers on which the following were blocked:

First place: denylisted internet resources, malicious scripts and phishing pages, spyware, worms, threats from internet and removable devices
Second place: web miners, ransomware, viruses

Threat categories

Compared to global figures, the region has a higher percentage of ICS computers on which threats were blocked across all threat categories.

The region has a significantly higher percentage than the respective global average percentages of ICS computers on which the following were blocked:
- Worms, 3.1 times higher
- Viruses, 2.4 times higher
  
  Worms and viruses outpace malicious documents in the threat category ranking by percentage of ICS computers on which they were blocked. Worms are in fourth place (sixth place globally). As noted earlier, high rates of self-propagating malware on a large scale indicate that a significant portion of the OT infrastructure lacks even basic endpoint protection, making it a source of malware infection attempts.
- Ransomware, 1.8 times higher
- Spyware, 1.7 times higher
- Denylisted internet resources, 1.6 times higher
- Web miners, 1.4 times higher
- Malicious scripts and phishing pages, 1.4 times higher
- Malware for AutoCAD, 1.4 times higher

Threat sources

The region ranked first in the world both by percentage of ICS computers on which threats from internet and removable devices were blocked, exceeding the global average by 1.4 times and 4.6 times respectively.

With regard to threats from the email clients, the region ranked second in the world, exceeding the global average by 1.3 times.

Quarterly changes and trends

Threat categories

The largest proportional increase in Q3 2024 was in the percentage of ICS computers on which the following were blocked:
- Denylisted internet resources – by 1.5 times
- Malicious scripts and phishing pages – by 1.4 times
- Malicious documents – by 1.2 times
- Ransomware – by 1.1 times

The top threat categories exhibit various quarterly dynamics:

The heatmap below illustrates changes in the ranking of threat categories in the region since the beginning of 2022. Denylisted internet resources have been the leading threat category in the region since early 2023. Malicious scripts and phishing moved back from third to second place in Q3 2024, while spyware dropped back to the third place.

Threat sources

In Q3 2024, the internet as a threat source exhibited a steep increase, in contrast to the global trend.

Email client threats continued to increase in Africa in Q3 2024, while the global trend showed a decline.

Threats from removable devices continued to decrease which corresponds to the global trend. In Q3 2024, the rate of ICS computers on which threats from removable devices were blocked finally became lower than the rate of threats from email clients.

Industries

The most affected industry in the region, as selected for this report, is construction.
Compared to the global averages, the following industries had a significantly higher percentage of ICS computers with blocked malicious objects compared to the respective global averages:
- Construction – 1.7 times higher
- Manufacturing – 1.6 times higher
- Engineering & ICS Integration – 1.5 times higher
- Oil & Gas – 1.4 times higher
- Electric Power – 1.4 times higher

In Q3 2024, all selected sectors in the region, except oil & gas, exhibited an increase in the percentage of ICS computers on which malicious objects were blocked.

The selected sectors show positive dynamics in their long-term trends with occasional major fluctuations: