Threat landscape for industrial automation systems. Regions, Q4 2024

Main
Publications
Reports
Threat landscape for industrial automation systems. Regions, Q4 2024
Threat landscape for industrial automation systems. Regions, Q4 2024

Q4 overview

Percentage of ICS computers

In the fourth quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.1 pp from the previous quarter to 21.9%.

Regionally, the percentage of ICS computers that blocked malicious objects during the quarter ranged from 10.6% in Northern Europe to 31% in Africa.

All regions ranked by percentage of ICS computers on which malicious objects were blocked in the fourth quarter can be divided into three groups:

Over 25%

Africa – 31.0%
South-East Asia – 30.1%
Middle East – 25.7%

In the regions within this group, OT computers are generally overexposed to cyberthreats. There is underinvestment in cybersecurity, both in terms of tools and measures, as well as in addressing the shortage of experts, fostering a strong cybersecurity culture, and raising awareness.

20–25%

Central Asia – 23.5%
East Asia – 22.7%
Eastern Europe – 21.8%
Latin America – 21.5%
Southern Europe – 20.7%
South Asia – 20.7%

The regions within this group may face specific challenges in isolating their OT infrastructure from potential cyberthreats.

Менее 20%

Russia – 18.3%
Australia and New Zealand — 13,9%
Western Europe – 11.6%
Northern Europe – 10.6%

The third group consists of regions that are the safest in terms of keeping their OT infrastructure isolated from cyberthreats.

Compared to the third quarter, the percentage of ICS computers on which malicious objects were blocked during the fourth quarter has increased in eight regions.

Malicious object categories

Malicious objects used for initial infection

Malicious objects that are used for initial infection of ICS computers include dangerous internet resources that are added to denylists, malicious scripts and phishing pages, and malicious documents.

By the logic of cybercriminals, these malicious objects can spread easily. As a result, they are blocked by security solutions more often than anything else. This is reflected in our statistics.

Typical attacks blocked within an OT network are a multi-stage process, where each subsequent step of the attackers is aimed at increasing privileges and gaining access to other systems by exploiting vulnerabilities in OT systems and networks.

It is worth noting that during the attack, intruders often repeat the same steps (TTP), especially when they use malicious scripts and established communication channels with the management and control infrastructure (C2) to move horizontally within the network and advance the attack.

Globally and in almost all regions, denylisted internet resources and malicious scripts and phishing pages are the top categories of malicious objects in terms of the percentage of ICS computers on which these objects were blocked.

The sources of the majority of malicious objects used for initial infection are the internet and email.

In Q4 2024, Africa, South-East Asia, and the Middle East ranked as the top three regions by the percentage of ICS computers on which threats from the internet were blocked.

The top three regions with the highest email threat rates were Southern Europe, the Middle East, and Latin America.

Denylisted internet resources

Africa, South-East Asia, and Central Asia ranked as the top three regions by the percentage of ICS computers on which denylisted internet resources were blocked.

All regions, except East Asia, saw a decrease in the percentage of ICS computers on which denylisted internet resources were blocked.

As previously noted in the Q3 2024 report, the increase in blocked denylisted internet resources was primarily driven by an increase in the number of newly created domain names and IP addresses used by cybercriminals as command and control (C2) infrastructure for distributing malware and phishing attacks.

The decline in the percentage of denylisted internet resources in November-December 2024 was likely influenced not only by proactive threat mitigation measures at various levels – from resource owners and hosting providers to ISPs and law enforcement agencies. Another contributing factor was the tendency of attackers to frequently change domains and IP addresses to evade detection in the initial stages, based on lists of known malicious resources.

In practice, this means that until a malicious web resource is identified and added to a denylist, it may not immediately appear in threat statistics, leading to an apparent decrease in the percentage of ICS computers on which such resources were blocked.

However, in Q4, we also saw a rise in the percentage of the next steps in the attack chain – malicious scripts and phishing pages, spyware, and ransomware.

Malicious scripts and phishing pages

The top three regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked were Africa, Southern Europe, and Latin America.

The top three regions in terms of growth in the percentage of ICS computers on which malicious scripts and phishing pages were blocked were Africa, Southern Europe, and the Middle East.

Malicious documents

Southern Europe, Latin America, and the Middle East ranked as the top three regions by the percentage of ICS computers on which malicious documents were blocked.

The only three regions in terms of growth in the percentage of ICS computers on which malicious documents were blocked were Southern Europe, the Middle East, and Central Asia.

Next-stage malware

Malicious objects used to initially infect computers deliver next-stage malware – spyware, ransomware, and miners – to victims’ computers.

As a rule, the higher the percentage of ICS computers on which the initial infection malware is blocked, the higher the percentage for next-stage malware.

Spyware

Spyware (including Trojans, backdoors, and keyloggers) is typically the most frequently detected type of next-stage malware. It is either used as a toolset for intermediate steps in the kill chain (such as reconnaissance and lateral movement) or as a final-stage tool for stealing and exfiltrating confidential data.

When spyware is detected on an OT computer, it usually indicates that the initial infection vector was not prevented – whether through a user clicking on a malicious link, opening an attachment from a phishing email, or plugging in an infected USB drive. This suggests that OT perimeter protection measures (such as network security and enforcement of removable device policies) were either absent or ineffective.

In Q4 2024, Africa, the Middle East, and Southern Europe ranked as the top three regions by the percentage of ICS computers on which spyware was blocked.

These regions also ranked among the highest for one or more types of initial infection threats.

In almost all regions, spyware does not rank higher than third in the threat category rankings by percentage of ICS computers on which it was blocked, except in the following regions:

East Asia: in this region, spyware is the number one malware category in terms of the percentage of ICS computers on which it was blocked.
The Middle East, Southern Europe, and Central Asia: spyware is the second most prevalent threat in these regions.

The top three regions in terms of growth in the percentage of ICS computers on which spyware was blocked were Southern Europe, Russia, and Central Asia.

Covert cryptomining programs
Miners in the form of executable files for Windows

In the fourth quarter of 2024, similar to the previous quarter, a significant portion of Windows miners found on ICS computers consisted of archives with names mimicking legitimate software. These archives did not contain actual software but included a Windows LNK file, commonly known as a shortcut. However, the target (or path) that the LNK file points to is not a regular application, but rather a command capable of executing malicious code, such as a PowerShell script. Nowadays, threat actors are increasingly using PowerShell to execute malware, including cryptominers, by embedding malicious code directly into command-line arguments. This code runs entirely in memory, enabling fileless execution and minimizing detection.

Another common method of deploying miners on ICS computers involves using legitimate cryptocurrency mining software such as XMRig, NBMiner, OneZeroMiner, and others. While these miners are not inherently malicious, they are classified as RiskTools by security systems. Attackers exploit these miners by combining them with customized configuration files that enable the miner’s activity to be concealed from the user’s view.

The top three regions by percentage of ICS computers on which miners in the form of executable files for Windows were blocked were Central Asia, Russia, and Eastern Europe.

In the global ranking of threat categories by percentage of ICS computers on which they were blocked, miners in the form of Windows executable files are normally ranked seventh.

In the corresponding rankings in Russia, and Australia and New Zealand, they ranked fifth.

The top regions in terms of growth in the percentage of ICS computers on which miners in the form of Windows executable files were blocked were Russia, East Asia, Southern Europe, and Western Europe.

Covert cryptomining programs
Web miners running in browsers

The three leading regions by percentage of ICS computers on which web miners running in browsers were blocked were: the Middle East, Africa, and Eastern Europe.

In the regional rankings of threat categories by percentage of ICS computers on which they were blocked, web miners ended up much higher regionally (eighth place globally) in Australia and New Zealand and Western Europe – sixth place in the respective regional rankings.

Southern Europe, Western Europe, Northern Europe, and East Asia were the only regions that experienced growth in the percentage of ICS computers on which web miners were blocked.

Ransomware

The top three regions with the highest percentage of ICS computers on which ransomware was blocked were the Middle East, Africa, and South Asia.

The top three regions in terms of growth in the percentage of ICS computers on which ransomware was blocked were Australia and New Zealand, East Asia, and Western Europe.

Self-propagating malware. Worms and viruses

Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.

To spread across ICS networks, viruses and worms rely on removable media, network folders, infected files including backups, and network attacks on outdated software.

High rates of self-propagating malware and malware spreading via network folders at the industry, country, or regional level likely indicate the presence of unprotected OT infrastructure that lacks even basic endpoint protection.

Worms

The top three regions by percentage of ICS computers on which worms were blocked were Africa, Central Asia, and the Middle East.

Globally, worms are in sixth place in the threat category ranking by percentage of ICS computers on which they were blocked. In similar regional rankings, worms rank much higher in the following regions: Russia, Central Asia – fourth place in the respective regional ranking.

The top three regions in terms of growth in the percentage of ICS computers on which worms were blocked were Eastern Europe, Russia, and Central Asia.

Viruses

The top three regions by percentage of ICS computers on which viruses were blocked remained South-East Asia, Africa, and East Asia.

In South-East Asia, viruses are in second place in the regional threat category ranking by percentage of ICS computers on which they were blocked.

The top three regions in terms of growth in the percentage of ICS computers on which viruses were blocked were South-East Asia, Africa, and the Middle East.

Note that there is an overlap between the leading regions in viruses and leaders by percentage of ICS computers on which network folder threats were blocked.

AutoCAD malware

This category of malware can spread in a variety of ways, so it does not belong to a specific group.

The same regions that lead in the virus ranking are also the leaders by percentage of ICS computers on which AutoCAD malware was blocked: South-East Asia, East Asia, and Africa.

Normally, AutoCAD malware is a minor threat and usually comes bottom of the malware category rankings by percentage of ICS computers on which it was blocked.

However, in Q4 2024, this category ranked higher than the corresponding global ranking (ninth place) in the following regions:

South-East Asia – fifth place in the regional ranking
East Asia – seventh place in the regional ranking

The only three regions with growth in the percentage of ICS computers on which malware for AutoCAD was blocked were South-East Asia, South Asia, and Central Asia.

Regions. Special considerations

To see the specific distinctions of regions, you can compare them to other regions and to the global average statistics.

In most regions as well as globally, first place in the rankings by percentage of ICS computers on which specific threat categories were blocked are occupied by spyware and by the malicious objects used for the initial infection of computers. The internet leads the ranking of top threat sources in all regions.

Some of the regional rankings have their own peculiarities and distinctions, which are noted below.

Africa

Current threats

Overall

First place in the global ranking by percentage of ICS computers on which malicious objects were blocked.
Of all regions, Africa traditionally has the highest percentage of ICS computers on which malicious objects were blocked.
The percentage of ICS computers on which malicious objects were blocked is higher than the global average. In Q4 2024, the value was 1.4 times higher than the global average.
The region exhibits a slight downward trend with fluctuations.
In Q4 2024, the region showed a decrease in the percentage of ICS computers on which malicious objects were blocked.

Comparative analysis

Threat categories

Compared to the global figures, the region has a higher percentage of ICS computers on which threats were blocked across most threat categories.

The region has a significantly higher percentage than the respective global average percentages of ICS computers on which the following were blocked:
- Worms: 2.9 times higher, ranks first by value globally.
- Viruses: 2.5 times higher (surpassing Q3 2024 levels), ranks second by value globally.

Worms and viruses outpace malicious documents in the threat category ranking by percentage of ICS computers on which they were blocked. Worms are in fourth place (sixth place globally). High rates of self-propagating malware on a large scale indicate that a significant portion of the OT infrastructure lacks even basic endpoint protection, making it a source of malware infection attempts.
- Spyware: 1.7 times higher, ranks first by value globally.
- Denylisted internet resources: 1.5 times higher, ranks first by value globally.
- Malicious scripts and phishing pages: 1.5 times higher (surpassing Q3 2024 levels), ranks first by value globally.
- Malware for AutoCAD: 1.4 times higher, ranks third by value globally.
- Web miners: 1.3 times higher, ranks second by value globally.
- Ransomware: 1.2 times higher, ranks second by value globally.
- Malicious documents: 1.2 times higher (surpassing Q3 2024 levels).

Threat sources

The region ranked first in the world both by percentage of ICS computers on which threats from the internet and removable devices were blocked:
- Removable devices: 4.8 times higher (surpassing Q3 2024 levels).
- Internet: 1.4 times higher.

With regard to threats from email clients, the region exceeded the global average by 1.4 times (surpassing Q3 2024 levels).

Quarterly changes and trends

Threat categories

The largest proportional increase in Q4 2024 was in the percentage of ICS computers on which the following were blocked:
Malicious scripts and phishing pages: by 1.3 times, first in the world in terms of growth.

Spyware: by 1.1 times.

Viruses: by 1.1 times, second in the world in terms of growth.

The heatmap below illustrates changes in the ranking of threat categories in the region since the beginning of 2022. Malicious scripts and phishing moved from second to first place in Q4 2024. Viruses moved from fifth to fourth place in Q4 2024.

Threat sources

In Q4 2024, all threat sources exhibited a decrease in the percentage of ICS computers on which malicious objects from them were blocked.

Industries

In Q4 2024, construction remained the most affected industry in the region, as selected for this report.
Compared to the global averages, the following industries had a significantly higher percentage of ICS computers with blocked malicious objects compared to the respective global averages:
- Construction – 1.7 times higher.
- Manufacturing – 1.7 times higher.
- Oil & Gas – 1.7 times higher.
- Engineering & ICS Integration – 1.5 times higher.
- Electric Power – 1.4 times higher.

In Q4 2024, the oil and gas sector in the region exhibited a notable increase in the percentage of ICS computers on which malicious objects were blocked – by 1.2 times compared to the previous quarter.

Overall, the selected sectors show positive dynamics in their long-term trends with occasional major fluctuations.