The top three cyberthreats were worms, spyware and cryptocurrency miners; together they accounted for almost 14% of the targeted computers. These are among the main findings of the Kaspersky ICS CERT report on the industrial threat landscape in the first half of 2019.
Industrial cyber incidents are among the most dangerous, as they may result in production downtime and tangible financial losses, and they are hard to recover from. This is especially the case when the incident occurs in critical, life-supporting sectors such as energy. Statistics for H1 2019, automatically processed by Kaspersky security technologies, show that those who manage energy systems should not let their guard down. Overall, during the observed period, Kaspersky products were triggered on 41.6% of ICS computers in the energy sector. A large number of conventional malware samples, not designed for ICS, were blocked.
Among the malicious programmes that were blocked, the greatest danger was posed by cryptocurrency miners (2.9%), worms (7.1%) and a variety of versatile spyware (3.7%). Infection with such malware can negatively affect the availability and integrity of ICS and of other systems that are part of the industrial network. Among these detected threats, some are of particular interest.
One is AgentTesla, a specialised Trojan-Spy program designed to steal authentication data, screenshots, and data captured from the web camera and keyboard. In all of the analysed cases, the attackers exfiltrated data via compromised mailboxes at various companies. Aside from malware threats, Kaspersky products also identified and blocked cases of the Meterpreter backdoor being used to remotely control computers on the industrial networks of energy systems. Attacks that use this backdoor are targeted and stealthy and are often conducted manually. The ability of attackers to control infected ICS computers stealthily and remotely poses a serious threat to industrial systems. Last but not least, the company’s solutions detected and blocked Syswin, a new wiper worm written in Python and packed into the Windows executable format. This threat can have a significant impact on ICS computers because it both self-propagates and destroys data.
The energy sector was not the only one to face malicious objects and activities. Other industries analysed by Kaspersky experts also gave no reason for relief: automotive manufacturing (39.3%) and building automation (37.8%) took second and third place in terms of the percentage of ICS computers on which malicious objects were blocked.
Other findings of the report include:
- On average, ICS computers do not operate entirely inside the security perimeter typical of corporate environments; to a large extent they are protected from many threats, including those also relevant to home users, by their own measures and tools. In other words, the tasks of protecting the corporate segment and the ICS segment are to some extent unrelated.
- In general, the level of malicious activity inside the ICS segment is linked to the ‘background’ malware activity in the country.
- On average, in countries where the security situation of the ICS segment is favourable, the low share of attacked ICS computers is attributable to the protection measures and tools in use rather than to a generally low background level of malicious activity.
- Self-propagating malicious programmes are very active in some countries. In the cases analysed, these were worms (malicious Worm-class objects) designed to infect removable media (USB flash drives, removable hard drives, mobile phones, etc.). Infection by worms via removable media appears to be the most common scenario an ICS computer is likely to face.
Kirill Kruglov, security researcher at Kaspersky, says: “The collected statistics, as well as analysis into industrial cyberthreats, are a proven asset for assessing current trends and predicting what type of danger we should all prepare for. This report has identified that security experts should be particularly cautious about malicious software that aims to steal data, spy on critically important objects, penetrate the perimeter and destroy the data. All of these types of incident could cause lots of trouble for industry.”
Kaspersky ICS CERT recommends implementing the following technical measures:
- Regularly update operating systems, application software and security solutions on systems that are part of the enterprise’s industrial network.
- Restrict network traffic on ports and protocols used on edge routers and inside the organisation’s OT networks.
- Audit access control for ICS components in the enterprise’s industrial network and at its boundaries.
- Provide dedicated regular training and support for employees as well as partners and suppliers with access to your OT/ICS network.
- Deploy a dedicated endpoint protection solution such as Kaspersky Industrial CyberSecurity on ICS servers, workstations and HMIs to secure OT and industrial infrastructure from opportunistic cyberattacks, and network traffic monitoring, analysis and detection solutions for better protection from targeted attacks.
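The second recommendation, restricting traffic to the ports and protocols actually used inside the OT network, is easiest to see as a default-deny ruleset. The nftables fragment below is an added illustration, not part of the Kaspersky report or its recommendations: the interface names, the 10.10.20.0/24 (engineering) and 10.10.30.0/24 (PLC) subnets and the choice of Modbus/TCP (502) and OPC UA (4840) as the only permitted protocols are assumptions for the example. Any flow that does not match an explicit allow rule is logged and dropped, which both enforces the allowlist and gives the monitoring tools mentioned in the last bullet something to alert on.

```nft
#!/usr/sbin/nft -f
# Example OT segment firewall (hypothetical names and addresses).
#
# Weak setting this replaces: a forward chain with "policy accept" and no
# rules, so any host on the engineering VLAN could reach any PLC port.

flush ruleset

table inet ot_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow replies to sessions we already permitted; drop malformed state.
        ct state established,related accept
        ct state invalid drop

        # Engineering workstations -> PLC VLAN: Modbus/TCP only (assumed protocol).
        iifname "eth-eng" oifname "eth-plc" \
            ip saddr 10.10.20.0/24 ip daddr 10.10.30.0/24 \
            tcp dport 502 accept

        # SCADA server -> PLC VLAN: OPC UA only (assumed protocol and host).
        iifname "eth-scada" oifname "eth-plc" \
            ip saddr 10.10.10.5 ip daddr 10.10.30.0/24 \
            tcp dport 4840 accept

        # Nothing else crosses the boundary; log the attempt for the SOC.
        log prefix "ot-edge-drop " counter drop
    }
}
```

Loading the file with `nft -f` replaces the running ruleset, so review it on a test segment first; the `log` statement sends dropped flows to the kernel log, where a collector can turn repeated hits from a single workstation into a detection of exactly the lateral-movement behaviour the report attributes to backdoors such as Meterpreter.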
Read the full version on Kaspersky ICS CERT.
Did an earthquake take out SA Internet?
Seabed avalanches caused by an earthquake could have cut several undersea cables, leading to one of South Africa’s biggest Internet outages yet, writes ARTHUR GOLDSTUCK.
There is still no official explanation for freak breaks 11 days ago in two separate undersea cables that provide international access to South Africa’s Internet users. However, as reported in the Sunday Times yesterday, the most common causes of such breaks are damage by ship anchors and earthquakes at sea.
However, the freak occurrence of two separate cables being cut simultaneously far out at sea, as happened on the morning of 16 January, can only be explained by sea-bed activity. One of the cables was cut in two places, and it is widely believed that a third major cable was also cut.
The cable damage mostly occurred in or near an area called the Congo Canyon, which starts inland and extends 220km into the sea. It is known for having the world’s strongest “turbidity currents”, underwater sediment avalanches over hundreds of kilometers, which are known to destroy undersea cables.
The most likely culprit is a 5.6 magnitude earthquake that struck the Atlantic Ocean near Ascension Island shortly before the cables were cut on the morning of 16 January. The earthquake occurred just before 8am South African time, and local ISPs reported losing international access from just before 10am. The epicentre of the earthquake was more than a thousand kilometres off the coast of Africa, but disturbances caused by seismic activity at sea become more powerful as they approach the coast. Combined with turbidity currents, this could well have taken out all cables in the area.
The West Africa Cable System (WACS) was cut in two places, and the South Atlantic 3 (SAT3) cable in one location. Industry insiders believe that the Africa Coast to Europe (ACE) cable was also cut, but it has not been publicly confirmed.
South Africa is connected to the global Internet via seven such cables, with a total capacity of 42.3 terabits per second (Tbps). These cables, in turn, connect to additional cables linking the West and East coasts of Africa, with a single cable running from Angola to Brazil providing another 40 Tbps.
However, it emerged in the past week that smaller ISPs in South Africa had bought capacity on only one or two cables. In a freak occurrence, two of the most commonly used cables, WACS and SAT3, were cut simultaneously, plunging millions of Internet users into data darkness.
Customers of the major mobile network operators – Vodacom and MTN – were largely unaffected, as these tend to have both part-ownership and access to most of the cables running up both the East and West coasts of Africa.
Lenovo express-delivers new range from CES to SA
Lenovo has unveiled its new range of ThinkBook laptops, barely two weeks after they were showcased at the Consumer Electronics Show in Las Vegas.
The company’s newest sub-brand, ThinkBook, is intended to meet the demand for more aesthetically pleasing, yet agile and powerful devices.
The new range is aimed at small and medium enterprises. According to the Small Enterprise Development Agency (SEDA), there are more than 2 million SMEs in South Africa, although only 667,433 are in the formal sector. This tallies with estimates in recent editions of SME Survey, produced by World Wide Worx, which suggest 650,000 active, formal businesses in South Africa. These SMEs employ about 14% of the South African workforce.
Lenovo argues that access to affordable, yet efficient, technology is a crucial factor in aiding business success and contributing towards the success of the nation. The company has found, in its own research, that younger people prefer working, creating and communicating online “with stylish devices that make a statement”. This means they require streamlined laptops which can be used to collaborate from any remote location, to enhance productivity.
Lenovo said in a statement on Thursday night: “Backed by customer research, ThinkBook is specially designed for SMEs, who typically purchase consumer laptops for perceived design and price advantages but can no longer rationalise their lack of extended services and warranties – core needs of any business. ThinkBook allows growing firms to keep a competitive edge in attracting today’s young tech-savvy execs with trendy yet cost-effective devices.
Thibault Dousson, general manager of Lenovo for Europe, Middle East and Africa, said at the launch event: “With the capacity SMEs have to grow and upskill the country’s workforce, they are perfectly positioned to bridge the gap between the public sector and large enterprise. Bearing in mind the demands of the digital economy, this sector needs skills and resources in order to compete, and that is where devices such as the ThinkBook come in.”
In South Africa, ThinkBook laptops are now available in 13-, 14- and 15-inch variants. The flagship ThinkBook 14 and ThinkBook 15 devices run Windows 10 Pro on up to 10th Gen Intel Core processors, which Lenovo says combines high performance with intuitive, time-saving features. Options include Intel Optane memory, Wi-Fi 6 and discrete graphics.
The ThinkBook 15 comes at just 18.9mm thin, while the ThinkBook 14 is a mere 17.9mm, both with FHD displays and two Dolby Audio speakers, dual-array, Skype certified microphones and a USB 3.1 (Gen2, Type-C) port.
Lenovo has also introduced the ThinkBook S series, including an elegant 13.3-inch ThinkBook 13s. The sleek and light device is constructed of a metallic finish on an all-aluminium chassis, alongside a narrow bezel display. As with the ThinkBook 14 and 15, the ThinkBook 13s also features advanced Intel processing and an FHD display, Dolby Vision and Harman speakers with Dolby Audio.