Human Error Fuels Industrial APT Attacks, Kaspersky Reports

Written by

Cybersecurity firm Kaspersky has identified the primary factors contributing to advanced persistent threat (APT) attacks in industrial sectors.

The first of them, discussed in a new report published today, is the absence of isolation in operational technology (OT) networks. 

Kaspersky experts have observed instances where engineering workstations are connected to the IT and OT networks. This dependence on network configuration for isolation can be manipulated by skilled attackers, allowing them to manage malware traffic or infect seemingly isolated networks.

“In situations where the OT networks’ isolation solely relies on the configuration of networking equipment, experienced attackers can always reconfigure that equipment to their advantage,” explained Evgeny Goncharov, head of the industrial control systems cyber emergency response team at Kaspersky. 

The human factor also remains a significant driver of cyber-criminal activities in industrial settings, according to the report, with employees or contractors frequently being given access to OT networks without adequate attention to information security measures. 

Remote administration tools, such as TeamViewer or Anydesk that were intended to be temporary may continue to run unnoticed, making it easy for attackers to gain entry.

Read more on similar attacks: CISA Warns Against Malicious Use of Legitimate RMM Software

Kaspersky’s investigations also highlighted instances where disgruntled employees or contractors with OT network access have tried to cause harm.

Insufficient protection of OT assets further amplifies these risks, as malware can spread more easily when security solutions have outdated databases, security components are disabled and there are too many exclusions from scanning and protection.

Insecure configuration of security solutions also plays a significant role in APT attacks, as does the absence of cybersecurity protection in OT networks and the inability to keep industrial workstations and servers up to date.

“In some cases, updating the server’s operating system may require updating specialized software [...] which in turn requires upgrading the equipment – that all may be too expensive. Consequently, there are outdated systems found on industrial control system networks,” Goncharov added. 

“Surprisingly, even internet-facing systems in industrial enterprises, which can be relatively easy to update, can remain vulnerable for a long time. This exposes the operational technology [...] to attacks and serious risks, as real-world attack scenarios have shown.”

The Kaspersky report comes a few months after a separate research study from the company suggested two out of every five (40.6%) OT computers used in industrial settings were affected by malware in 2022.

What’s hot on Infosecurity Magazine?