Top 6 factors driving Advanced Persistent Threat (APT) attacks – IT News Africa

By Simon Osuji
July 4, 2023, in Technology

Kaspersky experts have identified several key contributors to the success of Advanced Persistent Threat (APT) operations within victims’ networks. These factors include human elements, inadequate security measures, difficulties with updates and configuration of cybersecurity solutions, and other related issues.

Although some of these reasons may seem trivial, they are commonly encountered during incident response activities. To assist companies in mitigating these threats and promoting the adoption of best practices, the experts have compiled a list of the most prevalent issues:

Insufficient Isolation of OT Networks

The security of Operational Technology (OT) networks is compromised due to a lack of proper isolation, as highlighted by incident investigations conducted by Kaspersky experts. One common issue is the presence of engineering workstations that are connected to both the regular IT network and the OT network, leaving vulnerabilities in the system.

Relying solely on network equipment configuration for OT network isolation proves to be ineffective against experienced attackers who can easily reconfigure the equipment to their advantage. These attackers can exploit such configurations to control malware traffic or use them as a storage and delivery system for malware, even in supposedly isolated networks. Kaspersky has observed such malicious activities on multiple occasions.

The Human Factor in Cybercriminal Activities

Granting access to OT networks without proper information security measures can lead to exploitation. Remote administration utilities such as TeamViewer or AnyDesk, initially set up for temporary use, often remain active and can be exploited by attackers.

Dissatisfied employees, driven by various motivations such as work assessments, income, or political factors, may engage in cybercriminal actions. Implementing a Zero Trust approach, where neither the user, device, nor application within the system is inherently trusted, can mitigate such risks.

Inadequate Protection and Configurations of OT Assets

Incident analysis has revealed several vulnerabilities in OT networks, including outdated security solution databases, missing or removed license keys, disabled security components, and excessive exclusions from scanning and protection. These shortcomings contribute to the spread of malware within the networks.

For example, outdated databases and security solutions that do not update automatically give advanced threats an opportunity to propagate quickly, especially in APT attacks, where sophisticated threat actors aim to avoid detection.
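As an added illustration (not part of the original article or of any Kaspersky tooling), the findings from the first three sections can be checked mechanically against an asset inventory: hosts with addresses in both the IT and OT ranges, leftover remote administration utilities on OT hosts, and weakened endpoint protection. The address ranges, record layout, thresholds and finding names are assumptions made for this sketch.

```python
import ipaddress
from datetime import date

# Constructed address plan and thresholds: assumptions, not values from the article.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("192.168.50.0/24")
REMOTE_TOOLS = {"teamviewer", "anydesk"}  # the two utilities the article names
MAX_DB_AGE_DAYS = 7
MAX_EXCLUSIONS = 10

def audit_host(host, today):
    """Return the list of findings for one inventory record (OT assets only)."""
    addrs = [ipaddress.ip_address(a) for a in host["ips"]]
    if not any(a in OT_NET for a in addrs):
        return []  # not an OT asset, out of scope for this audit
    findings = []
    if any(a in IT_NET for a in addrs):
        findings.append("dual-homed-it-ot")
    if REMOTE_TOOLS & {s.lower() for s in host["software"]}:
        findings.append("remote-admin-tool-present")
    av = host["av"]
    if (today - av["db_date"]).days > MAX_DB_AGE_DAYS:
        findings.append("outdated-av-database")
    if not av["license_valid"]:
        findings.append("missing-license")
    if av["disabled_components"]:
        findings.append("disabled-components")
    if len(av["exclusions"]) > MAX_EXCLUSIONS:
        findings.append("excessive-exclusions")
    return findings

def audit(inventory, today):
    """Map host name -> findings, keeping only hosts with at least one finding."""
    report = {h["name"]: audit_host(h, today) for h in inventory}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory (hypothetical hosts).
TODAY = date(2023, 7, 4)
INVENTORY = [
    {"name": "eng-ws-01", "ips": ["10.10.4.21", "192.168.50.12"],
     "software": ["AnyDesk", "PLC IDE"],
     "av": {"db_date": date(2023, 3, 1), "license_valid": True,
            "disabled_components": ["file-monitor"],
            "exclusions": ["D:/proj%d" % i for i in range(12)]}},
    {"name": "hmi-02", "ips": ["192.168.50.30"], "software": ["HMI runtime"],
     "av": {"db_date": date(2023, 7, 2), "license_valid": True,
            "disabled_components": [], "exclusions": []}},
    {"name": "office-pc-7", "ips": ["10.10.9.5"], "software": ["TeamViewer"],
     "av": {"db_date": date(2023, 7, 3), "license_valid": True,
            "disabled_components": [], "exclusions": []}},
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, TODAY).items():
        print(name, ", ".join(findings))
```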

Insecure Configurations of Security Solutions

Proper configuration of security solutions is critical to prevent them from being disabled or abused by APT groups/actors. Attackers may hijack critical IT systems and target the administration servers of security solutions to gather information or use tools within the security system to spread malware to supposedly separate systems.

The Lack of Cybersecurity Protection in OT Networks

Surprisingly, some OT networks lack cybersecurity solutions installed on many endpoints, leaving them vulnerable to attacks. Even if the OT network is physically separated from other networks and not connected to the Internet, attackers can still find ways to gain access. For instance, they can distribute specially crafted malware through removable drives like USBs.

Challenges with Workstation and Server Security Updates

Industrial control systems have unique operational requirements, making tasks like installing security updates on workstations and servers challenging. These updates often require careful testing during scheduled maintenance, leading to infrequent updates. Threat actors take advantage of this delay to exploit known vulnerabilities and carry out attacks.

Updating the server’s operating system may even necessitate upgrading specialized software like SCADA servers, which can be costly. Industrial control system networks commonly have outdated systems as a result. Surprisingly, even Internet-facing systems in industrial enterprises, which are relatively easier to update, can remain vulnerable for extended periods, exposing operational technology (OT) to attacks and serious risks.
