Kaspersky does not expect the industrial cyber threat landscape to change dramatically in 2024. Most of the trends described below have been observed before, and many of them have been around for years. However, some of these trends have been changing slowly and have now reached a tipping point, which could lead to a qualitative change in the threat landscape as early as next year.
Ransomware
In 2024, ransomware will remain the number one scourge for industrial companies.
In 2023, ransomware attacks cemented their position at the top of the list of information security threats to industrial enterprises. In the first half of 2023, as can be seen from the official statements of organizations affected by such incidents, at least one in six ransomware attacks resulted in a halt of production or product delivery. In some cases, the damage caused by an attack was estimated in the hundreds of millions of dollars. At the moment, there is no reason to believe that this threat will decrease in the near future.
Ransomware attacks that target large organizations, vendors that provide unique products (equipment, materials), or large logistics and transportation companies can have serious economic and social consequences.
Currently, according to statements by the companies attacked, no less than 18% of ransomware attacks against industrial companies cause disruptions to production and/or product delivery. In addition, cybercriminals are clearly targeting the high end of the market when selecting victims, preferring to attack large organizations that can afford huge ransom payments.
The result is a situation where an attacker, whether intentionally or accidentally, could once again cross the line and cause consequences at the infrastructure level, as in the Colonial Pipeline attack. Another example is the Dubai-based international container terminal and supply chain operator DP World, which was recently attacked, bringing work to a standstill at the ports of Melbourne, Sydney, Brisbane and Fremantle, with around 30,000 containers unable to be delivered.
The ransomware market is heading for a peak, which may be followed by a decline or stagnation. Potential victims are unlikely to become immune to attacks in the short term. However, they can learn to mitigate the impact more effectively (for example, by better protecting their most confidential data and by having appropriate backup and incident response plans in place).
If this results in victims paying less money and paying less often, cybercriminals will have to look for new types of targets and new ways to monetize attacks. Possible paths of development include:
1. Attacks on logistics and transport companies may no longer be directed at the IT infrastructure that supports operations, but against the vehicles themselves (cars, ships).
At first glance, the wide variety of vehicles in fleets seems to hinder such attacks, significantly increasing the attackers' development costs. However, the target of an attack can be many vehicles of the same type with the same or similar internal control systems, rather than a specific owner or operator.
Another factor favoring such attacks is that fleet owners and operators also equip vehicles with their own customized telemetry collection systems, which often have remote control capabilities by default (e.g., remotely reflashing firmware or changing the set of data collected). Automakers and service providers sometimes do the same. As a result, this attack vector becomes viable.
In the event of such an attack, the victim will either be unable to resume operations on their own, or the cost of doing so will be such that the business cannot survive. Restoring an encrypted IT system (e.g., from a backup) is much easier than solving even a technically simple problem that affects a widely distributed vehicle fleet (e.g., removing malware that prevents a vehicle's engine from starting or that cuts off power inside a ship). Companies may find themselves unable to resume normal operations on their own in time to avoid unacceptable financial losses.
2. The same attack vectors are also suitable for owners and operators of various specialized equipment operating on remote, hard-to-reach sites, such as in the mining or agricultural sectors.
3. The cybersecurity concerns of oil and gas companies, utilities and general industry are equally relevant for any organization with a highly distributed operational technology infrastructure spread across multiple hard-to-reach sites. For attacks on sites far from the main location, remote recovery may be ruled out (e.g., because the malware blocks the regular remote access channels), which practically guarantees payment of the ransom.
4. Non-traditional ways of monetizing attacks (e.g., through market speculation) will target economically important enterprises, such as large transportation and logistics organizations, large mining companies, manufacturers and traders of materials (such as metals, alloys or composites), agricultural and food producers, and makers of unique and in-demand products (such as microchips or fertilizers) whose supply is difficult to replace quickly.
5. An interruption in the output of such enterprises will seriously affect their markets. In addition to the immediate consequences, there may be a ripple effect and indirect impact, as when Saudi Aramco's unexpected decision to replace all computer hard drives affected by the Shamoon attack with new ones affected the hard drive market worldwide.
Hacktivism
Along geopolitical fault lines, politically motivated hacktivism will become more ferocious and have even more devastating consequences.
We all remember the 2021 hacks of Iran's railways and gas stations that hit the headlines, for which a pro-Israel hacker group claimed responsibility. In 2023, we saw more cases: Israeli irrigation systems were attacked; the Israeli-made Unitronics Vision all-in-one (PLC and integrated HMI) solution was attacked in the United States and Ireland; and gas stations in Iran were attacked again. PR effects aside, the actual scale of the negative impact in all of these events was not significant.
That said, recent hacktivist attacks have shown that attackers have the ability to break into OT systems. In some similar cases investigated by Kaspersky ICS CERT this year, only a slight lack of preparation and persistence on the part of the attackers saved the victims from actual damage. Escalating tensions are likely to elevate politically motivated hacking to a whole new threat level.
In addition to domestic hacktivist movements sparked against the backdrop of heightened social tensions (caused by religious and ethnic conflicts and growing economic instability in many parts of the globe), we will also see growing cosmopolitan hacktivism, for example driven by the introduction of new socio-cultural and macroeconomic agendas or, conversely, aimed at opposing their introduction. An example related to environmental protection and green technology is so-called "eco-hacktivism", such as the attack on a mining company in Guatemala by the Guacamaya Roja hacktivist group.
The full-blown rise of hacktivism across the globe will inspire more individuals and groups to start fighting for "causes that don't matter", or even "just for fun", similar to this year's attack on Idaho National Laboratory by the hacking group SiegedSec.
From the gray area to the shadows
The widespread use of "offensive cybersecurity" to gather cyber threat intelligence will have both positive and negative consequences.
On the one hand, we will see some improvement in enterprise security, as offensive cyber threat intelligence will provide users with indicators of potential threats not only through traditional cyber threat intelligence sources (telemetry from security solutions, incident research, indirect sources and the dark web), but also directly from attacker-controlled infrastructure. This will allow victims to restore the security of their systems faster and more efficiently.
On the other hand, the development of offensive cyber intelligence, even as it becomes the new norm (not formally legalized, but applied with tacit consent), will also have a negative impact, because the boundary between the gray area and the shadows may prove too fragile for those who approach it to resist crossing. Led by some countries, commercial enterprises may try to benefit from commercial offensive intelligence solutions and service providers, and not necessarily only for cybersecurity purposes. Some industrial enterprises may also be involved. This is particularly likely in highly competitive ecosystems, such as construction, mining, energy and many other industrial sectors.
These "profit-driven" cyber activities will be more precisely targeted than common APT activity. They will primarily use commercial and open-source tools, which will allow them to blend into the general background of a high incidence of cybercrime attacks. As a result, the chances of such operations being detected and investigated are even lower than for APT activity.
Threats related to logistics and transportation
The rapid automation and digitalization of the logistics and transportation industry will lead to:
Cybercrime and traditional crime becoming more closely intertwined, especially in long-established criminal realms such as:
1. Auto theft, which applies to all modern cars but is particularly relevant for Asian brands and for new car brands, which, because of aggressive strategies to enter the market quickly, often do not make cybersecurity maturity a priority.
2. Cyber-driven piracy and logistics disruption, as a logical continuation of known attack tactics and techniques, such as the recent attacks on the Automatic Identification System (AIS) in the Red Sea and Indian Ocean, or the 2020 attack on the Shahid Rajaee port terminal in Iran.
3. Theft of goods by cyber means.
4. Smuggling by cyber means, as a development of the tactics used in the infamous "Ocean's Thirteen" case in the Port of Antwerp.
5. Other logistics and transportation fraud, such as payments related to the cancellation of fines or insurance claims, and many other fraudulent tactics, some of them hard to predict, such as the use of DRM as a means of unfair competition, which we have recently seen in Poland.
The likelihood of physical consequences from non-targeted attacks increases.
There have already been cases of malware infection in various types of vehicles. Looking to the near future, such infections will increase exponentially due to the adoption of general-purpose operating systems such as Android and Linux in the transportation sector, the widespread integration of standard IT components and communication protocols, and the growing number of use cases involving connectivity to cloud services. Some of these infections can lead to failures in critical monitoring and control systems, with undesirable consequences. On top of that, this risk extends to river, sea, trucking and emergency transportation, which are generally less secure than buses.