Full Report
The statistical data presented in the report was received from ICS computers protected by Kaspersky products that Kaspersky ICS CERT categorizes as part of the industrial infrastructure at organizations.
Analysis Summary
As the provided article is a **report summary/statistics overview** for H2 2021 and not a dedicated case study of a single, detailed incident, the timeline and specific attack details below are generalized from the *trends and aggregate data* presented in that statistical report rather than drawn from a single narrative event.
The following summary therefore reflects the *types* of incidents and high-level observations found in the H2 2021 ICS Threat Landscape report, while maintaining the required structure.
---
# Incident Report: Aggregate ICS Threat Landscape H2 2021
## Executive Summary
This report summarizes the aggregate statistical data from ICS computers protected by Kaspersky products during the second half of 2021, reflecting broad trends across protected industrial infrastructure globally. The primary threats observed included malware infections, primarily targeting workstations, and widespread use of commodity intrusion tools by various threat actors. Response actions centered on immediate isolation and patching, highlighting systemic gaps in network segmentation and timely threat intelligence application.
## Incident Details
- **Discovery Date:** Ongoing throughout H2 2021 (July 1 to December 31, 2021)
- **Incident Date:** Ongoing throughout H2 2021
- **Affected Organization:** Aggregate statistics across multiple organizations worldwide whose ICS computers are protected by Kaspersky products.
- **Sector:** Diverse Industrial Sectors (General Industrial Infrastructure)
- **Geography:** Global (Based on telemetry aggregation)
## Timeline of Events
*As this is an aggregate report, the timeline represents summarized threat activity across the period, not a single sequence.*
### Initial Access
- **Date/Time:** Ongoing
- **Vector:** Primarily malicious email attachments, drive-by downloads, and exploitation of vulnerable external-facing services.
- **Details:** Malware frequently entered the perimeter via common vectors targeting non-production or administrative workstations first.
### Lateral Movement
- **Details:** Movement within the network often leveraged established administrative protocols (e.g., RDP, SMB) using compromised credentials or commodity malware capabilities to spread infection from infected workstations deeper into the corporate or control networks.
### Data Exfiltration/Impact
- **Details:** The most common impact was the infection of workstations with various malware families (including Trojans, Ransomware, and information stealers). Direct, large-scale process manipulation incidents were less frequent than outright infection of endpoints.
### Detection & Response
- **Details:** Detection primarily occurred through endpoint detection and response (EDR)/Antivirus solutions (Kaspersky products) running on the protected ICS assets. Response typically involved immediate logical or physical network isolation of the infected host and application of vendor-supplied patches/signatures.
## Attack Methodology
*This section reflects the dominant techniques observed in the aggregate data for H2 2021.*
- **Initial Access:** Email (Phishing), Exploitation of Public-Facing Applications (Web vulnerabilities), Malware.
- **Persistence:** Creation of scheduled tasks, registry modifications, and establishing communication channels via Trojans.
- **Privilege Escalation:** Exploitation of missing system updates or known Windows vulnerabilities.
- **Defense Evasion:** Use of living-off-the-land binaries (LOLBins) and obfuscation techniques to avoid signature detection.
- **Credential Access:** Dumping credentials from memory (e.g., LSASS) and harvesting plaintext passwords.
- **Discovery:** Network enumeration using standard OS tools or specialized scanning modules embedded in malware.
- **Lateral Movement:** Exploitation of SMB/RPC, use of compromised credentials for remote connections.
- **Collection:** Targeting sensitive documents, configuration files, and intellectual property stored on compromised workstations.
- **Exfiltration:** Use of encrypted tunnels or standard protocols (HTTP/S, FTP) to transfer collected data off-network.
- **Impact:** Workstation downtime, data theft, and potential disruption if the infection reached critical control systems.
## Impact Assessment
*Since this is aggregate data, specific figures are unavailable, and impact is characterized by threat trends.*
- **Financial:** Potential increase in remediation costs, loss of productivity due to operational standstills or cleaning efforts.
- **Data Breach:** Unknown volume; focus on successful theft of corporate documents and intellectual property from targeted workstations.
- **Operational:** Potential localized disruption to engineering or administrative functions, depending on the malware type (e.g., ransomware locking engineering workstations).
- **Reputational:** Dependent on the visibility of specific attacks within the monitored population.
## Indicators of Compromise
*Specific IoCs cannot be listed without analyzing raw data, but generalized behaviors are noted.*
- **Network Indicators:** Unusual outbound traffic to known malicious C2 infrastructures, high volume of internal SMB/RDP scanning.
- **File Indicators:** Execution of common malware droppers, use of known exploit toolkits, and files modified in temporary directories.
- **Behavioral Indicators:** Attempts to disable security services, rapid file encryption, and privilege token manipulation.
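The "high volume of internal SMB/RDP scanning" indicator above can be checked against network flow records. The following is an added example written for this summary, not code from the Kaspersky ICS CERT report; the CSV flow format, the constructed sample flows, the 60-second window and the target-count threshold are all assumptions.

```python
from collections import defaultdict
import ipaddress
# Destination ports for the admin protocols named in the report.
SCAN_PORTS = {445: "SMB", 3389: "RDP"}

# Constructed sample flows (not real telemetry): "epoch_seconds,src_ip,dst_ip,dst_port"
SAMPLE_FLOWS = """\
1000,10.1.5.20,10.1.5.1,445
1001,10.1.5.20,10.1.5.2,445
1002,10.1.5.20,10.1.5.3,3389
1003,10.1.5.20,10.1.5.4,445
1004,10.1.5.20,10.1.5.5,3389
1005,10.1.5.20,10.1.5.6,445
1050,10.1.7.9,10.1.7.10,445
1300,10.1.5.20,10.1.5.7,445
2000,10.1.9.3,10.1.9.4,3389
"""

def parse_flows(text):
    """Parse CSV flow lines into (ts, src, dst, port); malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        try:
            flows.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows

def detect_internal_scans(flows, window=60, threshold=5):
    """Return {src_ip: max_distinct_targets} for sources that reached more than
    `threshold` distinct private hosts on SMB/RDP within any `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in SCAN_PORTS and ipaddress.ip_address(dst).is_private:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # Slide the window so it only spans `window` seconds of activity.
            while events[right][0] - events[left][0] > window:
                left += 1
            targets = {dst for _, dst in events[left:right + 1]}
            if len(targets) > threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts
```

In the sample data only 10.1.5.20 touches more than five distinct hosts inside one window; its later single connection at 1300 falls outside the window and does not raise the count.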
## Response Actions
*Based on general threat mitigation practices for the observed threats.*
- **Containment:** Immediate network segmentation or isolation of infected assets (workstations, jump hosts). Blocking C2 traffic at the perimeter firewall.
- **Eradication:** Full system rebuilds from known-good images for highly compromised systems. Removal of persistent malware artifacts and configuration changes.
- **Recovery:** Restoring critical files from backups, enforcing password changes across potentially compromised accounts, and implementing necessary software updates.
## Lessons Learned
- The persistence of commodity malware hitting ICS-adjacent systems demonstrates that the perimeter security focus must extend consistently throughout enterprise and operational networks.
- Successful credential theft remains a high-leverage enabler for internal propagation.
- Timely deployment of patches (especially for external-facing services) is critical to preventing initial low-effort intrusions.
## Recommendations
- Implement strict network segmentation policies to isolate Level 1/2/3 control systems from standard corporate IT workstations.
- Enhance MFA enforcement, especially for remote access and administrative tools (RDP/VPN).
- Conduct regular phishing exercises and mandatory security awareness training focused on identifying malicious attachments and links targeting ICS personnel.