
Woburn, MA – September 21, 2018 – Today, Kaspersky Lab ICS CERT experts published a new report which found that nearly one third (31.6%) of ICS computers protected by Kaspersky Lab have legitimate remote administration tools (RATs) installed on them. This poses a serious threat to industrial networks as cybercriminals can use RATs to install ransomware or cryptocurrency mining software, or steal confidential information and money.

The new Kaspersky Lab ICS CERT report also found that almost one-in-five (18.6%) RATs come bundled with ICS software by default. This makes RATs even less visible to system administrators and consequently more attractive to threat actors. RATs are often used legitimately by employees at industrial enterprises to save resources, but malicious actors can also use them for stealthy privileged access to targeted computers, which goes unnoticed by the computers' users until the organization’s security team finds it.

The most significant threat posed by RATs is their ability to gain elevated privileges in the system attacked. This type of access is often gained through a basic brute force attack, which involves trying to guess a password by trying all possible character combinations until the correct one is found. While brute force is one of the most popular ways to take control of a RAT, attackers can also find and exploit vulnerabilities in the RAT software itself. According to the research, malicious users utilize RAT software to:

  • Gain unauthorized access to the targeted network;
  • Infect the network with malware to conduct espionage or sabotage, or to make illegal financial profits through ransomware operations or by accessing financial assets via the networks attacked.

To reduce the risk of cyberattacks involving RATs, Kaspersky Lab ICS CERT recommends implementing the following technical measures:

  • Audit the use of application and system remote administration tools used on industrial networks. Remove all remote administration tools that are not required by the industrial process.
  • Conduct an audit and disable remote administration tools which come with ICS software (refer to the relevant software documentation for detailed instructions), provided that they are not required by the industrial process.
  • Closely monitor and log events for each remote control session that is required by the industrial process. Remote access should be disabled by default and enabled only upon request and only for limited periods of time.
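The third measure can be checked mechanically by comparing logged remote control sessions against the access requests that were actually approved. The following is an added example, not taken from the Kaspersky Lab report; the log format, host names, operators and approval records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed approval records: (host, operator, window start, minutes granted).
APPROVALS = [
    ("hmi-01", "vendor_a", "2018-09-20T08:00", 60),
    ("eng-ws-3", "j.smith", "2018-09-20T13:00", 30),
]

# Constructed session log, one session per line: start end host operator tool.
SESSION_LOG = """\
2018-09-20T08:05 2018-09-20T08:40 hmi-01 vendor_a vnc
2018-09-20T08:50 2018-09-20T09:25 hmi-01 vendor_a vnc
2018-09-20T13:10 2018-09-20T13:20 eng-ws-3 contractor rdp
2018-09-20T22:14 2018-09-20T22:31 scada-srv unknown vnc
2018-09-20T13:05 2018-09-20T13:25 eng-ws-3 j.smith rdp
"""

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")

def load_windows(approvals):
    """Map (host, operator) to the list of approved (begin, end) windows."""
    windows = {}
    for host, operator, start, minutes in approvals:
        begin = parse_ts(start)
        end = begin + timedelta(minutes=minutes)
        windows.setdefault((host, operator), []).append((begin, end))
    return windows

def audit_sessions(log_text, approvals):
    """Return (line number, reason, host, operator) for every session that
    was not fully contained in an approved, time-limited window."""
    windows = load_windows(approvals)
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            start, end, host, operator, _tool = line.split()
            begin, finish = parse_ts(start), parse_ts(end)
        except ValueError:  # wrong field count or unparsable timestamp
            findings.append((lineno, "malformed", None, None))
            continue
        approved = windows.get((host, operator), [])
        if not approved:
            findings.append((lineno, "no-approval", host, operator))
        elif not any(w0 <= begin and finish <= w1 for w0, w1 in approved):
            findings.append((lineno, "outside-window", host, operator))
    return findings

if __name__ == "__main__":
    for finding in audit_sessions(SESSION_LOG, APPROVALS):
        print(finding)
```

A session that starts inside its window but runs past the end is reported as `outside-window`, which is the case a "limited periods of time" policy exists to catch.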

“The number of ICSs with RATs is worrying, while many organizations don’t even suspect how great the potential risk associated with RATs is,” said Kirill Kruglov, senior security researcher at Kaspersky Lab ICS CERT. “For example, we recently observed attacks on an automotive company, where one of the computers had a RAT installed on it. This led to regular attempts to install various malware on the computer over a period of several months, with our security solutions blocking at least two such attempts every week. If that organization had not been protected by our security software, the consequences would have been unpleasant to say the least. However, this doesn’t mean that companies should immediately remove all RAT software from their networks. After all, these are very useful applications, which save time and money. However, their presence on a network should be treated with care, particularly on ICS networks, which are often part of critical infrastructure facilities.”

To read the full report, “Threats posed by using RATs in ICS,” please visit the Kaspersky Lab ICS CERT website.

About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 20 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

About Kaspersky Lab ICS CERT
Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) is a global project launched by Kaspersky Lab in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky Lab ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the industrial internet of things. During its first year of operation, the team identified over 110 critical vulnerabilities in products by major global ICS vendors. Kaspersky Lab ICS CERT is an active member and partner of leading international organizations that develop recommendations on protecting industrial enterprises from cyberthreats. ics-cert.kaspersky.com 

Kaspersky Lab Media Contact: 
Denise Berard
781.503.1836
Denise.Berard@kaspersky.com

Kaspersky Lab Report: Remote Administration Tool Threats to Industrial Networks

New report finds that nearly one third of ICS computers protected by Kaspersky Lab have remote administration tools (RATs) installed on them