While conducting audits, penetration tests and incident investigations, we have often come across legitimate remote administration tools (RAT) for PCs installed on operational technology (OT) networks of industrial enterprises. In a number of incidents that we have investigated, threat actors had used RATs to attack industrial organizations. In some cases, the attackers had stealthily installed RATs on victim organizations’ computers, while in other cases, they had been able to use the RATs that were installed in the organization at the time of the attacks. These observations prompted us to analyze the scope of the threat, including the incidence of RATs on industrial networks and the reasons for using them.
Methodology

The statistical data presented in this paper was collected using the Kaspersky Security Network (KSN) from ICS computers protected by Kaspersky Lab products that Kaspersky Lab ICS CERT categorizes as part of the industrial infrastructure at organizations. This group includes Windows computers that perform one or several of the following functions:
supervisory control and data acquisition (SCADA) servers;
data storage servers (Historian);
data gateways (OPC);
stationary workstations of engineers and operators;
mobile workstations of engineers and operators;
Human Machine Interface (HMI).

As part of our research, we considered and analyzed all popular RATs for Windows, with the exception of Remote Desktop, which is part of the Windows operating system. Our research into this RAT is ongoing and will be presented in the next paper of the series.
The use of RATs in ICS

According to KSN data, in the first half of 2018, legitimate RATs (programs categorized as not-a-virus: RemoteAdmin) were installed and used on one ICS computer in three.
Percentage of ICS computers that have RATs legitimately installed on them
The statistics support our observations: RATs are indeed often used on OT networks of industrial enterprises. We believe this could be due to attempts to reduce costs associated with maintaining ICS and minimize the response time in the event of malfunction.
As we were able to find out, remote access to computers on the OT network is not restricted to administrators and engineers inside the enterprise network’s perimeter. It can also be made available via the internet to users outside the enterprise network perimeter. Such users can include representatives of third-party enterprises: employees of system integrators or ICS vendors, who use RATs for diagnostics, maintenance and to address any ICS malfunctions. As our industrial network security audits have shown, such access is often poorly supervised by the enterprise’s responsible employees, while remote users connecting to the OT network often have excessive rights, such as local administrator privileges, which is obviously a serious issue in terms of ensuring the information security of industrial automation systems.
From interviews with engineers and operators of various industrial systems that we have audited, and based on an analysis of ICS user documentation, we have determined that RATs are most commonly used on industrial networks according to the following scenarios:
To control/monitor HMI from an operator workstation (including displaying information on a large screen);
To control/maintain HMI from an engineering workstation;
To control SCADA from an operator workstation;
To provide SCADA maintenance from an engineering workstation or a computer of a contractor/vendor (from an external network);
To connect multiple operators to one operator workstation (thin client-like architecture used to save money on licenses for the software used on operator workstations);
To connect to a computer on the office network from the OT network via HMI and perform various tasks on that computer (access email, access the internet, work with office documents, etc.).

Some of the scenarios listed above indicate that the use of RATs on the OT network can be explained by operational requirements, which means that giving up the use of RATs would unavoidably entail modifications to work processes. At the same time, it is important to realize that an attack on a poorly protected RAT could easily cause disruptions to the industrial process, and any decisions on using RATs on the OT network should be made with this in mind. Tight controls on the use of RATs on the OT network would help to reduce the attack surface and the risk of infection for systems administered remotely.
TOP 20 countries by percentage of ICS computers on which RATs were used at least once during the first half of 2018 (to all ICS computers in each country)
Scenarios of RAT installation on ICS computers

According to our research, there are three most common scenarios of RAT installation on ICS computers:
Installation of ICS software distribution packages that include RATs (using separate distribution packages or ICS software installers). RATs included in ICS software distribution packages make up 18.6% of all RATs we have identified on ICS computers protected by Kaspersky Lab products.

Percentage of RATs bundled with ICS products to all RATs found on ICS computers
Deliberate installation of RATs by personnel or suppliers: network administrators, engineers, operators, or integrator companies. We do not undertake to judge whether these installations are legitimate. Based on our experience of industrial network audits and incident investigation, we can state that many such installations do not comply with the organization’s information security policy, and some are installed without the knowledge of the respective enterprises’ responsible employees.

Stealthy installation of RATs by malware. An example of this is a recent attack that we have investigated (see below).

RAT-related threats to ICS

Threats associated with the use of RATs on industrial networks are not always obvious, nor are the reasons for which RATs are used.
Most of the RATs we have identified on industrial systems have the following characteristics that significantly reduce the security level of the host system:
Elevated privileges: the server part of a RAT is often executed as a service with system privileges, i.e., NT SYSTEM;
No support for restricting local access to the system / client activity;
Single-factor authentication;
No logging of client activity;
Vulnerabilities (our report on zero-day vulnerabilities identified in popular RAT systems that are used, among other applications, in products by many ICS vendors, will be published by the end of the year);
The use of relay servers (for reverse connections) that enable RATs to bypass NAT and firewall restrictions on the network perimeter.

The most critical RAT-related problem is the use of elevated privileges and the absence of any means to limit these privileges (or to restrict a remote user’s local access). In practice, this means that if attackers (or malware) gain access to a remote user’s computer, steal authentication data (login/password), hijack an active remote administration session or successfully attack a vulnerability in the RAT’s serve
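Two of the characteristics listed above, a server component running as a system-privileged service and reverse connections through an external relay, can be checked directly on a Windows ICS host. The following audit script is an added example written for this page; it is not code from the Kaspersky Lab ICS CERT report or from any RAT vendor. It assumes Windows PowerShell 5.1 or later with the built-in NetTCPIP module, an elevated session, and the $ApprovedRatNames list is a constructed placeholder to be replaced with the products actually approved in the audited environment.

```powershell
# Added example (not code from the Kaspersky Lab ICS CERT report).
# Lists services that run as LocalSystem (NT AUTHORITY\SYSTEM) and currently hold
# an established TCP connection to an address outside the private ranges, i.e. the
# "system-privileged RAT server + relay/reverse connection" combination described
# in the report. Run from an elevated PowerShell session on the host being audited.

# Constructed placeholder: fragments of the display names of remote administration
# products approved for this host. Replace with real approved products or leave the
# placeholder so every hit is reported as unapproved.
$ApprovedRatNames = @('PLACEHOLDER_APPROVED_RAT')

function Test-PrivateAddress {
    param([string]$Address)
    # RFC 1918 ranges, loopback and link-local addresses are treated as internal;
    # anything else is considered an external (potential relay) endpoint.
    return ($Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.|169\.254\.|::1$|fe80:)')
}

function Get-SystemServicesWithExternalConnections {
    # Services configured to run as LocalSystem that currently have a live process.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.ProcessId -gt 0 }

    # All established TCP connections on the host, matched below by owning process id.
    $connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

    foreach ($svc in $services) {
        $external = $connections | Where-Object {
            $_.OwningProcess -eq $svc.ProcessId -and -not (Test-PrivateAddress $_.RemoteAddress)
        }
        foreach ($conn in $external) {
            # One row per external connection so the reviewer sees the exact endpoint.
            $approved = [bool]($ApprovedRatNames | Where-Object { $svc.DisplayName -like "*$_*" })
            [pscustomobject]@{
                Service       = $svc.Name
                DisplayName   = $svc.DisplayName
                Binary        = $svc.PathName
                Pid           = $svc.ProcessId
                RemoteAddress = $conn.RemoteAddress
                RemotePort    = $conn.RemotePort
                Approved      = $approved
            }
        }
    }
}

# Print the review list; pipe to Export-Csv to keep it as audit evidence.
Get-SystemServicesWithExternalConnections | Format-Table -AutoSize
```

The output is a review list, not a verdict: legitimate Windows components (update and telemetry services, for example) also run as LocalSystem and talk to public addresses, so the reviewer checks the Binary path of each row against the host's software inventory. A RAT server that appears here with Approved set to False, or with a remote endpoint that is not the vendor's documented relay, is exactly the situation the report warns about and should be escalated under the enterprise's remote-access policy.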