Remote Administration Tools (RATs) have always been controversial. They spare people from needing physical access to hardware, but at the same time they put computer systems at risk by opening remote access to equipment. In an industrial environment, remote access is especially dangerous, so our colleagues from KL ICS CERT undertook a study of how widespread RATs are on industrial computers and what harm they can cause.
According to statistics from Kaspersky Security Network, in the first half of 2018 legitimate RATs were installed on one in three industrial systems using Windows OS. By industrial systems we mean SCADA servers, historian servers, data gateways, engineers’ and operators’ workstations, and human–machine interface computers.
Sometimes, local administrators and engineers use RATs in their daily work. Sometimes, outside parties such as system integrators or industrial control system developers need remote access for diagnostics, maintenance and troubleshooting. So in some cases RATs are used not for operational needs but to lower service costs. And even where they are required for normal technological processes, it is worth assessing the possible risks and perhaps even restructuring processes to reduce the attack surface.
Another possibility cannot be excluded: to evade security solutions, attackers sometimes use legitimate remote administration software as an attack tool.
To reduce the risk of cyberattacks involving RATs, we recommend the following high-priority measures:
- Audit the use of application and system remote administration tools on the industrial network, such as VNC, RDP, TeamViewer, and RMS / Remote Utilities. Remove all remote administration tools that are not required by the industrial process.
- Audit and disable remote administration tools that came bundled with ICS software (refer to the relevant software documentation for detailed instructions), provided that they are not required by the industrial process.
- Closely monitor and log events for each remote control session required by the industrial process; remote access should be disabled by default and enabled only upon request and only for limited periods of time.
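As an added example (not from the original post or from KL ICS CERT), the following PowerShell audit script implements the first and third recommendations on a single Windows industrial host: it inventories installed remote administration software, matching services, the RDP enablement setting, listening ports, and recent RDP logons. The product name patterns and port numbers are assumptions based on vendor defaults and should be adjusted to the site's own tools; run it elevated so the Security log is readable.

```powershell
# Added example: audit one Windows host for remote administration tools.
# Name patterns and default ports below are assumptions (vendor defaults).
$ToolRegex = 'TeamViewer|Remote Utilities|\bRMS\b|VNC'
$DefaultPorts = @{ 3389 = 'RDP'; 5900 = 'VNC'; 5938 = 'TeamViewer'; 5650 = 'Remote Utilities (RMS)' }

# 1. Installed programs, from both the 64-bit and 32-bit uninstall hives
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $ToolRegex } |
    Select-Object DisplayName, DisplayVersion, InstallDate

# 2. Services whose name, display name or binary path matches a known tool
$services = Get-CimInstance Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $ToolRegex } |
    Select-Object Name, State, StartMode, PathName

# 3. Is RDP enabled? fDenyTSConnections = 0 means Remote Desktop is allowed
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# 4. Listening TCP ports that match the default ports, with the owning process
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $DefaultPorts.ContainsKey([int]$_.LocalPort) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port = $_.LocalPort; Tool = $DefaultPorts[[int]$_.LocalPort]
            Process = $proc.ProcessName; Pid = $_.OwningProcess
        }
    }

# 5. RDP logons in the last 7 days: event 4624 with LogonType 10 (RemoteInteractive).
#    Property indices 5/8/18 are TargetUserName/LogonType/IpAddress for 4624.
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624;
        StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated,
        @{ n = 'User';   e = { $_.Properties[5].Value } },
        @{ n = 'Source'; e = { $_.Properties[18].Value } }

# Report: anything listed here should be justified by the industrial process or removed
"=== Host: $env:COMPUTERNAME  RDP enabled: $rdpEnabled ==="
"--- Installed remote administration software ---"; $installed | Format-Table -AutoSize
"--- Matching services ---";                        $services  | Format-Table -AutoSize
"--- Listening on known remote-access ports ---";   $listeners | Format-Table -AutoSize
"--- RDP logons, last 7 days ---";                  $rdpLogons | Format-Table -AutoSize
```

Running this across the plant's hosts (for example via scheduled collection) gives the baseline against which each remote session can then be justified, time-limited, and logged.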