Quote: While conducting audits, penetration tests and incident investigations, we have often come across legitimate remote administration tools (RAT) for PCs installed on operational technology (OT) networks of industrial enterprises. In a number of incidents that we have investigated, threat actors had used RATs to attack industrial organizations. In some cases, the attackers had stealthily installed RATs on victim organizations’ computers, while in other cases, they had been able to use the RATs that were installed in the organization at the time of the attacks. These observations prompted us to analyze the scope of the threat, including the incidence of RATs on industrial networks and the reasons for using them.

Contents:

• Methodology
  
• The use of RATs in ICS
  
• Scenarios of RAT installation on ICS computers
  
• RAT-related threats to ICS
  
• Attacks of threat actors involving RATs
  
• Attacks on industrial enterprises using RMS and TeamViewer
  
• Multiple attacks on an auto manufacturer
  
• Conclusion