Cybercriminals Exploit ICS Computers via Scripts and Phishing Attacks
Industrial control systems (ICS) continue to face increasing cybersecurity challenges as threat actors employ sophisticated malicious scripts and phishing campaigns to target critical infrastructure.
According to new data from Q2 2025, while overall attack rates have shown a marginal decline, specific threat vectors including email-based attacks and malicious documents are intensifying their assault on industrial environments.
The latest cybersecurity landscape data reveals that 20.5% of ICS computers experienced blocked malicious objects in Q2 2025, representing a 1.4 percentage point decrease from the previous quarter and a 3.0 percentage point decline compared to Q2 2024.

Despite this apparent improvement in overall security posture, the distribution of threats remains highly uneven across global regions, with Africa experiencing the highest attack rates at 27.8% compared to Northern Europe’s relatively modest 11.2%.
This regional disparity highlights the complex nature of ICS cybersecurity challenges, where geopolitical factors, infrastructure maturity, and cybersecurity investment levels significantly influence vulnerability exposure.
The biometrics sector emerged as the most targeted industry vertical, leading the ranking for ICS computers experiencing blocked malicious objects, while traditional manufacturing and energy sectors continue to face persistent threats.
Email-Based Attack Vectors Intensify
While internet-based threats and removable media attacks decreased across most regions, email clients emerged as an increasingly dangerous attack vector for ICS environments.
The percentage of ICS computers blocking threats from email clients continued its upward trajectory, with malicious documents, spyware, malicious scripts, and phishing pages representing the primary categories of email-borne threats.
This trend is particularly concerning given the operational technology (OT) environment’s traditional air-gapped security model.

As industrial organizations increasingly integrate their operational networks with corporate IT systems for efficiency and remote monitoring capabilities, email-based attack vectors create new pathways for threat actors to penetrate previously isolated industrial control systems.
The geographic distribution of email threats shows remarkable variation, ranging from 0.80% in Russia to 7.23% in Southern Europe, suggesting that regional cybersecurity awareness, training programs, and email security implementations significantly impact organizational resilience against phishing campaigns.
Threat actors are increasingly leveraging malicious scripts and phishing pages as initial infection vectors, with 6.49% of ICS computers blocking such threats in Q2 2025, despite a 0.67 percentage point decrease from the previous quarter.
These attack methods represent sophisticated social engineering techniques designed to exploit human vulnerabilities within industrial organizations.
The multi-stage nature of modern ICS attacks typically begins with these initial infection attempts, where attackers establish footholds within target networks before deploying next-stage malware including spyware (3.84% of ICS computers affected), ransomware (0.14%), and cryptocurrency miners (0.63% for executable files, 0.30% for web miners).
The correlation between initial infection rates and subsequent malware deployment underscores the critical importance of preventing these entry-level attacks.
Denylisted internet resources showed a concerning 1.2-fold increase in blocking rates, reaching 5.91% of ICS computers, while malicious documents increased by 1.1 times to 1.97%.
In Q2 2025, Kaspersky security solutions blocked malware belonging to 10,408 different malware families, spanning various categories, on industrial automation systems.

This growth pattern suggests threat actors are adapting their tactics to exploit popular public websites and file-sharing services as distribution mechanisms for malicious code targeting industrial environments.
Network Propagation
Self-propagating malware, including worms and viruses, continues to pose significant risks to ICS networks despite overall declining detection rates of 1.22% and 1.29% respectively.
These threats exploit fundamental network architecture vulnerabilities, spreading through removable media, network folders, infected backup files, and network attacks targeting outdated software such as legacy Radmin2 installations.
The persistence of these attack vectors highlights the challenge of securing complex industrial networks containing legacy systems and diverse connectivity requirements.
Threat actors specifically target these architectural weaknesses to achieve lateral movement within OT networks, escalating privileges and reaching critical control systems while maintaining communication channels to their command and control (C2) infrastructure.
AutoCAD malware, while representing a smaller percentage at 0.29% of affected systems, demonstrates the specialized nature of threats targeting industrial design and engineering workflows.
This category illustrates how attackers develop industry-specific malware to exploit the unique software ecosystems prevalent in manufacturing and engineering environments.
Global Security Disparities
The substantial regional variations in threat detection rates reveal significant disparities in global ICS cybersecurity preparedness.
Africa leads in multiple threat categories, with internet-based threats affecting 11.88% of systems compared to East Asia’s 6.35%, while removable media threats range from 0.04% in Australia and New Zealand to 1.77% in Africa.
These variations reflect differences in cybersecurity infrastructure investment, regulatory frameworks, and threat landscape maturity across different geographic regions.
Organizations operating in higher-risk regions must implement more robust security measures and maintain heightened vigilance against evolving threat actors targeting industrial control systems.
The data underscores the critical need for stronger email security, employee training focused on phishing recognition, and comprehensive network segmentation to protect industrial control systems from the increasingly sophisticated malicious scripts and phishing campaigns targeting critical infrastructure globally.