During 2021, Kaspersky noticed a curious anomaly in statistics on spyware threats blocked on ICS computers – computers which could include HMIs, SCADA systems, historians, data gateways, engineering workstations, computers used for the administration of industrial networks, and devices used to develop software for industrial systems. In its research, they identified more than 2,000 industrial organizations worldwide have been incorporated into the malicious infrastructure and used by cyber gangs to spread the attack to their contact organizations and business partners. Stolen credentials were observed being sold across 25 different cybercrime marketplaces, noting the interest that some threat actors place on industrial companies by the significant increase in price over other account types within the marketplaces. Furthermore, the malware/spyware used in the attacks was not sophisticated. Samples were used from well-known commodity families such as Agent Tesla/Origin Logger, HawkEye, Noon/Formbook, Masslogger, Snake Keylogger, Azorult, Lokibot, etc. by financially motivated “low-skilled individuals and small groups.” For more highlights, visit SecurityWeek. For greater detail, including the tactics, techniques, and procedures, visit Kaspersky.