#CyberSecurityReport21H1: More than 246 million OT cyber security events detected in six months

Innovation and Laboratory Area in ElevenPaths    9 August, 2021
Cyber Security Report 2H 21

There are many reports on security trends and summaries, but at Telefónica Tech we want to make a difference. From the Innovation and Lab team, we have just launched our own report on cybersecurity that summarises the highlights of the first half of 2021. Its philosophy is to offer a global, concrete and useful overview of the most relevant data and facts about cybersecurity, and it is designed to be consumed by both professionals and amateurs in a simple and visually attractive way.

The aim of this report is to summarise the cyber security information of the past months, taking a viewpoint covering most aspects of the discipline, in order to help the reader understand the risks of the current landscape.

The information gathered is largely based on the compilation and synthesis of internal data, cross-checked with public information from sources we consider to be of high quality. The following are some of the points that are important to us.

Mobile Security


The first half of 2021 closed with more than 200 vulnerabilities patched in iOS, of which almost 50 are considered high-risk, with the possibility of executing arbitrary code. Some of them affect the core of the system itself.

[Figure: total vulnerabilities found; category within "arbitrary code execution"]

Google typically releases a set of security patches every month, so six bulletins have been published, fixing a total of 246 CVEs (vulnerabilities) in Android. 26 of them are critical.

[Figure: total vulnerabilities found; category within "arbitrary code execution"]

Windows security


In this period we have analysed 384 credited vulnerabilities out of a total of more than 440. For all of them we have extracted the severity from the official NIST CVSS score. We understand that most of the uncredited bugs may come from vulnerabilities found in 0-days or other circumstances where the author is not known and the bug has not been reported anonymously. In these cases, Microsoft does not credit anyone in particular. This difference between credited and "uncredited" vulnerabilities (uncredited is not the same as anonymous) is reflected in the following graph:

[Figure: total vulnerabilities found; category within "arbitrary code execution"; level; credited vs. uncredited]

OT Security


The following information comes from the OT threat capture and analysis system, Aristeo. Aristeo incorporates a network of decoys made of real industrial hardware. They appear to be real industrial systems in production and behave as such, while extracting all the information about the threats accessing the system. With the information from all the devices deployed in the different decoy nodes, Aristeo applies relationships and intelligence to go beyond the data, which lets it proactively detect campaigns, targeted or sector-specific attacks, 0-day vulnerabilities, etc.

Each decoy node has its own characteristics and reproduces a different process. Therefore, the protocols, devices, productive sectors and so on change from one node to another. In addition, the nodes are alive, which means that their configuration can be altered at the will of the team of researchers working with them, or of the client who has temporary or permanent use of them. This variability may lead to slight discrepancies in the data shown in this section when compared between semesters.

More information at: https://aristeo.elevenlabs.tech

It has always been said that criminals are the ones who know society and its realities, its legislation… When we deployed the first Aristeo node, we began to perceive a variation in the data as the incidence of the pandemic rose or fell. We decided to analyse the data to see if our perception was correct. The answer is the graph below, which plots the Covid data against the RDP event data for the month of January 2021, separated by week. S0 is the last week of December 2020 (included to show the change since the start of that wave).

[Figure: SARS-COV-2 infections & RDP attacks; series: Covid cases, RDP events]

The cyber threat data comes entirely from our system, while the SARS-COV-2 threat data comes from several governments and reputable research organisations. Attackers increased the number of attacks against devices exposing RDP (in our case, an engineering bay that controls the industrial process and serves to manage industrial devices on a node).

In addition, more than 246 million cybersecurity events were detected in the first half of 2021. Most of the events were related to more or less sophisticated RDP attacks. The distribution by country is as follows:

TOP-10 Countries

Below, we can observe the Top-10 IP addresses with the most interaction with the Aristeo system and their reference countries.

TOP-10 IP attackers
