US warns against APT hackers targeting ICS / SCADA systems with specialized malware

The U.S. government on Wednesday warned of nation-state actors deploying specialized malware to maintain access to industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.

“APT actors have developed tailor-made tools to target ICS / SCADA devices,” several U.S. agencies said in a warning. “The tools enable them to scan for, compromise and control affected devices once they have established initial access to the operational technology (OT) network.”

The joint federal advisory comes courtesy of the U.S. Department of Energy (DoE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).

The custom-made tools are specifically designed to single out Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

On top of that, the unnamed actors are said to have the capacity to infiltrate Windows-based engineering workstations across IT and OT networks by making use of an exploit that compromises an ASRock-signed motherboard driver with known vulnerabilities (CVE-2020-15368).


The intent, the agencies said, is to leverage access to ICS systems to escalate privileges, move laterally within networks, and sabotage mission-critical functions in liquefied natural gas (LNG) and electric power environments.

Industrial cybersecurity company Dragos, which has been tracking the malware under the name “PIPEDREAM” since the beginning of 2022, described it as a “modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on the target and environment.”

Dragos CEO Robert M. Lee attributed the malware to a state actor called CHERNOVITE. The company assesses with high confidence that the destructive toolkit has not yet been employed in real-world attacks, marking possibly the first time “an industrial cyber capability has been found *prior to* its deployment for intended effects.”

PIPEDREAM comprises five components to achieve its objectives, enabling it to conduct reconnaissance, hijack target devices, tamper with the execution logic of controllers, and disrupt PLCs, effectively leading to “loss of safety, availability, and control of an industrial environment.”

The versatile malware is also known to leverage CODESYS, a third-party development environment for programming controller applications, which has been found to contain as many as 17 different security vulnerabilities in the past year alone.

“The potential to reprogram and potentially disable security controllers and other machine automation controllers could then be exploited to disable the emergency stop system and subsequently manipulate the operational environment into unsafe conditions,” Dragos warned.


Coinciding with the revelation is another report from the threat intelligence firm Mandiant, which revealed what it calls a “set of novel industrial control system (ICS)-oriented attack tools” aimed at machine automation devices from Schneider Electric and Omron.

The state-sponsored malware, which it has named INCONTROLLER, is designed to “interact with specific industrial equipment embedded in various types of machines utilized across multiple industries” using industrial networking protocols such as OPC UA, Modbus and CODESYS.

That said, it is still unclear how the government agencies, as well as Dragos and Mandiant, found the malware. The findings come a day after the Slovak cybersecurity company ESET detailed the use of an upgraded version of the Industroyer malware in a failed cyberattack targeting an unnamed energy provider in Ukraine last week.

“INCONTROLLER [aka PIPEDREAM] represents an exceptionally rare and dangerous cyber attack capability,” Mandiant said. “It is comparable to Triton, which attempted to disable an industrial safety system in 2017; Industroyer, which caused a power outage in Ukraine in 2016; and Stuxnet, which sabotaged the Iranian nuclear program around 2010.”

To mitigate potential threats and secure ICS and SCADA devices, the agencies recommend that organizations enforce multifactor authentication for remote access, periodically change passwords, and continuously be on the lookout for malicious indicators and behaviors.
