APTs Using New Tools to Target ICS/SCADAUS Government Agencies, Mandiant, Dragos, Schneider Electric Issue Joint Advisory
U.S. government agencies, including the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Federal Bureau of Investigation, have released a joint cybersecurity advisory about advanced persistent threat actors using new tools and malwares to target industrial control systems and supervisory control and data acquisition devices.
Critical infrastructure organizations, especially in the energy sector, are urged to implement the detection & mitigation recommendations to harden their #ICS/#SCADA devices. See the @CISAgov, @DOE_CESER, @NSACyber, & @FBI joint Cybersecurity Advisory: https://t.co/3xF9hSvlaQ pic.twitter.com/ryvl7SZ3Fx— CISA Infrastructure Security (@CISAInfraSec) April 13, 2022
Eric Goldstein, executive assistant director of the cybersecurity division at CISA, tells Information Security Media Group that the agency's advisory sought to offer "tangible and timely information about cyber threats," along with measures for critical infrastructure companies to strengthen their security.
"We know that threat actors continue to conduct reconnaissance for vulnerable industrial control system, or ICS, internet-connected devices, leverage malicious custom-made tools and exploit known vulnerabilities. We urge every organization with ICS and SCADA devices, especially energy sector organizations, to review and implement recommended mitigations," he says.
Unidentified APT actors have designed specialized tools capable of damaging programmable logic controllers from Schneider Electric and Omron Corp., and servers from Open Platform Communications Unified Architecture, the advisory says.
"The tools enable them to scan for compromised and control-affected devices once they [threat actors] have established initial access to the operational technology [OT] network. The actors can compromise Windows-based engineering workstations, which may be present in IT or OT environments, using an exploit that compromises an ASRock motherboard driver [
AsrDrv103.sys] with known vulnerabilities [CVE-2020-15368]," the advisory says.
Using these tools, a successful compromise of the ICS and SCADA devices can be achieved and, subsequently, full system/persistent access to these devices can be maintained, the advisory adds. Also, "APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions" with this degree of access, the joint advisory says.
Which Devices Are Affected?
The joint advisory says that the tools have a modular architecture and enable threat actors to conduct highly automated exploits against the following targeted ICS/SCADA-related devices:
- Schneider Electric MODICON and MODICON Nano PLCs, including TM251, TM241, M258, M238, LMC058 and LMC078;
- Omron Sysmac NJ and NX PLCs, including NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT;
- OPC Unified Architecture (OPC UA) servers.
APT Tools Used
The APT tools were first spotted by researchers at cybersecurity firm Mandiant in early 2022. Along with Schneider Electric, Mandiant analyzed the specifics and explored how the tools functioned, according to a Schneider Electric security bulletin. Mandiant has named the set of tools INCONTROLLER.
According to Mandiant's security blog, INCONTROLLER includes three tools that enable the attacker to send instructions to a variety of different ICS devices embedded across different types of machinery used in various critical industries such as power plants, milling machines and industrial press machines used in the manufacturing sector.
Mandiant tells ISMG that the three tools, described in the table below, can be used to shut down critical machinery, sabotage industrial processes and disable safety controllers to cause physical destruction of machinery that could potentially lead to the loss of human lives.
Mandiant adds that each tool can be used independently or in combination with others to attack a single environment as shown in the tooling overview diagram below.
Both CISA and Mandiant tell ISMG that attribution of these tools to any publicly known APT at this time is not possible as there is no conclusive evidence. But Mandiant says that the functionality of INCONTROLLER is similar to the malware used in Russia's prior cyber physical attacks.
Nathan Brubaker, director of intelligence analysis at Mandiant, adds that INCONTROLLER represents an exceptionally rare and dangerous cyberattack capability, following Stuxnet, Industroyer and Trion as the fourth-ever attack-oriented ICS malware."
Citing the functionalities of these APT tools, Brubaker tells ISMG that it is likely that a state-sponsored group has developed these tools. "[It] contains capabilities related to disruption, sabotage and potentially physical destruction. While we are unable to definitively attribute the malware, we note that the activity is consistent with Russia's historical interest in ICS."
As a result, Mandiant's experts also believe "INCONTROLLER poses the greatest threat to Ukraine, NATO member states, and other states actively responding to Russia's [ongoing] invasion of Ukraine."
Organizations should take immediate action to determine if the targeted ICS devices are present in their environments and begin applying vendor-specific countermeasures, Brubaker adds.
Around the same time that Mandiant and Schneider Electric discovered these tools, Dragos' independent research also spotted them. The cybersecurity firm named it PIPEDREAM; Schneider acknowledges this in its security bulletin.
Dragos says that PIPEDREAM is the seventh-known ICS-specific malware and attributes it to the CHERNOVITE activity group, which the company is said to have been tracking since 2021.
Unlike Mandiant, which described a set of three tools, Dragos split the tools into five components:
Dragos says that "these combined components allow CHERNOVITE to enumerate an industrial environment, infiltrate engineering workstations, exploit process controllers, cross security and process zones, fundamentally disable controllers and manipulate executed logic and programming," which is similar to the functionality of Mandiant's discovered tools.
All of these capabilities can lead to a loss of safety, availability, and control of an industrial environment, dramatically increasing time-to-recovery, while potentially placing lives, livelihoods, and communities at risk, Dragos adds.
CISA's spokesperson tells ISMG that the agency and its interagency partners are not aware of these tools being used by any of the APT actors in the wild, and therefore "the U.S. government has not publicly attributed the APT actors referenced in this [joint] advisory."
Although no active use of these tools has been noted, the joint security advisory from CISA warns that these "tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.
The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents and modify device parameters.
CISA, Mandiant, Dragos and Schneider Electric have all published a host of mitigation measures for the safety and security of ICS and SCADA devices in their respective blogs.