US warns of govt hackers targeting industrial control systems

A joint cybersecurity advisory issued by CISA, NSA, FBI, and the Department of Energy (DOE) warns of government-backed hacking groups being able to hijack multiple industrial devices using a new ICS-focused malware toolkit.

The federal agencies said the threat actors could use custom-built modular malware to scan for, compromise, and take control of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices.

"The APT actors' tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities," the joint advisory reads.

"The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters."

ICS/SCADA devices at risk of being compromised and hijacked include:

• Schneider Electric MODICON and MODICON Nano programmable logic controllers (PLCs)
• Omron Sysmac NJ and NX PLCs, and
• Open Platform Communications Unified Architecture (OPC UA) servers

DOE, CISA, NSA, and the FBI also found that state-sponsored hackers also have malware that leverages CVE-2020-15368 exploits to target Windows systems with ASRock motherboards to execute malicious code and move laterally to and disrupt IT or OT environments.

New malware targeting ICS devices

While the federal agencies did not share any additional info on the hacking tools and malware mentioned in the advisory, Robert M. Lee, the co-founder and CEO of industrial cybersecurity firm Dragos, said the company has been tracking this set of malicious tools as PIPEDREAM since its discovery in early 2022.

Developed by a group Dragos tracks as the CHERNOVITE Activity Group (AG), this is the seventh ICS-specific malware ever found.

"Dragos assesses with high confidence that PIPEDREAM has not yet been employed in the wild for destructive effects. This is a rare case of accessing and analyzing malicious capabilities developed by adversaries before their deployment and gives defenders a unique opportunity to prepare in advance," the company says.

"PIPEDREAM can manipulate a wide variety of industrial control programmable logic controllers (PLC) and industrial software, including Omron and Schneider Electric controllers.

"It can also execute attacks against the ubiquitous industrial technologies CoDeSyS, Modbus, and OPC UA. Together, a significant percentage of industrial assets worldwide are vulnerable to PIPEDREAM."

Dragos assesses with high confidence this was developed by a state actor with the intent on deploying it to disrupt key infrastructure sites.

— Robert M. Lee (@RobertMLee) April 13, 2022

Mandiant also tracks this toolkit as INCONTROLLER and said today that it "represents an exceptionally rare and dangerous cyber attack capability."

"It is comparable to TRITON, which attempted to disable an industrial safety system in 2017; INDUSTROYER, which caused a power outage in Ukraine in 2016; and STUXNET, which sabotaged the Iranian nuclear program around 2010," Mandiant added.

Recommended mitigation measures

The federal agencies recommend network defenders start taking measures to protect their industrial networks from attacks using these new capabilities and malicious tools.

They advise enforcing multifactor authentication (MFA) for remote access to ICS networks, changing default passwords to ICS/SCADA devices and systems, rotating passwords, and using OT monitoring solutions to detect malicious indicators and behaviors.

Additional mitigation measures can be found within today's advisory, with more information provided by CISA and the Department of Defense on blocking attacks targeting OT systems [PDF], layer network security via segmentation, and reducing exposure across industrial systems.

"APT actors are targeting certain ICS/SCADA devices and could gain full system access if undetected," the NSA said.

"We urge organizations to apply the detection and mitigation recommendations in our joint advisory to thwart this activity."