US Warns of APT Hackers Targeting ICS/SCADA Systems


The U.S. government issued a warning on Wednesday about nation-state actors using specialized malware to keep industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices under their control.

ICS/SCADA devices are being targeted by APT actors who have developed custom-made tools, multiple U.S. agencies said in an alert. Once the actors have gained access to the OT network, the tools allow them to scan for, compromise and take control of affected devices.

The joint federal advisory was issued by the Department of Energy, CISA, NSA, and FBI to help protect the nation's critical infrastructure.

The custom-made tools target Schneider Electric and OMRON Sysmac NEX controllers as well as OPC UA servers.

The unnamed actors can also compromise Windows-based engineering workstations on both IT and OT networks by exploiting a known vulnerability (CVE-2020-15368) in an ASRock-signed motherboard driver.

Access to ICS systems could allow the intruders to elevate privileges, move laterally within networks, and disrupt mission-critical operations in LNG and electric power plants.

According to Dragos, a company specializing in industrial cybersecurity that has been tracking the malware, which it calls "PIPEDREAM," since early 2022, the malware is a "modular ICS attack framework that an adversary could leverage to cause disruption or degradation to a target or the environment."

According to Dragos chief executive officer Robert M. Lee, this is the first time "an industrial cyber capability has been found *prior* to its deployment for intended effects."

PIPEDREAM has five components that enable it to conduct reconnaissance, hijack target devices, tamper with the execution logic of controllers, and disrupt PLCs, effectively causing "loss of safety, availability, and control of an industrial environment."

The adaptable malware also abuses CODESYS, a third-party development environment for programming controller applications, in which 17 security flaws have been found in the past year alone.

"When safety controllers and other automation controllers can be reprogrammed, they can be used to disable the emergency shutdown system and manipulate the operational environment into unsafe conditions," Dragos warned.

Coinciding with the disclosure, threat intelligence firm Mandiant published a report on a "set of novel industrial control system (ICS)-oriented attack tools" aimed at machine automation devices from Schneider Electric and Omron.

Known as INCONTROLLER, the state-sponsored malware targets industrial network protocols such as OPC UA, Modbus, and CODESYS to "interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries."

Although the malware was disclosed by Dragos and Mandiant together with the government agencies, it is not yet clear how it was discovered. Separately, the Slovak cybersecurity firm ESET last week detailed the use of an upgraded version of the Industroyer malware in a failed cyberattack against an unnamed Ukrainian energy provider.

Mandiant, which tracks the toolset as INCONTROLLER (Dragos's PIPEDREAM), described it as an "extremely rare and dangerous cyber-attack capability," comparable to Triton, which attempted to disable an industrial safety system in 2017; Industroyer, which caused a power outage in Ukraine in 2016; and Stuxnet, which sabotaged the Iranian nuclear program around 2010.

For ICS and SCADA devices, the agencies are urging organizations to implement multi-factor authentication for remote access, change passwords frequently, and continuously monitor for suspicious behavior and indicators of compromise.
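The monitoring the agencies recommend can start with something very simple: flagging controller write or programming traffic (Modbus writes, CODESYS and OPC UA sessions, the protocols named above) that originates from any host other than the approved engineering workstations. The following is an added illustration, not code from the advisory or from Dragos or Mandiant; the log format, the addresses and the allowlist are all constructed.

```python
"""Flag controller write/reprogram activity from hosts that are not approved
engineering workstations. Added illustration: the log format, hosts and
allowlist below are constructed, not taken from the advisory."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Modbus function codes that change controller state (writes). Read codes
# (1-4) are normal polling and are not flagged on their own.
MODBUS_WRITE_CODES = {5, 6, 15, 16, 23}

# Hypothetical allowlist: only these hosts may write to or program controllers.
ENGINEERING_WORKSTATIONS = {"10.10.5.20"}

# One flow summary per line: src, dst, protocol, optional Modbus function code.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+)"
    r"(?: fc=(?P<fc>\d+))?"
)

@dataclass
class Finding:
    src: str
    dst: str
    reason: str

def inspect(line: str) -> Optional[Finding]:
    """Return a Finding for a state-changing flow from an unapproved host."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto = m["src"], m["dst"], m["proto"]
    if src in ENGINEERING_WORKSTATIONS:
        return None  # approved host: log it, but no alert
    if proto == "modbus" and m["fc"] and int(m["fc"]) in MODBUS_WRITE_CODES:
        return Finding(src, dst, f"modbus write fc={m['fc']} from unapproved host")
    if proto in ("codesys", "opcua"):
        return Finding(src, dst, f"{proto} session from unapproved host")
    return None

# Constructed sample flow summaries (not real captures).
SAMPLE_LOG = """\
src=10.10.5.20 dst=10.20.1.7 proto=modbus fc=16
src=10.10.7.44 dst=10.20.1.7 proto=modbus fc=3
src=10.10.7.44 dst=10.20.1.7 proto=modbus fc=16
src=10.10.7.44 dst=10.20.1.9 proto=codesys
src=10.10.5.20 dst=10.20.1.9 proto=opcua
""".splitlines()

def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (inspect(line) for line in lines) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT {f.src} -> {f.dst}: {f.reason}")
```

On the sample above, only the write and the CODESYS session from 10.10.7.44 are reported; the polling read and the traffic from the approved workstation are not.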
