Cyber Alert: New State-Sponsored APT Cyber Tools Targeting ICS/SCADA Devices, Multiple Industrial Control Systems
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) are releasing a Cybersecurity Advisory (CSA) to warn that certain Advanced Persistent Threat (APT) actors have exhibited the capability to gain full system access to multiple Industrial Control System (ICS)/Supervisory Control and Data Acquisition (SCADA) devices.
The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise and control affected devices once they have established initial access to the Operational Technology (OT) network.
Additionally, the actors can compromise Windows-based engineering workstations, which may be present in Information Technology (IT) or OT environments, using an exploit for known vulnerabilities in an ASRock motherboard driver. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment and disrupt critical devices or functions.
Suggested Immediate Company-Wide Actions
- Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
- Leverage a properly installed continuous OT monitoring solution to log and alert on malicious indicators and behaviors.
Suggested Immediate Individual Actions
- Change all passwords to ICS/SCADA devices and systems, especially all default passwords, to device-unique strong passwords; this mitigates password brute-force attacks and gives defender monitoring systems an opportunity to detect common attacks.
- Report all suspected phishing attempts.
- Remain vigilant in monitoring for suspicious activities on networks.
The Cyber Breakdown
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) recently released a joint Cybersecurity Advisory (CSA) warning that certain advanced persistent threat (APT) actors appear to be able to gain full system access to ICS and SCADA devices and systems. Codenamed INCONTROLLER (Mandiant) and PIPEDREAM (Dragos), the toolset has been compared to TRITON, which attempted to disable an industrial safety system in 2017; INDUSTROYER, which caused a power outage in Ukraine in 2016; and STUXNET, which sabotaged the Iranian nuclear program around 2010.
In early 2022, Mandiant, in partnership with Schneider Electric, analyzed a set of novel industrial control system (ICS)-oriented attack tools built to target machine automation devices. The tools can interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries. While the targeting of any operational environments using this toolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment. INCONTROLLER contains capabilities related to disruption, sabotage, and potentially physical destruction.
Researchers at Mandiant, Palo Alto Networks, Microsoft and Schneider Electric also contributed to the advisory.
How It Occurred – APT Tool for Schneider Electric Devices (CODECALL)
The APT actors’ tool for Schneider Electric devices has modules that interact via normal management protocols and Modbus (TCP 502). This allows cyber actors to:
- Brute-force passwords using CODESYS (note: not limited to Schneider PLCs)
- Conduct denial-of-service (DoS) attacks
- Reset connections, forcing reauthentication so that credentials can be captured
How It Occurred – APT Tool for Omron FIN (OMSHELL)
The tool's OMRON modules can upload an agent that allows a cyber actor to connect and initiate commands—such as file manipulation, packet captures and code execution—via HTTP and/or Hypertext Transfer Protocol Secure (HTTPS).
How It Occurred – APT Tool for OPC UA (TAGRUN)
The APT actors’ tool for OPC UA has modules with basic functionality to identify OPC UA servers and to connect to an OPC UA server using default or previously compromised credentials. The client can read the OPC UA structure from the server and potentially write tag values available via OPC UA.
Taken together, these tools could allow the actors to:
- Disrupt controllers for operational shutdown
- Reprogram controllers for sabotage
- Disable safety controls leading to physical destruction or harm
To help keep your Schneider Electric products secure and protected, it is suggested that you implement the cybersecurity best practices described in the Recommended Cybersecurity Best Practices white paper provided on the Schneider Electric website.
Omron's guidance for unpatched vulnerabilities, as noted in their security brief, indicates that external firewall filtering of identified FIN ports can be used as mitigation.
OPC UA (TAGRUN)
- Monitor and, where possible, block external traffic to OPC UA ports, both to detect anomalous traffic and to keep external network traffic from reaching OPC UA-associated ports.
- Enable and aggregate audit logs for OPC servers and clients.
- Do not expose management interfaces for network devices to the internet.
- Keep network devices up to date with the latest security and firmware releases from the product manufacturer.
- Implement ICS-aware intrusion protection systems to aid in monitoring for function codes from potentially malicious sources.
- Periodically review audit logs for inconsistent or nefarious connections, security option negotiations, configuration changes and user interaction.
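The kind of function-code monitoring the last list item calls for, applied to the Modbus/TCP (port 502) traffic the CODECALL section describes, as an added example that is not part of the advisory or of any vendor's product: it parses the MBAP header, flags state-changing requests from hosts outside a sanctioned-writer allowlist, and flags the request bursts a password brute-force or DoS attempt would produce. The workstation addresses, sample frames and rate threshold are constructed assumptions.

```python
import struct
from collections import Counter

# Modbus function codes that change controller state; expect them only from sanctioned hosts.
STATE_CHANGING = {5: "Write Single Coil", 6: "Write Single Register",
                  8: "Diagnostics", 15: "Write Multiple Coils",
                  16: "Write Multiple Registers", 23: "Read/Write Multiple Registers"}

def modbus_frame(tid, unit, fc, data):
    """Build a Modbus/TCP request: MBAP header (transaction id, protocol id 0,
    length of unit id + PDU, unit id) followed by function code and data."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([fc]) + data

def parse_modbus_tcp(frame):
    """Return MBAP fields and function code, or None for a malformed frame."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def detect(flows, allowed_writers, rate_threshold=10):
    """flows: (source_ip, frame) pairs seen toward TCP/502 in one time window.
    Alerts on state-changing requests from non-allowlisted sources, malformed
    frames, and sources whose request volume suggests brute forcing or flooding."""
    alerts, per_source = [], Counter()
    for src, frame in flows:
        per_source[src] += 1
        pdu = parse_modbus_tcp(frame)
        if pdu is None:
            alerts.append(f"{src}: malformed Modbus/TCP frame")
            continue
        fc = pdu["function"]
        if fc in STATE_CHANGING and src not in allowed_writers:
            alerts.append(f"{src}: {STATE_CHANGING[fc]} (FC {fc}) to unit "
                          f"{pdu['unit']} from non-allowlisted host")
    for src, count in per_source.items():
        if count > rate_threshold:
            alerts.append(f"{src}: {count} requests in window exceeds {rate_threshold}")
    return alerts

# Constructed sample traffic: one sanctioned workstation and one unknown host.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_FLOWS = [
    ("10.0.0.5", modbus_frame(1, 1, 3, b"\x00\x00\x00\x0a")),               # routine poll
    ("10.0.0.5", modbus_frame(2, 1, 16, b"\x00\x00\x00\x01\x02\x00\x00")),  # sanctioned write
    ("10.0.0.99", modbus_frame(3, 1, 16, b"\x00\x00\x00\x01\x02\x00\x00")), # unsanctioned write
    ("10.0.0.99", b"\x00\x04\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),     # protocol id != 0
] + [("10.0.0.99", modbus_frame(10 + i, 1, 3, b"\x00\x00\x00\x01")) for i in range(12)]
```

Running `detect(SAMPLE_FLOWS, ALLOWED_WRITERS)` yields one alert for the unsanctioned write, one for the malformed frame and one for the request burst from 10.0.0.99, while the sanctioned workstation's write passes silently.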
About ABS Group
ABS Group of Companies, Inc. (www.abs-group.com), through its operating subsidiaries, provides technical advisory and certification services to support the safety and reliability of high-performance assets and operations in the oil, gas and chemical, power generation, marine, offshore and government sectors, among others. Headquartered in Houston, Texas, ABS Group operates with more than 1,000 professionals globally. ABS Group is a subsidiary of ABS (www.eagle.org), a leading marine and offshore classification society.