Connect with us

Hi, what are you looking for?



Public ICS Hacking Tools Make It Easier to Launch Attacks: FireEye

Publicly available hacking tools, many of which have been developed for research and testing purposes, lower the bar for threat actors looking to target industrial control systems (ICS) and operational technology (OT) networks, FireEye warned this week.

Publicly available hacking tools, many of which have been developed for research and testing purposes, lower the bar for threat actors looking to target industrial control systems (ICS) and operational technology (OT) networks, FireEye warned this week.

The cybersecurity firm told SecurityWeek that its Mandiant Intelligence team tracks nearly 100 tools that can be used to exploit vulnerabilities in ICS or interact with industrial equipment in an effort to support intrusions or attacks. The company also tracks hundreds of exploit modules developed for frameworks such as Metasploit, Core Impact and Immunity Canvas.

Of the ICS hacking tools tracked by FireEye — the company calls them ICS cyber operation tools — 28% are designed for discovering ICS devices on a network and 24% for software exploitation. Other tools are related to low-power radios, fuzzers, ICS devices connected to the internet, malware, hardware interaction, infrared ports, knowledge repositories, and ransomware.

ICS hacking tool types

FireEye says a majority of the tools are either vendor agnostic or designed to target the products of major manufacturers such as Siemens, Schneider Electric, ABB, GE, Rockwell Automation, and Wind River Systems.

In the case of modules designed for exploitation frameworks, FireEye has been tracking hundreds of ICS-specific modules covering a total of more than 500 vulnerabilities. Worryingly, 71 percent of these vulnerabilities are described by the company as “potential zero-days.”

“When we say potential zero day vulnerability, we mean that there is not enough information for us to determine if the exploited vulnerability is related to a specific CVE or identifier,” Nathan Brubaker, senior manager for analysis at FireEye, told SecurityWeek. “This changes every day as information on the exploits and vulnerabilities are updated often. However, given the large proportion of the exploited vulnerabilities that fall into this category, and the age of some of the exploits, we don’t anticipate seeing the percentage of vulnerabilities that are potential zero days to change dramatically. We also note that while there may be associated CVEs in some cases that are simply not identified, it is very difficult for an asset owner to learn which vulnerabilities are or are not exploited by these modules.”

Learn More About ICS Security at SecurityWeek’s 2020 ICS Cyber Security Conference

A majority of the modules are developed for Core Impact and Immunity Canvas, which are both commercial products, unlike Metasploit, which is freely available.

Advertisement. Scroll to continue reading.

In terms of the ICS products covered by these modules, many target Advantech, Schneider Electric, Siemens, Cogent, GE, and ICONICS.

Many of these ICS hacking tools have been developed by researchers and security practitioners, and they can be very useful for organizations looking to assess their security posture, but they can also make it easier for malicious actors to launch attacks on industrial systems.

“Although successful attacks against OT environments will normally require a high level of skills and expertise from threat actors, the tools and exploit modules discussed in this post are making it easier to bridge the knowledge gap,” FireEye said in a blog post.

The company added, “Awareness about the proliferation of ICS cyber operation tools should serve as an important risk indicator of the evolving threat landscape. These tools provide defenders with an opportunity to perform risk assessments in test environments and to leverage aggregated data to communicate and obtain support from company executives. Organizations that do not pay attention to available ICS cyber operation tools risk becoming low-hanging fruit for both sophisticated and unexperienced threat actors exploring new capabilities.”

Related: Dragos Acquires NexDefense, Releases Free ICS Assessment Tools

Related: GUI Now Available for Kamerka ICS/IoT Reconnaissance Tool

Related: Researcher Shows How Adversaries Can Gather Intel on U.S. Critical Infrastructure

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.