Custom made, modular ICS attack framework can be used to disrupt and/or destruct devices in industrial environments
The U.S government is sounding a loud alarm after discovering new custom tools capable of full system compromise and disruption of ICS/SCADA devices and servers.
A joint advisory from the Department of Energy, CISA, NSA and the FBI warned that unidentified APT actors have created specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from open-source OPC Foundation.
“The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the agencies warned.
“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions,” according to the joint advisory [PDF].
The government warning comes on the heels of a series of wiper malware attacks linked to Russia’s invasion of Ukraine and a software supply chain compromise that effectively crippled Viasat’s satellite internet service.
Privately owned ICS security firm Dragos issued a separate notice documenting what is now the seventh known industrial control system (ICS)-specific malware. “[This] is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment,” the company said.
Dragos, which calls the malware “PIPEDREAM“, said the combined components in the custom tool could allow attackers to enumerate an industrial environment, infiltrate engineering workstations, exploit process controllers, cross security and process zones, fundamentally disable controllers, and manipulate executed logic and programming.
“All of these capabilities can lead to a loss of safety, availability, and control of an industrial environment, dramatically increasing time-to-recovery, while potentially placing lives, livelihoods, and communities at risk,” Dragos added.
The U.S. government agencies confirmed the Dragos assessment, warning that the tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device.
“Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities. The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.”
The government has also spotted signs that the tool is being used to exploit a known-vulnerable ASRock-signed motherboard driver, PI, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. “Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions,” the agencies said.
The government advisory said the custom malware has been seen targeting the following products:
● Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
● OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
● OPC Unified Architecture (OPC UA) servers.
Security response teams are being pushed to enforce multi-factor authentication for all remote access to ICS networks and devices and use a continuous OT monitoring solution to log and alert on malicious indicators and behaviors.
The government agencies are also recommending the isolation of ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.