Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



U.S. Warns Sophisticated ICS/SCADA Malware Can Damage Critical Infrastructure

Custom made, modular ICS attack framework can be used to disrupt and/or destruct devices in industrial environments

The U.S government is sounding a loud alarm after discovering new custom tools capable of full system compromise and disruption of ICS/SCADA devices and servers.

A joint advisory from the Department of Energy, CISA, NSA and the FBI warned that unidentified APT actors have created specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from open-source OPC Foundation.

“The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the agencies warned.

[ Related: Pipedream/Incontroller ICS Malware Built to Target Energy Facilities ]

“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions,” according to the joint advisory [PDF].

The government warning comes on the heels of a series of wiper malware attacks linked to Russia’s invasion of Ukraine and a software supply chain compromise that effectively crippled Viasat’s satellite internet service.

Privately owned ICS security firm Dragos issued a separate notice documenting what is now the seventh known industrial control system (ICS)-specific malware. “[This] is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment,” the company said.

Dragos, which calls the malware “PIPEDREAM“, said the combined components in the custom tool could allow attackers to enumerate an industrial environment, infiltrate engineering workstations, exploit process controllers, cross security and process zones, fundamentally disable controllers, and manipulate executed logic and programming. 

“All of these capabilities can lead to a loss of safety, availability, and control of an industrial environment, dramatically increasing time-to-recovery, while potentially placing lives, livelihoods, and communities at risk,” Dragos added.

The U.S. government agencies confirmed the Dragos assessment, warning that the tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. 

[ READ: ICS Patch Tuesday: Siemens, Schneider Fix Critical Flaws ]

“Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities. The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.”

The government has also spotted signs that the tool is being used to exploit a known-vulnerable ASRock-signed motherboard driver, PI, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. “Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions,” the agencies said.

The government advisory said the custom malware has been seen targeting the following products:

● Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;

● OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and 

● OPC Unified Architecture (OPC UA) servers.  

Security response teams are being pushed to  enforce multi-factor authentication for all remote access to ICS networks and devices and use a continuous OT monitoring solution to log and alert on malicious indicators and behaviors.

The government agencies are also recommending the isolation of ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters. 

Related: ICS Patch Tuesday: Siemens, Schneider Fix Several Critical Vulnerabilities

Related: High-Severity Vulnerabilities Patched in Omron PLC Programming Software

Related: Researchers Link ‘MeteorExpress’ Wiper to Iranian Train Cyberattack

Related: Flaws in Omron HMI Product Exploitable via Malicious Project Files

Related: Siemens Addresses Over 90 Vulnerabilities Affecting Third-Party Components


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


Siemens and Schneider Electric address nearly 100 vulnerabilities across several of their products with their February 2023 Patch Tuesday advisories.


White hat hackers received $180,000 at Pwn2Own Miami 2023 for exploits targeting widely used ICS products.