Incontroller ICS malware has “rare, dangerous” abilities, says Mandiant
According to a new alert, a suite of novel attack tools targeting industrial control systems (ICS), dubbed Incontroller by researchers from Mandiant and Schneider Electric, poses a critical risk to organizations whose equipment contains the targeted machine automation devices.
Incontroller interacts with specific Schneider Electric and Omron components embedded in various types of machines used across multiple industries. Known targets include Schneider Electric Modicon M251, Modicon M258 and Modicon M221 Nano PLCs, as well as Omron NX1P2 and NJ501 PLCs and R88D-1SN10F ECT servo drives. Most likely, the operators of Incontroller selected these devices based on reconnaissance of specific target environments, a fairly common practice for ICS malware in the past.
Nathan Brubaker, Director of Intelligence Analysis at Mandiant, said: “Incontroller is the fourth-ever attack-focused ICS malware, following Stuxnet, Industroyer and Triton, presenting an exceptionally rare and dangerous cyberattack capability.
“Incontroller is very likely state-sponsored and contains abilities related to disruption, sabotage, and possibly physical destruction. While we cannot positively identify the malware, we note that the activity is consistent with Russia’s historical interest in ICS.
“Incontroller poses a critical risk to organizations using targeted and affected devices. Organizations should take immediate action to determine if the targeted ICS devices are present in their environment and begin applying vendor-specific countermeasures, detection methods, and hunting tools.”
Incontroller includes three tools that allow an attacker to interact with ICS devices over different network protocols. The tools are called Tagrun, Codecall and Omshell.
The first, Tagrun, provides scanning and reconnaissance capability and builds a detailed view of systems and processes, but it can also write and change tag values, meaning it could be used to modify data in support of an attack or for obfuscation.
Codecall, on the other hand, is used to communicate with Schneider Electric ICS devices via the Modbus and Codesys protocols. Its abilities include uploading, downloading, and deleting files on the device, disconnecting existing sessions, attempting distributed denial of service (DDoS) attacks, causing crashes, and sending custom raw packets.
Finally, Omshell serves to get shell access to Omron devices via both HTTP and Omron’s proprietary FINS protocol. Besides enumerating target devices, it can wipe program memory and perform resets, connect to a backdoor on the device to run arbitrary commands, kill arbitrary processes on the device, and transfer files to it.
Mandiant said indicator-based detections are unlikely to catch Incontroller in victim environments, most likely because attackers have almost certainly modified and customized it extensively, as they have its peer ICS malware. Instead, attention should be paid to behavior-based hunting and detection methods. Mandiant's full report provides more detailed information on detecting, confronting, and containing the threat.
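The behavior-based approach the report recommends can be illustrated with a small network hunt. The script below is an added example, not Mandiant's tooling or anything from the report: it parses constructed Zeek-style conn.log lines and flags sessions that reach a PLC on an ICS service port from a host that is not an approved engineering workstation, and separately flags any such host that talks to PLCs over more than one ICS protocol, which is the kind of cross-protocol enumeration the Incontroller components perform. The PLC addresses, the engineering-host allowlist and the log lines are constructed; the port-to-protocol map (Modbus/TCP 502, Omron FINS 9600, CODESYS 1217 and 11740, plain HTTP 80) is an assumption that a real deployment would replace with its own asset inventory.

```python
"""Behavior-based hunt for unexpected ICS protocol sessions to PLCs.

Added illustration only; not Mandiant's code or part of the report.
Input is Zeek-style conn.log rows (tab-separated):
    ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
"""
from collections import defaultdict

# Assumed service-port map; replace with the plant's own inventory.
ICS_PORTS = {502: "modbus", 9600: "fins", 1217: "codesys",
             11740: "codesys", 80: "http"}

# Constructed asset inventory: PLC addresses and approved workstations.
PLCS = {"10.1.5.10", "10.1.5.11", "10.1.5.20"}
ENGINEERING_HOSTS = {"10.1.1.5"}

# Constructed sample conn.log rows (no real traffic).
SAMPLE_LOG = [
    "1649800000.1\tC1\t10.1.1.5\t50001\t10.1.5.10\t502\ttcp",    # approved Modbus
    "1649800001.2\tC2\t10.1.7.44\t50002\t10.1.5.10\t502\ttcp",   # unexpected Modbus
    "1649800002.3\tC3\t10.1.7.44\t50003\t10.1.5.20\t9600\tudp",  # unexpected FINS
    "1649800003.4\tC4\t10.1.7.44\t50004\t10.1.5.20\t80\ttcp",    # unexpected HTTP to PLC
    "1649800004.5\tC5\t10.1.7.44\t50005\t10.1.9.9\t443\ttcp",    # not a PLC, ignored
    "1649800005.6\tC6\t10.1.1.5\t50006\t10.1.5.11\t1217\ttcp",   # approved CODESYS
]


def parse_conn_log(lines):
    """Parse conn.log rows into dicts, skipping comments and short rows."""
    records = []
    for line in lines:
        if line.startswith("#"):
            continue
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 7:
            continue
        ts, uid, src, sport, dst, dport, proto = fields[:7]
        records.append({"ts": float(ts), "uid": uid, "src": src,
                        "sport": int(sport), "dst": dst,
                        "dport": int(dport), "proto": proto})
    return records


def ics_sessions(records):
    """Yield only sessions that reach a known PLC on an ICS service port."""
    for r in records:
        if r["dst"] in PLCS and r["dport"] in ICS_PORTS:
            yield r


def find_unexpected_sessions(records):
    """Sessions to PLCs from hosts outside the engineering allowlist."""
    findings = []
    for r in ics_sessions(records):
        if r["src"] not in ENGINEERING_HOSTS:
            findings.append({"uid": r["uid"], "src": r["src"],
                             "dst": r["dst"],
                             "service": ICS_PORTS[r["dport"]]})
    return findings


def find_multi_protocol_sources(records):
    """Non-approved hosts touching PLCs over more than one ICS protocol."""
    seen = defaultdict(set)
    for r in ics_sessions(records):
        if r["src"] not in ENGINEERING_HOSTS:
            seen[r["src"]].add(ICS_PORTS[r["dport"]])
    return {src: protos for src, protos in seen.items() if len(protos) > 1}


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_LOG)
    for f in find_unexpected_sessions(recs):
        print(f"unexpected {f['service']} session {f['uid']}: "
              f"{f['src']} -> {f['dst']}")
    for src, protos in find_multi_protocol_sources(recs).items():
        print(f"multi-protocol PLC access from {src}: {sorted(protos)}")
```

Both checks are deliberately inventory-driven rather than signature-driven: they do not depend on any hash or string from a particular Incontroller build, so a recompiled or customized variant still stands out as long as it has to speak Modbus, CODESYS, FINS or HTTP to a PLC from somewhere other than the sanctioned engineering hosts. On a real network the conn.log rows would come from a span port or tap in the control zone, and the allowlist from the site's asset register.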
Although Mandiant refrained from directly attributing Incontroller to a Russian Advanced Persistent Threat (APT) actor, historical evidence pointed in that direction. As such, Incontroller is likely to be a more pressing threat to organizations with a presence in Ukraine, and to a lesser extent to NATO member states and other allied countries.
Incontroller is the second ICS-specific group of malware tools to surface in a week. On April 12, researchers from ESET together with the Ukrainian government’s computer emergency response team, CERT-UA, revealed the existence of Industroyer2, which was used in an attack on a Ukrainian electricity company. The attack was successfully repelled.
Industroyer2, a successor to Industroyer, a tool of the Sandworm (also known as Voodoo Bear) APT, which is affiliated with the Russian intelligence agency GRU, targeted the victim's high-voltage substations on Windows, Linux and Solaris operating systems. It is a highly targeted malware that is likely specially tailored to each target chosen by its operators.
In light of these disclosures, on April 13 the US Cybersecurity and Infrastructure Security Agency (CISA) issued a new alert about threats to ICS infrastructure, including the threat from Incontroller.