The US government on Wednesday warned of nation-state actors using specialized malware to maintain access to industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.
“APT actors have developed custom tools for targeting ICS/SCADA devices,” several US agencies said in a warning. “The tools allow them to scan for, compromise and control compromised devices once they have initial access to the operational technology (OT) network.”
The joint federal advisory comes courtesy of the US Department of Energy (DoE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI).
The bespoke tools are specifically designed to highlight Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs and Open Platform Communications Unified Architecture (OPC UA) servers.
In addition, the unnamed actors are said to have the ability to infiltrate Windows-based engineering workstations across IT and OT networks by taking advantage of an exploit that compromises an ASRock-signed motherboard driver with known vulnerabilities (CVE -2020-15368).
The intent, authorities said, is to use access to ICS systems to escalate privileges, move laterally within networks, and sabotage mission-critical functions in liquefied natural gas (LNG) and electric power environments.
Industrial cybersecurity firm Dragos, which has been tracking the malware under the name “PIPEDREAM” since early 2022, described it as a “modular ICS attack framework that an attacker could leverage to cause disruption, impairment, and potentially even destruction, depending on the targets and environment.” .”
Dragos CEO Robert M. Lee attributed the malware to a state actor called CHERNOVITE, who assesses with great confidence that the destructive toolkit has not yet been used in real attacks, making it perhaps the first time that “an industrial cyber capability has been found *before* its intended impact.” “
PIPEDREAM has a set of five components to achieve its objectives, allowing it to conduct reconnaissance, hijack target devices, manipulate controller execution logic, and disrupt PLCs, effectively causing “loss of security, availability, and control of a… industrial environment.”
The versatile malware is also known to leverage CODESYS, a third-party development environment for programming controller applications, which contained up to 17 different vulnerabilities in the last year alone.
“Skills to reprogram and potentially disable safety controls and other machine automation controls could then be used to disable the emergency shutdown system and subsequently manipulate the operating environment into unsafe conditions,” Dragos warned.
Coinciding with the disclosure is another report from threat intelligence firm Mandiant, which has uncovered what it calls a “set of novel industrial control system (ICS) attack tools” targeting machine automation devices from Schneider Electric and Omron.
The state-sponsored malware, dubbed INCONTROLLER, is designed to “interact with specific industrial equipment embedded in various types of machines used in multiple industries” using industrial network protocols such as OPC UA, Modbus, and CODESYS.
However, it is still unclear how the authorities as well as Dragos and Mandiant found the malware. The findings come a day after Slovakian cybersecurity firm ESET detailed the use of an updated version of the Industroyer malware in a failed cyberattack against an unnamed utility company in Ukraine last week.
“INCONTROLLER [aka PIPEDREAM] represents an exceptionally rare and dangerous cyberattack capability,” Mandiant said. “It’s comparable to Triton, which tried to disable an industrial security system in 2017; Industroyer, which caused a power outage in Ukraine in 2016; and Stuxnet, which sabotaged Iran’s nuclear program around 2010.”
To mitigate potential threats and secure ICS and SCADA devices, authorities recommend organizations to enforce multi-factor authentication for remote access, change passwords regularly, and be constantly on the lookout for malicious indicators and behavior.