Hackers have developed custom tools to gain full system access to a number of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, according to the US Cybersecurity and Infrastructure Security Agency (CISA).
The warning comes in a joint cybersecurity advisory released by the Department of Energy (DOE), CISA, the NSA, and the FBI that urges all critical infrastructure operators to immediately bolster the security of their ICS/SCADA devices and networks.
The custom-made tools have been developed for programmable logic controllers (PLCs) from Schneider Electric and OMRON Sysmac NEX, as well as Open Platform Communications Unified Architecture (OPC UA) servers.
SEE: This sneaky type of phishing is growing fast because hackers are seeing big paydays
CISA says the tools allow for “highly automated exploits” against targeted devices.
ICS security firm Dragos, which has studied the tools, dubs it Pipedream, the seventh-known piece of ICS-specific malware following Stuxnet, Havex, BlackEnergy, Crashoverride, and Trisis. It attributes the malware to an advanced persistent threat (APT) actor it calls Chevronite.
“Pipedream is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment,” Dragos explains.
Mandiant calls the malware INCONTROLLER. In early 2022, it worked with Schneider Electric to analyze the malware.
The APT group can disrupt ICS devices after gaining a foothold in a target’s operational technology (OT) network, which should be isolated from the internet. The attackers can also compromise Windows workstations used by engineers with an exploit for known vulnerabilities in ASRock motherboard drivers, according to CISA.
One known ASRock vulnerability is tracked as CVE-2020-15368 and affects the AsrDrv103.sys. The exploit for it can be used to execute malicious code in the Windows kernel, which is below the visibility of anti-malware technology.
The agencies stress that energy sector organizations in particular need to implement detections and mitigations detailed in the alert.
“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions,” CISA notes.
Devices known to be targeted by the APT group include:
- Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
- OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
- OPC Unified Architecture (OPC UA) servers.
Schneider Electric notes in a security bulletin about the malware that it is not aware of any confirmed or potential use of the malware, but notes: “The framework has capabilities related to disruption, sabotage, and potentially physical destruction.”
The agencies are urging organizations to “isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.”
They also recommend using multi-factor authentication for remote access to ICS networks and devices, to change all passwords to them regularly, and remove all default passwords.
The alert for the energy sector follows multiple warnings from the US government for all organizations to bolster cybersecurity amid rising tensions after Russia’s invasion of Ukraine. Satellite operator Viasat recently confirmed wiper malware knocked out thousands of end-user modems in Europe on the day Russia invaded Ukraine.