U.S. Warns of APT Hackers Targeting ICS/SCADA Systems with Specialized Malware

The U.S. government on Wednesday warned of nation-state actors
deploying specialized malware to maintain access to industrial
control systems (ICS) and supervisory control and data acquisition
(SCADA) devices.

“The APT actors have developed custom-made tools for targeting
ICS/SCADA devices,” multiple U.S. agencies said[1]
in an alert. “The tools enable them to scan for, compromise, and
control affected devices once they have established initial access
to the operational technology (OT) network.”

The joint federal advisory comes courtesy of the U.S. Department
of Energy (DoE), the Cybersecurity and Infrastructure Security
Agency (CISA), the National Security Agency (NSA), and the Federal
Bureau of Investigation (FBI).

The custom-made tools are specifically designed to target
Schneider Electric programmable logic controllers (PLCs), OMRON
Sysmac NEX PLCs, and Open Platform Communications Unified
Architecture (OPC UA) servers.

On top of that, the unnamed actors are said to possess
capabilities to compromise Windows-based engineering workstations
across IT and OT networks by exploiting a known
vulnerability[2] (CVE-2020-15368[3]) in an ASRock-signed
motherboard driver.

The intent, the agencies said, is to leverage the access to ICS
systems to elevate privileges, move laterally within the networks,
and sabotage mission-critical functions in liquefied natural gas
(LNG) and electric power environments.

Industrial cybersecurity company Dragos, which has been tracking
the malware under the name “PIPEDREAM[4]” since early 2022,
described it as a “modular ICS attack framework that an adversary
could leverage to cause disruption, degradation, and possibly even
destruction depending on targets and the environment.”

Dragos CEO Robert M. Lee attributed[5]
the malware to a state actor dubbed CHERNOVITE, assessing with high
confidence that the destructive toolkit has yet to be employed in
real-world attacks, making it possibly the first time “an
industrial cyber capability has been found *prior* to its
deployment for intended effects.”

PIPEDREAM features[6]
an array of five components to accomplish its goals, enabling it to
conduct reconnaissance, hijack target devices, tamper with the
execution logic of controllers, and disrupt PLCs, effectively
leading to “loss of safety, availability, and control of an
industrial environment.”

The versatile malware is also known to take advantage of
CODESYS, a third-party development environment for programming
controller applications, which has been found to contain as many
as 17 different[7] security vulnerabilities[8] in the past year
alone.

“Capabilities to reprogram and potentially disable safety
controllers and other machine automation controllers could then be
leveraged to disable the emergency shutdown system and subsequently
manipulate the operational environment to unsafe conditions,”
Dragos cautioned.

Coinciding with the disclosure is another report from threat
intelligence firm Mandiant, which uncovered what it calls a “set of
novel industrial control system (ICS)-oriented attack tools” aimed
at machine automation devices from Schneider Electric and
Omron.

The state-sponsored malware, which it has named INCONTROLLER[9], is designed to
“interact with specific industrial equipment embedded in different
types of machinery leveraged across multiple industries” by means
of industrial network protocols such as OPC UA, Modbus, and
CODESYS.

That said, it’s unclear as yet how the government agencies as
well as Dragos and Mandiant found the malware. The findings come a
day after Slovak cybersecurity company ESET detailed the use of an
upgraded version of the Industroyer malware[10] in a failed cyberattack
directed against an unnamed energy provider in Ukraine last
week.

“INCONTROLLER [aka PIPEDREAM] represents an exceptionally rare
and dangerous cyber attack capability,” Mandiant said. “It is
comparable to Triton[11], which attempted to
disable an industrial safety system in 2017; Industroyer, which
caused a power outage in Ukraine in 2016; and Stuxnet[12], which sabotaged the
Iranian nuclear program around 2010.”

To mitigate potential threats and secure ICS and SCADA devices,
the agencies are recommending that organizations enforce
multi-factor authentication for remote access, change passwords
periodically, and continuously monitor for malicious indicators
and behaviors.
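As an added illustration of that last recommendation, monitoring the OT network for the behaviours the advisory describes (scanning devices, then issuing commands to them), here is a small Python example. It is not code from the advisory, Dragos or Mandiant, and it does not detect PIPEDREAM specifically: it parses Modbus/TCP requests and flags write or device-identification function codes coming from hosts outside an allow-list of engineering workstations. The allow-list address and the captured frames are constructed for the example.

```python
"""Flag Modbus/TCP write and reconnaissance requests from unexpected hosts.

Added illustration of the "monitor for malicious behaviour" recommendation;
this is not code from the advisory, Dragos, or Mandiant. The allow-list
address and the captured frames below are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Modbus function codes that change controller state (public Modbus spec).
WRITE_FUNCS: Dict[int, str] = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}
# Function codes commonly used to fingerprint or probe a device.
RECON_FUNCS: Dict[int, str] = {
    0x08: "Diagnostics",
    0x2B: "Encapsulated Interface Transport (Read Device Identification)",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> Optional[ModbusRequest]:
    """Parse one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU.

    Returns None when the header is inconsistent with the frame, so a
    malformed or non-Modbus payload on port 502 is surfaced instead of
    being silently treated as a harmless read.
    """
    if len(frame) < 8:  # MBAP (7 bytes) plus at least a function code
        return None
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:  # protocol identifier is always 0 for Modbus
        return None
    if length != len(frame) - 6:  # length field counts unit id + PDU bytes
        return None
    return ModbusRequest(tid, unit_id, frame[7], frame[8:])


def classify(src_ip: str, frame: bytes, allowed_writers: Set[str]) -> Tuple[str, str]:
    """Return (verdict, detail) for a single request seen on the OT network."""
    req = parse_modbus_tcp(frame)
    if req is None:
        return ("alert-malformed", "unparseable frame")
    fc = req.function_code
    if fc in WRITE_FUNCS:
        if src_ip in allowed_writers:
            return ("write-allowed", WRITE_FUNCS[fc])
        return ("alert-unexpected-write", WRITE_FUNCS[fc])
    if fc in RECON_FUNCS:
        return ("alert-recon", RECON_FUNCS[fc])
    return ("read", f"function 0x{fc:02x}")


def scan(traffic: List[Tuple[str, bytes]], allowed_writers: Set[str]) -> List[Tuple[str, str, str]]:
    """Classify every (src_ip, frame) pair in capture order."""
    return [(src, *classify(src, frame, allowed_writers)) for src, frame in traffic]


# Constructed sample capture: an HMI read, an unknown host fingerprinting a
# PLC and then pushing register values, a legitimate engineering write, and
# one frame with a bad protocol identifier.
ALLOWED_WRITERS = {"10.1.1.20"}  # assumed engineering workstation
SAMPLE_TRAFFIC = [
    ("10.1.1.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),                # Read Holding Registers
    ("10.1.1.77", bytes.fromhex("0003 0000 0005 01 2b 0e 01 00")),                 # Read Device Identification
    ("10.1.1.77", bytes.fromhex("0002 0000 000b 01 10 0010 0002 04 0001 0002")),   # Write Multiple Registers
    ("10.1.1.20", bytes.fromhex("0004 0000 0006 01 06 0001 00ff")),                # Write Single Register
    ("10.1.1.77", bytes.fromhex("0005 0001 0006 01 03 0000 000a")),                # protocol id != 0
]

if __name__ == "__main__":
    for src, verdict, detail in scan(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print(f"{src:<12} {verdict:<24} {detail}")
```

Modbus carries no authentication, so the source address is the only thing a monitor can anchor on; an adversary that has already taken over an allowed engineering workstation, which is the foothold the advisory describes, would pass this check. That is why the agencies pair monitoring with MFA and credential hygiene rather than relying on any one control.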

References

  1. said (www.cisa.gov)
  2. known vulnerabilities (github.com)
  3. CVE-2020-15368 (nvd.nist.gov)
  4. PIPEDREAM (www.dragos.com)
  5. attributed (twitter.com)
  6. features (hub.dragos.com)
  7. 17 different (thehackernews.com)
  8. security vulnerabilities (thehackernews.com)
  9. INCONTROLLER (www.mandiant.com)
  10. Industroyer malware (thehackernews.com)
  11. Triton (thehackernews.com)
  12. Stuxnet (thehackernews.com)