The U.S. government warned Wednesday that nation-state actors could use specialized malware to gain access to industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices.
“The APT actors have developed custom-made tools for targeting ICS/SCADA devices,” multiple U.S. agencies said in an alert. Once the actors gain access to an operational technology (OT) network, the tools allow them to scan for, compromise, and control affected devices.
The joint federal advisory comes courtesy of the U.S. Department of Energy, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI).
These custom-made tools were specifically created to target Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.
On top of that, the unnamed actors are said to possess capabilities to infiltrate Windows-based engineering workstations across IT and OT networks by making use of an exploit that compromises an ASRock-signed motherboard driver with known vulnerabilities (CVE-2020-15368).
The agencies stated that the purpose of the access to ICS devices is to elevate privileges, move laterally within the networks, and sabotage mission-critical functions in liquefied natural gas (LNG) and other power environments.
Industrial cybersecurity company Dragos, which has been tracking the malware under the name “PIPEDREAM” since early 2022, described it as a “modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.”
Dragos CEO Robert M. Lee attributed the malware to a state actor dubbed CHERNOVITE, assessing with high confidence that the destructive toolkit has yet to be employed in real-world attacks, making it possibly the first time “an industrial cyber capability has been found *prior* to its deployment for intended effects.”
PIPEDREAM features an array of five components to accomplish its goals, enabling it to conduct reconnaissance, hijack target devices, tamper with the execution logic of controllers, and disrupt PLCs, effectively leading to “loss of safety, availability, and control of an industrial environment.”
The versatile malware is also known to take advantage of CODESYS, a third-party development environment for programming controller applications, which has been found to contain as many as 17 different security vulnerabilities in the past year alone.
“Capabilities to reprogram and potentially disable safety controllers and other machine automation controllers could then be leveraged to disable the emergency shutdown system and subsequently manipulate the operational environment to unsafe conditions,” Dragos cautioned.
Coinciding with the disclosure is another report from threat intelligence firm Mandiant, which uncovered what it calls a “set of novel industrial control system (ICS)-oriented attack tools” aimed at machine automation devices from Schneider Electric and Omron.
The state-sponsored malware, which it has named INCONTROLLER, is designed to “interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries” by means of industrial network protocols such as OPC UA, Modbus, and CODESYS.
However, it is not clear how Dragos or Mandiant discovered the malware. The findings come a day after Slovak cybersecurity company ESET detailed the use of an upgraded version of the Industroyer malware in a failed cyberattack directed against an unnamed energy provider in Ukraine last week.
Mandiant stated: “INCONTROLLER is an extremely rare and deadly cyber attack capability. It is comparable to Triton, which attempted to disable an industrial safety system in 2017; Industroyer, which caused a power outage in Ukraine in 2016; and Stuxnet, which sabotaged the Iranian nuclear program around 2010.”
To mitigate potential threats and secure ICS and SCADA devices, the agencies are recommending that organizations enforce multi-factor authentication for remote access, periodically change passwords, and continuously be on the lookout for malicious indicators and behaviors.