The United States government recently alerted that advanced persistent threat (APT) actors have developed tools capable of hijacking industrial equipment deployed in vital infrastructure sectors.
Cybercriminals can use specialized hacking tools “to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network,” as per a joint cybersecurity advisory (CSA) released on April 13 by the FBI, NSA, Cybersecurity and Infrastructure Security Agency (CISA), and Department of Energy (DOE). “The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.”
One tool uses a flaw (CVE-2020-15368) in the ASRock-signed motherboard driver AsrDrv103.sys to run malicious code in the Windows kernel, allowing for lateral movement and privilege escalation. Multiple Schneider Electric programmable logic controllers (PLCs) and OMRON Sysmac NEX PLCs, as well as Open Platform Communications Unified Architecture (OPC UA) servers, are among the susceptible industrial control system (ICS) or supervisory control and data acquisition (SCADA) equipment.
PLCs (programmable logic controllers) are solid-state computers that monitor inputs and make decisions about the outputs of automated processes or equipment. OPC UA is a platform-independent, extensible standard for securing data sharing in industrial systems. Malicious hackers with even basic technical capabilities may launch highly automated exploits against targeted devices using modular attack tools, including a command interface that replicates the interface of the targeted devices.
Dragos, an industrial cybersecurity firm, claimed the toolkit is only the third ICS-specific malware ever discovered and is the product of a secretive threat organization known as ‘Chernovite.’ According to Robert M Lee, Dragos CEO and co-founder. However, the malware is specialized to target liquid natural gas and electric assets. It is adaptable enough to target a range of industrial controllers and systems.
Mandiant, a cybersecurity firm, revealed in an analysis that the toolkit “represents an exceptionally rare and dangerous cyber-attack capability.” The tool, dubbed Incontroller by Mandiant, was compared to Triton, which was used in a 2017 effort to deactivate an industrial safety system; Industroyer, which triggered a power outage in Ukraine in 2016; and Stuxnet, which destroyed Iran’s nuclear program in 2010.
Unusually, the tools were discovered before they were released on networks, offering “defenders a unique opportunity to defend ahead of the attacks,” according to Lee. He continued saying that while the malicious capability is complex, with various abilities, adopting basic ICS cybersecurity principles like having a defensible architecture, an ICS-specific incident response plan, and ICS network monitoring provide solid protection against this threat.
The announcement comes after the Biden administration warned critical infrastructure entities to prepare for cyber-attacks from Russia as the country continues to wage war in Ukraine.