APT group has developed custom-made tools for targeting ICS/SCADA devices

Just a few days after news of the attempted use of a new Industroyer variant comes a warning from the US Cybersecurity and Infrastructure Security Agency (CISA): certain APT actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices.

These tools may allow attackers to compromise and control Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

“Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the agency explained.

Detection and defensive mitigations

Researchers from several cybersecurity companies, as well as one of the manufacturers of the targeted equipment, have been involved in the analysis of the malware: Dragos, Mandiant, Microsoft, Palo Alto Networks and Schneider Electric.

They have different specific and collective names for the various malicious programs – Dragos, for example, dubbed the entire toolset Pipedream, while Mandiant calls it Incontroller.

“The Pipedream malware initially targets Schneider Electric and Omron controllers; however, there are no vulnerabilities specific to those product lines. Pipedream takes advantage of native functionality in operations, making it more difficult to detect. It includes features such as the ability to spread from controller to controller and leverage popular ICS network protocols such as ModbusTCP and OPC UA,” said Robert M. Lee, CEO and Co-Founder of Dragos.

Dragos dubbed the group behind the malware Chernovite, and they “assess with high confidence” that it is a state-backed APT group that developed the toolset for disruptive or destructive operations against ICS (more specifically, against organizations handling liquefied natural gas (LNG) and electric utilities).

“While Chernovite is specifically targeting Schneider Electric and Omron PLCs, there could be other modules targeting other vendors as well, and Pipedream’s functionality could work across hundreds of different controllers. Said simply, a focus on the equipment vendor is misplaced, and instead the focus should be placed on the tactics and techniques the adversary is leveraging,” Dragos researchers noted.

There is some good news, though: the malware was discovered and analyzed, and details, IoCs and defensive actions that potential targets can take were publicly shared before the attackers were able to deploy it.

“Uniquely, this malware has not been employed in target networks. This provides defenders a unique opportunity to defend ahead of the attacks. While the malicious capability is sophisticated with a wide range of functionality, applying fundamental ICS cybersecurity practices such as having a defensible architecture, ICS specific incident response plan, and ICS network monitoring provide a robust defense,” Lee noted.
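Both Lee's remark that Pipedream abuses native ModbusTCP functionality and his recommendation of ICS network monitoring point at the same defensive check: watching who issues state-changing Modbus requests to controllers. The following is an added example, not code from the article, from Dragos, CISA or any vendor; it parses Modbus/TCP frames (MBAP header plus function code, per the public Modbus application protocol specification) and flags write, diagnostic and user-defined function codes from hosts outside a site-specific allow-list. The IP addresses, the allow-list and the sample frames are all constructed for the demonstration.

```python
"""Modbus/TCP write-watch: flag controller writes from unexpected hosts.

Added example, not part of the original article or of any vendor's tooling.
Assumes traffic has already been captured as (src_ip, dst_ip, tcp_payload)
tuples; the allow-list of engineering workstations is hypothetical.
"""
import struct

# Function codes that change controller state (Modbus Application Protocol spec).
WRITE_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
# Codes that expose diagnostic or vendor-defined behaviour rather than plain I/O.
SPECIAL_CODES = {8: "Diagnostics", 43: "Encapsulated Interface Transport"}

# Constructed allow-list: hosts permitted to write to PLCs (hypothetical address).
AUTHORIZED_WRITERS = {"10.0.10.5"}


def parse_mbap(payload: bytes):
    """Parse the 7-byte MBAP header plus function code; None if not Modbus/TCP."""
    if len(payload) < 8:
        return None
    txn_id, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # Protocol identifier is always 0 for Modbus; length counts unit id + PDU.
    if proto_id != 0 or length != len(payload) - 6:
        return None
    func = payload[7]
    return {
        "txn": txn_id,
        "unit": unit_id,
        "func": func & 0x7F,          # high bit set marks an exception response
        "exception": bool(func & 0x80),
        "pdu": payload[8:],
    }


def classify(src_ip, dst_ip, payload):
    """Return an alert string for a suspicious frame, None for benign/unparseable."""
    hdr = parse_mbap(payload)
    if hdr is None or hdr["exception"]:
        return None
    code = hdr["func"]
    where = f"{src_ip} -> {dst_ip} unit {hdr['unit']}"
    if code in WRITE_CODES and src_ip not in AUTHORIZED_WRITERS:
        return f"{where}: {WRITE_CODES[code]} (fc {code}) from non-authorized host"
    if code in SPECIAL_CODES:
        return f"{where}: {SPECIAL_CODES[code]} (fc {code})"
    if code >= 65:  # user-defined ranges 65-72 and 100-110
        return f"{where}: user-defined function code {code}"
    return None


def mbap(txn, unit, pdu):
    """Build a Modbus/TCP frame for the constructed samples below."""
    return struct.pack(">HHHB", txn, 0, len(pdu) + 1, unit) + pdu


# Constructed sample flows: an HMI reading registers, the engineering workstation
# writing a register, and a third host writing a coil and sending Diagnostics.
SAMPLE_FLOWS = [
    ("10.0.10.20", "10.0.20.7", mbap(1, 1, bytes([3]) + struct.pack(">HH", 0, 10))),
    ("10.0.10.5", "10.0.20.7", mbap(2, 1, bytes([6]) + struct.pack(">HH", 40, 1))),
    ("10.0.10.77", "10.0.20.7", mbap(3, 1, bytes([5]) + struct.pack(">HH", 3, 0xFF00))),
    ("10.0.10.77", "10.0.20.7", mbap(4, 1, bytes([8]) + struct.pack(">HH", 0, 0))),
]


def scan(flows):
    """Run classify() over captured flows and return the list of alerts."""
    return [a for a in (classify(s, d, p) for s, d, p in flows) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed flows, the read from the HMI and the write from the allow-listed workstation pass silently, while the coil write and the Diagnostics request from the third host produce alerts. The same allow-list approach is the reason Dragos stresses tactics over vendor: the check keys on the protocol operation and its source, not on any particular PLC model.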
