US Warns of APT Hackers

The US government security agencies CISA, FBI, DOE, and NSA have released a joint security advisory warning of ongoing attacks by state-sponsored hacking groups against industrial control systems (ICS) and SCADA devices using custom malware.

Here’s what the security agencies have stated:-

“The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network.”

Targets

The custom-made malicious tools were specifically designed by the threat actors to target the following:-

  • Schneider Electric programmable logic controllers (PLCs)
  • OMRON Sysmac NEX PLCs
  • Open Platform Communications Unified Architecture (OPC UA) servers

Infection Chain

In addition, researchers from the DOE, NSA, CISA, and FBI found that the state-sponsored hackers were also exploiting the following vulnerability:-

  • CVE-2020-15368

By exploiting this flaw, the attackers are believed to have targeted Windows systems with ASRock motherboards and run malicious code on them, allowing them to move laterally into IT and OT environments and disrupt them.

By compromising and maintaining full system access to ICS/SCADA devices, APT actors can escalate privileges within an OT environment, move laterally within it, and disrupt critical devices or functions.

ICS Devices Targeted by the Malware

Notably, the federal agencies have not released any further details about the hacking tools or malware mentioned in the advisory.

Robert M. Lee, co-founder and CEO of industrial cybersecurity firm Dragos, stated:-

“Since the discovery of these malicious tools in early 2022, the company has been tracking them under the name PIPEDREAM (aka INCONTROLLER).”

Dragos has identified this new malware as the seventh ICS-specific malware ever discovered, and attributes its development to the CHERNOVITE Activity Group (AG).

Using PIPEDREAM, the threat actors can control and manipulate a range of industrial software and PLCs. Among them, some of the most common are:-

  • Omron
  • Schneider Electric controllers

Aside from these, with PIPEDREAM an attacker can also carry out attacks against widely used industrial technologies like:-

  • CoDeSyS
  • Modbus
  • OPC UA

Mitigations

It is very important that critical infrastructure organizations, especially those in the Energy Sector, implement the detection and mitigation recommendations that are provided by the federal government agencies DOE, CISA, NSA, and the FBI.

The mitigations provided are listed below:-

  • Isolate ICS/SCADA networks from corporate and internet networks using strong perimeter controls, so that activity in one cannot reach the other.
  • Limit any communication entering or leaving ICS/SCADA perimeters.
  • Use multi-factor authentication for all remote access to ICS networks and devices.
  • Create a cyber incident response plan.
  • Change all passwords of ICS/SCADA devices and systems on a regular schedule.
  • Always use complex passwords.
  • Keep offline backups to enable faster recovery.
  • Limit the network connections of ICS/SCADA systems.
  • Properly configure Device Guard, Credential Guard, and Hypervisor-Protected Code Integrity (HVCI).
  • Monitor system and event logs.
  • Use an OT monitoring system that provides continuous status updates.
  • Install only applications that are necessary to the operation of the system.
  • Enforce the principle of least privilege.
  • Watch for unfamiliar drivers being loaded into your systems.
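One way to audit a Windows engineering workstation against three of the mitigations above (Device Guard/Credential Guard/HVCI configuration, unexpected loaded drivers, and event-log review), as an added example that is not part of the advisory or this article. The trusted-signer list is an illustrative assumption to adapt to your own estate; the WMI class and event-log channel names are standard Windows ones.

```powershell
# Added example (not from the advisory): check VBS/HVCI state, list running kernel
# drivers whose signer is not on an allowlist, and pull recent driver-related events.
# $TrustedSigners is an assumed allowlist; extend it with your vendors' certificate subjects.
$TrustedSigners = @('CN=Microsoft Windows', 'CN=Microsoft Windows Hardware Compatibility Publisher')

# 1. Virtualization-based security state via the Win32_DeviceGuard WMI class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    VBSRunning                  = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = running
    CredentialGuard             = ($dg.SecurityServicesRunning -contains 1)       # 1 = Credential Guard
    HVCI                        = ($dg.SecurityServicesRunning -contains 2)       # 2 = HVCI
    CodeIntegrityPolicyEnforced = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2) # 2 = enforced
} | Format-List

# 2. Running kernel drivers whose Authenticode signer is missing, invalid, or not allowlisted.
#    Output is a review list: catalog-signed inbox drivers can appear here on some builds.
Get-CimInstance -ClassName Win32_SystemDriver |
  Where-Object { $_.State -eq 'Running' -and $_.PathName } |
  ForEach-Object {
    $path = $_.PathName -replace '^\\\?\?\\', ''          # strip the \??\ NT path prefix
    if (-not (Test-Path -LiteralPath $path)) { return }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $trusted = $TrustedSigners | Where-Object { $subject -like "$_*" }
    if ($sig.Status -ne 'Valid' -or -not $trusted) {
      [pscustomobject]@{ Driver = $_.Name; Path = $path; SigStatus = $sig.Status; Signer = $subject }
    }
  } | Format-Table -AutoSize

# 3. Last 7 days of Code Integrity events (3076 = audit, 3077 = blocked) and, if Sysmon
#    is installed, its driver-load events (ID 6). SilentlyContinue covers empty/missing logs.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $since } -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Id, Message | Format-Table -Wrap
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since } -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Message | Format-Table -Wrap
```

Run it from an elevated PowerShell session, since the Device Guard class and the operational logs require administrator rights to read.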


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.