US warns of govt hackers targeting industrial control systems - BleepingComputer
2022-04-13 14:55 (EST) - Sergiu Gatlan
A joint cybersecurity advisory issued by CISA, NSA, FBI, and the Department of Energy (DOE) warns of government-backed hacking groups being able to hijack multiple industrial devices.
The federal agencies said the threat actors could use custom-built modular malware to scan for, compromise, and take control of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices.
"The APT actors' tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities," the joint advisory reads .
"The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters."
ICS/SCADA devices at risk of being compromised and hijacked include:
- Schneider Electric MODICON and MODICON Nano programmable logic controllers (PLCs)
- Omron Sysmac NJ and NX PLCs, and
- Open Platform Communications Unified Architecture (OPC UA) servers
DOE, CISA, NSA, and the FBI also found that state-sponsored hackers also have malware that leverages CVE-2020-15368 exploits to target Windows systems with ASRock motherboards to execute malicious code and move laterally to and disrupt IT or OT environments.
NEW PIPEDREAM MALWARE TARGETING ICS DEVICES
While the federal agencies did not share any additional info on the hacking tools and malware mentioned in the advisory, Robert M. Lee, the co-founder and CEO of industrial cybersecurity firm Dragos, said the company has been tracking one of the malware strains as PIPEDREAM since its discovery in early 2022.
"Dragos has been analyzing this since early 2022 and working with our partners the best we can to make sure the community is aware," Lee said .
"PIPEDREAM is the seventh ever ICS specific malware. It's highly capable and worth paying attention to."
Dragos assesses with high confidence this was developed by a state actor with the intent on deploying it to disrupt key infrastructure sites.
— Robert M. Lee (@RobertMLee) April 13, 2022 The federal agencies recommend network defenders start taking measures to protect their industrial networks from attacks using these new capabilities and malicious tools.
They advise enforcing multifactor authentication (MFA) for remote access to ICS networks, changing default passwords to ICS/SCADA devices and systems, rotating passwords, and using OT monitoring solutions to detect malicious indicators and behaviors.
Additional mitigation measures can be found within today's advisory , with more information provided by CISA and the Department of Defense on blocking attacks targeting OT systems [ PDF ], layer network security via segmentation , and reducing exposure across industrial systems .