United States intelligence agencies have issued a public warning indicating that advanced persistent threat (APT) groups have developed a “multi-tool” malware kit that targets a commonly used range of industrial control systems. There is no indication as of yet that any systems have been exploited by the malware, but a wide range are potentially vulnerable.
The malware attacks programmable logic controllers (PLCs) made by Schneider Electric and OMRON that are commonly used as a bridge between industrial environment components and computer networks, as well as the Open Platform Communications Unified Architecture (OPC UA) servers used to communicate with controllers. The malware toolkit essentially grants the attacker free run of these industrial control systems, giving them the option of taking control of functions or simply “bricking” the devices. It can also be used to move further into networks by taking over workstations that run Windows.
Tim Erlin, VP of strategy at Tripwire, summarized the seriousness of this announcement and the effort expected from impacted companies: “Make no mistake, this is an important alert from CISA. Industrial organizations should pay attention to this threat … It’s important to note that while this alert calls out tools for gaining access to specific industrial control systems, there’s a bigger picture threat that involves more of the industrial control environment. Attackers need an initial point of compromise to gain access to the industrial control systems involved, and organizations should build their defenses accordingly. The joint advisory recommends isolating affected systems, as well as employing endpoint detection, configuration and integrity monitoring, and log analysis. This isn’t a matter of simply applying a patch.”
Highly adaptable “Pipedream” malware threatens many industrial environments
The joint cybersecurity advisory on industrial control systems has been issued by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI). The agencies did not define exactly which APT groups are using the malware, but said that more than one has exhibited the capability.
The malware kit is designed to compromise about half a dozen models of Schneider Electric MODICON and MODICON Nano PLCs, about the same number of OMRON Sysmac NJ and NX PLCs, and the OPC UA servers. It also includes the capability to exploit a known vulnerability in an ASRock motherboard driver to take over the Windows workstations often used in conjunction with this equipment, creating a path for privilege escalation and lateral movement into the organization’s IT network.
The agencies are urging all critical infrastructure companies, particularly those in the energy sector, to implement an immediate series of steps to protect their industrial control systems: enforce controls on remote access to all ICS networks, set up a schedule for regularly resetting all ICS/SCADA device and system passwords, and put a continuous OT monitoring solution in place that logs and alerts when malicious indicators and behaviors are detected.
Industrial control systems at risk of complete takeover, permanent damage
The malware kit is dangerous not just due to the number of industrial control systems it can potentially exploit, but also due to its ease of use. It includes the capability to scan for vulnerable devices and fetch necessary information about them, it is modular and highly automated to adjust to the particular target device, and it mirrors the actual control interface of the device being attacked. All of this appears designed specifically to allow larger numbers of lower-skilled attackers to get in on the action.
The malware kit also appears to offer multiple automated methods of attempting to compromise industrial control systems once they are found. Attackers can conduct a brute force password guessing attempt against the PLCs, or sever the connections of existing users and attempt to capture credentials when they log back on. There are also at least two different forms of denial of service attack available even if a login has not been compromised, allowing the attacker to cut off network communications to the PLC or use a “packet of death” attack that knocks it offline until it is rebooted and power cycled.
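The advisory's call for continuous OT monitoring that alerts on malicious behaviour, and the brute-force and connection-severing techniques described above, both come down to patterns that are visible in authentication logs. The following is an added example, not code from the article or from any of the agencies or vendors named in it: a small Python detector that runs over a constructed, simplified key=value log format (the timestamps, addresses, event names such as `login_fail` and `session_reset`, and thresholds are all assumptions for the example, not any product's real output) and flags a burst of failed logins from one source against one PLC, and a burst of forced session resets against one PLC, within a sliding time window.

```python
"""Flag brute-force login bursts and forced-disconnect bursts against PLCs.

Added example for this article. The log format below is a constructed,
simplified key=value format; it is not the output of any real OT monitor.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Constructed sample telemetry (not real data): one engineering workstation
# (10.10.5.20) behaves normally; one host (10.10.9.77) hammers two PLCs.
SAMPLE_LOGS = """\
2022-04-13T10:00:01Z src=10.10.5.20 dst=10.20.0.11 event=login_ok user=engineer
2022-04-13T10:02:11Z src=10.10.9.77 dst=10.20.0.11 event=login_fail user=admin
2022-04-13T10:02:12Z src=10.10.9.77 dst=10.20.0.11 event=login_fail user=admin
2022-04-13T10:02:12Z src=10.10.9.77 dst=10.20.0.11 event=login_fail user=operator
2022-04-13T10:02:13Z src=10.10.9.77 dst=10.20.0.11 event=login_fail user=root
2022-04-13T10:02:14Z src=10.10.9.77 dst=10.20.0.11 event=login_fail user=plc
2022-04-13T10:05:00Z src=10.10.9.77 dst=10.20.0.12 event=session_reset target_user=engineer
2022-04-13T10:05:01Z src=10.10.9.77 dst=10.20.0.12 event=session_reset target_user=engineer
2022-04-13T10:05:03Z src=10.10.9.77 dst=10.20.0.12 event=session_reset target_user=engineer
2022-04-13T10:05:09Z src=10.10.5.20 dst=10.20.0.12 event=login_ok user=engineer
2022-04-13T11:30:00Z src=10.10.5.20 dst=10.20.0.13 event=login_fail user=engineer
2022-04-13T11:30:07Z src=10.10.5.20 dst=10.20.0.13 event=login_ok user=engineer
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'TIMESTAMP k=v k=v ...' line into a dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["ts"] = ts.replace(tzinfo=timezone.utc)
    return fields


def sliding_window_alerts(events, key_fn, event_name, threshold, window):
    """Alert when >= threshold events named event_name share key_fn(ev) within window.

    Events must be in time order. One alert per key per run keeps the output
    readable; a production detector would re-arm after the window passes.
    """
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    alerts, fired = [], set()
    for ev in events:
        if ev.get("event") != event_name or "src" not in ev or "dst" not in ev:
            continue
        key = key_fn(ev)
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"key": key, "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts


def detect_plc_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Repeated failed logins from one source to one PLC (assumed threshold)."""
    return sliding_window_alerts(events, lambda e: (e["src"], e["dst"]),
                                 "login_fail", threshold, window)


def detect_forced_disconnects(events, threshold=3, window=timedelta(seconds=60)):
    """Repeated session resets issued against one PLC, the severing pattern."""
    return sliding_window_alerts(events, lambda e: (e["src"], e["dst"]),
                                 "session_reset", threshold, window)


def analyze(log_text):
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {"bruteforce": detect_plc_bruteforce(events),
            "forced_disconnect": detect_forced_disconnects(events)}


if __name__ == "__main__":
    for kind, found in analyze(SAMPLE_LOGS).items():
        for a in found:
            src, dst = a["key"]
            print(f"[{kind}] {src} -> {dst}: {a['count']} events "
                  f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The single failed login from the engineering workstation is below threshold and produces nothing, while the two bursts from the other host each produce one alert. Keying on (source, destination) is the simplest choice; keying on destination alone would also catch attempts spread across several sources, at the cost of more noise on busy controllers.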
In addition to the immediate emergency mitigation measures already listed, the agencies recommend further defensive measures that may take longer to roll out. These include changing perimeter controls to isolate ICS/SCADA systems and networks from corporate and internet networks, reviewing and practicing related cyber incident response plans, ensuring offline backups are up to date and regularly scheduled, and ensuring that all installed applications are necessary for operation (and removing those that are not).
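As an added illustration of the perimeter-control change recommended above (this is example configuration written for this article, not anything published by the agencies or by Schneider Electric or OMRON), the following nftables ruleset gives a Linux firewall sitting between a corporate segment and an OT segment a default-deny forwarding policy, permits only one named engineering workstation to reach the PLC range on the Modbus/TCP and OPC UA ports, blocks anything initiated from the OT side, and logs every drop so the OT monitoring solution has something to alert on. The interface names (`corp0`, `ot0`), the addresses, and the choice of ports 502 and 4840 are assumptions for the example and would be replaced with the real network's values.

```nft
#!/usr/sbin/nft -f
# Example perimeter between a corporate segment (corp0) and an OT segment (ot0).
# Interface names, addresses and ports are assumptions for this illustration.

table inet ics_perimeter {
    chain forward {
        # Default deny: nothing crosses the perimeter unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions that a rule below already permitted.
        ct state established,related accept

        # One engineering workstation may reach the PLC range on
        # Modbus/TCP (502) and OPC UA (4840) only.
        iifname "corp0" oifname "ot0" ip saddr 10.10.5.20 ip daddr 10.20.0.0/24 tcp dport { 502, 4840 } accept

        # The OT segment never initiates connections toward the corporate side.
        iifname "ot0" oifname "corp0" log prefix "ics-egress-drop: " drop

        # Everything else is logged for the OT monitoring pipeline, then dropped.
        log prefix "ics-perimeter-drop: " drop
    }
}
```

Loading the file with `nft -f` installs the table; the two log prefixes make dropped attempts from either direction easy to pick out in the kernel log. The corrected posture is the `policy drop` line: a forward chain left at its default `policy accept` is the weak setting this rule set replaces, since it lets any corporate host reach the PLCs unless each one is explicitly blocked.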
Nick Tausek, Security Automation Architect at Swimlane, adds: “In addition to this, leveraging low-code security automation allows companies to take a step further in their cybersecurity best practices by centralizing detection, investigation and response capabilities. With all-encompassing security platforms that automate tedious routines, the chance of both human error and outsider threats is brought down to a minimum and device integrity remains at its maximum.”
Security firm Mandiant additionally warns that the ASRock vulnerability used to compromise Windows workstations is not something that anti-malware software will pick up, given that it is in the Windows kernel.
Naturally, there is speculation about exactly which APT groups have this capability given that the announcement did not provide any direct clues. Suspicion will immediately drift to Russia, which has a long history of meddling in the critical infrastructure of other countries and which the Biden administration recently issued a separate warning about. Ukraine’s CERT also recently announced that it found a previously unknown piece of malware in industrial control systems that appeared to be aimed at causing power outages in the country. However, the assumption that the malware belongs to a state-sponsored group is based on its aims, complexity and the amount of funding it would have taken to create it rather than any known concrete links to a particular country.