APT hackers demonstrate capability to gain system access to multiple ICS/SCADA devices

The U.S. security agencies and the Department of Energy (DOE) warned in a joint Cybersecurity Advisory (CSA) that specific advanced persistent threat (APT) hackers have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices. In addition, the APT hackers can leverage the modules to interact with targeted ICS/SCADA devices, enabling operations by lower-skilled cyber hackers to emulate higher-skilled hacker capabilities.

“The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network,” according to the advisory released on Wednesday by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the DOE. “Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities.”

The advisory added that by compromising and maintaining full system access to ICS/SCADA devices, APT hackers could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions. The DOE, CISA, NSA, and the FBI credited several vendors, including Dragos, Mandiant, Microsoft, Palo Alto Networks, and Schneider Electric, for their contributions to this joint CSA.

The APT hackers have developed custom-made tools that, once they have established initial access in an OT network, enable them to scan for, compromise, and control certain ICS/SCADA devices. The affected hardware includes Schneider Electric MODICON and MODICON Nano PLCs, including (but not necessarily limited to) the TM251, TM241, M258, M238, LMC058, and LMC078. The advisory said that OMRON Sysmac NJ and NX PLCs, including (but not necessarily limited to) the NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT, and OPC Unified Architecture (OPC UA) servers are also affected.

The advisory identified that the tools used by the APT hackers have a modular architecture and enable cyber hackers to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. The APT hackers can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters. 

In addition, the APT hackers can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. Successful deployment of this tool can allow APT hackers to move laterally within an IT or OT environment and disrupt critical devices or functions.

The advisory also included details of the APT tools used across the multiple ICS/SCADA devices.

The advisory said that the APT hackers’ tool for Schneider Electric devices has modules that interact via normal management protocols and Modbus (TCP 502). The modules may allow cyber hackers to run a rapid scan that identifies all Schneider PLCs on the local network via User Datagram Protocol (UDP) multicast with a destination port of 27127, and to brute-force Schneider Electric PLC passwords using CODESYS and other available device protocols via UDP port 1740 against default passwords or a dictionary word list. They may also conduct a denial-of-service attack to prevent network communications from reaching the PLC.

In addition, the modules may sever connections, forcing users to re-authenticate to the PLC, which is likely intended to facilitate the capture of credentials. They may also conduct a ‘packet of death’ attack that crashes the PLC until it is power-cycled and its configuration recovered, and send custom Modbus commands, though this last capability may also work against Modbus implementations other than those in Schneider Electric PLCs.
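The Schneider-related behaviours above all leave network-visible traces: UDP multicast to port 27127, bursts of UDP traffic to port 1740, and Modbus/TCP (port 502) from hosts that have no business talking to a PLC. The following Python script is an added detection example, not code from the advisory or from any of the vendors named in it. It assumes a constructed, whitespace-separated flow-record format (`timestamp proto src dst dport`), a hypothetical allowlist of engineering workstations, and an arbitrary threshold of 20 UDP/1740 packets in 60 seconds for calling something a password-guessing attempt; all three are assumptions to tune to the monitored environment.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Ports named in the joint advisory for the Schneider Electric tool
SCHNEIDER_DISCOVERY_PORT = 27127  # UDP multicast discovery of Schneider PLCs
CODESYS_PORT = 1740               # UDP port used for password brute-forcing
MODBUS_TCP_PORT = 502             # Modbus/TCP

# Assumption: hosts that are expected to speak Modbus/TCP to PLCs (constructed)
ENGINEERING_WORKSTATIONS = {"10.10.5.20"}

# Assumption: detection threshold and window for repeated UDP/1740 traffic
BRUTE_FORCE_THRESHOLD = 20
BRUTE_FORCE_WINDOW_S = 60.0


@dataclass(frozen=True)
class Flow:
    ts: float
    proto: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'ts proto src dst dport'."""
    ts, proto, src, dst, dport = line.split()
    return Flow(float(ts), proto.upper(), src, dst, int(dport))


def detect(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (alert_name, src, dst) tuples, de-duplicated, in detection order."""
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f.ts)
    alerts: list[tuple[str, str, str]] = []
    seen: set[tuple[str, str, str]] = set()

    def raise_alert(name: str, f: Flow) -> None:
        key = (name, f.src, f.dst)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    # 1. PLC discovery: UDP to a multicast destination on port 27127
    for f in flows:
        if (f.proto == "UDP" and f.dport == SCHNEIDER_DISCOVERY_PORT
                and ip_address(f.dst).is_multicast):
            raise_alert("schneider_discovery_scan", f)

    # 2. Password guessing: sliding window of UDP/1740 packets per (src, dst)
    windows: dict[tuple[str, str], list[float]] = defaultdict(list)
    for f in flows:
        if f.proto == "UDP" and f.dport == CODESYS_PORT:
            win = windows[(f.src, f.dst)]
            win.append(f.ts)
            while win and f.ts - win[0] > BRUTE_FORCE_WINDOW_S:
                win.pop(0)
            if len(win) >= BRUTE_FORCE_THRESHOLD:
                raise_alert("codesys_password_bruteforce", f)

    # 3. Modbus/TCP from a host outside the engineering-workstation allowlist
    for f in flows:
        if (f.proto == "TCP" and f.dport == MODBUS_TCP_PORT
                and f.src not in ENGINEERING_WORKSTATIONS):
            raise_alert("unauthorized_modbus_client", f)

    return alerts


# Constructed sample flows: one discovery probe, 25 password attempts in 25 s,
# one legitimate and one unexpected Modbus/TCP client, and unrelated HTTPS traffic.
SAMPLE_FLOWS = (
    ["1000.0 UDP 10.10.7.44 239.255.255.250 27127"]
    + [f"{1001 + i}.0 UDP 10.10.7.44 10.10.5.100 1740" for i in range(25)]
    + [
        "1030.0 TCP 10.10.5.20 10.10.5.100 502",
        "1031.0 TCP 10.10.7.44 10.10.5.100 502",
        "1032.0 TCP 10.10.7.44 10.10.5.100 443",
    ]
)

if __name__ == "__main__":
    for name, src, dst in detect(SAMPLE_FLOWS):
        print(f"{name}: {src} -> {dst}")
```

Run against the constructed sample, the script reports three alerts, all from 10.10.7.44: a discovery scan, a password brute-force attempt against 10.10.5.100, and an unauthorized Modbus/TCP connection; the allowlisted workstation's Modbus traffic and the HTTPS flow produce nothing. In a real deployment the records would come from a network tap or flow exporter in the OT segment, and the allowlist would be derived from an asset inventory rather than hard-coded.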

The advisory identified that the APT hackers’ tool for OMRON devices has modules that can interact by scanning for OMRON using the Factory Interface Network Service (FINS) protocol, parsing the Hypertext Transfer Protocol (HTTP) response from OMRON devices, retrieving the media access control (MAC) address of the device, polling for specific devices connected to the PLC, backing up/restoring arbitrary files to/from the PLC, and loading a custom malicious agent on OMRON PLCs for additional attacker-directed capability.

Additionally, the OMRON modules can upload an agent that allows a cyber hacker to connect and initiate commands, such as file manipulation, packet captures, and code execution using HTTP and/or Hypertext Transfer Protocol Secure (HTTPS).

The advisory revealed that the APT hackers’ tool for OPC UA has modules with basic functionality to identify OPC UA servers and to connect to an OPC UA server using default or previously compromised credentials. In addition, the client can read the OPC UA structure from the server and potentially write tag values available via OPC UA.

The advisory recommends that network defenders begin efforts to protect systems and devices from these malicious tools and new capabilities. Among other measures, it advises isolating ICS/SCADA systems and networks from corporate and internet networks, using strong perimeter controls, and limiting any communications entering or leaving ICS/SCADA perimeters. In addition, organizations must enforce multifactor authentication for all remote access to ICS networks and devices whenever possible, have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.

Last month, the FBI alerted the ICS community of ‘continued activity’ by the group responsible for deploying TRITON malware. As a result, the agency warned that critical infrastructure asset owners and operators should be mindful of the risks posed to safety instrumented systems (SIS), regardless of vendor, ‘as these safety systems will likely continue to be targeted by sophisticated cyber actors.’

The U.S. security agencies and the DOE also provided information on multiple intrusion campaigns conducted by state-sponsored Russian cybercriminals from 2011 to 2018 that targeted U.S. and international energy sector organizations. The agencies are sharing this information to highlight historical tactics, techniques, and procedures (TTPs) used by adversaries to target these installations.

“If attackers are successful, the consequences of such intrusions are vast and can be potentially devastating,” Marty Edwards, vice president for OT security at Tenable, wrote in an emailed statement. “When your adversary is using advanced tools to potentially disrupt your system then organisations must have the people, processes and technology in place beforehand to harden their environments and detect any malicious activity.”

“The actors are apparently capable of directly interacting and manipulating the OT devices referenced in the advisory, so it is imperative that asset owners and operators are continuously monitoring for any malicious communications to these devices as well as monitoring for any changes to the configuration or logic inside the devices in real-time,” Edwards added.

“It’s important to note that while this alert calls out tools for gaining access to specific industrial control systems, there’s a bigger picture threat that involves more of the industrial control environment,” Tim Erlin, vice president of strategy at Tripwire, wrote in an emailed statement. “Attackers need an initial point of compromise to gain access to the industrial control systems involved, and organizations should build their defenses accordingly. The joint advisory recommends isolating affected systems, as well as employing endpoint detection, configuration and integrity monitoring, and log analysis. This isn’t a matter of simply applying a patch,” he added.
