The U.S. government today issued a new warning that advanced persistent threat actors have exhibited the capability to gain full system access to multiple industrial control systems and supervisory control and data acquisition devices using custom-made tools.
The joint advisory issued by the Department of Energy, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency, the National Security Agency and the Federal Bureau of Investigation details tools targeting specific systems. The tools enable the threat actors to scan for, compromise and control affected devices once access has been established in the operational technology network.
The custom-made tools do not stop at OT environments. They can also compromise Windows-based engineering systems that may be present in information technology or OT environments. The attacks typically compromise an ASRock motherboard driver with known vulnerabilities. The outcome of targeting both Window and OT networks could be the ability to disrupt critical devices or functions.
The alert notes that the custom tools have been found to be able to scan, compromise and control certain ICS and SCADA devices, including:
- Schneider Electric MODICON and MODICON Nano PLCs, including but potentially not be limited to TM251, TM241, M258, M238, LMC058, and LMC078;
- OMRON Sysmac NJ and NX PLCs, including but also potentially not be limited to NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
- OPC Unified Architecture (OPC UA) servers.
All organizations with ICS and SCADA devices are recommended to implement mitigations in an effort to protect systems. These include isolating those systems and networks from corporate and internet networks, enforcing multifactor authentication for all remote access and changing passwords on all those devices and systems on a consistent schedule.
Organizations are recommended to have a cybersecurity incident response plan and exercise it regularly and maintain known-good offline backups for faster recovery should an attack occur.
Security experts say that the warning is serious. Tim Erlin, vice president of strategy at cybersecurity and compliance solutions company Tripwire Inc., told SiliconANGLE that this is an important alert from CISA and that industrial organizations should pay attention to the threat.
“It’s important to note that while this alert calls out tools for gaining access to specific industrial control systems, there’s a bigger picture threat that involves more of the industrial control environment,” Erlin said. “Attackers need an initial point of compromise to gain access to the industrial control systems involved and organizations should build their defenses accordingly.”
The warning of attacks on ICS devices comes after a day after it was revealed that security researchers from ESET spol s.r.o and Microsoft Corp., in conjunction with Ukraine’s Governmental Computer Emergency Response Team, stopped a Russian attack against a Ukrainian energy company.