Critical infrastructure entities on red alert over ‘exceptionally rare and dangerous’ ICS malware

Powerful, versatile, and easy to use hacking toolset likened to Stuxnet

The US government has warned that advanced persistent threat (APT) actors have fashioned tools capable of hijacking industrial devices deployed in critical infrastructure sectors.

The bespoke hacking tools enable cybercriminals “to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network”, reads a joint cybersecurity advisory (CSA) issued yesterday (April 13) by the NSA, FBI, Department of Energy (DOE), and Cybersecurity and Infrastructure Security Agency (CISA).

“The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.”

DON’T FORGET TO READ Attackers are abusing Spring4Shell vulnerability to spread Mirai botnet malware

One tool exploits a vulnerability (CVE-2020-15368) in the ASRock-signed motherboard driver, AsrDrv103.sys, to execute malicious code in the Windows kernel and provide a springboard for lateral movement and privilege escalation.

A trio of industrial control system (ICS) or supervisory control and data acquisition (SCADA) devices are vulnerable, including multiple models of Schneider Electric programmable logic controllers (PLCs) and OMRON Sysmac NEX PLCs, as well as Open Platform Communications Unified Architecture (OPC UA) servers.

PLCs are solid-state computers that monitor inputs and make decisions on the outputs of automated processes or machines. OPC UA is an extensible, platform-agnostic standard that facilitates the secure exchange of data in industrial systems.

‘Difficult to detect’

The modular attack tools, whose command interface mirrors the interface of targeted devices, enable malicious hackers with even modest technical skills to conduct highly automated exploits against targeted devices.

The toolset has been analyzed by industrial cybersecurity firm Dragos, which said it constitutes only the seventh ever ICS-specific malware and is the handiwork of a mysterious threat group it dubbed ‘Chernovite’.

While the malware – named ‘Pipedream’ by Dragos – is customized to target liquid natural gas and electric assets, it is versatile enough to target a variety of industrial controllers and systems, according to Robert M Lee, Dragos CEO and co-founder.

“Pipedream takes advantage of native functionality in operations, making it more difficult to detect,” he said. “It includes features such as the ability to spread from controller to controller and leverage popular ICS network protocols such as ModbusTCP and OPC UA.”

In a separate analysis, cybersecurity company Mandiant said the toolset “represents an exceptionally rare and dangerous cyber-attack capability”.

Mandiant researchers likened the tool, which it called Incontroller, to Triton, which was involved in a 2017 attempt to disable an industrial safety system; Industroyer, which caused a power outage in Ukraine in 2016; and Stuxnet, which sabotaged the Iranian nuclear program in 2010.

‘Unique opportunity to defend’

Unusually, said Lee, discovery of the tools has come before they are unleashed on networks, giving “defenders a unique opportunity to defend ahead of the attacks”.

He continued: “While the malicious capability is sophisticated, with a wide range of functionality, applying fundamental ICS cybersecurity practices such as having a defensible architecture, ICS-specific incident response plan, and ICS network monitoring provide a robust defense against this threat.”

The news follows a warning to critical infrastructure entities from the Biden administration to brace themselves for cyber-attacks Russia as the country continues to wage war in Ukraine.