In the United States, the authorities are concerned about attacks on industrial systems

According to the US Cybersecurity and Infrastructure Security Agency (CISA), hackers have developed custom tools to gain full system access to a number of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices.

The warning is part of a joint cybersecurity advisory issued by the US Department of Energy (DOE), CISA, the NSA and the FBI, which urges all critical infrastructure operators to immediately tighten the security of their ICS/SCADA devices and networks.

The malware was built to target programmable logic controllers (PLCs) from Schneider Electric and OMRON (Sysmac NEX series), as well as OPC UA (Open Platform Communications Unified Architecture) servers.

According to CISA, these tools can create “highly automated exploits” against targeted devices.

ICS security firm Dragos, which analyzed the malware, dubbed it Pipedream and counts it as the seventh known malware family built specifically for ICS, following Stuxnet, Havex, BlackEnergy, Crashoverride and Trisis. It attributes the malware to an advanced persistent threat (APT) actor it tracks as Chernovite.

“Pipedream is a modular ICS attack framework that an adversary could use to cause disruption, degradation, or even destruction depending on the targets and the environment,” Dragos explains.

Mandiant calls the same malware INCONTROLLER. In early 2022, Mandiant worked with Schneider Electric to analyze it.

Once the actors have gained a foothold in a target's industrial network, they can use the tools to disrupt ICS devices. According to CISA, they can also compromise the Windows engineering workstations used to program those devices by exploiting a known vulnerability in an ASRock motherboard driver.

That ASRock vulnerability is tracked as CVE-2020-15368 and affects the AsrDrv103.sys driver. Exploiting it lets an attacker execute malicious code in the Windows kernel, from where anti-virus and other endpoint protections can be bypassed.

The agencies emphasize that organizations in the energy sector, in particular, should implement the detections and mitigation measures detailed in the alert.

“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate their privileges, move laterally in an industrial environment, and disrupt critical devices or functions,” CISA notes.

Devices known to be targeted by the APT group include:

  • Schneider Electric MODICON and MODICON Nano PLCs, including (but not limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
  • OMRON Sysmac NJ and NX PLCs, including (but not limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT;
  • OPC Unified Architecture (OPC UA) servers.

Schneider Electric notes in a security bulletin about the malware that it is not aware of any confirmed or potential use of the malware against its customers, but states that “the framework has capabilities related to disruption, sabotage and potentially physical destruction.”

The agencies urge organizations to “isolate ICS/SCADA systems and networks from corporate networks and the internet using stringent perimeter controls, and to limit all communication entering or leaving ICS/SCADA perimeters.”

They also recommend using multi-factor authentication for remote access to ICS networks and devices, changing all passwords for these regularly, and removing all default passwords.
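The perimeter control the agencies describe above (only designated engineering hosts may reach PLCs and OPC UA servers, and nothing in the ICS network initiates connections outward) can be checked mechanically against flow or firewall logs. The script below is an added example written for this article; it is not code from CISA, Dragos, Mandiant or any vendor. It assumes an ICS subnet of 10.10.0.0/16, two engineering workstations at 10.20.5.11 and 10.20.5.12, a plain space-separated flow format, and the protocol-to-port mapping in ICS_PORTS (Modbus/TCP 502, OPC UA 4840, OMRON FINS 9600, EtherNet/IP 44818); the sample log lines are constructed, and all of these values must be replaced with the real asset inventory before use.

```python
"""Audit flow records against an ICS/SCADA perimeter policy.

Added example for this article; not code from the agencies' advisory or
from any vendor named on the page. Addresses, ports and log format are
assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed mapping of the protocols spoken by the targeted device classes
# to their well-known TCP/UDP ports. Verify against your own inventory.
ICS_PORTS = {
    502: "Modbus/TCP (Schneider Modicon)",
    4840: "OPC UA",
    9600: "OMRON FINS",
    44818: "EtherNet/IP (OMRON NJ/NX)",
}

ICS_NET = ip_network("10.10.0.0/16")  # assumed ICS/SCADA segment
# Assumed engineering workstations: the only hosts allowed to talk to PLCs.
ENGINEERING_HOSTS = frozenset({ip_address("10.20.5.11"), ip_address("10.20.5.12")})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # kept for reporting; the policy below is port-based


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: '<src> <dst> <dport> <proto>'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def classify(flow: Flow):
    """Return a violation reason, or None if the flow is permitted.

    Policy (derived from the advisory's wording):
      * traffic wholly inside or wholly outside the ICS segment is not judged here;
      * traffic entering the ICS segment must come from an engineering host
        and must use a known ICS protocol port;
      * ICS hosts must never initiate connections to the outside.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    src_in, dst_in = src in ICS_NET, dst in ICS_NET
    if src_in == dst_in:
        return None
    if dst_in:  # crossing into the ICS perimeter
        if flow.dport not in ICS_PORTS:
            return f"non-ICS port {flow.dport} into ICS host {dst} from {src}"
        if src not in ENGINEERING_HOSTS:
            return f"{ICS_PORTS[flow.dport]} to {dst} from non-engineering host {src}"
        return None
    return f"ICS host {src} initiating outbound connection to {dst}:{flow.dport}"


def audit(log_text: str):
    """Return (line, reason) for every flow that violates the perimeter policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reason = classify(parse_flow(line))
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample: two legitimate engineering sessions, one rogue corporate
# host, one internet host, one PLC calling out, one intra-ICS flow, and RDP
# from an engineering host on a port the policy does not allow inward.
SAMPLE_FLOWS = """\
10.20.5.11 10.10.1.20 502 tcp
10.20.5.11 10.10.1.30 4840 tcp
10.20.9.77 10.10.1.20 502 tcp
192.0.2.15 10.10.1.40 44818 tcp
10.10.1.20 203.0.113.9 443 tcp
10.10.1.20 10.10.1.30 4840 tcp
10.20.5.12 10.10.1.50 3389 tcp
"""

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION: {reason}    [{line}]")
```

Run against the constructed sample, the script flags four of the seven flows: the Modbus session from the non-engineering corporate host, the EtherNet/IP connection from an internet address, the PLC reaching out to the internet on 443, and the RDP connection on a port the policy does not permit into the ICS segment. The two engineering sessions and the intra-ICS OPC UA flow pass. Feeding real firewall or NetFlow exports through parse_flow (after adapting the format) turns the advisory's "limit all communication entering or leaving ICS/SCADA perimeters" into a repeatable check rather than a one-time configuration.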
