Threat group builds custom malware to attack industrial systems

Hackers have created custom tools to control a range of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, marking the latest threat to a range of critical infrastructure in the United States, according to several government agencies.

In an alert this week, the Cybersecurity and Infrastructure Security Agency, (CISA), Department of Energy (DOE), National Security Agency (NSA), and FBI said that some of the devices at risk including programmable logic controllers from Schneider Electric and Omron Electronics as well as Open Platform Communications Unified Architecture servers.

The tools enable threat groups to scan for, compromise, and eventually control affected device after gaining initial access to an organization's operational technology networks.

"Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities," the agencies wrote in the alert.

"By compromising and maintaining full system access to ICS/SCADA devices, APT [advanced persistent threat] actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions."

Cybersecurity firm Dragos identified the ICS-specific malware – which it calls Pipedream – earlier this year through independent research and work with partners.

Dragos researchers linked Pipedream to the threat group Chernovite.

The government agencies are urging critical infrastructure organizations – particularly those in the energy sector – to put in place recommended detection and mitigation processes, including using strong perimeter controls to isolate ICS and SCADA system and networks from corporate and internet networks and limit communications entering or leaving those perimeters.

They also recommend using multifactor authentication for remote access to ICS networks and devices.

Tim Erlin, vice president of strategy at cybersecurity firm Tripwire, told that industrial organizations need to pay heed to the government's alert.

"It's important to note that while this alert calls out tools for gaining access to specific industrial control systems, there's a bigger picture threat that involves more of the industrial control environment," Erlin said.

"Attackers need an initial point of compromise to gain access to the industrial control systems involved, and organizations should build their defenses accordingly."

Pointing to the extensive list of recommended mitigation processes, he noted that protecting against the threat "isn't a matter of simply applying a patch."

• Backup frustration brought this CTO to forefront of ransomware protection
• China accused of cyberattacks on Indian power grid
• Fintech platform flaw could have allowed bank transfers, exposed data
• US State Department opens cybersecurity policy bureau

Government agencies over the last couple of years have put a spotlight on the cybersecurity threat to critical infrastructure within the United States, with the 2021 ransomware attacks on energy provider Colonial Pipeline and JBS Foods that had wide-ranging impacts in the country.

The threat has only grown with Russia's unprovoked invasion of Ukraine, with agencies warning of a spillover affect from the cyberattacks Russia and the threat groups it supports have launched against its neighbor.

The private sector also is moving to protect industrial systems in industries' automotive, semiconductor, energy, banking and telecommunications in particular. A new consortium called the Operational Technology Cybersecurity Coalition (OTCSA) includes such corporations as Coca-Cola, Honeywell and Blackberry and cybersecurity firms like Fortinet, ABB and Check Point.

The goal is to collect and share information with consortium members and government agencies.

In the latest alert, the agencies said the APT groups have created tools with modular architectures that enable them to run automated exploits against systems. The software includes a virtual console with a command line interface that mirrors what's in the targeted devices.

"Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities," they wrote. "The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters."

There also is a tool that installs and exploits a known flaw in ASRock-signed motherboard driver, AsrDrv103. The tool exploits the vulnerability tracked as CVE-2020-15368, executing malicious code in the Windows kernel and enabling the APT actors to move laterally within an IT or OT environment and disrupt critical devices and functions.

Dragos researchers wrote in a blog post that Pipedream is a "modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment."

The don't believe that Pipedream has yet been used in the wild, adding that it can execute 38 percent of known ICS attack techniques and 83 percent of known ICS attack tactics.

"While Chernovite is specifically targeting Schneider Electric and Omron controllers, there could be other modules targeting other vendors as well and Pipedream's functionality could work across hundreds of different controllers," they wrote.

"Said simply, a focus on the equipment vendor is misplaced, and instead the focus should be placed on the tactics and techniques the adversary is leveraging."

Along with isolating ICS and SCADA systems and leveraging multifactor authentication, the US agencies also are recommending such steps as having a cyber-incident plan in place, changing all passwords to targeted devices and systems and using strong passwords, maintain backups, implementing strong log collection and retention from ICS and SCADA systems and ensuring that applications are installed only when necessary for operation. ®