U.S. warns of cyberthreat to specific industrial machines

April 14, 2022
The malware specifically looks for some models of Schneider Electric and OMRON PLCs

A new joint Cybersecurity Advisory (CSA) from the United States government issued on Wednesday warns that advanced persistent threat (APT) actors (read: cybercriminals) have developed a way to gain full system access to multiple industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices, targeting specific models of programmable logic controllers (PLCs) manufactured by Schneider Electric and OMRON.

Industrial cybersecurity firm Dragos is among the organizations that contributed to the CSA. "The initial targeting appears to be liquid natural gas and electric community-specific," says Robert M. Lee, CEO at Dragos. "However, the nature of the malware is that it works in a wide variety of industrial controllers and systems. The malware initially targets Schneider Electric and Omron controllers, however, there are no vulnerabilities specific to those product lines."

"Make no mistake, this is an important alert from CISA. Industrial organizations should pay attention to this threat," says Tim Erlin, VP of strategy at Tripwire. "It’s important to note that while this alert calls out tools for gaining access to specific industrial control systems, there’s a bigger picture threat that involves more of the industrial control environment."

Specific Cyberthreats to Specific Industrial Machinery

According to the CSA, cybercriminals have developed custom-made tools to specifically target the machines in question. Once the machines are compromised, the cybercriminals can upload malicious code, modify device parameters, and back up device contents, among other things a company does not want to have to deal with.

Practical concerns for the Schneider Electric devices in question include losing the ability to connect your network to the PLCs; severing connections to force re-connects that require entering credentials, which the cybercriminals may then steal; and crashing PLCs outright until they are restarted and recovery operations are completed.

For OMRON devices, cybercriminals may install hostile software to further enable new attacks; back up and restore files to and from the PLC; and outright issue commands to the PLC to manipulate files and capture data.

Cybercriminals have also developed a tool to exploit a known vulnerability in a specific ASRock-signed motherboard driver. The tool adds malicious code to Windows systems, opening the door for cybercriminals to move into general computer networks and wreak havoc in IT or OT environments.

Finally, the CSA cites fresh vulnerabilities for servers running Open Platform Communications Unified Architecture (OPC UA).

Enact Point Defense Early

The CSA includes numerous strategies to mitigate risk before cybercriminals have a chance to attack the industrial systems in question, including the usual advice on multifactor authentication, changing passwords often and making them strong, and closely monitoring any machines cited as being under particular threat. The CSA also provides a lengthy list of more advanced preventative actions for IT professionals.

"Attackers need an initial point of compromise to gain access to the industrial control systems involved, and organizations should build their defenses accordingly," adds Erlin. "The joint advisory recommends isolating affected systems, as well as employing endpoint detection, configuration and integrity monitoring, and log analysis. This isn't a matter of simply applying a patch."

Marty Edwards, VP of OT Security at Tenable and the former CERT director under President Barack Obama, added: "The joint advisory issued by the U.S. Government about advanced tools being used to target Industrial Control Systems and Operational Technology environments is concerning. If attackers are successful, the consequences of such intrusions are vast and can be potentially devastating. When your adversary is using advanced tools to potentially disrupt your system then organizations must have the people, processes and technology in place beforehand to harden their environments and detect any malicious activity."

Edwards added that the "actors are apparently capable of directly interacting and manipulating the OT devices referenced in the advisory, so it is imperative that asset owners and operators are continuously monitoring for any malicious communications to these devices as well as monitoring for any changes to the configuration or logic inside the devices in real-time. The advisory states that actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions. Asset owners and operators should have systems in place to monitor for credential abuse and/or discover accounts that are not adhering to the principle of least privilege."
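Both Erlin's and Edwards' recommendations above come down to configuration and integrity monitoring: knowing what logic and parameters a controller is supposed to hold, and alerting when that changes outside an approved maintenance activity. The script below is an added illustration of that idea, not code from the advisory, from Tripwire, Tenable, Dragos or Darktrace, and it makes one assumption: that the operator already exports controller logic and configuration to files on an engineering workstation (the file names, contents and the "approved change" set are constructed for the example). It hashes a baseline export, compares it with a later export, and raises alerts only for drift that no change ticket covers.

```python
"""Baseline-and-diff integrity check for exported PLC logic/config files.

Added example; not code from the advisory or from any vendor quoted above.
Assumes controller logic and parameters are periodically exported to files
(real deployments would read them from disk via snapshot_from_dir()).
"""
import hashlib
import os
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict) -> dict:
    """Map each exported file name to the SHA-256 of its content."""
    return {name: sha256_hex(content) for name, content in files.items()}


def snapshot_from_dir(root: str) -> dict:
    """Same as snapshot(), but walks a real export directory on disk."""
    out = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = sha256_hex(fh.read())
    return out


@dataclass
class Drift:
    added: list = field(default_factory=list)      # present now, absent in baseline
    removed: list = field(default_factory=list)    # present in baseline, gone now
    modified: list = field(default_factory=list)   # hash differs

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def compare(baseline: dict, current: dict) -> Drift:
    """Classify every file name seen in either snapshot."""
    d = Drift()
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            d.added.append(name)
        elif name not in current:
            d.removed.append(name)
        elif baseline[name] != current[name]:
            d.modified.append(name)
    return d


def alerts(drift: Drift, approved_changes: set) -> list:
    """Turn drift into alert lines, suppressing files covered by an approved change."""
    out = []
    for kind, names in (("added", drift.added),
                        ("removed", drift.removed),
                        ("modified", drift.modified)):
        for name in names:
            if name in approved_changes:
                continue
            out.append(f"UNAPPROVED {kind}: {name}")
    return out


# Constructed sample exports (name -> bytes); not real controller data.
BASELINE_FILES = {
    "plc-a/logic.prj": b"LADDER v1 rung1 rung2",
    "plc-a/params.cfg": b"setpoint=42\nmode=auto\n",
    "plc-b/logic.prj": b"LADDER v1 rungA",
}
CURRENT_FILES = {
    "plc-a/logic.prj": b"LADDER v1 rung1 rung2 rung3",  # logic changed, no ticket
    "plc-a/params.cfg": b"setpoint=42\nmode=auto\n",    # unchanged
    "plc-b/logic.prj": b"LADDER v1 rungA",
    "plc-b/extra.bin": b"\x00\x01",                     # new file, covered by ticket
}
APPROVED = {"plc-b/extra.bin"}  # constructed: names listed on an approved change ticket


def run_example() -> list:
    drift = compare(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))
    return alerts(drift, APPROVED)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

In practice the baseline snapshot would be stored somewhere the engineering workstation cannot overwrite (the advisory's point about isolating affected systems applies to the monitor as much as to the controllers), and the approved-change set would come from the change-management process rather than a hard-coded constant; the logic above is the same either way.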

Justin Fier, the VP of Tactical Risk and Response at Darktrace remarked that this news represents a major step up from the relatively unsophisticated previous DDoS attacks, and it’s particularly interesting to see that Sandworm has reared its head again.

“CISA and other government agencies in the Five Eyes have been anticipating an attack like this and issuing sophisticated warnings for some time. Ukraine has been dealing with this type of threat for years and has been preparing with the help of global allies, including the U.S.,” Fier said. “While we cannot confirm these allegations, the hope is that governments worldwide will take this seriously and realize that the same type of attack could happen to them. Any attack on Ukrainian soil could also occur anywhere else, be replicated by other cyber-criminal groups or nation-states, or cause ripple effects across the global supply chain. During this ongoing ‘World War Wired,’ we must be concerned not only with the prospect of an inbound warhead but also infrastructure destroying cyber-attacks. The responsibility will fall on each potentially at-risk organization to bolster their defenses: they must fight fire with fire, arming themselves with the latest technologies. You go to war with the army you have, not the one you wish you built, and organizations must prepare now.”

About the author: Dennis Scimeca is a veteran technology journalist for IndustryWeek, a fellow Endeavor Business Media publication. He has particular experience in vision system technology, machine learning/artificial intelligence, virtual and augmented reality, and interactive entertainment, along with experience writing for consumer, developer, and B2B audiences with bylines in many highly regarded specialist and mainstream outlets.

At IndustryWeek, he covers the continuing expansion of new technologies into the manufacturing world and the competitive advantages gained by learning and employing these new tools. He also seeks to build connections between manufacturers by sharing the stories of their challenges and successes employing new technologies. If you would like to share your story with IndustryWeek, please contact him at [email protected].

Note: SecurityInfoWatch.com editors added to this report. Read the original story in IndustryWeek here.