
APT group has developed custom-made tools for targeting ICS/SCADA devices
2022-04-14 14:10

Just a few days after news of attempted use of a new variant of the Industroyer malware comes a warning from the US Cybersecurity and Infrastructure Security Agency: Certain APT actors have exhibited the capability to gain full system access to multiple industrial control system/supervisory control and data acquisition devices.

These tools may allow attackers to compromise and control Schneider Electric programmable logic controllers, OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture servers.

Researchers from several cybersecurity companies, as well as one of the manufacturers of the targeted equipment, have been involved in the analysis of the malware: Dragos, Mandiant, Microsoft, Palo Alto Networks and Schneider Electric.

"The Pipedream malware initially targets Schneider Electric and Omron controllers; however, there are no vulnerabilities specific to those product lines. Pipedream takes advantage of native functionality in operations, making it more difficult to detect. It includes features such as the ability to spread from controller to controller and leverage popular ICS network protocols such as ModbusTCP and OPC UA," said Robert M. Lee, CEO and Co-Founder of Dragos.

Dragos dubbed the group behind the malware Chernovite, and they "assess with high confidence" that it is a state-backed APT group that developed it for disruptive or destructive operations against ICS. "While Chernovite is specifically targeting Schneider Electric and Omron PLCs, there could be other modules targeting other vendors as well, and Pipedream's functionality could work across hundreds of different controllers. Said simply, a focus on the equipment vendor is misplaced, and instead the focus should be placed on the tactics and techniques the adversary is leveraging," Dragos researchers noted.

"Uniquely, this malware has not been employed in target networks. This provides defenders a unique opportunity to defend ahead of the attacks. While the malicious capability is sophisticated with a wide range of functionality, applying fundamental ICS cybersecurity practices such as having a defensible architecture, ICS specific incident response plan, and ICS network monitoring provide a robust defense," Lee noted.
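As an added illustration of the ICS network monitoring Lee recommends (example code written for this page, not from the article, Dragos or any vendor named): because Pipedream uses native ModbusTCP functionality rather than an exploitable bug, a signature for a vulnerability will not fire, but a monitor can still alert when state-changing Modbus function codes arrive from a host outside an assumed allowlist of engineering workstations. The IP addresses, the allowlist and the frames below are constructed.

```python
import struct
from typing import NamedTuple

# Modbus/TCP: 7-byte MBAP header (transaction id, protocol id, length, unit id)
# followed by the PDU (function code + data). Function codes that change
# controller state (assumed set for this example).
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}

class ModbusFrame(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP request from a TCP payload, validating the MBAP header."""
    if len(payload) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (Modbus)")
    if length != len(payload) - 6:       # length counts unit id + PDU
        raise ValueError("MBAP length mismatch")
    return ModbusFrame(tid, unit, payload[7], payload[8:])

def flag_unexpected_writes(flows, allowed_writers):
    """flows: iterable of (src_ip, dst_ip, payload). Returns one alert per
    state-changing request whose source is not an allowed writer."""
    alerts = []
    for src, dst, payload in flows:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError:
            continue                      # not a well-formed Modbus request
        if frame.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, dst, frame.unit_id, WRITE_FUNCTIONS[frame.function]))
    return alerts

# Constructed sample traffic: a read from an HMI, a write from the engineering
# workstation, and a write from a host that should never change PLC state.
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.2.5", bytes.fromhex("000100000006010300000001")),  # FC3 read
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("000200000006010600100001")),  # FC6 write
    ("10.0.1.99", "10.0.2.5", bytes.fromhex("00030000000601050001FF00")),  # FC5 write
]
ALLOWED_WRITERS = {"10.0.1.10"}           # assumed engineering workstation

def demo():
    return flag_unexpected_writes(SAMPLE_FLOWS, ALLOWED_WRITERS)
```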


News URL

https://www.helpnetsecurity.com/2022/04/14/apt-ics-scada/