The U.S. Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a joint advisory to warn about the rising cyberattacks on Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) devices. This is the latest advisory issued after the FBI warned that the energy sector is under attack by Triton malware.
What does the advisory say?
Federal agencies detected several custom tools that can allow APT groups to compromise and hijack devices.
The tools developed by threat actors can enable scanning, compromising, and controlling of affected ICS/SCADA devices.
The advisory highlights that OPC Unified Architecture (OPC UA) servers and multiple versions of Programmable Logic Controllers (PLCs) from Schneider Electric and OMRON are vulnerable to attacks initiated by these custom tools.
These tools have a modular architecture that can enable threat actors to conduct highly-automated exploits against targeted devices.
In addition, one of these tools can be used to exploit a known vulnerability in the ASRock-signed motherboard driver (tracked as CVE-2020-15368) to execute malicious code in the Windows kernel.
By compromising and maintaining full system access to ICS/SCADA devices, APT actors can elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.
Triton malware wreaks havoc on the energy sector
In March, the FBI had urged firms in the energy sector to stay alert for Triton malware attacks.
The new warning came a day after the US Department of Justice unsealed a pair of indictments against a Russian national and TsNIIkhM employee involved in a 2017 cyberattack against a Middle East petrochemical plant’s safety instrumented system.
The agency said that attackers could leverage the attack framework used in the 2017 attack, together with Triton malware, to design similar attacks against Safety Instrumented Systems (SIS).
A new PIPEDREAM malware identified
To add more trouble, researchers at Dragos revealed details about a new Incontroller (PIPEDREAM) malware designed to target ICS and SCADA systems.
The malware accomplishes a far-reaching impact through a series of five components: EVILSCHOLAR, BADOMEN, DUSTTUNNEL, MOUSEHOLE, and LAZYCARGO.
Associated with Chernovite, PIPEDREAM can manipulate a wide variety of PLC and industrial software. It can attack ubiquitous industrial technologies from the likes of CODESYS, Modbus, and OPC UA.
Conclusion
The federal agencies have recommended all organizations with ICS/SCADA devices implement proactive mitigation measures. These include isolating ICS and SCADA systems from the rest of the IT and OT networks, limiting access to specific management and engineering workstations, and monitoring systems to catch unusual activities.
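Two of the recommended measures, restricting PLC and OPC UA access to named engineering workstations and monitoring for unusual activity, can be checked from connection logs. The following is an added example and not code from the advisory or the agencies: it audits constructed flow records against an allowlist of engineering workstations and flags one source sweeping several OT hosts on ICS ports, as the advisory's scanning tools would. The log format, addresses, subnet, allowlist, scan threshold and the port-to-protocol map (Modbus/TCP on 502, OPC UA on 4840) are assumptions to be replaced with a site's own values.

```python
"""Audit connection logs for ICS protocol traffic that violates an
engineering-workstation allowlist or looks like a sweep of OT hosts.

Added example, not part of the advisory. Every address, port mapping and
log line below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed mapping of TCP ports to ICS protocols named in the article.
ICS_PORTS = {502: "Modbus/TCP", 4840: "OPC UA"}
# Assumed allowlist: the only hosts permitted to speak ICS protocols to OT.
ALLOWED_ENGINEERING_HOSTS = {"10.10.5.20", "10.10.5.21"}
# Assumed OT subnet holding the PLCs and OPC UA servers.
OT_SUBNET = ip_network("10.20.0.0/24")
# Assumed threshold: one source touching this many distinct OT hosts on
# ICS ports within the log window is treated as a possible scan.
SCAN_THRESHOLD = 3


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    protocol: str
    reason: str


def parse_conn_line(line):
    """Parse one constructed flow record: '<ts> <src> -> <dst>:<port> <proto>'."""
    _ts, src, arrow, dst_port, proto = line.split()
    if arrow != "->" or proto != "tcp":
        raise ValueError(f"unexpected record: {line!r}")
    dst, port = dst_port.rsplit(":", 1)
    return src, dst, int(port)


def audit_connections(lines):
    """Return findings for allowlist violations and per-source OT sweeps."""
    findings = []
    targets_by_src = defaultdict(set)
    for line in lines:
        src, dst, port = parse_conn_line(line)
        protocol = ICS_PORTS.get(port)
        # Only ICS-protocol traffic into the OT subnet is of interest here.
        if protocol is None or ip_address(dst) not in OT_SUBNET:
            continue
        targets_by_src[src].add(dst)
        if src not in ALLOWED_ENGINEERING_HOSTS:
            findings.append(Finding(
                src, dst, port, protocol,
                "ICS protocol from host outside engineering allowlist"))
    # Sweep detection applies to allowed hosts too: a compromised
    # engineering workstation is exactly how the advisory's tools are used.
    for src, targets in targets_by_src.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings.append(Finding(
                src, ",".join(sorted(targets)), 0, "multiple",
                f"possible ICS scan: {len(targets)} OT hosts contacted"))
    return findings


# Constructed sample log: two permitted EWS sessions, a non-allowlisted host
# sweeping three PLCs, and one unrelated HTTPS flow that is ignored.
SAMPLE_LOG = [
    "2022-04-13T10:00:01Z 10.10.5.20 -> 10.20.0.11:502 tcp",
    "2022-04-13T10:00:05Z 10.10.5.20 -> 10.20.0.12:4840 tcp",
    "2022-04-13T10:01:10Z 10.10.7.33 -> 10.20.0.11:502 tcp",
    "2022-04-13T10:01:11Z 10.10.7.33 -> 10.20.0.12:502 tcp",
    "2022-04-13T10:01:12Z 10.10.7.33 -> 10.20.0.13:502 tcp",
    "2022-04-13T10:02:00Z 10.10.5.20 -> 10.20.0.50:443 tcp",
]

if __name__ == "__main__":
    for f in audit_connections(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst} ({f.protocol}): {f.reason}")
```

Run against the sample, the audit reports three allowlist violations for 10.10.7.33 plus one sweep finding for the same host; the permitted workstation contacting two PLCs stays under the threshold. In practice the allowlist and OT subnet would be loaded from inventory rather than hard-coded, and the sweep threshold tuned to how many controllers a legitimate engineering session touches.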