Start your day with intelligence. Get The OODA Daily Pulse.

 

Industrial control systems (ICS) and supervisory control and data acquisition (SCADA) device vulnerabilities are, arguably, the threat surfaces that are of the utmost concern to cyber and homeland security professionals.  If ICS/SCADA devices are mission-critical to your organization, the Joint Cybersecurity Advisory (CSA) released this week by multiple U.S. agencies is a must-read.

A unique element of this CSA is the direct contribution made by the private sector to the research included in the advisory:  “‘This is the most expansive industrial control system attack tool that anyone has ever documented,’ says Sergio Caltagirone, the vice president of threat intelligence at industrial-focused cybersecurity firm Dragos, which contributed research to the advisory and published its own report about the malware. Researchers at Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric also contributed to the advisory. “’It’s like a Swiss Army knife with a huge number of pieces to it.’” (1)

For our readership for whom this cyber threat is of less direct concern, we still encourage you to at least take a cursory look at the alert, as there may be ancillary impacts on your broader cybersecurity efforts.  There is also an argument that (due to the cyber threat climate created by the Ukrainian Crisis) the cybersecurity community (broadly speaking) should have a basic working knowledge of these hardware-level vulnerabilities.  As a result, This post is both an introductory overview and comprehensive as needed (depending on your level of concern and interest in the implications of the CSA).

Industroyer2 and Pipedream Malware

The README cybersecurity site on Medium (published by Synack) provides an overview of the emergence of the ICS/SCADA malware which prompted the U.S. Joint Cybersecurity Advisory this week:

The last example of malware tailor-made to twist a knife into critical infrastructure networks’ ICS underbelly emerged in 2017. Now, two ICS-focused malware variants have come to light in the same week, an unprecedented escalation in control system threats that’s ringing alarm bells from Kyiv to Washington.  Unlike the Triton malware, which caused a string of outages at a major Saudi Arabian petrochemical plant in 2017, the latest two ICS cyber threats, dubbed Industroyer2 and Pipedream, evidently failed to cause disruptions.

The rise of Pipedream and Industroyer2 highlights how quickly changes can wash over the threat landscape for ICS networks, which still tend to be highly specialized, relatively isolated and difficult to target. The back-to-back threats have also appeared as Russia continues its invasion of Ukraine in a hybrid war that has drawn White House warnings about potential cyberattacks on U.S. targets.

Industroyer2, aimed squarely at disrupting Ukraine’s power grid, puts an exclamation point on Russia’s willingness to target Ukrainian civilian networks and could upend some expert assessments about the extent of Moscow’s cyber aggression in the wider conflict. And while Pipedream has not been attributed to the Russian government, its sophistication has drawn comparisons to past Russian attack tools like Triton.

Industroyer2 is a brutish tool replete with disk wipers for Windows, Linux, and Solaris operating systems, as ESET researchers wrote in an analysis of the malware. It incorporates the IEC-104 communications protocol used by certain substations and protective relays, which act like circuit breakers for big electricity networks. And it takes pains to cover up its tracks as it manipulates specific ICS components to force a power outage.

Investigations into the malware samples are ongoing, but both are believed to have been developed by state-backed hackers with a deep understanding of control system networks, and Ukraine has attributed Industroyer2 to Russia. ICS and SCADA systems, like those that support power grids worldwide, often use their own sets of arcane protocols and network architectures that vary widely from site to site.

Pipedream, by contrast, has not been deployed in an actual attack, cybersecurity researchers say. But that doesn’t make it any less menacing.  Cybersecurity company Mandiant, which tracks Pipedream by the name Incontroller, warned in its own analysis today that the tool “represents an exceptionally rare and dangerous cyber-attack capability.”  That obscurity is part of the reason ICS-specific cyberthreats are incredibly rare — just seven malware strains have ever been found to specifically target control systems, counting Industroyer2 and Pipedream, according to Dragos.

Pipedream zeroes in on programmable logic controllers — a type of rugged computer used for industrial processes like managing the flow of electricity or natural gas — with an eye toward a handful of specific industrial devices produced by Omron and Schneider Electric.  “PIPEDREAM could be successful — it’s extremely capable and flexible. It was found before it was deployed in the target networks though,” Robert M. Lee, CEO of industrial cybersecurity firm Dragos, told README, calling its discovery “a huge win for defense.” (2)

National Cyber Awareness SystemAlert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices

On Wednesday, April 13th (with revisions on Thursday, April 14th)  the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:

  • Schneider Electric programmable logic controllers (PLCs),
  • OMRON Sysmac NEX PLCs, and
  • Open Platform Communications Unified Architecture (OPC UA) servers.

From the Advisory

The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.

DOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations, to implement the detection and mitigation recommendations provided in this CSA to detect potential malicious APT activity and harden their ICS/SCADA devices.

The agencies urged energy sector organizations and other critical infrastructure facilities to implement the detection and mitigation recommendations provided in the alert.

Technical Details

APT actors have developed custom-made tools that, once they have established initial access in an OT network, enables them to scan for, compromise, and control certain ICS/SCADA devices, including the following:

  • Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
  • OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
  • OPC Unified Architecture (OPC UA) servers.

The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.

The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.

In addition, the APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions.

Mitigations

Note: these mitigations are provided to enable network defenders to begin efforts to protect systems and devices from new capabilities. They have not been verified against every environment and should be tested prior to implementation.

DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:

  • Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.
  • Enforce multi-factor authentication for all remote access to ICS networks and devices whenever possible.
  • Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
  • Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
  • Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
  • Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
  • Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
  • Implement robust log collection and retention from ICS/SCADA systems and management subnets.
  • Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
  • Ensure all applications are only installed when necessary for operation.
  • Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
  • Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator comments as signs of potential malicious activity.
  • Monitor systems for loading of unusual drivers, especially for ASRock driver if no ASRock driver is normally used on the system.

Further Resources

Direct Link to APT Cyber Tools Targeting ICS/SCADA Devices | CISA

PDF Version of Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices

Private Sector Advisories include:

Mandiant’s Blog – INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems

Dragos’ Blog – CHERNOVITE’S PIPEDREAM: Malware Targeting Industrial Control Systems

Our friends over at the Record have done some solid reporting as well:

US agencies warn of custom-made hacking tools targeting energy sector systems

Researchers find new malware variant after stopping attack on Ukrainian energy provider

OODA Recommendations

In the current climate created by the viable threat of a Russian cyberattack on the U.S., if you are preparing your organization or your individual household to mitigate risk please see OODA CTO Bob Gourley’s Guide For Business: Final checks for reducing risks in the face of nation-state cyber-attacks based on White House advisory.  In the post, Bob itemizes OODA recommendations for:

  • Large Businesses/Large Federal Government Agencies
  • Small To Mid-Sized Businesses/State and Local Governments;  and
  • Individuals

OODA is here to help.  OODA members can contact us by replying to any of our emails or using this form.

Further OODA Loop Resources

The CISA Shields Up! Initiative

Preparing for Cyber Attacks: The CISA Online Resource Hub

Guide For Business: Final checks for reducing risks in the face of nation-state cyber-attacks based on White House advisory

CISA, FBI Issue Joint Cybersecurity Advisory for SATCOM Ecosystem Following Viasat Cyberattack

The FBI Cyber Division, NSA, Australian Cyber Security Centre, and the UK’s NCSC Issue Joint CSA on Global Ransomware Activity

CISA Insights Bulletin Urges U.S. Preparation for Data Wiping Attacks

Log4Shell Update from CISA Director Easterly and DHS CISA JCDC Company Updates

C-Suite Guide: Improving Cybersecurity Posture Before Russia Invades Ukraine

CISA Apache Log4j Vulnerability Guidance Webpage Up and Running with Mitigation Guidance from JCDC Partners

A Call to Action from CISA’s Jen Easterly and Def Con’s Jeff Moss at Inaugural CISA Advisory Committee Mtg.

At Black Hat 2021, CISA Director Jen Easterly launches CISA JCDC (Joint Cyber Defense Collaborative)

Stay Informed

It should go without saying that tracking threats are critical to inform your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and risks to business operations.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast

Daniel Pereira

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.