• Unnamed Advanced Persistent Threat (APT) actors have built custom tools to gain control of ICS and SCADA devices.
  • The actors’ tactics have been documented so that operators can take strict precautions against them.

Key U.S. government security organizations have warned that Industrial Control System (ICS)/supervisory control and data acquisition (SCADA)-based networks are being threatened by bad actors armed with customized software tools.

The Department of Energy (DOE), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) jointly issued a warning that certain Advanced Persistent Threat (APT) actors have shown the ability to gain full system access to compromised ICS/SCADA systems.

The alert did not name the groups behind the threat, but it did acknowledge that Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric helped put the warning together. Dragos also released a paper describing part of the threat.

ICS and SCADA systems typically manage and control large industrial systems and utility networks, including gas pipelines, water supplies, and power grids.

CISA stated that the custom software tools referred to in the warning would enable attack groups to scan for, compromise, and control the affected devices once initial access to the Operational Technology (OT) network has been established.

According to CISA, the tools also have a modular architecture and enable the cyber actors to conduct highly automated exploits against the targeted devices. Through a virtual console, the tools give the operator a view of the targeted ICS/SCADA device’s interface.

Industrial SCADA and ICS systems have faced continuous threats from state actors and others for many years. Most recently, the greatest threat has come from Russia as it faces worldwide sanctions and isolation over its war against Ukraine.

In March, the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics employee for their involvement in campaigns against U.S. and international oil refineries, energy companies, and nuclear facilities between 2012 and 2018.

Tips for organizations with ICS/SCADA to harden their systems

The DOE, NSA, CISA, and FBI recommended that all organizations facing these threats take the following steps to harden their systems:

• Limit the ICS/SCADA systems’ network connections to specific management and engineering workstations.
  • Isolate ICS/SCADA systems and networks from the internet and corporate networks using perimeter controls, and limit any communications entering or leaving ICS/SCADA systems.
  • Implement multifactor authentication for all remote access to ICS networks and devices wherever possible.
  • Change the passwords on all ICS/SCADA devices and systems and enforce strong passwords as a precaution against attack.
  • Maintain offline backups for speedy recovery in the case of an attack.
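The first two recommendations (restrict ICS/SCADA connections to named engineering workstations, and keep the OT segment off the internet and corporate network) are only as good as an operator's ability to verify them. The following is an added example, not code from the advisory or from the article's sources: a small Python audit that reads constructed flow records (timestamp, source, destination, port, protocol) and flags any connection to the ICS segment from a host that is not an approved engineering workstation, as well as any ICS device talking to a non-internal address. The subnets, workstation addresses and sample flows are all assumed values for illustration; the port-to-protocol table uses well-known OT service ports.

```python
"""Audit OT flow records against an engineering-workstation allowlist.

Added example; the addresses, subnets and flow lines below are constructed
for illustration and are not taken from the advisory.
"""
import ipaddress
from collections import Counter
from typing import Optional

# Constructed network model (assumed values).
ICS_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]          # PLC / RTU segment
ENGINEERING_WORKSTATIONS = {                                   # the only hosts allowed to reach ICS devices
    ipaddress.ip_address("10.10.5.10"),
    ipaddress.ip_address("10.10.5.11"),
}
INTERNAL_SUBNETS = [ipaddress.ip_network("10.0.0.0/8")]        # anything outside this is "egress"

# Well-known OT service ports, used only to label findings.
ICS_PORTS = {
    102: "ISO-TSAP (S7comm)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Constructed sample flows: timestamp,src_ip,dst_ip,dst_port,proto
SAMPLE_FLOWS = """\
2022-04-13T10:00:01,10.10.5.10,10.20.0.15,502,tcp
2022-04-13T10:00:07,10.1.44.23,10.20.0.15,502,tcp
2022-04-13T10:00:09,10.20.0.15,203.0.113.9,443,tcp
2022-04-13T10:00:12,10.10.5.11,10.20.0.22,44818,tcp
2022-04-13T10:00:15,10.1.44.23,10.20.0.22,20000,tcp
"""


def in_any(ip: ipaddress._BaseAddress, nets) -> bool:
    """True if ip falls inside any of the given networks."""
    return any(ip in net for net in nets)


def parse_flow(line: str) -> dict:
    """Split one CSV flow record into typed fields."""
    ts, src, dst, port, proto = line.strip().split(",")
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "proto": proto,
    }


def classify(flow: dict) -> Optional[dict]:
    """Return a finding for a flow that violates the segmentation rules, else None."""
    src, dst, port = flow["src"], flow["dst"], flow["port"]
    src_is_ics = in_any(src, ICS_SUBNETS)
    dst_is_ics = in_any(dst, ICS_SUBNETS)
    service = ICS_PORTS.get(port, f"{flow['proto']}/{port}")

    # Rule 1: only engineering workstations (or other ICS devices) may reach the ICS segment.
    if dst_is_ics and not src_is_ics and src not in ENGINEERING_WORKSTATIONS:
        return {"kind": "unauthorized_ics_access", "ts": flow["ts"],
                "src": str(src), "dst": str(dst), "service": service}

    # Rule 2: ICS devices must not initiate connections to non-internal addresses.
    if src_is_ics and not in_any(dst, INTERNAL_SUBNETS):
        return {"kind": "ics_egress_to_external", "ts": flow["ts"],
                "src": str(src), "dst": str(dst), "service": service}

    return None


def audit(flow_text: str) -> list:
    """Run every non-empty, non-comment flow line through classify()."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        finding = classify(parse_flow(line))
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: list) -> Counter:
    """Count findings by kind, for a quick dashboard-style view."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS)
    for f in results:
        print(f"{f['ts']} {f['kind']:<26} {f['src']} -> {f['dst']} ({f['service']})")
    print(dict(summarize(results)))
```

On the constructed sample this reports two corporate-host connections into the PLC segment (Modbus/TCP and DNP3) and one PLC reaching out to an external address; the two flows from the approved workstations pass. In practice the same logic would be fed from firewall or NetFlow exports at the OT perimeter, and the allowlist would be kept in configuration management rather than in the script.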

Experts’ view

“Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” CISA stated.

“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”

“Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities,” CISA stated. “The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.”

“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa O. Monaco in a statement. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defences and remain vigilant.”