The US Cybersecurity and Infrastructure Security Agency (CISA) has released a report warning of nation-state actors deploying specialized malware to maintain access to industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices.
The custom-made tools are specifically designed to single out Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.
The unnamed actors are said to possess capabilities to infiltrate Windows-based engineering workstations across IT and OT networks by exploiting a known vulnerability (CVE-2020-15368) in an ASRock-signed motherboard driver.
Dragos has been tracking the malware under the name “PIPEDREAM” and has linked it to the state actor CHERNOVITE, which has the capability to disrupt, degrade, and potentially destroy industrial environments and the physical processes they control. PIPEDREAM gives operators the ability to scan for new devices, brute-force passwords, sever connections, and crash the target device. To accomplish this, PIPEDREAM uses several different protocols, including FINS, Modbus, and Schneider Electric’s implementation of CoDeSys.
Brief description of PIPEDREAM’s components:
Component | Description |
---|---|
EVILSCHOLAR | A capability designed to discover, access, manipulate, and disable Schneider Electric PLCs. |
BADOMEN | A remote shell capability designed to interact with Omron software and PLCs. |
MOUSEHOLE | A scanning tool designed to use OPC UA to enumerate PLCs and OT networks. |
DUSTTUNNEL | A custom remote operational implant capability to perform host reconnaissance and command and control. |
LAZYCARGO | A capability that drops and exploits a vulnerable ASRock driver to load an unsigned driver. |
Adversary:
- Unique Tool Development.
Capabilities:
- Uses ICS-specific protocols for reconnaissance, manipulation, and disabling of PLCs.
- PLC credential capture, brute force, and denial of service.
Victims:
- Oil and Gas, Electric Utilities, and other industries may be targeted.
- Asset owners running Schneider Electric PLCs, Omron PLCs, CoDeSys-based PLCs, or OPC UA operations.
Infrastructure:
- Uses victim PLCs, engineering software, and PLC control software for lateral movement.
ICS Impact:
- Loss of safety, availability, control, and manipulation of control.
- Execute ICS attack.
Intent:
- Leverage access to ICS systems to elevate privileges.
- Move laterally within the networks.
- Sabotage mission-critical functions in liquified natural gas (LNG) and electric power environments.
Mitigations:
- Enforce Multi-factor Authentication for remote access.
- Periodically change passwords.
- Continuously monitor for malicious indicators and behaviours.
ITC-TI – Recommendations:
- Ensure that cyber security/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behaviour. Enable logging to better investigate issues or events.
- Confirm that the organisation’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
- Designate an Incident Response (IR) team with primary points of contact for a suspected cyber security incident, and define roles and responsibilities within the organisation, including technology, communications, legal, and business continuity, with playbooks for each.
- Ensure the availability of key personnel and identify means to provide surge support for responding to an incident.
- Conduct table-top exercises to ensure that all participants understand their roles during an incident.
MITRE:
Activity | MITRE ATT&CK |
---|---|
File Transfer of PIPEDREAM | T1544 Remote File Copy; T1105 Ingress Tool Transfer |
PIPEDREAM Execution | T1059 Command and Scripting Interpreter |
PIPEDREAM Interrogate Windows System | T1047 Windows Management Instrumentation |
BADOMEN Telnet Login Bypass | T1552.001 Unsecured Credentials: Credentials in Files |
BADOMEN HTTP Login Bypass | T1552.001 Unsecured Credentials: Credentials in Files |
BADOMEN Get PLC Status | T0868 Detect Operating Mode |
BADOMEN PLC Read Operation | T0888 Remote System Information Discovery |
BADOMEN HTTP Encrypted Post | T1573 Encrypted Channel |
BADOMEN Activate Telnet | T1021 Remote Services |
BADOMEN File Upload | T1544 Remote File Copy |
EVILSCHOLAR Password Brute Force Attempt | T1110 Brute Force |
EVILSCHOLAR Denial of Service Attempt | T0814 Denial of Service |
EVILSCHOLAR Initial Communication Attempt | T0869 Standard Application Layer Protocol |
EVILSCHOLAR Unauthorized Login | T1078 Valid Accounts |
File Transfer of LAZYCARGO | T1544 Remote File Copy |
MOUSEHOLE Scan for Devices | T1046 Network Service Scanning |
MOUSEHOLE Initial Device Connectivity | T0869 Standard Application Layer Protocol |
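The recommendation above to enable logging and watch for unusual network behaviour, together with the T1046 (MOUSEHOLE scanning) and T1110 (EVILSCHOLAR brute force) rows of the table, can be turned into simple detection logic over OT connection logs. The following is an added illustration, not code from CISA or Dragos; the ICS port numbers, the log format and the sample records are all assumptions constructed for the example.

```python
from collections import defaultdict

# Assumed ICS service ports (an assumption, not from the advisory):
# Modbus/TCP 502, OMRON FINS 9600, OPC UA 4840, CODESYS V3 runtime 11740.
ICS_PORTS = {502: "modbus", 9600: "fins", 4840: "opcua", 11740: "codesys"}

# Constructed connection records: "<epoch> <src> <dst> <dport> <state>"
# (states borrowed from Zeek conn.log: SF = full handshake, S0 = SYN unanswered).
SAMPLE_CONN_LOG = (
    # benign engineering workstation polling one PLC and one OPC UA server
    "1650000000 10.10.1.10 10.20.0.1 502 SF\n"
    "1650000030 10.10.1.10 10.20.0.3 4840 SF\n"
    # one host touching six distinct PLCs on Modbus within seconds (scan-like)
    + "".join(f"165000010{i} 10.10.1.50 10.20.0.{i} 502 S0\n" for i in range(1, 7))
    # one host hitting the same PLC port twelve times in 22 seconds (brute-force-like)
    + "".join(f"{1650000200 + 2 * i} 10.10.1.77 10.20.0.9 502 SF\n" for i in range(12))
)


def parse_conn_log(text):
    """Parse "<epoch> <src> <dst> <dport> <state>" lines; skip blank or malformed ones."""
    rows = [line.split() for line in text.splitlines()]
    return [(int(p[0]), p[1], p[2], int(p[3]), p[4]) for p in rows if len(p) == 5]


def detect_ics_scan(records, min_targets=5):
    """Sources reaching >= min_targets distinct hosts on ICS ports (T1046-style enumeration)."""
    targets = defaultdict(set)
    for _, src, dst, dport, _ in records:
        if dport in ICS_PORTS:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def detect_repeated_connects(records, min_attempts=10, window=60):
    """(src, dst, port) triples with >= min_attempts ICS-port connections in any window seconds (T1110-style)."""
    times = defaultdict(list)
    for ts, src, dst, dport, _ in records:
        if dport in ICS_PORTS:
            times[(src, dst, dport)].append(ts)
    hits = {}
    for key, ts_list in times.items():
        ts_list.sort()
        start = 0  # left edge of the sliding window
        for end, ts in enumerate(ts_list):
            while ts - ts_list[start] > window:
                start += 1
            if end - start + 1 >= min_attempts:
                hits[key] = end - start + 1  # count at first window that trips the threshold
                break
    return hits
```

Thresholds are deliberately conservative; tune them against a baseline of normal engineering-workstation traffic before alerting on them.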