U.S. Warns of APT Hackers Targeting ICS/SCADA Systems with Specialized Malware

The US Cybersecurity and Infrastructure Security Agency (CISA), in a joint advisory with the Department of Energy, NSA, and FBI, has warned of nation-state actors deploying specialized malware to gain and maintain access to industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices.

The custom-made tools are built to target Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

The unnamed actors are also said to be able to compromise Windows-based engineering workstations on both IT and OT networks by exploiting a known vulnerability (CVE-2020-15368) in a signed ASRock motherboard driver, which lets them load their own unsigned driver code into the kernel.

Dragos tracks the malware as PIPEDREAM (Mandiant refers to the same toolset as INCONTROLLER) and attributes it to the threat group it calls CHERNOVITE. CHERNOVITE has the capability to disrupt, degrade, and potentially destroy physical processes in industrial environments. PIPEDREAM gives its operators the ability to scan for new devices, brute-force passwords, sever connections, and crash a target device. To do so it speaks several ICS protocols natively, including OMRON FINS, Modbus, Schneider Electric's implementation of CoDeSys, and OPC UA.

Brief description of PIPEDREAM's components:

Component    Description
EVILSCHOLAR  A capability designed to discover, access, manipulate, and disable Schneider Electric PLCs.
BADOMEN      A remote shell capability designed to interact with Omron software and PLCs.
MOUSEHOLE    A scanning tool designed to use OPC UA to enumerate PLCs and OT networks.
DUSTTUNNEL   A custom remote operational implant used for host reconnaissance and command and control.
LAZYCARGO    A capability that drops and exploits a vulnerable ASRock driver in order to load an unsigned driver.

Adversary:

  • Unique Tool Development.


Capabilities:

  • Uses ICS-specific protocols for reconnaissance, manipulation, and disabling of PLCs.
  • PLC credential capture, brute force, and denial of service.

Victims:

  • Oil and gas, electric utilities, and other industries may be targeted.
  • Asset owners operating Schneider Electric PLCs, Omron PLCs, CoDeSys-based PLCs, or OPC UA servers.

Infrastructure:

  • Uses victim PLCs, engineering software, and PLC control software for lateral movement.

ICS Impact:

  • Loss of safety, loss of availability, loss of control, and manipulation of control.
  • Execute ICS attack.

Intent:

  • Leverage the access to ICS systems to elevate privileges.
  • Move laterally within the networks.
  • Sabotage mission-critical functions in liquified natural gas (LNG) and electric power environments.

Mitigations:

  • Enforce multi-factor authentication for all remote access to ICS networks and devices.
  • Change passwords on ICS/SCADA devices and systems periodically, and use unique, strong passwords.
  • Continuously monitor for the indicators and behaviours associated with this malware, such as scanning of PLCs over ICS protocols, repeated login attempts against devices, and unexpected severed connections or device crashes.

ITC-TI – Recommendations:

  • Ensure that cyber security/IT personnel focus on identifying and quickly assessing any unexpected or unusual network behaviour, and enable logging so that issues and events can be investigated.
  • Confirm that the organisation's entire network is covered by antivirus/antimalware software and that the signatures in these tools are kept up to date.
  • Designate an Incident Response (IR) team with named points of contact for suspected cyber security incidents and defined roles and responsibilities across the organisation, and write playbooks covering technology, communications, legal, and business continuity.
  • Ensure the availability of key personnel and identify means of providing surge support when responding to an incident.
  • Conduct table-top exercises so that every participant understands their role during an incident.
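The traffic pattern described earlier on this page (one host sweeping many PLCs over Modbus, FINS, CoDeSys and OPC UA, then hammering a single device with login attempts) is exactly what the mitigations and recommendations above ask defenders to log and watch for. The Python script below is an added example, not code from the advisory or from Dragos: it runs a simple discovery and brute-force detector over constructed, Zeek-style connection records. The port-to-protocol table, the thresholds, the IP addresses and the simplified eight-column log layout are all assumptions.

```python
"""Hunt for PIPEDREAM-style ICS discovery and credential brute forcing in
network connection logs.

Added example: this is not code from the CISA advisory or from Dragos. The
log format is a simplified, tab-separated subset of Zeek's conn.log, the
sample records are constructed, and the port-to-protocol mapping and the
thresholds are assumptions to be tuned per site.
"""
from collections import defaultdict

# Assumed well-known listener ports for the protocols the advisory names.
# Schneider UMAS rides on Modbus/TCP; BADOMEN reaches Omron PLCs over Telnet/HTTP.
ICS_PORTS = {
    502: "Modbus/TCP (incl. Schneider UMAS)",
    9600: "Omron FINS",
    4840: "OPC UA",
    1217: "CoDeSys gateway",
    11740: "CoDeSys V3",
    23: "Telnet (Omron)",
    80: "HTTP (Omron)",
}

SCAN_THRESHOLD = 5      # distinct ICS devices contacted by one source host
BRUTE_THRESHOLD = 10    # short sessions from one source to one device:port
SHORT_SESSION = 1.0     # seconds; login attempts are brief, polling is not


def build_sample_log():
    """Constructed sample. Columns: ts orig_h orig_p resp_h resp_p proto duration conn_state."""
    t = 1649900000.0
    rows = []
    # A legitimate HMI holding two long-lived Modbus sessions to one PLC.
    for i in range(2):
        rows.append(f"{t + i}\t10.10.1.20\t5123{i}\t10.10.2.11\t502\ttcp\t3600.0\tSF")
    # An engineering workstation touching seven PLCs over Modbus, FINS, OPC UA and CoDeSys.
    for i, port in enumerate([502, 502, 9600, 4840, 502, 9600, 11740]):
        rows.append(f"{t + 100 + i}\t10.10.1.50\t4{i:04d}\t10.10.2.{11 + i}\t{port}\ttcp\t0.2\tSF")
    # The same workstation making twelve sub-second HTTP connections to one Omron PLC.
    for i in range(12):
        rows.append(f"{t + 200 + i}\t10.10.1.50\t5{i:04d}\t10.10.2.12\t80\ttcp\t0.05\tSF")
    return "\n".join(rows)


def parse_conn_line(line):
    """Parse one simplified conn.log record into a dict."""
    f = line.rstrip("\n").split("\t")
    return {
        "ts": float(f[0]), "orig_h": f[1], "orig_p": int(f[2]),
        "resp_h": f[3], "resp_p": int(f[4]), "proto": f[5],
        "duration": float(f[6]), "conn_state": f[7],
    }


def detect(log_text):
    """Return {source_host: [finding, ...]} for hosts whose ICS traffic looks like
    device discovery (many distinct PLCs) or credential guessing (many short sessions)."""
    devices = defaultdict(set)      # orig_h -> {(resp_h, resp_p)}
    sessions = defaultdict(list)    # (orig_h, resp_h, resp_p) -> [duration, ...]
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if rec["resp_p"] not in ICS_PORTS:
            continue  # only ICS-protocol and Omron management ports are of interest here
        devices[rec["orig_h"]].add((rec["resp_h"], rec["resp_p"]))
        sessions[(rec["orig_h"], rec["resp_h"], rec["resp_p"])].append(rec["duration"])

    findings = defaultdict(list)
    # Discovery: one source reaching an unusual number of distinct devices.
    for src, pairs in devices.items():
        hosts = {h for h, _ in pairs}
        if len(hosts) >= SCAN_THRESHOLD:
            protos = sorted({ICS_PORTS[p] for _, p in pairs})
            findings[src].append(
                f"ICS discovery: {len(hosts)} devices reached via {', '.join(protos)}")
    # Brute force: many short sessions from one source to one device:port.
    for (src, dst, port), durations in sessions.items():
        short = sum(1 for d in durations if d < SHORT_SESSION)
        if short >= BRUTE_THRESHOLD:
            findings[src].append(
                f"possible credential brute force: {short} short sessions to "
                f"{dst}:{port} ({ICS_PORTS[port]})")
    return dict(findings)


if __name__ == "__main__":
    for host, notes in detect(build_sample_log()).items():
        for note in notes:
            print(f"{host}: {note}")
```

To run this against real Zeek output, adapt parse_conn_line to the full conn.log column set. Prefer allow-listing known HMIs and engineering workstations over raising the thresholds, and review hits from engineering workstations rather than discarding them, since the advisory reports PIPEDREAM operating from exactly those hosts.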

MITRE:

Activity                                    MITRE ATT&CK
File Transfer of PIPEDREAM                  T1544 Remote File Copy; T1105 Ingress Tool Transfer
PIPEDREAM Execution                         T1059 Command and Scripting Interpreter
PIPEDREAM Interrogate Windows System        T1047 Windows Management Instrumentation
BADOMEN Telnet Login Bypass                 T1552.001 Unsecured Credentials: Credentials in Files
BADOMEN HTTP Login Bypass                   T1552.001 Unsecured Credentials: Credentials in Files
BADOMEN Get PLC Status                      T0868 Detect Operating Mode
BADOMEN PLC Read Operation                  T0888 Remote System Information Discovery
BADOMEN HTTP Encrypted Post                 T1573 Encrypted Channel
BADOMEN Activate Telnet                     T1021 Remote Services
BADOMEN File Upload                         T1544 Remote File Copy
EVILSCHOLAR Password Brute Force Attempt    T1110 Brute Force
EVILSCHOLAR Denial of Service Attempt       T0814 Denial of Service
EVILSCHOLAR Initial Communication Attempt   T0869 Standard Application Layer Protocol
EVILSCHOLAR Unauthorized Login              T1078 Valid Accounts
File Transfer of LAZYCARGO                  T1544 Remote File Copy
MOUSEHOLE Scan for Devices                  T1046 Network Service Scanning
MOUSEHOLE Initial Device Connectivity       T0869 Standard Application Layer Protocol