APT Cyber Tools Are Targeting Energy Sector, Among Others


APT groups are using cyber tools to target critical industrial ICS/SCADA systems, a new alert from the U.S. agency CISA states. High-profile threat actors are capable of gaining full system access to multiple industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, the report said.

Threat actors have developed offensive cyber tools that target these systems and can scan for, compromise, and control targeted devices once they have breached the operational technology (OT) network, the report added. The threat actors in question are not identified in CISA’s alert.

Schneider, Omron, OPC UA Systems in the Crosshairs

The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have joined forces against APT (Advanced Persistent Threat) actors targeting critical infrastructure, the report stated.

Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers are at risk, the report added.

These systems are at risk of brute-force attacks, denial-of-service attacks, credential capture, and even hardware crashes as a result of “packet of death” attacks.

Custom-Made Offensive Cyber Tools

High-profile threat actors have crafted custom-made cyber tools to compromise critical infrastructure, the report stated. An “ICS-specific” piece of malware (malicious software) dubbed “PIPEDREAM”, developed by the “Chernovite Activity Group (AG)”, is suspected to be the weapon of choice here, cybersecurity company Dragos stated on its news blog.

Mandiant threat intelligence dubbed the malware “INCONTROLLER”, a novel software weapon “built to target machine automation devices” across multiple industries, Mandiant wrote. Mandiant believes the malware can be correlated with Russian cyber-physical system (CPS) attacks on Ukraine between 2015 and 2016.

“The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices,” CISA said. In addition, APT threat actors have been observed using a tool that exploits known vulnerabilities in ASRock-signed motherboard drivers to run code in the Windows kernel. This allows the attackers to “move laterally within an IT or OT environment”, which in turn lets them compromise critical devices and functions, CISA wrote.

Which ICS/SCADA Devices are Vulnerable?

According to authorities, the following devices are at risk:

  • Schneider Electric MODICON and MODICON Nano PLCs, including (but not necessarily limited to) TM251, TM241, M258, M238, LMC058, and LMC078
  • OMRON Sysmac NJ and NX PLCs, including (but not necessarily limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT
  • OPC Unified Architecture (OPC UA) servers

ICS and SCADA systems are usually installed to control and manage substantial industrial systems and networks such as water supplies, gas pipelines, and power grids.

There are several emergency security approaches posted by CISA for US agencies that enable network defenders “to begin efforts to protect systems and devices from new capabilities.” The DOE, CISA, NSA, and the FBI recommend the following steps for all organizations that use ICS/SCADA devices:

  • Isolating systems and networks using strong perimeter controls
  • Enforcing multifactor authentication for ICS networks and devices wherever possible
  • Having a cyber incident response plan and exercising it regularly
  • Changing all passwords on all devices and systems on a consistent schedule
  • Maintaining backups, especially offline backups
  • Limiting system access to specifically allowed management and engineering stations only
  • Configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI)
  • Implementing robust log collection across systems
  • Leveraging a continuous OT monitoring solution
  • Enforcing the principle of least privilege
  • Monitoring systems for the loading of unusual drivers, particularly ASRock drivers

For more in-depth security mitigation information, please refer to the original CISA report.
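As an added example (not from CISA’s alert or this article), here is the detection logic behind the last recommendation above, run over a few constructed Sysmon Event ID 6 (DriverLoad) records in Sysmon’s “Field: value” text rendering. The expected-signer baseline, the trusted driver directory, and the sample driver names and signer strings are assumptions for illustration.

```python
import re

# Assumption: signers expected on a hardened engineering workstation; tune per site.
EXPECTED_SIGNERS = {"microsoft windows"}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed Sysmon Event ID 6 (DriverLoad) records; none are real captures.
SAMPLE_EVENTS = """\
ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys
Signature: Microsoft Windows
SignatureStatus: Valid
---
ImageLoaded: C:\\Users\\eng\\AppData\\Local\\Temp\\example_driver.sys
Signature: ASRock Incorporation
SignatureStatus: Valid
---
ImageLoaded: C:\\Windows\\Temp\\unknown.sys
Signature: -
SignatureStatus: Unavailable
"""

def parse_events(text):
    """Split the text rendering into one dict per event; '---' separates events."""
    events = []
    for chunk in text.split("---"):
        fields = dict(re.findall(r"^(\w+): (.*)$", chunk, flags=re.MULTILINE))
        if "ImageLoaded" in fields:
            events.append(fields)
    return events

def driver_load_findings(event):
    """Return the reasons (possibly none) a single DriverLoad event deserves review."""
    reasons = []
    path = event.get("ImageLoaded", "").lower()
    signer = event.get("Signature", "").lower()
    if "asrock" in signer:  # the alert's specific indicator for this tooling
        reasons.append("ASRock-signed driver loaded")
    if event.get("SignatureStatus") != "Valid":
        reasons.append("driver unsigned or signature not valid")
    if not path.startswith(TRUSTED_DRIVER_DIR):
        reasons.append("loaded from outside the system drivers directory")
    if signer not in EXPECTED_SIGNERS:  # validly signed, but not in the site baseline
        reasons.append("signer not in site baseline")
    return reasons

def flag_unusual_drivers(text):
    """Map each driver path that raised findings to its reasons, in log order."""
    flagged = {}
    for event in parse_events(text):
        reasons = driver_load_findings(event)
        if reasons:
            flagged[event["ImageLoaded"]] = reasons
    return flagged
```

In production the same checks would run over Sysmon events forwarded to a collector, with the baseline built from the drivers actually installed on known-good engineering stations.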

Critical Infrastructure Attacks

As the digital transformation of industrial sectors takes hold, attacks on critical infrastructure and cyber-physical systems such as ICS/SCADA can wreak havoc on an entire nation’s fundamental lifelines.

This has been the case many times over the years, as in the Colonial Pipeline attack in 2021, the attack that disrupted Toyota’s business operations last month, the attempt to poison the Florida water supply, and several others.

For these reasons, the private sector is working to protect industrial systems in several critical sectors, such as energy, automotive, banking, and semiconductors, via a new consortium called the Operational Technology Cybersecurity Coalition (OTCSA), The Register said in a report.

Tech researcher & communications specialist
Mirza has an educational background in Global Communications and has worked in advertising, marketing, journalism and television over the years while living in several different countries. He now works to consolidate news and outreach at VPNoverview.com; in his free time he likes to work on documentary projects, read about sociology and write about world events.