Several advanced persistent threat (APT) actors have created custom-made tools designed to breach IT equipment used in critical infrastructure facilities, according to a new advisory from multiple US agencies, announced by The Record.
The official alert was released yesterday (Wednesday) by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), The agencies warned critical infrastructure operators of potential attacks targeting multiple industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.
Time to focus on ICS/SCADA. Isolating ICS/SCADA networks and limiting connections, along with strong passwords/monitoring, aren't new mitigations but they help critical infrastructure defenders prevent disruptions stop threat actors from their objectives. https://t.co/oEwFee2Cbd
— Rob Joyce (@NSA_CSDirector) April 13, 2022
The alert says the tools used in the attacks were designed specifically for Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.
The agencies urged energy sector organizations and other critical infrastructure facilities to implement the detection and mitigation recommendations provided in the alert.
The alert said the actors are specifically targeting Schneider Electric MODICON and MODICON Nano PLCs, including TM251, TM241, M258, M238, LMC058, and LMC078; and OMRON Sysmac NJ and NX PLCs, including NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT.
Lee said the malware initially targets Schneider Electric and Omron controllers and takes advantage of native functionality in operations, making it more difficult to detect.
“It includes features such as the ability to spread from controller to controller and leverage popular ICS network protocols such as ModbusTCP and OPC UA,” Lee explained. “Uniquely, this malware has not been employed in target networks. This provides defenders a unique opportunity to defend ahead of the attacks.”
Lee noted that they assess “with high confidence“ that CHERNOVITE is a state actor that created the PIPEDREAM malware for use in disruptive or destructive operations against ICS.
“Specifically the initial targeting appears to be liquid natural gas and electric community specific. However, the nature of the malware is that it works in a wide variety of industrial controllers and systems,” Lee added.
CISA has released several warnings about attacks on energy facilities since the invasion of Ukraine by Russia.