APT actors targeting ICS/SCADA Devices with custom tools

US Government cybersecurity experts are warning of advanced persistent threat (APT) actors using custom tools to target and compromise multiple industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices.

The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory and overview of the threat on April 13, 2022 (updated April 14):

“The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”

According to the report, the APT actors used these custom tools to scan for, compromise, and control certain ICS/SCADA devices, including:

  • Schneider Electric programmable logic controllers (PLCs)
  • OMRON Sysmac NEX PLCs
  • Open Platform Communications Unified Architecture (OPC UA) servers.

Moreover, the tools include a virtual console with a command interface module that mimics the targeted ICS/SCADA device.

The actors then use the module to conduct reconnaissance on the targeted devices, after which they can upload malicious code to them, back up or restore their contents, and modify their configurations.
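From the defender's side, the behaviour described above (a newly compromised host scanning the OT network for PLCs and OPC UA servers before touching them) leaves a recognisable trace in firewall or flow logs: a source that is not an approved engineering workstation talking to device services at all, and a source fanning out to many distinct devices in a short window. The script below is an added illustration, not code from the advisory or from any of the agencies that issued it. It works over a constructed log sample; the engineering-workstation allowlist, the 5-device/2-minute fan-out threshold, and the Modbus (502) and OMRON FINS (9600) ports are assumptions chosen for the example, while 4840 is the standard OPC UA TCP port.

```python
"""Flag unexpected sources and scan-like fan-out against ICS/SCADA endpoints.

Added example (not from the advisory). Input is a constructed list of
firewall-style log lines of the form:
    "<iso-timestamp> src=<ip> dst=<ip> dport=<port> action=allow"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Service ports treated as OT device endpoints. 4840 is the standard OPC UA
# TCP port; 502 (Modbus TCP) and 9600 (OMRON FINS) are assumptions for this
# example, not values taken from the advisory.
OT_SERVICE_PORTS = {4840: "opcua", 502: "modbus", 9600: "fins"}

# Assumed allowlist: hosts that are permitted to talk to PLCs/OPC UA servers.
APPROVED_ENGINEERING_HOSTS = {"10.10.1.5"}

# A single source reaching this many distinct OT devices inside the window
# is treated as reconnaissance/scanning (thresholds are assumptions).
FANOUT_THRESHOLD = 5
FANOUT_WINDOW = timedelta(minutes=2)

# Constructed sample log: one approved workstation doing normal work, then an
# unapproved host sweeping six OPC UA endpoints within ten seconds.
SAMPLE_LOG = [
    "2022-04-13T08:00:01 src=10.10.1.5 dst=10.10.2.10 dport=502 action=allow",
    "2022-04-13T08:00:07 src=10.10.1.5 dst=10.10.2.11 dport=4840 action=allow",
    "2022-04-13T08:00:09 src=10.10.1.5 dst=10.10.9.1 dport=443 action=allow",
    "2022-04-13T08:01:00 src=10.10.7.23 dst=10.10.2.10 dport=4840 action=allow",
    "2022-04-13T08:01:02 src=10.10.7.23 dst=10.10.2.11 dport=4840 action=allow",
    "2022-04-13T08:01:04 src=10.10.7.23 dst=10.10.2.12 dport=4840 action=allow",
    "2022-04-13T08:01:06 src=10.10.7.23 dst=10.10.2.13 dport=4840 action=allow",
    "2022-04-13T08:01:08 src=10.10.7.23 dst=10.10.2.14 dport=4840 action=allow",
    "2022-04-13T08:01:10 src=10.10.7.23 dst=10.10.2.15 dport=4840 action=allow",
]


def parse_line(line):
    """Parse one constructed log line into a dict with typed fields."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
    }


def analyze(lines):
    """Return a list of alert dicts for the given log lines."""
    alerts = []
    history = defaultdict(list)   # src -> [(timestamp, dst), ...] for OT ports
    fanout_flagged = set()        # sources already reported for scanning

    for line in lines:
        rec = parse_line(line)
        if rec["dport"] not in OT_SERVICE_PORTS:
            continue                       # not an OT device service; ignore
        service = OT_SERVICE_PORTS[rec["dport"]]

        # Check 1: any OT-service connection from a non-approved source.
        if rec["src"] not in APPROVED_ENGINEERING_HOSTS:
            alerts.append({"kind": "unexpected-source", "src": rec["src"],
                           "dst": rec["dst"], "service": service})

        # Check 2: fan-out to many distinct devices inside the window.
        hist = history[rec["src"]]
        hist.append((rec["ts"], rec["dst"]))
        cutoff = rec["ts"] - FANOUT_WINDOW
        recent_devices = {dst for ts, dst in hist if ts >= cutoff}
        if (len(recent_devices) >= FANOUT_THRESHOLD
                and rec["src"] not in fanout_flagged):
            fanout_flagged.add(rec["src"])
            alerts.append({"kind": "scan-fanout", "src": rec["src"],
                           "devices": sorted(recent_devices)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample log the approved workstation produces no alerts, while the sweeping host produces one `unexpected-source` alert per endpoint it touches and a single `scan-fanout` alert once it has reached five distinct devices. In practice the allowlist and thresholds would come from an asset inventory and a baseline of normal engineering traffic, and the unexpected-source check is the one to tune most carefully, since it is also what exposes a compromised engineering workstation that is on the allowlist only by its fan-out pattern.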

Readers can check out the full PDF report for more details on the APT custom tools as well as recommended mitigations.
