Context
The Department of Energy (DOE), Cybersecurity and Infrastructure Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) issued a joint cybersecurity advisory on April 13, 2022 detailing new advanced persistent threat (APT) cyber tools targeting Industrial Control System and Supervisory Control and Data Acquisition (ICS/SCADA) devices.
The advisory notes three key devices at risk:
- Schneider Electric MODICON and MODICON Nano programmable logic controllers (PLCs),
- Omron Sysmac NJ and NX PLCs, and
- Open Platform Communications Unified Architecture (OPC UA) servers.
Tool Details
The federal joint advisory does not identify the specific tools or indicators, but notes that the tools allow threat actors to:
- control devices and gain full system access
- compromise Windows engineering workstations by exploiting an ASRock motherboard driver with known vulnerabilities
- elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions
The tools outlined in the advisory also reportedly include a modular architecture and command interface that streamlines the compromise process and allows less skilled threat actors to execute sophisticated attacks more easily.
In addition to the federal advisory, major cybersecurity firms Mandiant and Dragos also issued research on ICS-focused cyber tools on April 13, 2022. It is highly likely, based on matching technical details, that the reports from Mandiant and Dragos describe the same malware as the federal joint advisory.
Mandiant partnered with Schneider Electric to publish research on malware they named INCONTROLLER. According to Mandiant’s report, INTCONTROLLER is designed to disrupt machine automation devices and can interact with multiple types of imbedded industrial machinery used in multiple industries. The malware is reportedly composed of three key components:
- TAGRUN, a scanner for open platform communication (OPC) servers that enumerates structure and tags, brute forces credentials, and reads/writes tag values
- CODECALL, a framework that uses common industrial protocol Modus for communication, which interacts with, scans, and attacks three Schneider Electric programmable logic controller (PLC) devices
- OMSHELL, a framework which interacts with and scans some models of Omron PLC and interacts with Omron servo drives
ICS-focused cybersecurity firm Dragos published research on a malware they named PIPEDREAM, which is designed to disrupt, degrade, and damage ICS/SCADA devices. Dragos noted that PIPEDREAM has not yet been observed in the wild, but that the malware was reportedly capable of executing 38% of known ICS attack techniques and 83% of known tactics.
PIPEDREAM reportedly manipulates multiple PLC devices and software, including Omron and Scheider Electric devices. Dragos identified five key components of the malware, EVILSCHOLAR, BADOMEN, DUSTTUNNEL, MOUSEHOLE, and LAZYCARGO. The components reportedly allow threat actors to enumerate environments, infiltrate workstations, exploit and disable process controllers, and manipulate executed logic and programming.
Impact Analysis
Cyber attacks on ICS/SCADA devices are increasingly prevalent globally. In the months since the initial Russian invasion of Ukraine in early 2022, multiple reports emerged describing attempted cyberattacks on Ukrainian critical infrastructure. In April 2022, the Ukrainian government announced that they disrupted an attack on their energy grid with assistance from Microsoft and ESET. The attack reportedly leveraged Industroyer 2, an update to a previously known ICS-focused malware previously leveraged against Ukrainian infrastructure.
When taken in conjunction with the federal joint advisory and reports from Mandian and Dragos, the rise in ICS/SCADA cyberattacks globally indicates that organizations using this equipment must be proactive and vigilant in their cyber defense. Because of the critical nature of the processes and operations that ICS/SCADA devices manage, cyberattacks on this technology has the potential to be especially harmful to an organization’s physical, cyber, financial, and reputational security.
Because of the severity of this threat, organizations in the retail, hospitality, and travel sectors that deploy ICS/SCADA technologies as part of their operations should implement the recommended mitigations from the federal joint advisory. These mitigations include, but are not limited to:
- Isolating systems from internet networks
- Enforcing multifactor authentication (MFA)
- Maintaining incident response plans
- Changing passwords on a regular schedule
- Maintaining proper backups
- Leveraging operational technology (OT) monitoring and endpoint detection and response (EDR) solutions
Yara Rules
Researchers from Mandiant provided the following Yara rules for searching executables associated with the ASRock driver exploit:
rule MTI_Hunting_AsRockDriver_Exploit_PDB
{
meta:
author = "Mandiant"
date = "03-23-2022"
description = "Searching for executables containing strings associated with AsRock driver Exploit."
strings:
$dos_stub = "This program cannot be run in DOS mode"
$pdb_bad = "dev projects\\SignSploit1\\x64\\Release\\AsrDrv_exploit.pdb"
$pdb_good = "c:\\asrock\\work\\asrocksdk_v0.0.69\\asrrw\\src\\driver\\src\\objfre_win7_amd64\\amd64\\AsrDrv103.pdb"
condition:
all of them and (@pdb_bad < @dos_stub[2]) and (#dos_stub == 2) and (@pdb_good > @dos_stub[2])
}
rule MTI_Hunting_AsRockDriver_Exploit_Generic
{
meta:
author = "Mandiant"
date = "03-23-2022"
description = "Searching for executables containing strings associated with AsRock driver Exploit."
strings:
$dos_stub = "This program cannot be run in DOS mode"
$pdb_good = "c:\\asrock\\work\\asrocksdk_v0.0.69\\asrrw\\src\\driver\\src\\objfre_win7_amd64\\amd64\\AsrDrv103.pdb"
condition:
all of them and (#dos_stub == 2) and (@pdb_good > @dos_stub[2])
}
