Businesses warned to protect against suite of nation-state hacking tools targeting critical infrastructure
A new malware framework capable of disrupting multiple types of IT and OT devices has been observed by US authorities, placing potentially vulnerable businesses on high alert.
US authorities have issued a warning to critical infrastructure businesses after they observed state-sponsored cyber attackers wielding custom tools to fully compromise systems.
Advanced persistent threat (APT) groups, which are typically made up of state-sponsored hackers, have already proven their ability to gain full access to multiple types of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, the cyber security advisory (CSA) read.
Co-issued by the Department of Energy, Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), the CSA instructed all potentially vulnerable organisations to implement measures to ensure the security of their systems.
Businesses are advised to enforce multi-factor authentication (MFA) for all remote access to ICS networks and devices where possible. They’re also instructed to change passwords on all ICS and SCADA devices on a regular basis, avoiding default passwords, and use an operational technology (OT) security monitoring product.
The custom tools now in the hands of state-sponsored attackers allow for scanning of specific OT devices, compromising them, and in some cases, controlling them.
Authorities said the tools allow attackers to launch “highly automated” exploits against targeted devices and can be used by lower-skilled hackers to execute processes typically reserved for higher-skilled actors.
Successful attacks using the tools could lead to denial of service in affected devices, crashing of a device’s programmable logic controller (PLC), credential capturing, file manipulation, packet capturing, and sending custom commands in some cases.
The new toolkit is used in conjunction with a known vulnerability in an ASRock motherboard driver that allows hackers to execute code in the Windows kernel, allowing them to move laterally within IT or OT systems.
Cyber security companies Dragos and Mandiant released reports on the tools described by US authorities, with the latter working closely with Schneider Electric, the manufacturer of one of the affected OT devices.
Codenamed ‘Incontroller’ by Mandiant and ‘Pipedream’ by Dragos, these tools contain a number of connected capabilities that allow hackers to scan for devices and in some cases modify and disrupt them.
Mandiant said the hacking tools bear a strong resemblance to Triton, a malware previously used to target similar critical infrastructure environments and the one FireEye accused Russia of using against a Saudi petrochemical plant in 2018.
"This is a rare case of analysing malicious capabilities before employment against victim infrastructure giving defenders a unique opportunity to prepare in advance," said Dragos. "Dragos assesses with high confidence that this capability was developed by a state-sponsored adversary with the intention to leverage Pipedream in future operations."
The cyber security company didn’t attribute the new tools to any specific nation but did tie the development to a group it tracks as ‘Chernovite’.