US agencies warn of custom-made hacking tools targeting energy sector systems

Several advanced persistent threat (APT) actors have created custom-made tools designed to breach IT equipment used in critical infrastructure facilities, according to a new advisory from multiple US agencies. 

In an alert released on Wednesday, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) warned critical infrastructure operators of potential attacks targeting multiple industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices. 

The alert says the tools used in the attacks were designed specifically for Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

Eric Byres, chief technology officer of ICS cybersecurity software firm aDolus Technology, told The Record that Schneider Electric MODICON PLCs and OPC Unified Architecture (OPC UA) servers are incredibly common and are used widely within many major industrial facilities across the US.

“The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the alert explained. 

“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”

The agencies urged energy sector organizations and other critical infrastructure facilities to implement the detection and mitigation recommendations provided in the alert. 

The alert said the actors are specifically targeting Schneider Electric MODICON and MODICON Nano PLCs, including TM251, TM241, M258, M238, LMC058, and LMC078; and OMRON Sysmac NJ and NX PLCs, including NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT.

Time to focus on ICS/SCADA. Isolating ICS/SCADA networks and limiting connections, along with strong passwords/monitoring, aren't new mitigations but they help critical infrastructure defenders prevent disruptions stop threat actors from their objectives. https://t.co/oEwFee2Cbd

— Rob Joyce (@NSA_CSDirector) April 13, 2022

Byres said OPC UA specifically is the “glue that holds most multi-vendor systems together” because it serves as a ‘linga franca’ to allow products with different communications protocols to interoperate. 

“I'd be surprised if there was a major industrial facility in all of the US that doesn't have at least one (OPC UA) server (really small facilities might not as they can be single vendor). Schneider Electric MODICON PLCs are one of the two most widely used PLCs in the US today,” he said.  

'PIPEDREAM' malware

Robert Lee, CEO of security company Dragos, said the company has been tracking an ICS-specific malware called PIPEDREAM that was developed by a group they named CHERNOVITE.

Lee said the malware initially targets Schneider Electric and Omron controllers and takes advantage of native functionality in operations, making it more difficult to detect. 

“It includes features such as the ability to spread from controller to controller and leverage popular ICS network protocols such as ModbusTCP and OPC UA,” Lee explained.  

“Uniquely, this malware has not been employed in target networks. This provides defenders a unique opportunity to defend ahead of the attacks.”

Lee noted that they assess “with high confidence“ that CHERNOVITE is a state actor that created the PIPEDREAM malware for use in disruptive or destructive operations against ICS.

“Specifically the initial targeting appears to be liquid natural gas and electric community specific. However, the nature of the malware is that it works in a wide variety of industrial controllers and systems,” Lee added.  

Cybersecurity company Mandiant released its own blog about a set of ICS-oriented attack tools they discovered with Schneider Electric called INCONTROLLER. Like PIPEDREAM, Mandiant said it is likely that the INCONTROLLER malware is state sponsored and wrote that it "contains capabilities related to disruption, sabotage, and potentially physical destruction."

CISA has released several warnings about attacks on energy facilities since the invasion of Ukraine by Russia.

Yesterday, Ukrainian officials said they stopped an attack on an energy facility with the help of researchers from ESET and Microsoft.