Businesses warned to protect against suite of nation-state hacking tools targeting critical infrastructure
A new malware framework capable of disrupting multiple types of IT and OT devices has been observed by US authorities, placing potentially vulnerable businesses on high alert.


US authorities have issued a warning to critical infrastructure businesses after they observed state-sponsored cyber attackers wielding custom tools to fully compromise systems.
Advanced persistent threat (APT) groups, which typically comprise state-sponsored hackers, have already proven their ability to gain full access to multiple types of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, the cyber security advisory (CSA) read.
Co-issued by the Department of Energy, Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), the CSA instructed all potentially vulnerable organisations to implement measures to ensure the security of their systems.
Businesses are advised to enforce multi-factor authentication (MFA) for all remote access to ICS networks and devices where possible. They’re also instructed to change passwords on all ICS and SCADA devices on a regular basis, to avoid default passwords, and to use an operational technology (OT) security monitoring product.
The custom tools now in the hands of state-sponsored attackers allow for scanning of specific OT devices, compromising them, and in some cases, controlling them.
Authorities said the tools allow attackers to launch “highly automated” exploits against targeted devices and can be used by lower-skilled hackers to execute processes typically reserved for higher-skilled actors.
Successful attacks using the tools could lead to denial of service in affected devices, crashing of a device’s programmable logic controller (PLC), credential capturing, file manipulation, packet capturing, and sending custom commands in some cases.
The new toolkit is used in conjunction with a known vulnerability in an ASRock motherboard driver that allows hackers to execute code in the Windows kernel, allowing them to move laterally within IT or OT systems.
Cyber security companies Dragos and Mandiant released reports into the tools described by US authorities, with the latter working closely with Schneider Electric, the manufacturer of one of the affected OT devices.
Codenamed ‘Incontroller’ by Mandiant and ‘Pipedream’ by Dragos, these tools contain a number of connected capabilities that allow hackers to scan for devices and in some cases modify and disrupt them.
Mandiant said the hacking tools bear a strong resemblance to Triton, a malware previously used to target similar critical infrastructure environments and the one FireEye accused Russia of using against a Saudi petrochemical plant in 2018.
Dragos said the tools mark the seventh known ICS-specific malware framework in existence, with other notable cases involving a power outage in Ukraine back in 2016 and Stuxnet in 2010.
"This is a rare case of analysing malicious capabilities before employment against victim infrastructure giving defenders a unique opportunity to prepare in advance," said Dragos. "Dragos assesses with high confidence that this capability was developed by a state-sponsored adversary with the intention to leverage Pipedream in future operations."
The cyber security company didn’t attribute the new tools to any specific nation but did tie the development to a group it tracks as ‘Chernovite’.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.