The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Department of Energy, FBI and NSA, has issued a joint Cybersecurity Advisory warning that an advanced persistent threat (APT) actor has displayed the ability to gain full access to some ICS (industrial control system) and SCADA (supervisory control and data acquisition) devices.
The advisory lists three devices:
The threat actors created custom tools to target these devices, enabling them to scan, compromise, and control affected devices after establishing access to the operational technology (OT) network.
After gaining access to the whole system, the threat actors can elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.
The advisory also provides some technical details of the threat actors and their tools:
"The APT actors' tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.
The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.
In addition, the APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions."
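The one concrete host-level indicator the advisory quote gives defenders is the driver file name, AsrDrv103.sys (CVE-2020-15368), being loaded on a Windows engineering or HMI host. The script below is an added example, not code from the advisory or the agencies, showing how a detection over Sysmon "Driver loaded" (Event ID 6) records would flag that load. The log line format is a simplified, constructed rendering of the Sysmon fields (ImageLoaded, Signed, Signature), the sample lines and host names are constructed, and the vulnerable-driver list contains only the name the advisory gives; no hashes are assumed.

```python
import re
from dataclasses import dataclass

# Known-vulnerable driver named in the advisory (CVE-2020-15368).
# Matching is by file name only: the advisory text gives no hashes, so none
# are assumed here. Compare case-insensitively.
VULNERABLE_DRIVERS = {"asrdrv103.sys"}

# Drivers legitimately live under the system driver store; a load from
# anywhere else is a secondary signal worth reporting on its own.
EXPECTED_DRIVER_DIR = r"c:\windows\system32\drivers"


@dataclass
class DriverLoad:
    timestamp: str
    host: str
    image: str       # full path of the loaded driver (Sysmon ImageLoaded)
    signed: str      # "true"/"false" as Sysmon reports it
    signature: str   # signer name, may be empty


# Constructed sample records in a simplified Sysmon Event ID 6 shape
# (one event per line). Host names, paths and times are made up.
SAMPLE_LOG = """\
2022-04-13T10:02:11Z host=eng-ws01 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true Signature="Microsoft Windows"
2022-04-13T10:05:42Z host=eng-ws01 EventID=6 ImageLoaded=C:\\Users\\Public\\AsrDrv103.sys Signed=true Signature="ASRock Incorporation"
2022-04-13T10:06:03Z host=eng-ws01 EventID=1 Image=C:\\Users\\Public\\loader.exe
2022-04-13T11:17:55Z host=hmi-02 EventID=6 ImageLoaded=C:\\Windows\\Temp\\asrdrv103.sys Signed=false Signature=""
"""

# Only Event ID 6 lines are of interest; everything else fails to match.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) EventID=6 ImageLoaded=(?P<image>\S+) '
    r'Signed=(?P<signed>\S+) Signature="(?P<sig>[^"]*)"$'
)


def parse_driver_loads(log_text):
    """Return the DriverLoad records found in the constructed log format."""
    loads = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            loads.append(DriverLoad(m["ts"], m["host"], m["image"],
                                    m["signed"], m["sig"]))
    return loads


def find_suspicious_driver_loads(log_text):
    """Return (event, reasons) pairs for loads a defender should review.

    A load is reported when the driver file name is on the known-vulnerable
    list, or when a driver is loaded from outside the system driver store.
    The second rule is broader than the advisory and is this example's
    own heuristic.
    """
    findings = []
    for ev in parse_driver_loads(log_text):
        path = ev.image.replace("\\", "/").lower()
        name = path.rsplit("/", 1)[-1]
        directory = path.rsplit("/", 1)[0].replace("/", "\\")
        reasons = []
        if name in VULNERABLE_DRIVERS:
            reasons.append("known-vulnerable driver (CVE-2020-15368)")
        if directory != EXPECTED_DRIVER_DIR:
            reasons.append("loaded from outside the system driver store")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in find_suspicious_driver_loads(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.host} {ev.image} signed={ev.signed} "
              f"signer={ev.signature!r}: {'; '.join(reasons)}")
```

Note that the second sample load carries a valid vendor signature: a signature check alone does not catch a "bring your own vulnerable driver" case, which is why the rule keys on the driver's identity and load location rather than on signing status.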
The agencies involved in this joint advisory strongly urge all critical infrastructure organizations, specifically those in the energy sector, to implement all detection and mitigation recommendations in order to protect their ICS/SCADA devices.
It notes three actions that organizations can take immediately:
The advisory also includes a long list of other mitigations, as well as information specific to Schneider, OMRON, and OPC UA devices.
For more information, read the joint Cybersecurity Advisory, APT Cyber Tools Targeting ICS/SCADA Devices.