In the second major industrial control system (ICS) threat development this week, the U.S. Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) issued a Cybersecurity Advisory (CSA) warning of a complex and dangerous ICS threat. The CSA says that specific unnamed advanced persistent threat (APT) actors have exhibited the capability to gain complete system access to multiple ICS and supervisory control and data acquisition (SCADA) devices.
These agencies collaborated with a group of top-tier industrial control and security leaders including Dragos, Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric in drafting the alert. The CSA pointed specifically to three categories of devices vulnerable to the malware:
- Schneider Electric programmable logic controllers (PLCs)
- OMRON Sysmac NEX PLCs
- Open Platform Communications Unified Architecture (OPC UA) servers
The malware consists of a package of dangerous custom-made tools targeting ICS and SCADA devices that can scan for, compromise, and control affected devices once the actors have established initial access to the operational technology (OT) network.
Like the Industroyer2 ICS malware that Ukraine authorities announced earlier this week, the new malware, called Pipedream by Dragos and Incontroller by Mandiant and Schneider Electric, can reach beyond the operational technology environment to enable IT system access and control. Specifically, the malware can help threat actors compromise Windows-based engineering workstations, which may be present in IT or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities.
What is the Incontroller malware?
In its report, Dragos said the new malware, the seventh known ICS-specific malware and the fifth developed to disrupt industrial processes, “is a clear and present threat to the availability, control, and safety of industrial control systems and processes endangering operations and lives.” Mandiant said in a blog post that Incontroller “represents an exceptionally rare and dangerous cyberattack capability. It is comparable to Triton, which attempted to disable an industrial safety system in 2017; Industroyer, which caused a power outage in Ukraine in 2016; and Stuxnet, which sabotaged the Iranian nuclear program around 2010.”
Mandiant says Incontroller consists of three components. The first is Tagrun, a tool that scans for OPC (OLE for Process Control, where OLE stands for Object Linking and Embedding) servers, enumerates OPC structure/tags, brute-forces credentials, and reads/writes OPC tag values. OPC allows Windows programs to communicate with industrial hardware devices.
The second component is what Mandiant calls CodeCall, a framework that communicates using Modbus, one of the most common industrial protocols, and Codesys, automation software for engineering control systems. CodeCall contains modules to interact with, scan, and attack at least three Schneider Electric programmable logic controllers (PLCs).
The third component is Omshell, a framework with capabilities to interact with and scan some types of Omron PLCs via HTTP, Telnet, and Omron FINS protocols. It can also interact with Omron’s servo drives, which use feedback control to deliver energy to motors for precision motion control.
Targets likely chosen based on reconnaissance of specific networks
The equipment targeted by the malware consists of “machine automation solutions whose use cases span from supporting simple, repetitive machines to complex modular machines in distributed architectures,” says Mandiant, which highly doubts the threat actor “would target these devices at random. It is more likely they were chosen because of reconnaissance into specific target environment(s).” Dragos said that the targeted devices are used in many vertical industries. But the firm assesses that the most likely targets of the malware are equipment in liquefied natural gas (LNG) and electric power environments.
Dragos says that the collaboration among the private partners and the government agencies “is a rare case of analyzing malicious capabilities before employment against victim infrastructure, giving defenders a unique opportunity to prepare in advance.” Schneider Electric echoed this assessment, saying that the work among the private partners and the government “is an instance of successful collaboration to deter threats on critical infrastructure before they occur and further underscores how public-private partnerships are instrumental to proactively detect and counter threats before they can be deployed.”
ICS malware is becoming more complex
“The key highlight from this [announcement] is that this is a pretty rare type of tool,” Rob Caldwell, director of industrial control systems and operational technology at Mandiant, tells CSO. “We don’t see these types of control system, operational technology-focused tools, very often.”
Unlike Stuxnet or Industroyer, Incontroller “is much more of a framework. It’s not just targeting a specific device, although it is. It’s also targeting multiple specific devices and can, the way it’s written, be expanded to potentially do more types of activity,” Caldwell says. “Very rarely do you see all these capabilities together in a collection. So, one of the notable pieces about Incontroller is to have these different components related to each other but target different types of systems.”
This evolution of ICS malware to become more complex and dangerous is “just evidence that OT attackers are gaining more skill, understanding, and function. Just like they’ve done in the IT space, as time goes on their tools get more sophisticated.”
No attribution, but circumstances point to Russia
All parties to the announcement agree that a sophisticated threat actor is responsible for the malware, but none offer a definitive attribution. Mandiant says the malware “is very likely linked to a state-sponsored group given the complexity of the malware, the expertise and resources that would be required to build it, and its limited utility in financially motivated operations.”
However, Mandiant hints that the circumstantial evidence preliminarily points the finger at Russia. Mandiant says, “the activity is consistent with Russia’s historical interest in ICS. While our evidence connecting Incontroller to Russia is largely circumstantial, we note it given Russia’s history of destructive cyberattacks, its current invasion of Ukraine, and related threats again.”
Steps to remediate Incontroller
The joint advisory lists the tactics, techniques and procedures (TTPs) associated with the actors’ tools, mapped to the MITRE ATT&CK for ICS framework. It also lays out steps organizations should take to deal with the custom-made tools, and mitigations that let network defenders begin protecting systems and devices from these new capabilities.
Caldwell calls out a couple of key messages that organizations should heed. “Understand the connectivity of these systems and make sure that connectivity is reduced as much as possible,” he says. The second message is to understand the “known-good,” meaning what an environment free of malware looks like, and look for things that don’t match that known-good. It comes down to knowing “that network perimeter and minimize that as best as possible and understanding what known-good looks like within those systems.”
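The two messages above (reduce connectivity, and know what known-good looks like so deviations stand out) translate directly into a baseline check over OT network flows, and the protocols the three components speak (Modbus, Codesys, OPC, HTTP, Telnet, FINS) tell a defender which flows to baseline. The following is an added illustration, not code from the advisory, Mandiant, Dragos or any of the vendors named: it keeps a known-good table of which source host may speak which protocol to which controller, and flags flows that fall outside it, Modbus writes from hosts that are not the engineering workstation, and Telnet to controllers. The flow records, host addresses and port-to-protocol mapping are constructed assumptions for the example.

```python
"""
Known-good baseline comparison over OT network flow records.

Added example; not code from the advisory or the vendors it names.
All hosts, flows and the port/protocol table are constructed assumptions.
"""
from dataclasses import dataclass

# Conventional default ports for the protocols the article's component
# descriptions mention. Assumed for the example; adjust to the real plant.
PORT_LABELS = {
    502: "modbus",     # CodeCall: Modbus to Schneider PLCs
    1217: "codesys",   # CodeCall: Codesys (assumed port)
    4840: "opcua",     # Tagrun: OPC UA servers
    9600: "fins",      # Omshell: Omron FINS
    23: "telnet",      # Omshell: Telnet to Omron PLCs
    80: "http",        # Omshell: HTTP to Omron PLCs
}

# Modbus function codes that change controller state (writes).
MODBUS_WRITE_FUNCS = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    detail: str = ""   # "fc=<n>" for Modbus requests, empty otherwise


# Known-good baseline (constructed): which source may speak which protocol
# to which device. Anything not listed here is a deviation worth a look.
BASELINE = {
    ("10.0.10.5", "10.0.20.11", "modbus"),   # HMI polling Schneider PLC
    ("10.0.10.5", "10.0.20.12", "modbus"),
    ("10.0.10.5", "10.0.20.30", "opcua"),    # HMI reading OPC UA server
    ("10.0.10.8", "10.0.20.11", "modbus"),   # engineering workstation (EWS)
    ("10.0.10.8", "10.0.20.11", "codesys"),
    ("10.0.10.8", "10.0.20.40", "fins"),     # EWS to Omron PLC
}
# Only the engineering workstation is expected to write to controllers.
WRITE_AUTHORIZED = {"10.0.10.8"}


def classify(flow):
    """Return the findings for one flow; an empty list means it matches known-good."""
    proto = PORT_LABELS.get(flow.dport, f"tcp/{flow.dport}")
    findings = []
    if (flow.src, flow.dst, proto) not in BASELINE:
        findings.append(f"new {proto} talker {flow.src} -> {flow.dst}")
    if proto == "modbus" and flow.detail.startswith("fc="):
        fc = int(flow.detail[3:])
        if fc in MODBUS_WRITE_FUNCS and flow.src not in WRITE_AUTHORIZED:
            findings.append(f"modbus write fc={fc} from non-engineering host {flow.src}")
    if proto == "telnet":
        # Interactive shell access to a controller is never part of the baseline.
        findings.append(f"telnet to controller {flow.dst} from {flow.src}")
    return findings


def review(flows):
    """Map each deviating flow to its findings; baseline-conformant flows are omitted."""
    out = {}
    for flow in flows:
        hits = classify(flow)
        if hits:
            out[flow] = hits
    return out


SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("10.0.10.5", "10.0.20.11", 502, "fc=3"),    # baseline HMI read
    Flow("10.0.10.8", "10.0.20.11", 502, "fc=16"),   # authorized write from EWS
    Flow("10.0.10.8", "10.0.20.11", 1217),           # baseline Codesys session
    Flow("10.0.10.42", "10.0.20.11", 502, "fc=3"),   # unknown host reading a PLC
    Flow("10.0.10.42", "10.0.20.12", 502, "fc=16"),  # unknown host writing registers
    Flow("10.0.10.42", "10.0.20.30", 4840),          # unknown host to OPC UA server
    Flow("10.0.10.42", "10.0.20.40", 23),            # telnet to Omron PLC
]

if __name__ == "__main__":
    for flow, hits in review(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}")
        for hit in hits:
            print("   ", hit)
```

The baseline table is the "known-good" Caldwell describes; in practice it is derived from a period of observed normal traffic and reviewed by the plant engineers, and the smaller that table is (the reduced connectivity he asks for), the less an unknown host can do before its first flow shows up as a deviation.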