
A new joint advisory from several US government agencies has just been released. The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) are warning the US energy sector that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices.

Targeted devices and servers

The advisory describes several of the attacker tools, grouped by the hardware they target.

Schneider Electric devices

Several Schneider Electric MODICON and MODICON Nano PLCs (programmable logic controllers), including (but possibly not limited to) TM251, TM241, M258, M238, LMC058 and LMC078, are impacted.

The threat actor tool targeting those devices has modules that interact via normal management protocols and Modbus protocols, allowing attackers to:

  • Rapidly scan a local network for all Schneider PLCs
  • Brute-force PLC passwords using CODESYS and other available device protocols against defaults or a dictionary word list
  • Conduct a denial-of-service attack to prevent PLCs from being reached
  • Interrupt connections, requiring users to re-authenticate on PLC, likely to facilitate the capture of valid credentials
  • Crash the PLC until a power cycle and configuration recovery is conducted
  • Send custom Modbus commands (which can also work against Modbus devices besides Schneider Electric PLCs)

OMRON devices

The affected devices are OMRON Sysmac NJ and NX PLCs, including (but possibly not limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK and R88D-1SN10F-ECT.

The threat actor tool targeting those devices has modules allowing attackers to:

  • Scan for OMRON devices using the FINS (factory interface network service) protocol
  • Parse the HTTP response from OMRON devices
  • Retrieve media access control (MAC) address of devices
  • Poll for specific devices connected to PLCs
  • Back up/restore arbitrary files to/from PLCs
  • Load a custom malicious agent on OMRON PLCs for additional attack operations (do file manipulations, make packet captures or execute code).

OPC Unified Architecture servers

OPC UA servers could be accessed using default or previously compromised credentials. The attacker client can read the OPC UA structure from the server and potentially write tag values available via OPC UA.


The Incontroller threat

A report from Mandiant, mentioned in the advisory, refers to a likely state-sponsored attacking tool dubbed Incontroller (aka Pipedream), built to target automation devices.

Incontroller comprises three elements targeting all the devices reported in the security advisory. Mandiant researchers highly doubt that the threat actor would target all these devices at random; it is more likely that they were chosen because of reconnaissance into specific target environments. Each tool might be used separately, but it is also possible that all the tools would be used to attack a single environment.

Incontroller attack scenarios, as exposed by Mandiant, could lead to:

  • Operational disruption of activities, leading to delayed production, financial losses and complex facility startup procedures
  • Sabotage of industrial processes, resulting in defective products or malfunctioning machine behavior
  • Physical destruction of industrial machinery, impacting human safety and the environment and causing damage to equipment

Given the complexity of these tools and the expertise and resources that are required to build them, in addition to the fact that such tools have limited utility in financially motivated operations, Mandiant notes that the activity is consistent with Russia’s historical interest in ICS.

Dragos, also mentioned in the advisory for its report about Pipedream, assesses that this tool has not yet been deployed in the wild. Dragos also believes with high confidence that Pipedream was developed by a state actor known as Chernovite with the intention of leveraging it in future operations.

When it comes to the possible targets, Dragos researchers write that the Pipedream malware targets equipment in liquefied natural gas (LNG) and electric power environments, but could easily be adapted to compromise and disrupt a broader set of targets.



The joint advisory from US government agencies suggests mitigations to this threat:

  • Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls.
  • Limit communications entering or leaving ICS/SCADA perimeters.
  • Limit ICS/SCADA systems network connections to only specifically allowed management and engineering workstations.
  • Enforce multifactor authentication (MFA) for all remote access to ICS networks and devices whenever possible.
  • Have a cyber incident response plan prepared and exercised regularly with stakeholders in IT, cybersecurity and operations.
  • Change all passwords to ICS/SCADA devices and systems so that no default password remains, and use device-unique strong passwords to mitigate brute-force attacks.
  • Maintain known-good offline backups and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
  • Protect management systems by configuring Device Guard, Credential Guard and Hypervisor Code Integrity (HVCI).
  • Install endpoint detection and response (EDR) solutions and ensure strong antivirus file reputation settings are configured.
  • Implement robust log collection and retention from ICS/SCADA systems and management subnets.
  • Leverage a continuous OT (operational technology) monitoring solution to alert on malicious indicators and behaviors.
  • Ensure all applications are installed only when necessary.
  • Enforce the principle of least privilege and limit the use of administrator accounts.
  • Investigate every symptom of denial of service or connection severing.
  • Monitor systems for the loading of unusual drivers, especially the ASRock driver, if none is normally used on the system.
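
As an added illustration (not part of the advisory or of any vendor tooling), the Python sketch below shows how the "only specifically allowed management and engineering workstations" mitigation can be checked against the Modbus scanning and command activity described earlier: it parses Modbus/TCP headers from captured request payloads and flags traffic from hosts outside an allowlist. The IP addresses, the threshold, the sample frames and the function names are constructed assumptions.

```python
import struct
from collections import defaultdict

# Assumed allowlist of engineering workstations (constructed addresses).
ALLOWED_WORKSTATIONS = {"10.10.1.5", "10.10.1.6"}
# Standard Modbus function codes that write coils or registers.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
SCAN_THRESHOLD = 3  # distinct PLCs one unknown source may contact before flagging

def parse_mbap(payload):
    """Return (unit_id, function_code), or None if not a well-formed request."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; the length field covers the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

def review(records):
    """records: (src_ip, dst_ip, tcp_payload) seen on TCP/502. Returns sorted alerts."""
    alerts, targets = set(), defaultdict(set)
    for src, dst, payload in records:
        parsed = parse_mbap(payload)
        if parsed is None:
            alerts.add((src, dst, "malformed Modbus/TCP frame"))
            continue
        if src in ALLOWED_WORKSTATIONS:
            continue
        targets[src].add(dst)
        kind = "write" if parsed[1] in WRITE_FUNCTIONS else "request"
        alerts.add((src, dst, f"Modbus {kind} from non-allowlisted host (fc=0x{parsed[1]:02X})"))
    for src, dsts in targets.items():
        if len(dsts) >= SCAN_THRESHOLD:
            alerts.add((src, "*", f"contacted {len(dsts)} PLCs (possible scan)"))
    return sorted(alerts)

# Constructed sample frames: read holding registers, write single register.
READ = bytes.fromhex("000100000006010300000002")
WRITE = bytes.fromhex("0002000000060106000100ff")
SAMPLE = [
    ("10.10.1.5", "10.20.0.11", READ),       # allowlisted workstation
    ("10.10.9.77", "10.20.0.11", WRITE),     # unknown host writing a register
    ("10.10.9.77", "10.20.0.12", READ),
    ("10.10.9.77", "10.20.0.13", READ),
    ("10.10.1.6", "10.20.0.12", READ[:9]),   # truncated frame
]

if __name__ == "__main__":
    for alert in review(SAMPLE):
        print(alert)
```
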

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
