In response to the U.S. government’s Joint Cybersecurity Advisory on APT Cyber Tools Targeting ICS/SCADA Devices, we have compiled a list of the most frequently asked questions we are receiving from clients and the strategies we are seeing pursued across the market. Protiviti is monitoring this event closely and will continue to update this blog post to reflect the most accurate information.
What do we know?
Public agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Energy, the National Security Administration and the Federal Bureau of Investigation, and the private security firms Mandiant, Palo Alto, Microsoft and Dragos have collaborated to identify a new piece of malware targeting industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices. This malware is described as a “Swiss Army knife” capable of inflicting damage on a wide range of ICS equipment. However, there are no public indications that this malware has successfully achieved its aim of disrupting ICS equipment.
Who is behind the malware?
Based on the technical skill needed to create the malware and its functionality across ICS devices, there are strong indicators that an advanced persistent threat (APT) crew of a nation-state built this malware. The malware is designed to disrupt, destroy or take control of devices connected to an operational technology (OT) network. The functionality and sophistication of the malware design pose significant risk to major operators in the energy and utilities industries.
What’s the potential impact?
The impact could potentially be significant for energy operators if their programmable logic controllers (PLCs) are unavailable or unsafe commands are sent to field devices. Traffic to and from compromised devices may use authorized protocols and communication patterns, making it difficult to differentiate potentially malicious traffic from regular traffic. If a PLC is attacked and degraded beyond operational use, production outages could result, and manual workarounds may be required.
What industries are currently being targeted?
Current indicators, based on the SCADA devices targeted and the functionality built into the malware, suggest that energy companies are likely the main target, particularly liquefied natural gas (LNG) facilities. Organizations that use products from Schneider Electric or OMRON (see Technical Details), or that operate OPC Unified Architecture (OPC UA) servers, should be prepared to respond.
Are there known breaches or successful attacks?
Publicly available information has not indicated any successful attacks with this malware. The malware could potentially inflict significant damage and pose a threat to the lives, or at least the safety, of nearby personnel. Current indicators are that significant investment went into the malware’s creation and that APT crews are in the reconnaissance phase. Changes to the geopolitical landscape could potentially impact the likelihood of this malware being deployed and utilized more broadly.
How do I know if my network is vulnerable?
Review current asset inventory lists to determine whether your operational environment uses any of the following products (see APT Cyber Tools Targeting ICS/SCADA Devices):
- Schneider Electric MODICON and MODICON Nano PLCs, including (but not necessarily limited to) TM251, TM241, M258, M238, LMC058 and LMC078
- OMRON Sysmac NJ and NX PLCs, including (but not necessarily limited to) NEX NX1P2, NXSL3300, NX-ECC203, NJ501-1300, S8VK and R88D-1SN10F-ECT
- OPC UA servers
Further, the ASRock motherboard driver (AsrDrv103.sys) is being targeted. If your organization has a configuration management database for OT devices, or the ability to actively scan for drivers, search for this driver: finding it is a key indicator that firmware updates should be applied and that application logs should be reviewed for any signs of compromise.
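As an added illustration of the inventory review described above (example code written for this post, not part of the advisory or any vendor tool), the following script checks a CMDB export against the product models, OPC UA role and driver name listed here. The CSV column names and the sample rows are constructed assumptions; adapt them to your own inventory format.

```python
# Added example: flag OT inventory rows that match the watch list on this page.
import csv
import io
import re

# Models named on this page (the advisory's list is "not necessarily limited to" these).
# "NEX NX1P2" is listed on the page; the model prefix used for matching here is NX1P2.
AFFECTED_MODELS = {
    "Schneider Electric": {"TM251", "TM241", "M258", "M238", "LMC058", "LMC078"},
    "OMRON": {"NX1P2", "NXSL3300", "NXECC203", "NJ5011300", "S8VK", "R88D1SN10FECT"},
}
TARGETED_DRIVER = "asrdrv103.sys"


def normalise(model: str) -> str:
    """Strip hyphens, underscores and spaces and upper-case, so 'NX-ECC203' matches 'NXECC203'."""
    return re.sub(r"[\s\-_]", "", model).upper()


def review_inventory(csv_text: str) -> list:
    """Return one finding per row that matches a watch-list item.

    Assumed columns: asset_id, vendor, model, role, drivers (';'-separated file names).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        vendor = row["vendor"].strip().lower()
        model = normalise(row["model"])
        for known_vendor, models in AFFECTED_MODELS.items():
            if known_vendor.lower() in vendor and any(model.startswith(m) for m in models):
                reasons.append(f"listed {known_vendor} PLC model")
        if "opc ua" in row["role"].lower():
            reasons.append("OPC UA server")
        drivers = {d.strip().lower() for d in row["drivers"].split(";") if d.strip()}
        if TARGETED_DRIVER in drivers:
            reasons.append("targeted ASRock driver present")
        if reasons:
            findings.append({"asset_id": row["asset_id"], "reasons": reasons})
    return findings


# Constructed sample inventory; these are not real assets.
SAMPLE_INVENTORY = """asset_id,vendor,model,role,drivers
PLC-01,Schneider Electric,TM241CE24R,line controller,
PLC-02,OMRON,NX-ECC203,EtherCAT coupler,
HMI-03,Contoso,HMI-2000,OPC UA server,AsrDrv103.sys;e1000.sys
PLC-04,Siemens,S7-1500,safety PLC,
"""

if __name__ == "__main__":
    for finding in review_inventory(SAMPLE_INVENTORY):
        print(finding["asset_id"], "->", "; ".join(finding["reasons"]))
```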
Are there any mitigations in place?
The Joint Cybersecurity Advisory outlines a thorough step-by-step plan to mitigate the damage and how to search for indicators of compromise. The most beneficial recommendations from a risk-reduction perspective are to:
- Segment traffic between an OT network and a corporate network and between an OT network and the internet. No OT services should be accessible from the internet. Organizations that leverage micro-segmentation are even more resilient to lateral movement by attackers. Micro-segmentation is a concept where network traffic is finely segmented based on device profiles and principles of least privilege, ensuring that only authorized data flows are allowed.
- Require multifactor authentication or other strong authentication for any direct access to an OT network.
- Change any default passwords for OT devices and rotate passwords for privileged roles. Privileged roles in the context of an OT application are roles granted to an account that allow that account to make any change deemed necessary on a control system, whether that is disabling alarms, changing set points or restricting communication between devices.
- Monitor OT traffic to identify any potentially unsafe commands or attempts to disrupt normal operations.