Critical infrastructure organizations in the United States are being targeted by custom malware designed specifically for the hardware they use, the country’s security and law enforcement agencies warn.
The new warning was issued jointly by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI).
In it, the agencies warn that threat actors have placed multiple industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices in their sights – namely programmable logic controllers (PLC) from Schneider Electric and OMRON (Sysmac NEX), and Open Platform Communications Unified Architecture (OPC UA) servers.
More specifically, the targeted devices are Schneider Electric MODICON and MODICON Nano PLCs, including TM251, TM241, M258, M238, LMC058 and LMC078; and OMRON Sysmac NJ and NX PLCs, including NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK and R88D-1SN10F-ECT.
Apparently, one of the threat actors is called CHERNOVITE, and it is trying to deploy malware called PIPEDREAM. Security researchers from cybersecurity firm Dragos have been tracking this ICS-specific malware for some time and found that it initially targeted Schneider Electric and Omron controllers. Because it abuses the native functionality of endpoints in operational environments rather than relying on obvious exploits, the malware is harder to spot.
Dragos CEO Robert Lee believes CHERNOVITE is a state-sponsored attacker.
A separate cybersecurity company, Mandiant, tracked another piece of malware, called INCONTROLLER. This one also targets Schneider Electric equipment and is likewise believed to be created and operated by a state-sponsored attacker.
Although no country was named, the publication recalls that Ukrainian officials recently announced the halting of an attack on an energy facility.
Talking to The Record, the CTO of ICS cybersecurity software company aDolus Technology said Schneider Electric's MODICON PLCs and OPC Unified Architecture (OPC UA) servers are likely targeted because they are extremely common in the industry.
Exploitable flaws in these devices could give attackers elevated privileges and lateral movement within an OT environment, and allow them to disrupt critical devices or functions, he added.
Via: The Record