Businesses warned to protect against suite of nation-state hacking tools targeting critical infrastructure

A new malware framework capable of disrupting multiple different types of IT and OT devices has been observed by US authorities, placing potentially vulnerable businesses on high alert

US authorities have issued a warning to critical infrastructure businesses after they observed state-sponsored cyber attackers wielding custom tools to fully compromise systems.

Advanced persistent threat (APT) groups, which are typically made up of state-sponsored hackers, have already proven their ability to gain full access to multiple types of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, the cyber security advisory (CSA) read.

Co-issued by the Department of Energy, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), the CSA instructed all potentially vulnerable organisations to implement measures to ensure the security of their systems.

Businesses are advised to enforce multi-factor authentication (MFA) for all remote access to ICS networks and devices where possible. They’re also instructed to change passwords on all ICS and SCADA devices on a regular basis, to avoid default passwords, and to use an operational technology (OT) security monitoring product.

The custom tools now in the hands of state-sponsored attackers allow for scanning of specific OT devices, compromising them, and in some cases, controlling them.

Authorities said the tools allow attackers to launch “highly automated” exploits against targeted devices and can be used by lower-skilled hackers to execute processes typically reserved for higher-skilled actors.

Successful attacks using the tools could lead to denial of service in affected devices, crashing of a device’s programmable logic controller (PLC), credential capturing, file manipulation, packet capturing, and sending custom commands in some cases.

The new toolkit is used in conjunction with a known vulnerability in an ASRock motherboard driver that allows hackers to execute code in the Windows kernel, allowing them to move laterally within IT or OT systems.

Cyber security companies Dragos and Mandiant released reports into the tools described by US authorities, with the latter working closely with Schneider Electric, the manufacturer of one of the affected OT devices.

Codenamed ‘Incontroller’ by Mandiant and ‘Pipedream’ by Dragos, these tools contain a number of connected capabilities that allow hackers to scan for devices and in some cases modify and disrupt them.

Mandiant said the hacking tools bear a strong resemblance to Triton, a malware previously used to target similar critical infrastructure environments, which FireEye accused Russia of using against a Saudi petrochemical plant in 2018.

Dragos said the tools mark the seventh known ICS-specific malware framework in existence, with other notable cases involving a power outage in Ukraine back in 2016 and Stuxnet in 2010.

"This is a rare case of analysing malicious capabilities before employment against victim infrastructure giving defenders a unique opportunity to prepare in advance," said Dragos. "Dragos assesses with high confidence that this capability was developed by a state-sponsored adversary with the intention to leverage Pipedream in future operations."

The cyber security company didn’t attribute the new tools to any specific nation but did tie the development to a group it tracks as ‘Chernovite’.
