Businesses warned to protect against suite of nation-state hacking tools targeting critical infrastructure

An industrial mining plant processing rare earth metals
(Image credit: Shutterstock)

US authorities have issued a warning to critical infrastructure businesses after they observed state-sponsored cyber attackers wielding custom tools to fully compromise systems.

Advanced persistent threat (APT) groups, which are typically comprised of state-sponsored hackers, have already proven their ability to gain full access to multiple types of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, the cyber security advisory (CSA) read.

Co-issued by the Department of Energy, Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), the CSA instructed all potentially vulnerable organisations to implement measures to ensure the security of their systems.

Businesses are advised to enforce multi-factor authentication (MFA) for all remote access to ICS networks and devices where possible. They’re also instructed to change passwords on all ICS and SCADA devices on a regular basis, avoiding default passwords, and use an operational technology (OT) security monitoring product.

The custom tools now in the hands of state-sponsored attackers allow for scanning of specific OT devices, compromising them, and in some cases, controlling them.

Authorities said the tools allow attackers to launch “highly automated” exploits against targeted devices and can be used by lower-skilled hackers to execute processes typically reserved for higher-skilled actors.

Successful attacks using the tools could lead to denial of service in affected devices, crashing of a device’s programmable logic controller (PLC), credential capturing, file manipulation, packet capturing, and sending custom commands in some cases.

The new toolkit is used in conjunction with a known vulnerability in an ASRock motherboard driver that allows hackers to execute code in the Windows kernel, allowing them to move laterally within IT or OT systems.

Cyber security companies Dragos and Mandiant released reports into the tools described by US authorities, with the latter working closely with Schneider Electric, the manufacturer of one of the affected OT devices.

Codenamed ‘Incontroller’ by Mandiant and ‘Pipedream’ by Dragos, these tools contain a number of connected capabilities that allow hackers to scan for devices and in some cases modify and disrupt them.

Mandiant said the hacking tools bear a strong resemblance to Triton, a malware previously used to target similar critical infrastructure environments and the one FireEye accused Russia of using against a Saudi petrochemical plant in 2018.

Dragos said the tools mark the seventh known ICS-specific malware framework in existence, with other notable cases involving a power outage in Ukraine back in 2016 and Stuxnet in 2010.

"This is a rare case of analysing malicious capabilities before employment against victim infrastructure giving defenders a unique opportunity to prepare in advance," said Dragos. "Dragos assesses with high confidence that this capability was developed by a state-sponsored adversary with the intention to leverage Pipedream in future operations."

The cyber security company didn’t attribute the new tools to any specific nation but did tie the development to a group it tracks as ‘Chernovite’.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.