CISA Alert AA22-103A – APT Cyber Tools Targeting ICS/SCADA Devices.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack One Zero Three Alpha.

​​Original release date: April Thirteenth, twenty twenty two.

Certain APT actors have demonstrated the ability to gain full system access to multiple ICS/SCADA devices, including: Schneider Electric programmable logic controllers, OMRON Sysmac programmable logic controllers, and Open Platform Communications Unified Architecture servers.

The APT has developed custom tools for targeting these devices that enable them to scan for, compromise, and control affected devices once they have initial access into the OT network.

The APT’s tools have a modular architecture and allow cyber actors to conduct automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted device. Modules interact with targeted devices and enable operations by low-skilled actors that emulate high-skilled capabilities.

The APT can leverage the modules to scan for and conduct reconnaissance on targeted devices, upload malicious configuration files and code, back-up or restore device contents, and modify device parameters.

Additionally, the actors can compromise Windows-based workstations in the network environment using an exploit that targets an ASRock motherboard driver with known vulnerabilities. This exploit executes malicious code at the kernel level. By compromising and maintaining system access to these devices, APT actors could elevate privileges, move laterally within an OT or IT environment, and disrupt critical devices or functions.

Initial steps to protect your OT devices and networks are to…

First, enforce multifactor authentication for remote access to OT networks and devices.

Second, change all passwords to OT devices and systems on a consistent schedule and use device-unique strong passwords to mitigate brute force attacks and give monitoring systems an opportunity to detect common attacks.

Third, install a continuous OT monitoring solution to log and alert on malicious indicators and behaviors.

DOE, CISA, NSA, and the FBI urge all critical infrastructure organizations, especially those from the Energy Sector, to implement the detection and mitigation recommendations in the alert documentation. A link can be found in the show notes.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.