American cyber intelligence agencies are warning that unnamed advanced threat actors now have the ability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices.
The alert issued Wednesday by the U.S. Department of Energy, the Cybersecurity and Infrastructure Security Agency (CISA), the NSA and the FBI is particularly aimed at energy providers. But it also applies to any organization that uses ICS and SCADA devices.
The alert says the threat groups have the capability to access a number of devices but particularly:
- Schneider Electric programmable logic controllers (PLCs);
- OMRON Sysmac NEX PLCs;
- Open Platform Communications Unified Architecture (OPC UA) servers.
The threat actors have developed custom-made tools for targeting ICS/SCADA devices., the alert says. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. In addition, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities.
By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions, the report emphasizes.
From The Shadows Emerges Knowledge