The U.S. Department of Energy (DOE), Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) warned on Wednesday that hacking groups now have access to advanced “cyber tools” that could allow them to gain control of critical industrial control systems.
In a joint cybersecurity advisory, the U.S. agencies announced hacking groups known as advanced persistent threat (APT) actors have “exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices.”
The agencies said the cyber tools allow hackers “to scan for, compromise, and control affected devices” once they have gained initial access to a particular operational technology (OT) network.
The joint advisory warns that these hacking tools can be used against Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.
PLCs are small computers that can be programmed to receive data inputs and send operating instructions. They can be used to control automated machinery.
Open Platform Communications Unified Architecture (OPC UA) servers oversee the exchange of data between sensors and cloud-computing applications. They are another tool that can be used for industrial automation.
The U.S. cybersecurity firm Mandiant helped discover the new hacking tools through a partnership with Schneider Electric, one of the companies whose equipment could be targeted with the hacking tools. On Wednesday, Mandiant researchers said the hacking tools, which they dubbed INCONTROLLER (aka PIPEDREAM), “represent an exceptionally rare and dangerous cyber attack capability.” Mandiant said INCONTROLLER “is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction.”
Mandiant said INCONTROLLER bears a resemblance to a hacking tool used to disable an industrial safety system in 2017, called TRITON. The INCONTROLLER tool is also similar to INDUSTROYER. TechCrunch reported a hacking group known as “Sandworm” used INDUSTROYER against Ukraine in 2016, causing a power outage that left hundreds of thousands of people without electricity. Sandworm is believed to be a cyber warfare unit working for Russia’s Main Intelligence Directorate (abbreviated in Russian as GRU).
INCONTROLLER is also similar to STUXNET, a hacking tool developed by the NSA and used to target and disrupt Iran’s nuclear program in 2010.
Robert Lee, the CEO and co-founder of the industrial cybersecurity firm Dragos, told the cybersecurity publication The Daily Swig that INCONTROLLER “takes advantage of native functionality in operations, making it more difficult to detect.” The hacking tools can also spread from one infected device to another.
Lee said the hacking tools have not yet been employed against any target networks, meaning the threat has been detected before it could become a problem.
“This provides defenders a unique opportunity to defend ahead of the attacks,” Lee told TechCrunch.
The joint cybersecurity advisory from the U.S. government agencies provided instructions for users of vulnerable systems to mitigate risks of the hacking tools being used against them.
The U.S. government advisory comes as Russia has reportedly carried out several hacking operations during its invasion of Ukraine.
Last month, President Joe Biden’s administration issued its own advisory on protecting against cyberattacks. Last week, the U.S. Department of Justice and the U.S. software company Microsoft announced that they had also taken actions to disrupt Russian cyberattacks in Ukraine.