"US Warns of State-Backed Malware Designed to Hijack Critical Infrastructure Systems"

An advisory recently published jointly by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA, and the Department of Energy warns that threat actors have developed a custom toolkit that enables them to scan for, compromise, and control ICS devices once they’re connected to the operational technology (OT) network. The advisory noted that the tools are specifically designed to target programmable logic controllers (PLCs) made by Schneider Electric and Omron. The hackers also have malware that leverages an exploit to target Windows systems with ASRock motherboards in order to execute malicious code, move laterally into IT or OT environments, and disrupt them. The U.S. government agencies warned that by compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions. The federal agencies did not share any additional information on the hacking tools and malware mentioned in the advisory. They urged critical infrastructure organizations, particularly those involved in energy, to take measures such as multi-factor authentication and consistent password changes to protect their control systems.

Security intelligence company Mandiant said it had been analyzing the ICS-oriented attack tools, which it has named Incontroller, since early 2022. The researchers stated that Incontroller represents an exceptionally rare and dangerous cyberattack capability comparable to Triton, Stuxnet, and Industroyer. They noted that Incontroller could be used to shut down critical machinery, sabotage industrial processes, and disable safety controllers, and that it is “very likely” to be state-sponsored given its complexity and its “limited utility in financially motivated operations.”

 

TechCrunch reports: "US Warns of State-Backed Malware Designed to Hijack Critical Infrastructure Systems"
