A new malware kit that targets industrial control systems is a major item of concern for United States officials, as it has been linked to state-backed hackers that are likely advanced in capability. The kit apparently does not require advanced skills to use, however, as it is designed with a “user-friendly” GUI that seems tailored to lower-skilled hackers; this suggests that some unfriendly nation may be preparing to ramp up a large-scale attack of this nature.
Industrial control systems can be “bricked,” Windows workstations taken over
The malware kit has not yet been used to compromise a target, according to a public warning issued by US intelligence agencies, but has extensive capabilities for attacking a wide range of industrial control systems that are currently in use. It also has ties to at least two nation-state threat groups, though the bulletin declined to name them.
The built-in capabilities seem to be designed to allow hackers that are not necessarily familiar with industrial control systems to quickly navigate and take control of them once a compromise has occurred. The malware kit starts by scanning the internet for potentially vulnerable systems and performing automated reconnaissance on them. Once a system is breached, it is able to present the hacker with a simulation of the actual control interface of the device it has compromised; presumably this lets an unfamiliar attacker quickly figure out operations with the aid of a manual.
The attack methods are also automated to a great degree, with options to use password cracking or interruption of connections and capture of credentials. The malware also appears to give attackers the option of shutting down industrial control systems without compromising credentials, by way of distributed denial of service attacks tailored to knock them offline for extended periods.
And attackers will not necessarily be limited to tampering with industrial control systems; they could also use attached Windows workstations as a foothold into the company network.
US officials have made a number of suggestions for defense of the nation’s industrial control systems, which are largely in private hands: have a system of offline backups in place, isolate this equipment from the company’s general internet connection, and incorporate automated defenses, among other measures.
Malware kit attacks broad range of systems
The malware kit is capable of compromising industrial control systems that incorporate logic controllers manufactured by OMRON and Schneider Electric, and controller communication servers running the Open Platform Communications Unified Architecture (OPC UA). This covers a very broad range of systems across numerous industries, many associated with critical infrastructure.
Unlike some other vulnerabilities and attack methods that have been published, this also cannot be fixed with a simple patch. Impacted organizations will need to isolate systems, train employees, implement new security measures, and possibly even change out hardware to deal with the threat.
As to who is behind the malware, the US agencies only said that two nations had been linked to it. Suspicion will likely fall on Russia and possibly Belarus, due to both the present Ukraine invasion and Russia’s long history of probing US critical infrastructure for vulnerabilities. The agencies have called for all critical infrastructure companies to take action, but particularly those in the energy sector, as they are deemed to be at the greatest immediate risk.