The US Government has issued a warning that APT actors have developed new capabilities to gain full system access to multiple ICS and SCADA devices using a set of custom tools.
The joint advisory, issued by the Department of Energy, DHS, CISA and the FBI, details tools that target specific systems. The tools enable the threat actors to scan for, compromise and control affected devices once access has been established in the operational technology (OT) network.
These custom-made tools are not confined to OT environments: they also compromise Windows-based engineering systems that may be present in IT or OT environments. The attacks exploit known vulnerabilities in an ASRock motherboard driver.
The alert notes that the custom tools can scan for, compromise and control certain ICS and SCADA devices, including:
- Schneider Electric MODICON and MODICON Nano PLCs, including but not necessarily limited to TM251, TM241, M258, M238, LMC058, and LMC078;
- OMRON Sysmac NJ and NX PLCs, including but not necessarily limited to NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
- OPC Unified Architecture (OPC UA) servers.
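The "scan for" step the advisory describes leaves a footprint a defender can look for: one source touching many distinct devices on ICS service ports. The following detector is an added example, not code from the advisory or from any of the vendors named above. It runs over constructed NetFlow-style records in a simple `src dst proto dport` format (an assumption of this example; map your own flow fields into it) and uses the well-known default ports for the protocol families these device lines speak: Modbus/TCP 502 (Schneider Modicon), OMRON FINS 9600/udp, EtherNet/IP 44818 and OPC UA 4840.

```python
# Added example, not part of the advisory: flag hosts that sweep ICS service
# ports across many devices, the "scan for" behaviour the advisory describes.
from collections import defaultdict

# Well-known default ports for protocols the listed device families speak.
ICS_SERVICES = {
    ("tcp", 502): "modbus-tcp",     # Schneider Modicon PLCs
    ("udp", 9600): "omron-fins",    # OMRON NJ/NX PLCs
    ("tcp", 44818): "ethernet-ip",  # also supported by OMRON NJ/NX
    ("tcp", 4840): "opc-ua",        # OPC UA servers
}


def parse_flow(line):
    """Parse one constructed flow record: 'src dst proto dport', whitespace separated."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def find_ics_sweeps(lines, min_targets=5, allowlist=()):
    """Return {src: {service: sorted(targets)}} for every source that contacts at
    least min_targets distinct devices over ICS protocols and is not a known poller
    (HMIs, historians and engineering workstations belong in the allowlist)."""
    touched = defaultdict(lambda: defaultdict(set))
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = parse_flow(line)
        service = ICS_SERVICES.get((proto, dport))
        if service is None or src in allowlist:
            continue  # non-ICS traffic or a sanctioned poller
        touched[src][service].add(dst)

    hits = {}
    for src, by_service in touched.items():
        distinct_targets = set().union(*by_service.values())
        if len(distinct_targets) >= min_targets:
            hits[src] = {svc: sorted(dsts) for svc, dsts in by_service.items()}
    return hits


# Constructed sample: an HMI (10.10.1.5) polling its two PLCs, plus one host
# (10.10.9.200) walking the PLC subnet across several ICS protocols.
SAMPLE_FLOWS = """
10.10.1.5 10.10.2.11 tcp 502
10.10.1.5 10.10.2.12 tcp 502
10.10.1.5 10.10.2.12 tcp 502
10.10.9.200 10.10.2.1 tcp 502
10.10.9.200 10.10.2.2 tcp 502
10.10.9.200 10.10.2.3 tcp 502
10.10.9.200 10.10.2.4 tcp 502
10.10.9.200 10.10.2.5 udp 9600
10.10.9.200 10.10.2.6 tcp 4840
10.10.9.200 10.10.2.7 tcp 44818
10.10.9.200 10.10.3.50 tcp 443
""".strip().splitlines()

if __name__ == "__main__":
    for src, services in find_ics_sweeps(SAMPLE_FLOWS).items():
        print(f"possible ICS sweep from {src}:")
        for svc, targets in services.items():
            print(f"  {svc}: {len(targets)} device(s) -> {', '.join(targets)}")
```

On the sample data only 10.10.9.200 is reported (seven distinct ICS devices across four protocols); the HMI's two PLCs fall under the threshold. The threshold and allowlist are the tuning knobs: in a real OT network the legitimate pollers are few and well known, so a short allowlist keeps the false-positive rate low while a low threshold still catches a slow sweep.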
All organizations with ICS and SCADA devices are urged to implement mitigations to protect these systems, including isolating ICS/SCADA systems and networks from corporate and internet-facing networks, enforcing multi-factor authentication (MFA) for all remote access to them, and changing the passwords on all of these devices and systems on a consistent schedule.
Organizations are also advised to maintain an incident response plan and exercise it regularly, and to keep known-good offline backups so that recovery is faster should an attack occur.