A new Cybersecurity Advisory (CSA) warns that advanced persistent threat (APT) actors have unleashed new malware to gain full system access to industrial control systems (ICS). Industrial organizations and critical infrastructure are at risk. The CSA was issued jointly by the Department of Energy (DOE), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI).
Security researchers from ESET, Dragos, and Mandiant have released details on the new malware, dubbed Industroyer2 and Incontroller. Like Industroyer (aka CrashOverride), Triton, and Stuxnet, this new malware is weaponized to inflict critical damage on industrial control networks, including physical destruction. Here we’ll summarize the attack methods and how to mitigate risk with Cisco Cyber Vision and Cisco Secure Firewall.
ESET and CERT-UA analyzed an attack against a Ukraine-based energy utility launched on April 8, 2022. They uncovered several malware families, including a new variant of Industroyer, which the Sandworm APT group used to target the Ukrainian energy sector in December 2016. That attack led to a power blackout in Kiev. The new variant, Industroyer2, uses the IEC-104 protocol to target high-voltage electrical substations.
Where Industroyer used an external file for its configuration, Industroyer2’s configuration is directly embedded in the malware binary. The configuration string contains IP addresses of target devices along with IEC-104 parameters such as application service data units (ASDUs), information object addresses (IOAs), and timeout values. These values are linked to a specific target environment and need to be tailored for each victim.
To cover their tracks, the attackers deployed a new version of CaddyWiper on the same machine where they executed Industroyer2. CaddyWiper renders the machine unbootable by erasing the extended information of the drive’s partitions. The analysts believe that CaddyWiper was probably deployed via a Group Policy Object (GPO) on an Active Directory server, and that the GPOs were enumerated using a dedicated PowerShell script. An earlier version of CaddyWiper was executed against a Ukrainian bank on March 14, 2022 and a Ukrainian government entity on April 1, 2022.
In addition to Industroyer, the researchers also uncovered Linux and Solaris malware on the energy utility’s network. A worm tries to connect to all hosts on the local network using SSH over specific TCP ports (22, 2468, 24687, 522), iterating through a set of credentials probably gathered before the attack. When the worm reaches a new host, it launches a wiper to destroy the content of disks attached to the system.
Analysts have not yet discovered the initial attack vector, nor have they discovered the exploitation chain used to pivot from the IT network to the OT network. Analysis is still underway to determine the full capabilities of Industroyer2, but researchers believe it allows bad actors to maliciously control electrical equipment and inflict damage on the targeted electrical substations.
The following network IOCs have been disclosed for Industroyer2:
Cisco Cyber Vision supports deep packet inspection (DPI) of the IEC-104 protocol, the main OT vector used by Industroyer2. This will give you visibility into IEC-104 devices connected to the network. Cyber Vision calculates risk scores for these devices, helping you set priorities for strengthening your security posture.
Setting a Cyber Vision baseline will help detect attacks in progress by identifying suspicious IEC-104 activities—for example, control commands issued by hosts that do not normally issue them. Similarly, Cyber Vision can detect SSH scans performed by the worm, which appear as unusual SSH activities originating from the infected machine.
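As an added example (not code from Cisco, ESET or CERT-UA), the following Python sketches the two baseline checks just described: flagging IEC-104 control commands from hosts outside a baseline set of controllers, and flagging a host that fans out SSH to many peers on the port set the worm scans. The record shape, host addresses and baseline set are constructed assumptions.

```python
# Added example (not Cisco, ESET or CERT-UA code): baseline-style checks for the two
# behaviours described above, run over constructed flow records shaped as
# (src_ip, dst_ip, dst_port, payload bytes or None).
from collections import defaultdict

IEC104_PORT = 2404
# IEC 60870-5-104 control-direction ASDU types: commands 45-51 and time-tagged forms 58-64.
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))
WORM_SSH_PORTS = {22, 2468, 24687, 522}  # ports the worm tries, as reported above
BASELINE_CONTROLLERS = {"10.0.1.10"}     # constructed: the only legitimate SCADA master

def iec104_control_command(apdu):
    """Return (type_id, ioa) if the APDU is an I-frame carrying a control command, else None."""
    if len(apdu) < 15 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        return None
    if apdu[2] & 0x01:  # bit 0 of control octet 1 is set for S- and U-frames
        return None
    type_id = apdu[6]
    ioa = int.from_bytes(apdu[12:15], "little")  # information object address
    return (type_id, ioa) if type_id in CONTROL_TYPE_IDS else None

def detect_iec104_anomalies(records, baseline=BASELINE_CONTROLLERS):
    """Flag IEC-104 control commands from hosts that never issue them in the baseline."""
    alerts = []
    for src, dst, port, payload in records:
        cmd = iec104_control_command(payload) if port == IEC104_PORT and payload else None
        if cmd and src not in baseline:
            alerts.append((src, dst) + cmd)
    return alerts

def detect_ssh_fanout(records, threshold=3):
    """Flag sources opening SSH to many distinct hosts on the worm's port set."""
    targets = defaultdict(set)
    for src, dst, port, _ in records:
        if port in WORM_SSH_PORTS:
            targets[src].add(dst)
    return {src: sorted(h) for src, h in targets.items() if len(h) >= threshold}

def iframe(type_id, ioa, element, cot=6):
    """Build a constructed IEC-104 I-frame (sequence numbers 0) with one information object."""
    asdu = bytes([type_id, 1, cot, 0, 1, 0]) + ioa.to_bytes(3, "little") + element
    return bytes([0x68, 4 + len(asdu), 0, 0, 0, 0]) + asdu

SAMPLE_RECORDS = [  # constructed, not real telemetry
    ("10.0.1.10", "10.0.2.50", 2404, iframe(45, 1000, b"\x01")),        # C_SC_NA_1 from baseline host
    ("10.0.1.77", "10.0.2.50", 2404, iframe(45, 1000, b"\x00")),        # C_SC_NA_1 from a new host
    ("10.0.1.77", "10.0.2.51", 2404, iframe(1, 1000, b"\x01", cot=3)),  # M_SP_NA_1, monitoring only
    ("10.0.2.50", "10.0.1.10", 2404, bytes([0x68, 4, 0x01, 0, 0x02, 0])),  # S-frame, no ASDU
] + [("10.0.1.77", f"10.0.1.{h}", p, None) for h, p in zip(range(20, 24), (22, 2468, 24687, 522))]
```

Only the engineering host 10.0.1.77 is reported: once for issuing a single command it never sent during baselining, and once for SSH fan-out across four peers on the worm's port set.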
Mandiant and Schneider have analyzed Incontroller malware, which targets Omron and Schneider control devices and OPC-UA servers. These are widely deployed in many industries. Incontroller is a collection of tools that attackers use to identify, enumerate, and crash controllers and attack Windows hosts. Mandiant believes that Incontroller is most likely state-sponsored. Its activity is consistent with Russia’s past cyberattacks, and it might be linked to the current invasion of Ukraine and related threats against Europe and North America.
Incontroller is a set of five tools:
- Component that can discover, manipulate, and crash Schneider PLCs using a Codesys library
- Component that can discover and manipulate Omron PLCs and servo drives
- Tool that can interface with OPC-UA servers to perform enumeration, read/write node data, and execute brute-force attacks to guess credentials
- Custom remote implant that performs reconnaissance and acts as a command-and-control server
- Windows executable that exploits a vulnerable driver to inject an unsigned driver
All in all, Incontroller uses 83% of the tactics within the MITRE ATT&CK ICS matrix, a knowledge base of adversary tactics. From this we can deduce that its creators intend it for end-to-end attacks, starting with an initial foothold in the IT network and moving to lower levels of the OT network.
Incontroller targets identified to date are:
- Schneider: Modicon M251, Modicon M258, and Modicon M221 Nano PLCs
- Omron: NX1P2 and NJ501 PLCs as well as R88D-1SN10F-ECT servo drive
The Codesys library used by Incontroller can also be used to attack other controllers.
Mitigations for Incontroller
Use Cisco Cyber Vision to identify the equipment that Incontroller targets: Schneider and Omron controllers and OPC-UA servers. Cyber Vision supports Schneider’s Modbus/UMAS protocol and Omron’s FINS protocol, enabling it to extract detailed device information such as model name, reference, and firmware version. Cyber Vision also shows whether vulnerable devices communicate with targeted PLCs over the insecure protocols (Telnet and HTTP) that Incontroller exploits. If so, switching to secure protocols will strengthen your security posture.
Cyber Vision baselines can highlight activities consistent with the malware’s lateral movement and reconnaissance. It also detects suspicious HTTP and Telnet traffic targeting OT devices, as well as Modbus, Omron FINS, and Codesys activities that deviate from your baseline.
The Snort intrusion detection system (IDS) built into Cyber Vision and Cisco Secure Firewall provides additional visibility into malicious activity associated with Incontroller. The Talos research group has released multiple Snort rules providing coverage for Incontroller. We encourage you to activate the rules with the following SIDs: 59587-59596, 59598-59599, and 59601-59605.
For additional guidance on how to best protect your industrial environment, read our previous blog post detailing 3 actions to take ASAP.