The Department of Energy, Cybersecurity and Infrastructure Security Agency, National Security Agency and Federal Bureau of Investigation are warning that certain advanced persistent threat actors have shown the capability to gain full system access to multiple industrial control system/supervisory control and data acquisition devices.
Those devices include Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers, the agencies said in an alert.
The actors have developed custom-made tools for targeting industrial control system/supervisory control and data acquisition devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network.
Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities, the agencies said.
By compromising and maintaining full system access to industrial control system/supervisory control and data acquisition devices, these actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.
The agencies urged critical infrastructure organizations, especially energy sector organizations, to implement the detection and mitigation recommendations provided in the alert to detect potential malicious advanced persistent threat activity and harden their industrial control system/supervisory control and data acquisition devices.
The alert is available here.