Alert - APT Cyber Tools Targeting ICS/SCADA Devices

This is an alert for critical infrastructure organizations regarding APT cyber tools targeting ICS/SCADA devices.

On 4/13/2022, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) issued a joint Cybersecurity Advisory (CSA) AA22-103A titled “APT Cyber Tools Targeting ICS/SCADA Devices” to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices.

Tools have been weaponized that will enable APT actors to:

- Scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network.
- Compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments.

By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.

DOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations, to implement the detection and mitigation recommendations provided in this CSA to detect potential malicious APT activity and harden their ICS/SCADA devices. https://www.cisa.gov/uscert/ncas/alerts/aa22-103a

For additional technical details, the cybersecurity research firm Mandiant has provided a writeup of what their researchers know thus far regarding this threat. https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool

If you have any concerns, don’t hesitate to reach out to the experts at K logix: info@klogixsecurity.com 617-860-6485
