US warns of govt hackers targeting industrial control systems:
A joint cybersecurity advisory issued by CISA, NSA, FBI, and the Department of Energy (DOE) warns of government-backed hacking groups being able to hijack multiple industrial devices using a new ICS-focused malware toolkit.
The federal agencies said the threat actors could use custom-built modular malware to scan for, compromise, and take control of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices.
"The APT actors' tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities," the joint advisory reads.
"The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters."
ICS/SCADA devices at risk of being compromised and hijacked include:
- Schneider Electric MODICON and MODICON Nano programmable logic controllers (PLCs)
- Omron Sysmac NJ and NX PLCs, and
- Open Platform Communications Unified Architecture (OPC UA) servers
DOE, CISA, NSA, and the FBI also found that state-sponsored hackers have malware that leverages CVE-2020-15368 exploits to target Windows systems with ASRock motherboards, execute malicious code, and move laterally to and disrupt IT or OT environments.
The federal agencies recommend network defenders start taking measures to protect their industrial networks from attacks using these new capabilities and malicious tools.
They advise enforcing multifactor authentication (MFA) for remote access to ICS networks, changing default passwords to ICS/SCADA devices and systems, rotating passwords, and using OT monitoring solutions to detect malicious indicators and behaviors.
Additional mitigation measures can be found in today's advisory, with more information provided by CISA and the Department of Defense on blocking attacks targeting OT systems [PDF], layering network security via segmentation, and reducing exposure across industrial systems.
"APT actors are targeting certain ICS/SCADA devices and could gain full system access if undetected," the NSA said.
Related Stories
The US Justice Department said Wednesday that the FBI surreptitiously sent commands to hundreds of infected small office and home office routers to remove malware China state-sponsored hackers were using to wage attacks on critical infrastructure.
The routers—mainly Cisco and Netgear devices that had reached their end of life—were infected with what's known as KV Botnet malware, Justice Department officials said.
[...] "To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process," an agency special agent wrote in an affidavit dated January 9. "This command will also stop the Target Device from operating as a VPN node, thereby preventing the hackers from further accessing Target Devices through any established VPN tunnel.
[...] The takedown disclosed Wednesday isn't the first time the FBI has issued commands to infected devices without the owners' knowledge ahead of time. In 2021, authorities executed a similar action to disinfect Microsoft Exchange servers that had been compromised by a different China-state group tracked as Hafnium.
[...] In 2018, researchers reported that more than 500,000 SOHO routers had been compromised by sophisticated malware dubbed VPNFilter. The mass hack was later revealed to be an operation by a Russian-state group tracked as Sofacy. In that event, the FBI issued an advisory urging people to restart their routers to remove any possible infections. The agency also seized a domain used to control VPNFilter.
[...] This month's takedown comes as the Chinese government has stepped up attacks in recent years to compromise routers, cameras, and other network-connected devices to target critical infrastructure. warned of the trend in May last year. Researchers in the private sector have issued similar warnings.
Previously on SoylentNews:
Backdoored Firmware Lets China State Hackers Control Routers With "Magic Packets" - 20230930
Microsoft Comes Under Blistering Criticism for "Grossly Irresponsible" Security - 20230805
Malware Turns Home Routers Into Proxies for Chinese State-Sponsored Hackers - 20230518
US Warns of Govt Hackers Targeting Industrial Control Systems - 20220415
State Hackers Breach Defense, Energy, Healthcare Orgs Worldwide - 20211111
Microsoft Exchange Server Zero Day Hack Roundup - 20210316
Breached Water Plant Employees Shared Same Password, No Firewall - 20210211
Iranian Spies Accidentally Leaked Videos of Themselves Hacking - 20200716
Hackers Can Seize Control of Ballots Cast Using the Voatz Voting App, Researchers Say - 20200215
Microsoft Takes Court Action Against Fourth Nation-State Cybercrime Group - 20191231
"state actors" search on SoylentNews for even more: https://soylentnews.org/search.pl?threshold=0&query=state+actors
(Score: 1, Touché) by Anonymous Coward on Friday April 15 2022, @02:30PM (3 children)
What goes around comes around... it's called karma, baby.
(Score: 0) by Anonymous Coward on Friday April 15 2022, @09:53PM (2 children)
Yes, because Iran is a murderous totalitarian regime hell bent, among other things, on the complete annihilation of another nation.
And the US is a democracy. A highly dysfunctional one, but a democracy nonetheless.
Enough with your fucking false equivalence bullshit. If given the choice between living in Iran or the US, 95% of the world's population would choose the US. And 100% of women.
(Score: 0) by Anonymous Coward on Saturday April 16 2022, @01:22PM (1 child)
Hey dopey... USA is a republic, not a democracy.
(Score: 0) by Anonymous Coward on Saturday April 16 2022, @11:26PM
USA is a collection of fiefdoms
(Score: 0) by Anonymous Coward on Friday April 15 2022, @03:33PM
I mean, no brainer right!
(Score: 2) by MIRV888 on Friday April 15 2022, @03:58PM (3 children)
Being able to destroy industrial equipment remotely and at the time of your choosing can be catastrophic to large industrial operations (à la uranium centrifuges).
Definitely not good.
(Score: 1, Insightful) by Anonymous Coward on Friday April 15 2022, @04:17PM (2 children)
Take them off the internet. Don't have any remote access.
(Score: 3, Insightful) by HiThere on Friday April 15 2022, @04:35PM
That's really the best answer, but it's inconvenient for the managers.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 5, Interesting) by RS3 on Friday April 15 2022, @05:17PM
Many small manufacturers barely have an IT staff, if at all. They might use an outside IT firm, who mostly only know desktops, servers, routers- they wouldn't know much about PLCs (ICS), if anything at all.
(Too) many of the PLCs / SCADA systems rely on a larger network, and some things may need Internet connection. That does _not_ necessarily mean open incoming ports, but they might have them for many reasons.
Another problem: to allow remote access many systems have a special ICS-type of WiFi module. Again, most factory equipment technicians, and/or generic IT people wouldn't know anything about it, and likely would not even know it's in a machine.
Much (most) of this stuff is quite specialized, so even if factory staff knew about the vulnerabilities, they'd have to pay very big $ to get the OEM and/or ICS specialists to check / fix the problems.
Sigh, I know, I'm a plant engineer / hands-on technician in a small factory.
(Score: 2, Insightful) by Anonymous Coward on Friday April 15 2022, @04:40PM (4 children)
a friendly reminder not to connect your solar harvesting devices to the intarwebz.
you wouldn't setup, configure and check a 500 megawatt nuclear reactor thru an obsolete-in-3-years device with cloud connection would you?
in the same manner, all it takes are 100'000 intarwebz connected solar harvesters with cloud dependencies and a zero-day to off-line the same 500 megawatt capacity.
best to keep an air-gap and in-line an old skool, robust, dumb and non-techno "spinny disk" meter to observe your energy harvesting progress...not thru wifi2000(tm) and latest fad i-android.
(Score: 5, Informative) by RS3 on Friday April 15 2022, @05:27PM (3 children)
I agree with your wisdom. Unfortunately far too many technical decisions are made by non-technical managers. It seems everyone latches on to "put it in the cloud" and "needs an app" mentality. When engineers try to encourage and exercise caution, we're told to get with the times, called backward, regarded as obstructing progress, and sometimes laid-off / fired. Too often we read of the vulnerabilities in all of the new (unnecessary) "features".
All that said, I do some occasional work in the nuclear power industry, in a small specialized segment, and I'm not allowed to deviate from the 40-year old design. (which IMHO could use a little refining, but it does work...)
(Score: 1, Interesting) by Anonymous Coward on Saturday April 16 2022, @04:41PM (2 children)
thanks for reply and info.
i just wanted to add that newer solar inverters can "play" with cos phi (not a covid variant), that is leading/lagging reactive power.
so tho off-lining 500 megawatt is prolly bad, what could be even worse is zero-day-configuring 500 solar megawatts to mess with reactive power ... which could have ripple effects ... maybe all the way back to a ... nuke reactor?
anyways, air-gap your infinite personal energy source. i wouldn't want to have to trust its security to an external agent.
(Score: 2) by RS3 on Saturday April 16 2022, @06:12PM
Interesting. As far as grid sync, I suppose as an EE I'm biased (no pun intended!) but I think that's best left to the local electronics. IE, the circuits should keep the generated / synthesized sine wave in sync with the grid, period. Monitoring / reporting phase lead/lag is perfectly okay, but not variable / configurable by any external influence.
Definitely air-gap, but ideally _all_ grid-tied generators would be part of a large controllable network to balance load demands and maintain grid voltage stability. But therein lies the problem: how do you do that safely? I keep thinking VPN, but over the years we've seen today's best security / encryption algorithm gets hacked tomorrow.
But let's say VPN should be okay, with software to detect break-in attempts, DDOS, etc., and just disconnect from the network and keep generating power if said software detects attacks.
A few years ago I installed some PV systems and we often used inverters that had no software interface, let alone Internet connection. Just an LCD display and a few buttons to cycle through the display. You could add a data module, but I never looked into those, nor did boss nor customers.
Point is, the things just work, and they're extremely sensitive to the grid, and will instantly disconnect themselves if they sense any grid-tie anomaly.
Downside is those inverters won't power your house (or whatever) without grid. There's much more that can be done, like local batteries, 1 grid-tied inverter, 2nd inverter for local power supply (backup generation), and that's all pretty easy to do with today's available electronics. For example, a VFD (Variable Frequency Drive) motor controller takes incoming AC (1 or 3 phase), rectifies / filters (capacitors) into DC, from which it synthesizes sine waves. So you'd have your PV / wind generation, batteries, grid-tied inverter, and VFDs to make house AC power from the DC of the PV / wind / batteries.
(Score: 2) by RS3 on Saturday April 16 2022, @06:25PM
Meant to add: even if the entire grid destabilized, the nuke reactor is perfectly fine. Both electrical and reactor control systems will disconnect it and shut down the reactor. That's all part of basic design safety requirements.
(Score: 2) by Username on Friday April 15 2022, @04:48PM
We already knew that for years since Snowden. They even openly used it against Tucker and O'Keefe the past year.
At least they're admitting it now. Even though it's shrouded in false flag political BS.
(Score: 3, Insightful) by bzipitidoo on Friday April 15 2022, @05:03PM (1 child)
At heart, business hates having to spend. And security is an expense. While there are security measures that aren't worth the expense, in these cases, the cost/benefit ratio greatly favors putting in a little more effort not to have so very many security lapses. As in, in some cases, they don't have any security at all. No passwords. Worse than a door without a lock, it's like there isn't even a door.
When they're hacked, they throw up all this smoke that the perps are diabolical genius hackers, or state level espionage agencies, when actually, it was some 15 year old script kiddie just trying doors.
> changing default passwords
See? See?? That's just what I mean. Couldn't be bothered to set the password to something a teensy bit more obscure. Didn't want to pay for an IT person to set a few passwords.
(Score: 3, Interesting) by zafiro17 on Friday April 15 2022, @05:54PM
Commerce, industry, and manufacturing all respond to regulation and regulatory mandates. They will spend knowing their competitors are held to the same standards.
The fact that the DOE is in on this announcement tells you the worry is about the power grid.
Every major geopolitical power at present surely has a collection of zero-days they use to exploit and control. Every one of them.
Dad always thought laughter was the best medicine, which I guess is why several of us died of tuberculosis - Jack Handey
(Score: 2) by HammeredGlass on Friday April 15 2022, @05:14PM (2 children)
And the authoritarians are wetting their Depends at the thought
(Score: 1, Informative) by Anonymous Coward on Friday April 15 2022, @06:40PM (1 child)
What are the Mercers, Sacklers and GOP kiddie diddlers gonna do???
(Score: 2) by HammeredGlass on Friday April 15 2022, @10:36PM
You should bring some equality to your condemnations.
(Score: 5, Insightful) by istartedi on Friday April 15 2022, @07:00PM
Another guy said air-gap, and I agree but if that's not practical you should default deny everything, and I do mean EVERYTHING. I went through this exercise quite some time ago for work, and it was fascinating. There are so many protocols and services people don't even know about, and seeing the attempted connections and interactions was high geek entertainment. What? The printer is trying to talk to us? We didn't even know it could until we looked. All those obscure protocols. You can't get obliterated by some ancient FTP variant if you default deny everything, including all IPs. Then you open up ONLY the protocols you need, to the IPs that you can verify need access.
It's not as secure as air-gapping or doing it the old fashioned way with some bored dude on site; but it would solve so many problems.
I'm flabbergasted that attackers are even able to scan ports at these facilities. That should simply not be possible.
If an attacker from some un-registered IP gets anything other than 100% dropped packets at your edge router, you're making mistakes. It's so simple. Even the Russians know this. I saw a mil.ru link on some Tweet, and decided to hit it for grins and giggles. Everything dropped, as I assume they block all USA IPs. The last router to return pings was in the Netherlands.
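The advisory's mitigation list (OT monitoring, segmentation, reducing exposure) and the default-deny approach described in the comment above come down to the same control: write down every flow the plant actually needs, drop everything else, and review what got dropped, since the denied flows are where the unknown printer, the stray FTP variant and the external port probe show up. The following is an added example, not code from the advisory, from CISA, or from the commenter. It evaluates a constructed flow log against a hypothetical allowlist for an OT enclave; the address plan, the log format, the hosts and every log line are constructed, and the only real-world values are the default ports for Modbus/TCP (502), OPC UA (4840) and EtherNet/IP (44818).

```python
"""Default-deny flow review for an OT enclave (added example; everything
below except the well-known OT port numbers is constructed)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: the plant enclave and the PLC/OPC UA subnet inside it.
ENCLAVE = ip_network("10.10.0.0/16")
OT_DEVICES = ip_network("10.10.2.0/24")


@dataclass(frozen=True)
class Rule:
    src: str    # CIDR allowed to initiate the flow
    dst: str    # CIDR it may reach
    proto: str  # "tcp" or "udp"
    dport: int
    note: str   # the justification you keep on file for this flow


# Everything not listed here is denied: hosts, protocols and IPs alike.
ALLOWLIST = [
    Rule("10.10.1.5/32", "10.10.2.0/24", "tcp", 502, "engineering workstation -> PLCs (Modbus/TCP)"),
    Rule("10.10.1.0/24", "10.10.2.50/32", "tcp", 4840, "HMI subnet -> OPC UA server"),
    Rule("10.10.2.0/24", "10.10.1.20/32", "udp", 514, "PLCs -> syslog collector for OT monitoring"),
]

# Constructed firewall/flow-log format: one flow per line.
LOG_RE = re.compile(
    r"ts=(?P<ts>\S+) proto=(?P<proto>tcp|udp) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_flow(line):
    """Return a flow dict for a well-formed log line, or None for junk."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def match_rule(flow):
    """First allowlist rule covering this flow, or None."""
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    for rule in ALLOWLIST:
        if (flow["proto"] == rule.proto and flow["dport"] == rule.dport
                and src in ip_network(rule.src) and dst in ip_network(rule.dst)):
            return rule
    return None


def classify(flow):
    """Default deny: return ('allow', justification) or ('deny', reason)."""
    rule = match_rule(flow)
    if rule is not None:
        return "allow", rule.note
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    if src not in ENCLAVE:
        # Should already have been dropped at the edge; seeing it here is a gap.
        return "deny", "external source reached the enclave"
    if src in OT_DEVICES and dst not in ENCLAVE:
        return "deny", "OT device initiating an outbound connection"
    return "deny", "internal flow not on the allowlist"


def audit(lines):
    """Classify every parseable line; the denied flows are the review queue."""
    results = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict, why = classify(flow)
        results.append({**flow, "verdict": verdict, "why": why})
    return results


def scan_suspects(results, min_targets=3):
    """Denied sources that touched several distinct (host, port) targets."""
    targets = defaultdict(set)
    for r in results:
        if r["verdict"] == "deny":
            targets[r["src"]].add((r["dst"], r["dport"]))
    return sorted(src for src, seen in targets.items() if len(seen) >= min_targets)


# Constructed sample log: two legitimate flows, a printer wandering into the PLC
# subnet, an external host probing three OT ports, a PLC phoning out, and junk.
SAMPLE_LOG = [
    "ts=2022-04-15T10:00:01Z proto=tcp src=10.10.1.5 dst=10.10.2.10 dport=502",
    "ts=2022-04-15T10:00:02Z proto=tcp src=10.10.1.7 dst=10.10.2.50 dport=4840",
    "ts=2022-04-15T10:00:03Z proto=udp src=10.10.3.9 dst=10.10.2.10 dport=161",
    "ts=2022-04-15T10:00:04Z proto=tcp src=198.51.100.23 dst=10.10.2.10 dport=502",
    "ts=2022-04-15T10:00:04Z proto=tcp src=198.51.100.23 dst=10.10.2.10 dport=4840",
    "ts=2022-04-15T10:00:05Z proto=tcp src=198.51.100.23 dst=10.10.2.11 dport=44818",
    "ts=2022-04-15T10:00:06Z proto=tcp src=10.10.2.10 dst=203.0.113.7 dport=443",
    "garbage line that the parser must skip",
]

if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for r in results:
        print(f'{r["verdict"]:5} {r["src"]:>15} -> {r["dst"]}:{r["dport"]}/{r["proto"]}  {r["why"]}')
    print("scan-like sources:", scan_suspects(results))
```

The allowlist is deliberately source-and-destination specific rather than port-only, which is what the comment means by opening protocols "to the IPs that you can verify need access"; an external address appearing in the enclave log at all is reported as its own category, because under a working edge policy that line should never exist.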
(Score: 4, Funny) by Snotnose on Friday April 15 2022, @08:46PM
It was a thing in the Usenet days of the 80s. It warned of these very same vulnerabilities and attack vectors. Yet nothing was done.
Folks like me who wrote ethernet drivers and had a side hustle of putting companies on the internet back in the 90s were "Um, yeah. Not a good idea".
But they paid me to put them on the internet, ignored my "um, yeah, about this", and gave me money.
So, yeah. I might be part of the problem. But if I hadn't gotten paid they would have just hired someone else, without paying me, to do the very thing I was saying "um, yeah, here there be issues".
It's just a fact of life that people with brains the size of grapes have mouths the size of watermelons. -- Aunty Acid
(Score: 2) by Mojibake Tengu on Saturday April 16 2022, @01:07AM
OPC/UA is Windows. Originally based on the COM/DCOM OLE object model. Probably the most stupid thing in computing ever, invented by Bill Gates himself.[1]
https://en.wikipedia.org/wiki/OPC_Unified_Architecture [wikipedia.org]
It's mostly Siemens deployed in the wilderness.
Considering unmentioned state sponsored attackers... I do not think those camp barracks in Xinjiang really are what you think and tout they are. Those Uighur girls are many in numbers, all of them look very pretty at Baike and they are also very good programmers.
The girls usually use just Typescript[2] to hack your funny Java industrial junk from their Apple workstations.
Everyone gets what is deserved. My blessings to the young.
[1] https://news.microsoft.com/1998/04/21/microsoft-and-the-baan-company-deliver-on-a-common-vision-for-the-integrated-enterprise-with-the-digital-nervous-system/ [microsoft.com]
[2] https://en.wikipedia.org/wiki/TypeScript [wikipedia.org]
Rust programming language offends both my Intelligence and my Spirit.
(Score: 0) by Anonymous Coward on Saturday April 16 2022, @01:39AM
I use Kaspersky Antivirus