Although attacks targeting industrial companies have steadily increased over the last few years, this growth has become exponential in recent weeks. In a global context of rising threats, industrial companies appear to be prime targets and face a proliferation of tools designed specifically to target their OT (Operational Technology) systems.
Among the recorded attacks, ransomware paralyzed an unnamed natural gas compression facility in February 2020. According to CISA, which helped the company handle the incident, the attacker gained access to the network through a spear-phishing campaign against the organization's information system. Unidentified ransomware was then deployed on both networks, i.e. IT (Information Technology) and OT. Having lost the ability "to read and aggregate operational data in real time", and given the significant availability and traceability requirements, the company decided to halt operations for about 2 days. A loss of productivity and a financial impact were reported.
More recently, in connection with the war in Ukraine, new attack tools targeting OT systems, and particularly industrial control systems (ICS), have emerged. Such advanced persistent threat (APT) tooling includes INCONTROLLER (aka PIPEDREAM), which targets ICS and supervisory control and data acquisition (SCADA) devices on OT systems, including PLCs from Schneider Electric and Omron.
This set of tools appears to have capabilities for disruption, sabotage, and even physical destruction. The attack capability of this bespoke tool package is similar to that of the TRITON, STUXNET and INDUSTROYER malware, the latter being the cause of the Ukraine power outage in 2016. A new version of INDUSTROYER, dubbed INDUSTROYER 2, is currently emerging.
INCONTROLLER is made up of three main tools: TAGRUN, CODECALL and OMSHELL.
| Tool | Description |
| --- | --- |
| TAGRUN | Scans for OPC servers, enumerates OPC structure/tags, brute forces credentials, and reads/writes OPC tag values. |
| CODECALL | Framework that communicates using Modbus (one of the most common industrial protocols) and Codesys. CODECALL contains modules to interact with, scan, and attack at least three Schneider Electric programmable logic controllers (PLCs). |
| OMSHELL | Framework with capabilities to interact with and scan some types of Omron PLCs via HTTP, Telnet, and the Omron FINS protocol. The tool can also interact with Omron's servo drives, which use feedback control to deliver energy to motors for precision motion control. |
These bespoke tools allow the attacker to send custom commands over industrial network protocols (OPC UA, Modbus, Codesys) in order to interrupt connections and force the user to re-authenticate, perform denial of service, etc. Combined with two additional tools, currently under analysis, INCONTROLLER can be used to carry out an attack on Windows systems in IT and/or OT environments (exploitation of CVE-2020-15368 and deployment of a backdoor).
The potential real-world impact of these attacks, their tangible nature and their quick translation into human and financial losses make these tools attractive to different actors (states, criminals, hacktivists). This increased interest is reflected in the advanced skills of attackers, visible in the exploitation of purely industrial protocols combined with attacks on IT systems, and explains the significant rise in serious attacks reported against industrial systems.