{"id":7352,"date":"2022-04-19T21:35:33","date_gmt":"2022-04-19T21:35:33","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=7352"},"modified":"2022-04-20T08:21:22","modified_gmt":"2022-04-20T08:21:22","slug":"nation-state-threat-actors","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/nation-state-threat-actors\/","title":{"rendered":"Nation-State Threat Actors are an Actual Menace, According to CISA"},"content":{"rendered":"<p style=\"text-align:justify\">On <strong>April 13<\/strong>, the US government (specifically, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation) issued a <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-103a\" target=\"_blank\" rel=\"nofollow noopener\">warning<\/a> about <strong>nation-state threat actors<\/strong> using specialized malware to access <strong>industrial control systems<\/strong> (ICS) and <strong>supervisory control and data acquisition<\/strong> (SCADA) devices.<\/p>\n<h2 style=\"text-align:center\">Nation-State threat actors in a governmental warning notification<\/h2>\n<p style=\"text-align:justify\">The advanced persistent threat actors, as the alert states, use custom-made tools to attack ICS and SCADA devices. These tools let the attackers locate the targeted devices, compromise them, and take control of them once access to the operational technology network is established.<\/p>\n<p style=\"text-align:justify\">The tailored tools are designed to attack <strong>Open Platform Communications Unified Architecture<\/strong> (OPC UA) servers, Schneider Electric <strong>programmable logic controllers<\/strong> (PLCs), and OMRON Sysmac NEX PLCs.<\/p>\n<p style=\"text-align:justify\">According to the document, the threat actors can also compromise the Windows-based engineering workstations of information technology (IT) and operational technology (OT) networks. 
That is possible by exploiting <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-15368\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2020-15368<\/a>, a vulnerability in the AsrDrv103.sys motherboard driver. The driver can be abused to execute malicious code in the Windows kernel. The intruders aim to escalate privileges and, moving laterally within the industrial control system\u2019s networks, disrupt <strong>electricity<\/strong> and <strong>natural gas<\/strong> supply and distribution.<\/p>\n<h2 style=\"text-align:center\">Dragos report and scale of the threat<\/h2>\n<p style=\"text-align:justify\">The specialists at <strong>Dragos<\/strong>, an industrial cybersecurity company, have described<span id='easy-footnote-1-7352' class='easy-footnote-margin-adjust'><\/span><span class='easy-footnote'><a href=\"https:\/\/gridinsoft.com\/blogs\/nation-state-threat-actors\/#easy-footnote-bottom-1-7352\" title=\"In their dedicated &lt;a href=&quot;https:\/\/hub.dragos.com\/whitepaper\/chernovite-pipedream&quot;&gt;report&lt;\/a&gt;.\"><sup>1<\/sup><\/a><\/span> the recently revealed <strong>PIPEDREAM<\/strong> malware as a modular attack framework that can cause \u201cdisruption, degradation, and possibly even destruction, depending on targets and the environment.\u201d<\/p>\n<p style=\"text-align:justify\"><strong>Robert M. Lee<\/strong>, CEO at Dragos, has stated that PIPEDREAM is attributed to the nation-state actor tracked under the moniker CHERNOVITE. Lee claims that this is the first time malicious software with such destructive capabilities has been discovered before being deployed.<\/p>\n<p style=\"text-align:justify\">PIPEDREAM is a complex framework whose five components each serve different objectives. The malware is designed to discover and hijack devices, compromise programmable logic controllers, and disrupt them, jeopardizing the correct operation of industrial facilities. 
If PIPEDREAM were used against existing industrial systems, the consequences would be unpredictable and potentially catastrophic.<\/p>\n<h3 style=\"text-align:center\">Pipedream is malware aimed at physical destruction<\/h3>\n<p style=\"text-align:justify\">The malware in question uses highly automated exploits with a variety of functions. Different modules of PIPEDREAM inject malicious configurations into devices, alter their parameters, and manipulate the devices\u2019 contents.<\/p>\n<p style=\"text-align:justify\"><strong>CODESYS<\/strong>, a development environment for controller programs, has been found to have at least seventeen vulnerabilities potentially exploitable by hackers. PIPEDREAM is capable of compromising CODESYS as well.<\/p>\n<p style=\"text-align:justify\">The very possibility of intruders tampering with the settings of industrial programmable controllers is alarming. Dragos warns that attackers could destabilize the operational environment by <strong>disabling the emergency shutdown<\/strong>. If that occurred, the attacked system could enter a critical and unstable state.<\/p>\n<h2 style=\"text-align:center\">Mandiant report and Pipedream origins<\/h2>\n<p style=\"text-align:justify\">Mandiant, a threat intelligence company, published a report consistent with the one by Dragos. 
In its report, Mandiant describes PIPEDREAM (aka INCONTROLLER) as malware designed specifically to target Schneider Electric and Omron automation systems.<\/p>\n<p style=\"text-align:justify\">Schneider Electric, in turn, reported<span id='easy-footnote-2-7352' class='easy-footnote-margin-adjust'><\/span><span class='easy-footnote'><a href=\"https:\/\/gridinsoft.com\/blogs\/nation-state-threat-actors\/#easy-footnote-bottom-2-7352\" title=\"Schneider Electric &lt;a href=&quot;https:\/\/download.schneider-electric.com\/files?p_Doc_Ref=SESB-2022-01&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Security Bulletin&lt;\/a&gt; on APT Cyber Tools Targeting ICS\/SCADA Devices (April 13, 2022).\"><sup>2<\/sup><\/a><\/span> that it had found neither evidence of vulnerabilities exploitable by PIPEDREAM nor any detected attacks on the company\u2019s devices. However, the company acknowledged that the threat level was concerning and added a \u201crecommended mitigations\u201d section to its bulletin for all customers to follow.<\/p>\n<h3 style=\"text-align:center\">The trace leads to Russia<\/h3>\n<p style=\"text-align:justify\">The information about PIPEDREAM apparently emerged in the context of the Russo-Ukrainian war, a conflict that takes place not only on the ground but also in cyberspace<span id='easy-footnote-3-7352' class='easy-footnote-margin-adjust'><\/span><span class='easy-footnote'><a href=\"https:\/\/gridinsoft.com\/blogs\/nation-state-threat-actors\/#easy-footnote-bottom-3-7352\" title=\"The US campaign against Russian hackers has seemingly entered a more intense phase since the war in Ukraine broke out. Decisive steps in this struggle include police operations seizing &lt;a href=&quot;\/blogs\/raid-forums-shutdown\/&quot;&gt;RaidForums&lt;\/a&gt;, a large hacking community forum, and &lt;a href=&quot;\/blogs\/hydra-shut-down\/&quot;&gt;Hydra&lt;\/a&gt;, a Russian-language illegal darknet market. 
In addition, the US has &lt;a href=&quot;\/blogs\/the-us-wont-cooperate-with-russia-on-ransomware-anymore\/&quot;&gt;abandoned cooperation&lt;\/a&gt; with Russia on eradicating ransomware.\"><sup>3<\/sup><\/a><\/span>. After a failed attack on a Ukrainian energy provider, cybersecurity company <strong>ESET<\/strong><span id='easy-footnote-4-7352' class='easy-footnote-margin-adjust'><\/span><span class='easy-footnote'><a href=\"https:\/\/gridinsoft.com\/blogs\/nation-state-threat-actors\/#easy-footnote-bottom-4-7352\" title=\"CERT, the Computer Emergency Response Team of Ukraine, thanked ESET for helping it repel the attack in its &lt;a href=&quot;https:\/\/cert.gov.ua\/article\/39518&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;report&lt;\/a&gt; about the failed cyberattack on March 23, 2022.\"><sup>4<\/sup><\/a><\/span> gave a thorough description of how the <strong>INDUSTROYER2<\/strong> malware worked. That information may have helped Dragos and Mandiant detect and dissect another malicious program &#8211; PIPEDREAM.<\/p>\n<p style=\"text-align:justify\">PIPEDREAM now stands alongside Stuxnet, Havex, Industroyer 1 and 2, Triton, and BlackEnergy2 \u2013 malicious tools designed to attack critical industrial control systems.<\/p>\n<p style=\"text-align:justify\">As a countermeasure against possible threats, cybersecurity agencies strongly advise industrial control organizations to <strong>strengthen all security measures<\/strong>. 
These are well-known rules: two-factor authentication, no password auto-filling, regular password changes, and overall vigilance against potential intrusion attempts.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On April 13, the US government (specifically, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation) issued a warning about nation-state threat actors using specialized malware to access industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices. Nation-State threat actors in [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":7354,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[201,29,28,423],"class_list":{"0":"post-7352","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-cisa","9":"tag-hackers","10":"tag-malware","11":"tag-national-security-agency"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/04\/NSTA.jpg","author_info":{"display_name":"Stephanie 
Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/7352","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=7352"}],"version-history":[{"count":13,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/7352\/revisions"}],"predecessor-version":[{"id":7385,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/7352\/revisions\/7385"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/7354"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=7352"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=7352"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=7352"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}