US uncovers “Swiss Army knife” for hacking industrial control systems

It's rare to find digital badness that targets industrial control systems like power grids, factories, water utilities, and oil refineries. When the United States government warns of a piece of code built to target not just one of those industries, but potentially all of them, critical infrastructure owners worldwide should take notice.

The Department of Energy, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the FBI released an advisory about a new hacker who could potentially affect a wide range of industrial control system equipment. More than any previous industrial control system hacking toolkit, this one contains an array of components designed to disrupt or take control of the functioning of devices, including the Schneider Electric and OMRON Programmable Logic Controllers, which are sold by both companies. The computers that communicate with the controllers of the Open Platform Communications Unified Architecture (OPC UA) server are the target of another component of the malware.

"This is the most expansive industrial control system attack tool that anyone has ever documented," says Sergio Caltagirone, the vice president of threat intelligence at industrial-focused cybersecurity firm Dragos, which contributed research to the advisory and published its own report about the malware. Researchers at Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric also contributed to the advisory. “It’s like a Swiss Army knife with a huge number of pieces to it.” Advertisement

According to Dragos, the software can hijack target devices, disrupt or prevent operators from accessing them, permanently brick them, or even use them as a foothold to give hackers access to other parts of an industrial control system network. While the toolkit appears to target Schneider Electric and OMRON, it does so by exploiting underlying software in thosePLCs, which is used far more broadly. Caltagirone says that the toolset is so big that it is a free-for-all.

The common acronym APT means advanced persistent threat and is used by state-sponsored hacker groups. The timing of the advisory follows warnings from the Biden administration about the Russian government making preparations to carry out disruptive cyberattacks.

There was no comment on the origin of the malware. Caltagirone says that it doesn't appear to have been used against a victim or triggered physical effects on a victim's industrial control systems.