US warns hackers now have tools to hijack critical industrial systems

The U.S. Department of Energy (DOE), Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) warned on Wednesday that hacking groups now have access to advanced “cyber tools” that could allow them to gain control of critical industrial control systems.

In a joint cybersecurity advisory, the U.S. agencies announced hacking groups known as advanced persistent threat (APT) actors have “exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices.”

The agencies said the cyber tools allow hackers “to scan for, compromise, and control affected devices” once they have gained initial access to a particular operational technology (OT) network.

The joint advisory warns that these hacking tools can be used against Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

PLCs are small computers that can be programmed to receive data inputs and send operating instructions. They can be used to control automated machinery.

Open Platform Communications Unified Architecture (OPC UA) servers oversee the exchange of data between sensors and cloud-computing applications. They are another tool that can be used for industrial automation.

The U.S. cybersecurity firm Mandiant helped discover the new hacking tools through a partnership with Schneider Electric, one of the companies whose equipment could be targeted with the hacking tools. On Wednesday, Mandiant researchers said the hacking tools, which they dubbed INCONTROLLER (aka PIPEDREAM), “represent an exceptionally rare and dangerous cyber attack capability.” Mandiant said INCONTROLLER “is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction.”

Mandiant said INCONTROLLER bears a resemblance to a hacking tool used to disable an industrial safety system in 2017, called TRITON. The INCONTROLLER tool is also similar to INDUSTROYER. TechCrunch reported a hacking group known as “Sandworm”…