Dive Brief:
- Federal authorities, including the Cybersecurity and Infrastructure Security Agency, the FBI and the Department of Energy, on Thursday urged critical infrastructure providers to take immediate cyber mitigation steps, as advanced persistent threat actors have developed custom-made tools that can take over certain industrial devices.
- Cybersecurity researchers from Mandiant, working with multinational electrical firm Schneider Electric, warned that state-sponsored "threat actors" developed a set of tools Mandiant calls Incontroller, which can be used to shut down or sabotage a facility, or to disable safety controllers, at industrial sites including power plants.
- The company warned the tools pose the greatest threat to sites in Ukraine, NATO member states and other countries actively opposing the Russian invasion of Ukraine. In light of the threat, Schneider Electric provided a security bulletin with mitigation measures that can be used to protect systems.
Dive Insight:
President Biden warned repeatedly that an attack against the U.S. or NATO allies would be met with a robust response, as the U.S. is known to have significant offensive cyber warfare capabilities.
Mandiant officials called the capabilities of the Incontroller tools "exceptionally rare and dangerous." The company cannot definitively attribute the malware to a specific country, but Nathan Brubaker, director of intelligence analysis at Mandiant, said the activity is consistent with Russia's historic interest in industrial control systems.
The Incontroller tools were designed to target certain devices from Schneider Electric and Japanese electronics maker Omron embedded in different machinery across different industries, according to Brubaker.
The warning from federal officials comes as the construction industry grapples with increased cyberthreats that may be tied to the war in Ukraine. Raymond Monteith, senior vice president with HUB International Limited’s risk services division, told Construction Dive in March that contractors, especially those that are small- and mid-sized enterprises, are “especially vulnerable” to cyberattacks due to a lack of resources and dedicated teams that can respond to these cyberthreats immediately.
Contech firms, such as Autodesk, are gearing up for these advanced threats as the conflict in Ukraine rages on.
"It does require some investment on behalf of everyone involved in the ecosystem," Sameer Merchant, vice president of product development at Autodesk, told Construction Dive. "But that's a much smaller price to pay than the price you pay if exposed to these attacks. Be prepared to face the upfront investment in order to make sure that downstream you're protected."
Threat actors at work
Robert Lee, co-founder and CEO of industrial cybersecurity firm Dragos, said the malware initially targeted Schneider Electric and Omron controllers, but cautioned there aren't vulnerabilities specific to those product lines. Initial targeting appears to be liquid natural gas and electric community sites.
CISA officials said the advisory, which also involves the National Security Agency, is designed to provide important information about the threat and recommended mitigations for critical infrastructure providers.
"We know that threat actors continue to conduct reconnaissance for vulnerable industrial control system internet connected devices, leverage custom-made tools and exploit known vulnerabilities," said Eric Goldstein, executive assistant director for cybersecurity at CISA, in a statement.
Matthew Thibault contributed to this report.