INCONTROLLER: Acting to Protect Customers from Unknown Threats

INCONTROLLER: Acting to Protect Customers from Unknown Threats

The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory(CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to manipulate and disrupt industrial processes. This impacts multiple supervisory control and data acquisition (SCADA) and other industrial control systems (ICS) including: 

  • Schneider Electric programmable logic controllers (PLCs), 
  • OMRON Sysmac NEX PLCs, and 
  • Open Platform Communications Unified Architecture (OPC UA) servers. 

According to information from our partner Mandiant, who began analyzing these attack tools earlier this year, INCONTROLLER is believed to have been developed by a sophisticated nation state threat actor to maliciously manipulate ICS environments. At the moment, INCONTROLLER is not tied to any incident, nor to a specific actor. INCONTROLLER does not contain exploits for new ICS vulnerabilities, but largely seems to be implementing the protocols understood by the targeted controllers, to provide manipulation capabilities to the threat group. At this stage it has not been disclosed where INCONTROLLER was retrieved, but it’s extremely likely that the threat actor had a very thorough understanding of the targeted environments.

The latest Nozomi Networks Threat Intelligence package includes YARA rules to detect the two supporting Windows-based INCONTROLLER tools. We are further investigating to ensure techniques described by CISA, Mandiant and Schneider Electric are adequately covered. Nozomi Networks will provide additional information and coverage once the relevant samples are analyzed in-depth.

Additionally, here are some ways companies can increase their protection:

  • Environments which operate the above stated devices should immediately look for both intrusion indicators and anomalous behavior in their OT networks and consider network segmentation if not already implemented.
  • Real-time network visibility, monitoring, and anomaly detection tools will significantly reduce the likelihood of a threat actor successfully gaining remote access to these devices.
  • If end users do not have visibility into their OT networks, other mitigations listed in the CSA should be top priority such as: isolating affected devices, changing ICS/SCADA passwords, maintaining off-line backups, and implementing an incident response plan to increase network security and resiliency in the event of a cyberattack.

Nozomi Networks will continue to monitor the situation, provide updates on what we are seeing, and make recommendations the OT industry can use to protect their networks.