APT Cyber Tools Targeting ICS/SCADA Devices


This Joint Cybersecurity Advisory, coauthored by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), is being released to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:


  • Schneider Electric programmable logic controllers (PLCs)
  • Sysmac NEX PLCs
  • Open Platform Communications Unified Architecture (OPC UA) servers


The APT actors have developed
custom-made tools for targeting ICS/SCADA devices. The tools enable them to
scan for, compromise, and control affected devices once they have
established initial access to the operational technology (OT) network.
Additionally, the actors can compromise Windows-based engineering
workstations, which may be present in information technology (IT) or OT
environments, using an exploit that compromises an ASRock motherboard driver
with known vulnerabilities. By compromising and maintaining full
system access to ICS/SCADA devices, APT actors could elevate privileges,
move laterally within an OT environment, and disrupt critical devices or


This Joint Cybersecurity Advisory contains technical details, recommended mitigation measures, and additional references, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cyber criminals. DOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations, to implement the detection and mitigation recommendations provided in this Joint Cybersecurity Advisory to detect potential malicious APT activity and harden their ICS/SCADA devices.