APT Cyber Tools Targeting ICS/SCADA Devices


Actions to Take Today to Protect ICS/SCADA Devices:
• Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
• Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
• Leverage a properly installed continuous OT monitoring solution to log and alert on malicious indicators and behaviors.

The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:

  • Schneider Electric programmable logic controllers (PLCs),
  • OMRON Sysmac NEX PLCs, and
  • Open Platform Communications Unified Architecture (OPC UA) servers.

The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.

DOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations, to implement the detection and mitigation recommendations provided in this CSA to detect potential malicious APT activity and harden their ICS/SCADA devices.


Technical Details

APT actors have developed custom-made tools that, once they have established initial access in an OT network, enable them to scan for, compromise, and control certain ICS/SCADA devices, including the following:

  • Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
  • OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
  • OPC Unified Architecture (OPC UA) servers.

The APT actors' tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.

The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.

In addition, the APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions.

APT Tool for Schneider Electric Devices

The APT actors' tool for Schneider Electric devices has modules that interact via normal management protocols and Modbus (TCP 502). Modules may allow cyber actors to:

  • Run a rapid scan that identifies all Schneider PLCs on the local network via User Datagram Protocol (UDP) multicast with a destination port of 27127 (Note: UDP 27127 is a normal discovery scan used by engineering workstations to find PLCs and may not be indicative of malicious activity);
  • Brute-force Schneider Electric PLC passwords using CODESYS and other available device protocols via UDP port 1740 against defaults or a dictionary word list (Note: this capability may work against other CODESYS-based devices depending on individual design and function, and this report will be updated as more information becomes available);
  • Conduct a denial-of-service attack to prevent network communications from reaching the PLC;
  • Sever connections, requiring users to re-authenticate to the PLC, likely to facilitate capture of credentials;
  • Conduct a "packet of death" attack to crash the PLC until a power cycle and configuration recovery is conducted; and
  • Send custom Modbus commands (Note: this capability may work against Modbus devices other than Schneider Electric PLCs).

Refer to the appendix for tactics, techniques, and procedures (TTPs) associated with this tool.
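The three network observables named above (UDP/27127 discovery multicast, UDP/1740 CODESYS password guessing, Modbus on TCP/502) can be turned into simple flow-log checks. The following is an added example written for this page, not code from the advisory or its contributing vendors: it runs over constructed flow records of the form "timestamp src dst proto dport", treats UDP/27127 as informational (the advisory says it is normal engineering-workstation behavior), flags a burst of UDP/1740 datagrams from one source to one PLC as a password-guessing indicator, and flags Modbus from any host outside an allowlist of engineering workstations. The record layout, the allowlisted addresses, and the burst threshold and window are assumptions to tune per site.

```python
"""Flow-log detection heuristics for the Schneider Electric tool observables.

Added example (not from the advisory). Record layout, host addresses and
thresholds are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of engineering/management workstations that are
# permitted to speak Modbus to PLCs (see the mitigation that limits PLC
# connections to specifically allowed workstations).
ALLOWED_ENGINEERING_HOSTS = {"10.10.20.5", "10.10.20.6"}

# Heuristic threshold (assumption): this many UDP/1740 datagrams from one
# source to one PLC inside the window is treated as password guessing
# rather than routine CODESYS engineering traffic.
CODESYS_GUESS_THRESHOLD = 20
CODESYS_WINDOW = timedelta(seconds=60)


def parse_flow(line):
    """Parse one constructed flow line: 'ISO-timestamp src dst proto dport'."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto.upper(), "dport": int(dport)}


def analyze_flows(lines):
    """Return a list of (severity, rule, src, dst) findings."""
    findings = []
    codesys = defaultdict(list)      # (src, dst) -> timestamps of UDP/1740
    seen_discovery = set()           # sources already reported for UDP/27127
    seen_modbus = set()              # (src, dst) pairs already reported

    for rec in (parse_flow(l) for l in lines if l.strip()):
        if rec["proto"] == "UDP" and rec["dport"] == 27127:
            # Normal PLC discovery per the advisory: keep as context only,
            # reported once per source so analysts can correlate later.
            if rec["src"] not in seen_discovery:
                seen_discovery.add(rec["src"])
                findings.append(("info", "plc_discovery_udp27127",
                                 rec["src"], rec["dst"]))
        elif rec["proto"] == "UDP" and rec["dport"] == 1740:
            codesys[(rec["src"], rec["dst"])].append(rec["ts"])
        elif rec["proto"] == "TCP" and rec["dport"] == 502:
            key = (rec["src"], rec["dst"])
            if rec["src"] not in ALLOWED_ENGINEERING_HOSTS and key not in seen_modbus:
                seen_modbus.add(key)
                findings.append(("high", "modbus_from_unexpected_host",
                                 rec["src"], rec["dst"]))

    # Sliding window over UDP/1740 timestamps for each (src, dst) pair.
    for (src, dst), stamps in codesys.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > CODESYS_WINDOW:
                start += 1
            if end - start + 1 >= CODESYS_GUESS_THRESHOLD:
                findings.append(("high", "codesys_password_guessing_udp1740",
                                 src, dst))
                break
    return findings


# Constructed sample: an allowed workstation doing discovery and Modbus,
# then an unexpected host talking Modbus and hammering UDP/1740 for 25 s.
SAMPLE_FLOWS = [
    "2022-04-13T09:00:00 10.10.20.5 239.255.255.255 UDP 27127",
    "2022-04-13T09:00:01 10.10.20.5 10.10.40.10 TCP 502",
    "2022-04-13T09:05:00 10.10.30.77 10.10.40.10 TCP 502",
] + [f"2022-04-13T09:05:{i:02d} 10.10.30.77 10.10.40.10 UDP 1740"
     for i in range(25)]

if __name__ == "__main__":
    for finding in analyze_flows(SAMPLE_FLOWS):
        print(finding)
```

The UDP/27127 rule is deliberately informational: the advisory notes that engineering workstations emit the same discovery traffic, so on its own it should enrich an investigation rather than page anyone. The UDP/1740 window check is where site tuning matters most, since legitimate CODESYS sessions also use that port.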

APT Tool for OMRON

The APT actors' tool for OMRON devices has modules that can interact by:

  • Scanning for OMRON devices using the Factory Interface Network Service (FINS) protocol;
  • Parsing the Hypertext Transfer Protocol (HTTP) response from OMRON devices;
  • Retrieving the media access control (MAC) address of the device;
  • Polling for specific devices connected to the PLC;
  • Backing up/restoring arbitrary files to/from the PLC; and
  • Loading a custom malicious agent on OMRON PLCs for additional attacker-directed capability.

Additionally, the OMRON modules can upload an agent that allows a cyber actor to connect and initiate commands, such as file manipulation, packet captures, and code execution, via HTTP and/or Hypertext Transfer Protocol Secure (HTTPS).

Refer to the appendix for TTPs associated with this tool.

APT Tool for OPC UA

The APT actors' tool for OPC UA has modules with basic functionality to identify OPC UA servers and to connect to an OPC UA server using default or previously compromised credentials. The client can read the OPC UA structure from the server and potentially write tag values available via OPC UA.

Refer to the appendix for TTPs associated with this tool.


Mitigations

Note: these mitigations are provided to enable network defenders to begin efforts to protect systems and devices from new capabilities. They have not been verified against every environment and should be tested prior to implementing.

DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:

  • Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.
  • Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
  • Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
  • Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
  • Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups.
  • Limit ICS/SCADA systems' network connections to only specifically allowed management and engineering workstations.
  • Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
  • Implement robust log collection and retention from ICS/SCADA systems and management subnets.
  • Leverage a continual OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA's open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
  • Ensure all applications are only installed when necessary for operation.
  • Enforce the principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates.
  • Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator commands, as indicators of potential malicious activity.
  • Monitor systems for loading of unusual drivers, especially an ASRock driver if no ASRock driver is normally used on the system.
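Two of the mitigations above lend themselves to small, testable checks: the backup-integrity item (hash known-good firmware and controller configuration files and verify against that record) and the driver-monitoring item (alert when a host loads a driver outside its baseline, with the AsrDrv103.sys name from this advisory as a priority match). The block below is an added example written for this page, not code from the advisory or any vendor. The driver records are constructed key=value lines modelled on the fields a Sysmon "Driver loaded" event carries (ImageLoaded, Signature, SignatureStatus, Hashes); the host names, baselines, signer string, and backup contents are all assumptions.

```python
"""Backup-integrity and driver-baseline checks for engineering workstations.

Added example (not from the advisory). Hostnames, baselines, signer
strings and backup contents are constructed assumptions.
"""
import hashlib

# Driver image name called out in the advisory (CVE-2020-15368).
KNOWN_ABUSED_DRIVERS = {"asrdrv103.sys"}

# Assumed per-host baseline of drivers normally loaded; a real baseline is
# collected from a known-good build of each workstation.
DRIVER_BASELINE = {
    "ENG-WS-01": {"tcpip.sys", "ndis.sys", "afd.sys"},
}
# Hosts that actually have ASRock hardware and are expected to load an
# ASRock-signed driver (assumed empty for this OT estate).
ASROCK_EXPECTED_HOSTS = set()


def parse_driver_event(line):
    """Parse a constructed 'Host=..|ImageLoaded=..|Signature=..|...' record."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def classify_driver_loads(lines):
    """Return (severity, rule, host, driver) findings for driver-load records."""
    findings = []
    for ev in (parse_driver_event(l) for l in lines if l.strip()):
        host = ev["Host"]
        image = ev["ImageLoaded"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        baseline = DRIVER_BASELINE.get(host, set())
        if image in KNOWN_ABUSED_DRIVERS:
            findings.append(("high", "known_abused_driver", host, image))
        elif image not in baseline:
            signer = ev.get("Signature", "").lower()
            if "asrock" in signer and host not in ASROCK_EXPECTED_HOSTS:
                findings.append(("high", "unexpected_asrock_signed_driver", host, image))
            else:
                # A validly signed but unbaselined driver still merits review;
                # an unsigned or unverifiable one is escalated.
                sev = "medium" if ev.get("SignatureStatus") == "Valid" else "high"
                findings.append((sev, "driver_outside_baseline", host, image))
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """files: {name: bytes} of known-good backups -> {name: sha256 hex}."""
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_backups(files, manifest):
    """Compare a backup set against the manifest; return (name, problem) pairs."""
    problems = []
    for name, expected in manifest.items():
        if name not in files:
            problems.append((name, "missing"))
        elif sha256_hex(files[name]) != expected:
            problems.append((name, "hash_mismatch"))
    for name in files:
        if name not in manifest:
            problems.append((name, "not_in_manifest"))
    return problems


# Constructed sample driver-load records (signer string is illustrative).
SAMPLE_DRIVER_EVENTS = [
    r"Host=ENG-WS-01|ImageLoaded=C:\Windows\System32\drivers\tcpip.sys"
    r"|Signature=Microsoft Windows|SignatureStatus=Valid|Hashes=SHA256=constructed1",
    r"Host=ENG-WS-01|ImageLoaded=C:\Users\oper\AppData\Local\Temp\AsrDrv103.sys"
    r"|Signature=ASRock Incorporation|SignatureStatus=Valid|Hashes=SHA256=constructed2",
    r"Host=ENG-WS-01|ImageLoaded=C:\Windows\Temp\xyz.sys"
    r"|Signature=|SignatureStatus=Unavailable|Hashes=SHA256=constructed3",
]

# Constructed known-good backup set and a tampered copy of it.
GOOD_BACKUPS = {"plc1_config.bin": b"\x01\x02config-v7", "plc1_fw.bin": b"\x7fFW-1.4"}
TAMPERED_BACKUPS = dict(GOOD_BACKUPS, **{"plc1_config.bin": b"\x01\x02config-v7-altered"})

if __name__ == "__main__":
    manifest = build_manifest(GOOD_BACKUPS)
    print(verify_backups(TAMPERED_BACKUPS, manifest))
    for finding in classify_driver_loads(SAMPLE_DRIVER_EVENTS):
        print(finding)
```

Store the manifest with the offline backups but on separate, write-protected media, so that an actor who can alter a backup cannot also rewrite the hashes it is checked against.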


For more information on securing OT devices, see


The information in this report is being provided "as is" for informational purposes only. DOE, CISA, NSA, and the FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by DOE, CISA, NSA, or the FBI, and this guidance shall not be used for advertising or product endorsement purposes.


The DOE, CISA, NSA, and the FBI would like to thank Dragos, Mandiant, Microsoft, Palo Alto Networks, and Schneider Electric for their contributions to this joint CSA.

Appendix: APT Cyber Tools Tactics, Techniques, and Procedures

See tables 1 through 3 for TTPs associated with the cyber actors' tools described in this CSA mapped to the MITRE ATT&CK for ICS framework. See the ATT&CK for ICS framework for all referenced threat actor tactics and techniques.

Table 1: APT Tool for Schneider Electric ICS TTPs


Table 2: APT Tool for OMRON ICS TTPs


Table 3: APT Tool for OPC UA ICS TTPs

Contact Information

All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.


April 13, 2022: Initial Version
