CISA Alert (AA22-103A): APT Cyber Tools Targeting ICS/SCADA Devices

04/15/2022

As recently reported by CISA (the Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security), a set of tools has been discovered that can be used to compromise Industrial Control Systems. Unfortunately, the report also incorrectly suggested that the tools compromise OPC UA Servers.
https://www.cisa.gov/uscert/ncas/alerts/aa22-103a

This claim is not accurate.

To clarify, the tools do not compromise OPC UA Servers but rather use OPC UA as it was intended, albeit with passwords that were improperly acquired through other means. Furthermore, the risk from these tools is greatly reduced when OPC UA Server security features are configured correctly by the asset owner.

A white paper that describes the best practices when deploying OPC UA servers can be found here:
https://opcfoundation.org/UA/Security/BestPractices.pdf

These kinds of threats are a reminder to everyone that simply isolating a factory network is often not enough.
The attack surface can be greatly reduced by using OPC UA to restrict network access to only those peers known to be trusted.
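As an added illustration of what "configured correctly" means in practice (this is example code written for this page, not code from the OPC Foundation, CISA or Dragos), the audit below flags the endpoint settings that let a client with nothing more than a stolen password connect. Field names follow the OPC UA EndpointDescription structure and the spec's MessageSecurityMode and UserTokenType enumerations; the endpoints themselves and the `trust_list_restricted` flag are constructed for the example.

```python
from dataclasses import dataclass

# Security policy URIs defined by the OPC UA specification
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
DEPRECATED_POLICIES = {  # SHA-1 based policies, deprecated in OPC UA 1.04
    "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15",
    "http://opcfoundation.org/UA/SecurityPolicy#Basic256",
}
# MessageSecurityMode enumeration (OPC UA Part 4)
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3
# UserTokenType enumeration (OPC UA Part 4)
TOKEN_ANONYMOUS, TOKEN_USERNAME, TOKEN_CERTIFICATE = 0, 1, 2


@dataclass
class Endpoint:
    url: str
    security_policy_uri: str
    security_mode: int
    user_token_types: list        # UserTokenType values advertised in UserIdentityTokens
    trust_list_restricted: bool   # constructed flag: trust list limited to known client certs


def audit_endpoint(ep):
    """Return a list of weak-configuration findings for one endpoint (empty = hardened)."""
    findings = []
    if ep.security_policy_uri == POLICY_NONE or ep.security_mode == MODE_NONE:
        findings.append("unsecured channel: no signing or encryption, any reachable host can open a session")
    elif ep.security_mode == MODE_SIGN:
        findings.append("Sign-only mode: traffic is authenticated but not encrypted")
    if ep.security_policy_uri in DEPRECATED_POLICIES:
        findings.append("deprecated SHA-1 based security policy")
    if TOKEN_ANONYMOUS in ep.user_token_types:
        findings.append("Anonymous user token accepted")
    if TOKEN_USERNAME in ep.user_token_types and TOKEN_CERTIFICATE not in ep.user_token_types:
        findings.append("password-only user authentication: a stolen password alone grants access")
    if not ep.trust_list_restricted:
        findings.append("trust list accepts any client certificate: peers are not restricted")
    return findings


# Constructed sample endpoints: a default-style weak one and a hardened one
WEAK_ENDPOINT = Endpoint("opc.tcp://plc-gateway:4840", POLICY_NONE, MODE_NONE,
                         [TOKEN_ANONYMOUS, TOKEN_USERNAME], trust_list_restricted=False)
HARDENED_ENDPOINT = Endpoint("opc.tcp://plc-gateway:4840",
                             "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256",
                             MODE_SIGN_AND_ENCRYPT, [TOKEN_CERTIFICATE], trust_list_restricted=True)

if __name__ == "__main__":
    for ep in (WEAK_ENDPOINT, HARDENED_ENDPOINT):
        print(ep.url, audit_endpoint(ep) or ["no findings"])
```

The same check can be run against the endpoints a real server returns from GetEndpoints; the trust-list state has to be read from the server's own configuration, since it is not advertised on the wire.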

[Added 2022-05-04]
The German “Federal Office for Information Security” (BSI) published its own alert in German. It makes it clear that OPC UA was only used as intended and that there are no exploits that compromise OPC UA.

Dragos, the source of the information in the CISA alert, has updated their whitepaper to make it clear that enabling OPC UA security and configuring it properly is a way to protect systems against the Chernovite malware.