{
	"id": "699a6c9c-78c8-48d3-89ab-2c77e0e80231",
	"created_at": "2026-04-06T01:29:53.491654Z",
	"updated_at": "2026-04-10T03:31:51.275229Z",
	"deleted_at": null,
	"sha1_hash": "a0878617bd0018912df4fe4c68eae468bbdae68b",
	"title": "APT Cyber Tools Targeting ICS/SCADA Devices | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101111,
	"plain_text": "APT Cyber Tools Targeting ICS/SCADA Devices | CISA\r\nPublished: 2022-05-25 · Archived: 2026-04-06 00:51:24 UTC\r\nSummary\r\nActions to Take Today to Protect ICS/SCADA Devices:\r\n• Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.\r\n• Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default\r\npasswords, to device-unique strong passwords to mitigate password brute force attacks and to give defender\r\nmonitoring systems opportunities to detect common attacks.\r\n• Leverage a properly installed continuous OT monitoring solution to log and alert on malicious indicators and\r\nbehaviors.\r\nThe Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National\r\nSecurity Agency (NSA), and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity\r\nAdvisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain\r\nfull system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA)\r\ndevices, including:\r\nSchneider Electric programmable logic controllers (PLCs),\r\nOMRON Sysmac NEX PLCs, and\r\nOpen Platform Communications Unified Architecture (OPC UA) servers.\r\nThe APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to\r\nscan for, compromise, and control affected devices once they have established initial access to the operational\r\ntechnology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations,\r\nwhich may be present in information technology (IT) or OT environments, using an exploit that compromises an\r\nASRock motherboard driver with known vulnerabilities. 
By compromising and maintaining full system access to\r\nICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt\r\ncritical devices or functions.\r\nDOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations,\r\nto implement the detection and mitigation recommendations provided in this CSA to detect potential malicious\r\nAPT activity and harden their ICS/SCADA devices.\r\nTechnical Details\r\nAPT actors have developed custom-made tools that, once they have established initial access in an OT network,\r\nenable them to scan for, compromise, and control certain ICS/SCADA devices, including the following:\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-103a\r\nPage 1 of 8\n\nSchneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251,\r\nTM241, M258, M238, LMC058, and LMC078;\r\nOMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and\r\nOPC Unified Architecture (OPC UA) servers.\r\nThe APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits\r\nagainst targeted devices. The tools have a virtual console with a command interface that mirrors the interface of\r\nthe targeted ICS/SCADA device. Modules interact with targeted devices, enabling lower-skilled\r\ncyber actors to emulate higher-skilled actor capabilities.\r\nThe APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details,\r\nupload malicious configuration/code to the targeted device, back up or restore device contents, and modify device\r\nparameters.
\r\nIn addition, the APT actors can use a tool that installs a known-vulnerable, ASRock-signed\r\nmotherboard driver, AsrDrv103.sys, and exploits CVE-2020-15368 in that driver to execute malicious code in the Windows\r\nkernel. Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment\r\nand disrupt critical devices or functions.\r\nAPT Tool for Schneider Electric Devices\r\nThe APT actors’ tool for Schneider Electric devices has modules that interact via normal management protocols\r\nand Modbus (TCP 502). Modules may allow cyber actors to:\r\nRun a rapid scan that identifies all Schneider PLCs on the local network via User Datagram Protocol\r\n(UDP) multicast with a destination port of 27127 (Note: UDP 27127 is a standard discovery scan used by\r\nengineering workstations to discover PLCs and may not be indicative of malicious activity);\r\nBrute-force Schneider Electric PLC passwords using CODESYS and other available device protocols via\r\nUDP port 1740 against defaults or a dictionary word list (Note: this capability may work against other\r\nCODESYS-based devices depending on individual design and function, and this report will be updated as\r\nmore information becomes available);\r\nConduct a denial-of-service attack to prevent network communications from reaching the PLC;\r\nSever connections, requiring users to re-authenticate to the PLC, likely to facilitate capture of credentials;\r\nConduct a ‘packet of death’ attack to crash the PLC until a power cycle and configuration recovery is\r\nconducted; and\r\nSend custom Modbus commands (Note: this capability may work against Modbus devices other than Schneider\r\nElectric PLCs).\r\nRefer to the appendix for tactics, techniques, and procedures (TTPs) associated with this tool.\r\nAPT Tool for OMRON\r\nThe APT actors’ tool for OMRON devices has modules that can interact by:\r\nScanning for OMRON using 
Factory Interface Network Service (FINS) protocol;\r\nParsing the Hypertext Transfer Protocol (HTTP) response from OMRON devices;\r\nRetrieving the media access control (MAC) address of the device;\r\nPolling for specific devices connected to the PLC;\r\nBacking up/restoring arbitrary files to/from the PLC; and\r\nLoading a custom malicious agent on OMRON PLCs for additional attacker-directed capability.\r\nAdditionally, the OMRON modules can upload an agent that allows a cyber actor to connect and initiate\r\ncommands—such as file manipulation, packet captures, and code execution—via HTTP and/or Hypertext Transfer\r\nProtocol Secure (HTTPS). \r\nRefer to the appendix for TTPs associated with this tool.\r\nAPT Tool for OPC UA \r\nThe APT actors’ tool for OPC UA has modules with basic functionality to identify OPC UA servers and to connect\r\nto an OPC UA server using default or previously compromised credentials. The client can read the OPC UA\r\nstructure from the server and potentially write tag values available via OPC UA.\r\nThe threat from this tool can be significantly reduced by properly configuring OPC UA security. Refer to the\r\nMitigations below for more information. \r\nRefer to the appendix for TTPs associated with this tool.\r\nMitigations\r\nNote: these mitigations are provided to enable network defenders to begin efforts to protect systems and devices\r\nfrom new capabilities. 
They have not been verified against every environment and should be tested prior to\r\nimplementation.\r\nDOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following\r\nproactive mitigations:\r\nIsolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter\r\ncontrols, and limit any communications entering or leaving ICS/SCADA perimeters.\r\nEnforce multifactor authentication for all remote access to ICS networks and devices whenever possible.\r\nHave a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and\r\noperations.\r\nChange all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default\r\npasswords, to device-unique strong passwords to mitigate password brute force attacks and to give\r\ndefender monitoring systems opportunities to detect common attacks.\r\nEnsure OPC UA security is correctly configured with application authentication enabled and explicit trust\r\nlists.\r\nEnsure the OPC UA certificate private keys and user passwords are stored securely.\r\nMaintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing\r\nand integrity checks on firmware and controller configuration files to ensure validity of those backups.\r\nLimit ICS/SCADA systems’ network connections to only specifically allowed management and\r\nengineering workstations.\r\nRobustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor\r\nCode Integrity (HVCI). 
Install Endpoint Detection and Response (EDR) solutions on these subnets and\r\nensure strong anti-virus file reputation settings are configured.\r\nImplement robust log collection and retention from ICS/SCADA systems and management subnets.\r\nLeverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching\r\ninternal systems and communications for known hostile actions and lateral movement. For enhanced\r\nnetwork visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial\r\nControl Systems Network Protocol Parsers (ICSNPP).\r\nEnsure all applications are only installed when necessary for operation.\r\nEnforce the principle of least privilege. Only use admin accounts when required for tasks, such as installing\r\nsoftware updates.\r\nInvestigate symptoms of a denial of service or connection severing, which exhibit as delays in\r\ncommunications processing, loss of function requiring a reboot, and delayed actions to operator commands,\r\nas signs of potential malicious activity.\r\nMonitor systems for loading of unusual drivers, especially the ASRock driver if no ASRock driver is\r\nnormally used on the system.\r\nResources\r\nFor additional guidance on securing OT devices, see\r\nLayering Network Security Through Segmentation,\r\nStop Malicious Cyber Activity Against Connected Operational Technology, and\r\nNSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and\r\nControl Systems.
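The following is an added example and is not part of this advisory or of any vendor or agency tooling: Python detection logic for several of the indicators described above, run over constructed sample data. It allowlists known engineering workstations so that the UDP 27127 discovery probe is reported only from unexpected hosts (the advisory notes that this probe is normal engineering-workstation behavior), flags a burst of CODESYS (UDP 1740) sessions from one source to one PLC as a likely password brute force, flags Modbus (TCP 502) clients outside the allowlist, and reports Sysmon driver-load events (Event ID 6) for AsrDrv103.sys, or for any ASRock-signed driver on hosts where none is normally used. The IP addresses, the workstation allowlist, the reduced log layouts, the driver file AsrExample.sys, and the thresholds are assumptions chosen for illustration.

```python
# Added example (not from the advisory): detection logic for indicators the
# advisory describes, run over constructed sample data. Addresses, the
# workstation allowlist, log layouts and thresholds are assumptions.
import ntpath
from collections import defaultdict

# Ports named in the advisory.
SCHNEIDER_DISCOVERY_UDP = 27127  # PLC discovery probe; routine when an EWS sends it
CODESYS_UDP = 1740               # used by the tool to brute-force PLC passwords
MODBUS_TCP = 502                 # custom Modbus commands

# Assumed allowlist of engineering workstations permitted to talk to PLCs.
ALLOWED_WORKSTATIONS = {'10.10.1.20', '10.10.1.21'}

# Known-vulnerable ASRock driver named in the advisory (CVE-2020-15368).
SUSPICIOUS_DRIVERS = {'asrdrv103.sys'}

def parse_conn_line(line):
    # Reduced Zeek-style conn record: ts src dst dst_port proto (constructed layout).
    ts, src, dst, port, proto = line.split()
    return {'ts': float(ts), 'src': src, 'dst': dst, 'port': int(port), 'proto': proto}

def sample_conn_lines():
    # Constructed records, not captured traffic. 10.10.5.77 is the unexpected host.
    lines = [
        '1650000000 10.10.1.20 224.0.0.1 27127 udp',  # discovery from an allowed EWS
        '1650000001 10.10.5.77 224.0.0.1 27127 udp',  # discovery from an unknown host
        '1650000005 10.10.1.21 10.10.2.10 502 tcp',   # Modbus from an allowed EWS
        '1650000006 10.10.5.77 10.10.2.10 502 tcp',   # Modbus from an unknown host
        '1650000007 10.10.1.20 10.10.2.11 1740 udp',  # one CODESYS session from an EWS
    ]
    # Thirty CODESYS sessions in thirty seconds from the unknown host to one PLC.
    lines += ['%d 10.10.5.77 10.10.2.10 1740 udp' % (1650000010 + i) for i in range(30)]
    return lines

def discovery_from_unknown_hosts(records):
    # UDP 27127 probes are routine from engineering workstations, so only
    # sources outside the allowlist are reported.
    return sorted({r['src'] for r in records
                   if r['proto'] == 'udp' and r['port'] == SCHNEIDER_DISCOVERY_UDP
                   and r['src'] not in ALLOWED_WORKSTATIONS})

def modbus_from_unknown_hosts(records):
    # Any Modbus/TCP client that is not an allowed workstation.
    return sorted({(r['src'], r['dst']) for r in records
                   if r['proto'] == 'tcp' and r['port'] == MODBUS_TCP
                   and r['src'] not in ALLOWED_WORKSTATIONS})

def codesys_bruteforce_candidates(records, window_s=60, threshold=20):
    # A password brute force over CODESYS shows up as many short UDP 1740
    # sessions from one source to one PLC; count them in a sliding time window.
    by_pair = defaultdict(list)
    for r in records:
        if r['proto'] == 'udp' and r['port'] == CODESYS_UDP:
            by_pair[(r['src'], r['dst'])].append(r['ts'])
    hits = []
    for pair, stamps in by_pair.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(pair)
                break
    return sorted(hits)

# Constructed Sysmon Event ID 6 (driver loaded) records as key=value fields.
SAMPLE_DRIVER_EVENTS = [
    'EventID=6 Computer=EWS01 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signature=Microsoft',
    'EventID=6 Computer=EWS02 ImageLoaded=C:\\Windows\\Temp\\AsrDrv103.sys Signature=ASRock',
    'EventID=6 Computer=EWS03 ImageLoaded=C:\\Windows\\System32\\drivers\\AsrExample.sys Signature=ASRock',
    'EventID=7 Computer=EWS02 ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signature=Microsoft',
]

def suspicious_driver_loads(events, asrock_expected=False):
    # Report the known-vulnerable driver by file name and, on hosts where no
    # ASRock driver is normally used, any ASRock-signed driver load at all.
    hits = []
    for line in events:
        f = dict(kv.split('=', 1) for kv in line.split())
        if f.get('EventID') != '6':
            continue  # only driver-load events
        name = ntpath.basename(f['ImageLoaded']).lower()
        signed_by_asrock = f.get('Signature', '').lower().startswith('asrock')
        if name in SUSPICIOUS_DRIVERS or (signed_by_asrock and not asrock_expected):
            hits.append((f['Computer'], f['ImageLoaded']))
    return hits

def run_all():
    records = [parse_conn_line(l) for l in sample_conn_lines()]
    return {
        'discovery_unknown': discovery_from_unknown_hosts(records),
        'modbus_unknown': modbus_from_unknown_hosts(records),
        'codesys_bruteforce': codesys_bruteforce_candidates(records),
        'driver_loads': suspicious_driver_loads(SAMPLE_DRIVER_EVENTS),
    }

if __name__ == '__main__':
    for name, finding in run_all().items():
        print(name, finding)
```

The allowlist is what keeps the discovery and Modbus checks from paging on every engineering session; the brute-force threshold should be tuned to the site's normal CODESYS login rate, and the asrock_expected flag should be set per host from the asset inventory rather than globally.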
\r\nFor additional guidance on securing OPC UA enabled devices, see:\r\nPractical Security Recommendations for building OPC UA Applications\r\nFor more information on APT actors’ tools and TTPs, refer to:\r\nMandiant’s Blog – INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple\r\nIndustrial Control Systems\r\nDragos’ Blog – CHERNOVITE'S PIPEDREAM: Malware Targeting Industrial Control Systems\r\nDisclaimer\r\nThe information in this report is being provided “as is” for informational purposes only. DOE, CISA, NSA, and\r\nthe FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to\r\nspecific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does\r\nnot constitute or imply endorsement, recommendation, or favoring by the DOE, CISA, NSA, or the FBI, and this\r\nguidance shall not be used for advertising or product endorsement purposes.\r\nAcknowledgements\r\nThe DOE, CISA, NSA, and the FBI would like to thank Dragos, Mandiant, Microsoft, Palo Alto Networks, and\r\nSchneider Electric for their contributions to this joint CSA.\r\nAppendix: APT Cyber Tools Tactics, Techniques, and Procedures\r\nSee tables 1 through 3 for TTPs associated with the cyber actors’ tools described in this CSA mapped to the\r\nMITRE ATT\u0026CK for ICS framework. 
See the ATT\u0026CK for ICS framework for all referenced threat actor tactics\r\nand techniques.\r\nTable 1: APT Tool for Schneider Electric ICS TTPs (Tactic: Techniques)\r\nExecution: Command-Line Interface [T0807]; Scripting [T0853]\r\nPersistence: Modify Program [T0889]; System Firmware [T0857]; Valid Accounts [T0859]\r\nDiscovery: Remote System Discovery [T0846]; Remote System Information Discovery [T0888]\r\nLateral Movement: Default Credentials [T0812]; Program Download [T0843]; Valid Accounts [T0859]\r\nCollection: Monitor Process State [T0801]; Program Upload [T0845]\r\nCommand and Control: Commonly Used Port [T0885]; Standard Application Layer Protocol [T0869]\r\nInhibit Response Function: Block Reporting Message [T0804]; Block Command Message [T0803]; Denial of Service [T0814]; Data Destruction [T0809]; Device Restart/Shutdown [T0816]; System Firmware [T0857]\r\nImpair Process Control: Modify Parameter [T0836]; Unauthorized Command Message [T0855]\r\nImpact: Denial of Control [T0813]; Denial of View [T0815]; Loss of Availability [T0826]; Loss of Control [T0827]; Loss of Productivity and Revenue [T0828]; Manipulation of Control [T0831]; Theft of Operational Information [T0882]\r\nTable 2: APT Tool for OMRON ICS TTPs (Tactic: Techniques)\r\nInitial Access: Remote Services [T0886]\r\nExecution: Command-Line Interface [T0807]; Scripting [T0853]; Change Operating Mode [T0858]; Modify Controller Tasking [T0821]; Native API [T0834]\r\nPersistence: Modify Program [T0889]; Valid Accounts [T0859]\r\nEvasion: Change Operating Mode [T0858]\r\nDiscovery: Network Sniffing [T0842]; Remote System Discovery [T0846]; Remote System Information Discovery [T0888]\r\nLateral Movement: Default Credentials [T0812]; Lateral Tool Transfer [T0867]; Program Download [T0843]; Remote Services [T0886]; Valid Accounts [T0859]\r\nCollection: Detect Operating Mode [T0868]; Monitor Process State [T0801]; Program Upload [T0845]\r\nCommand and Control: Commonly Used Port [T0885]; Standard Application Layer Protocol [T0869]\r\nInhibit Response Function: Service Stop [T0881]\r\nImpair Process Control: Modify Parameter [T0836]; Unauthorized Command Message [T0855]\r\nImpact: Damage to Property [T0879]; Loss of Safety [T0837]; Manipulation of Control [T0831]; Theft of Operational Information [T0882]\r\nTable 3: APT Tool for OPC UA ICS TTPs (Tactic: Techniques)\r\nExecution: Command-Line Interface [T0807]; Scripting [T0853]\r\nPersistence: Valid Accounts [T0859]\r\nDiscovery: Remote System Discovery [T0846]; Remote System Information Discovery [T0888]\r\nLateral Movement: Valid Accounts [T0859]\r\nCollection: Monitor Process State [T0801]; Point \u0026 Tag Identification [T0861]\r\nCommand and Control: Commonly Used Port [T0885]; Standard Application Layer Protocol [T0869]\r\nImpact: Manipulation of View [T0832]; Theft of Operational Information [T0882]\r\nContact Information\r\nOrganizations can also report anomalous cyber activity and/or cyber incidents 24/7 to contact@mail.cisa.dhs.gov\r\nor by calling 1-844-Say-CISA (1-844-729-2472) and/or to the FBI via your local FBI field office or the FBI’s\r\n24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following\r\ninformation regarding the incident: date, time, and location of the incident; type of activity; number of people\r\naffected; type of equipment used for the activity; the name of the submitting company or organization; and a\r\ndesignated point of contact. 
For NSA client requirements or general cybersecurity inquiries, contact the\r\nCybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.\r\nRevisions\r\nApril 13, 2022: Initial version. April 14, 2022: Added Resources. May 25, 2022: Added additional Mitigations and\r\nResources.\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa22-103a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"
	],
	"report_names": [
		"aa22-103a"
	],
	"threat_actors": [
		{
			"id": "091dc6fb-2650-4646-894a-41de0d463f94",
			"created_at": "2023-11-17T02:00:07.594612Z",
			"updated_at": "2026-04-10T02:00:03.455179Z",
			"deleted_at": null,
			"main_name": "Chernovite",
			"aliases": [],
			"source_name": "MISPGALAXY:Chernovite",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438993,
	"ts_updated_at": 1775791911,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0878617bd0018912df4fe4c68eae468bbdae68b.pdf",
		"text": "https://archive.orkl.eu/a0878617bd0018912df4fe4c68eae468bbdae68b.txt",
		"img": "https://archive.orkl.eu/a0878617bd0018912df4fe4c68eae468bbdae68b.jpg"
	}
}