The Rise of Ready-Made ICS Hacking Tools

In a report published by FireEye, a worrying trend has emerged. The use of ready-made Industrial Control System (ICS) hacking tools has been on the rise lowering the skill entry barrier, not only for state-sponsored groups but novice and unskilled hackers as well to exploit and cause major disruptions. The number of these tools has been steadily growing resulting in the problem becoming more of an issue, with the threat demanding more attention to combat.

Industrial control systems can be defined as an information system designed with the specific purpose of controlling industrial processes. These processes include manufacturing, product handling, production, and distribution. Attacks on these systems can be particularly damaging as they have the potential to disrupt modern services we take for granted, be it the generation of electricity or water sanitation. Attacks on infrastructure can be disastrous but for businesses, they can result in massive losses. In April 2019, the now infamous Triton malware was used to target a petrochemical plant in Saudi Arabia.

The malware was specifically designed to target a specific type of industrial control system (ICS), namely Triconex safety instrumented systems (SIS) controllers developed by Schneider Electric. Triton targets very specific processes within the controller with the aim of shutting them down. This results in potential damage to equipment and machinery as the systems governing safety processes are comprised and may not shut down when it is unsafe to continue.

rise of ics hacking tools

The use of such malware was rare as it could only be successfully used by well-funded and skilled hackers. Often the malware would be built from the ground up with a very specific purpose which in turn had to be done by those well-skilled. This generally meant that attacks on ICS were done by state-sponsored groups who are well-funded and highly skilled. FireEye noted that over the years more hacking tools are being developed to target ICS and ICS vendors which are effectively lowering the bar so that more hackers are able to carry out attacks like the one mentioned above. FireEye noted,

“As ICS is a distinct sub-domain to information and computer technology, successful intrusions and attacks against these systems often requires specialized knowledge, establishing a higher threshold for successful attacks. Since intrusion and attack tools are often developed by someone who already has the expertise, these tools can help threat actors bypass the need for gaining some of this expertise themselves, or it can help them gain the requisite knowledge more quickly. Alternatively, experienced actors may resort to using known tools and exploits to conceal their identity or maximize their budget.”

Most of the tools used for this purpose were created around 2004 but only saw the majority of their development from 2010. Most of these tools were vendor-agnostic created in order to scan for generic indicators found across a broad spectrum of ICS networks. However, tools have also been developed that target specific ICS vendors, suggesting they were explicitly created to hack into a particular system. Tools have been discovered that target products from Schneider Electric, GE, ABB, Digi International, Rockwell Automation, and Wind River Systems. According to FireEye’s research, the most targeted ICS vendor was Siemens, with 60% of the vendor-specific tools targeting its products.

Software Exploit Modules

Much of the security firms report details the use of what the firm calls “software exploit modules”. These modules are developed to take advantage of a specific vulnerability while simultaneously automating the exploitation process. The specific module is then added to a framework that consists of a number of these modules for targeting a wide variety of vulnerabilities, networks, and devices. The modules studied were associated with three of the most popular penetration testing frameworks at the time of writing, those being Metasploit, Core Impact, and Immunity Canvas. These frameworks were developed to help security researchers pinpoint security flaws within company networks but also proved to be popular tools in the hands of hackers as they remove much of the guesswork and work required in conducting a successful attack. Despite being rather generic in scope, these tools can be used to test the security of industrial networks via ICS-specific exploitation modules. Researchers noted,

“Given the simplicity and accessibility of exploit modules, they are attractive to actors with a variety of skill levels. Even less sophisticated actors may take advantage of an exploit module without completely understanding how a vulnerability works or knowing each of the commands required to exploit it. We note that, although most of the exploit modules we track were likely developed for research and penetration testing, they could also be utilized throughout the attack lifecycle.”

Currently, FireEye tracks ICS-specific modules for these three frameworks that are linked back to more than 500 vulnerabilities. Of the three most popular frameworks listed above Immunity Canvas has the most ICS-specific modules. However, companies are warned to also take special note of Metasploit as it is an open-source project meaning that it is not locked behind a license or paywall, often with strict vetting processes. This, in turn, will make it far more appealing to hackers as it is easier to acquire. Further, since 2017, more ICS-specific modules have been developed in the open-source community with a focus on vulnerabilities found almost exclusively in ICS environments. Some of the most notable ICS-specific pen-testing frameworks include Autosploit, Industrial Exploitation Framework (ICSSPLOIT), and the Industrial Security Exploitation Framework.

For the most part, the tools focus on ICS discovery and vulnerability exploitation, however, the tools had a wide array of uses. For example, researchers found tools for scanning networks for ICS-specific devices, tools for exploiting vulnerabilities in ICS equipment, tools for interacting with mesh radio networks usually employed for inter-connecting ICS devices, and various others. The wide array of tools meant that attackers can create a complete offensive arsenal with publically available tools. This would further allow hackers with a basic knowledge of ICS the ability to conduct attacks. There is also the possibility that hackers with no knowledge about these systems could conduct a successful attack by merely clicking on a few buttons. This will, in all likelihood, place greater strain on those employed to defend networks as before it was only state-sponsored groups they would have to track and defend against, now the attack surface is increased exponentially.

Consider the Warnings

In concluding researchers of the US-based cybersecurity firm warned,

“ICS-specific cyber operation tools often released by researchers and security practitioners are useful assets to help organizations learn about ongoing threats and product vulnerabilities. However, as anything publicly available, they can also lower the bar for threat actors that hold an interest in targeting OT networks. Although successful attacks against OT environments will normally require a high level of skills and expertise from threat actors, the tools and exploit modules discussed in this post are making it easier to bridge the knowledge gap…Awareness about the proliferation of ICS cyber operation tools should serve as an important risk indicator of the evolving threat landscape. These tools provide defenders with an opportunity to perform risk assessments in test environments and to leverage aggregated data to communicate and obtain support from company executives. Organizations that do not pay attention to available ICS cyber operation tools risk becoming low-hanging fruit for both sophisticated and unexperienced threat actors exploring new capabilities.”

FireEye’s warning follows a warning issued by the FBI in February of this year. The warning specifically details attacks against software supply-chains in order to compromise corporate networks. However, the warning does mention the danger posed to businesses reliant on ICS for daily operations, stating

“Software supply chain companies are believed to be targeted to gain access to the victim's strategic partners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution,”

The two warnings should be heeded as the recent past has provided a number of examples illustrating how damaging these attacks can be. The BlackEnergy attack on Ukraine’s power network is one such example. In 2016 reports emerged that the Western Ukrainian power company Prykarpattyaoblenergo reported on outage. An investigation later determined that attackers had leveraged a Microsoft Excel document containing malicious macros to compromise an employee’s workstation and inject BlackEnergy malware into the company’s network. The malware provided “interference” while the attackers cut off power to the affected region. In the same year, the US Department of Justice accused an Iranian state-sponsored group of compromising the network of the Bowman Avenue Dam. The attackers never gained access to the dam controls but did gain a significant amount of knowledge concerning how the structure operates. The dam is used is for flood control, any attack then that could gain access to the flood controls could cause significant physical damage and harm.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal