
Round 2 of the Great Cyberwar of 2022: Attacking Russia's Schneider Electric SCADA/ICS Sites

Updated: Dec 28, 2022

Welcome back, my cyber warriors!


Round 1 of the Great Cyberwar of 2022 went to Ukraine and its allies from around the world. Among the many successful attacks were the brief takeover of Russia Today TV, the defacement of multiple websites, and probably most importantly, the massive DDoS of Russia's Internet architecture. We successfully made inaccessible almost 98% of the public-facing websites in Russia including the Moscow Stock Exchange and many military and government sites.


As you know, I expect Russia to attack the industrial infrastructure of the West in Round 2 of this war. The war continues to drag on and Russia's efforts become increasingly desperate and brutal. They are losing thousands of soldiers and untold numbers of tanks and other military hardware.





Attacks against a nation's SCADA/ICS infrastructure are the nuclear option for cyber attacks. If you attack, you can expect a counterattack in kind. This means that electricity, communications, sewer and water systems may become inoperable. The civilian populations will be impacted and innocent people will die. That's why this is so serious. This option should ONLY be triggered as a response to a Russian SCADA/ICS attack on a non-combatant nation (Poland, Romania, US, Germany, etc.) in this war. To do otherwise risks escalating this war. No one wants that.


Schneider Electric of France is a major producer of industrial control systems. They sell them throughout the world. These include building control systems, manufacturing systems, electrical substations and many more.


Recently, we at Hackers-Arise scanned Russia to find all of their Schneider Electric based sites. We have compiled a list of 366 sites in Russia. This list includes their city, their GPS coordinates and IP address, such as below.




You can download the entire list in csv format below.





These should be among some of the first systems to attack in the event that Russia attacks the infrastructure of non-combatants in this war (Russia has already attacked the infrastructure of Ukraine). Attacks against these systems can include such things as:


  1. Denial of Service (DoS) attack. These systems use port 80 or 502 to manage and administer them. If those ports are overwhelmed with traffic, the administrator cannot connect.

  2. Default Passwords

  3. modbus-cli

  4. A variety of exploits in the public domain


Let's take a look at each of these.


DDoS


Like the traditional DDoS attacks, these system interfaces can be overwhelmed with "junk" traffic. By doing so, you make the interfaces unavailable to the administrator. In most cases, these systems are administered via port 502 but some use an HTTP connection on port 80 or SSH on port 21. Scan the system first and check to see what ports are open and then throw as much junk as you can at them. zmap would be an appropriate DoS tool here.



Default Passwords


Surprisingly, many systems still use default passwords to log in. If so, you can take control of the system and shut it down. If you have viewed my SCADA Hacking and Security videos, you will see that I have often been able to log in to these systems with default credentials.


Here is a list of some of the default passwords on Schneider systems.





modbus-cli


modbus-cli is a simple command-line tool that is capable of sending commands into a modbus-based system through port 502. If one can send commands to the modbus-based PLC, the possibilities become endless. If you know what you are doing, you can wreak havoc on the underlying system. To read how to use this tool, click here.
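The reason a command-line tool like modbus-cli can alter a PLC at all is that standard Modbus/TCP carries no authentication: whoever can reach port 502 can issue write function codes. For a defender, the practical consequence is that state-changing requests from hosts other than the engineering workstations should be treated as alerts. The following is an added example, written for this article and not code from Hackers-Arise or the modbus-cli project, that parses Modbus/TCP frames and flags such writes. The addresses and frames are constructed for the demonstration; the engineering-host allowlist is a hypothetical parameter.

```python
"""Detect state-changing Modbus/TCP requests from hosts that should not issue them."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Function codes from the Modbus application protocol specification.
READ_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    src: str              # client IP that sent the frame
    transaction_id: int
    unit_id: int
    function: int
    data: bytes           # PDU bytes after the function code


def parse_modbus_tcp(src: str, frame: bytes) -> Optional[ModbusRequest]:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2, counts
    the unit id plus the PDU), unit id (1). Returns None for malformed input.
    """
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return ModbusRequest(src, tid, unit, frame[7], frame[8:])


def describe(req: ModbusRequest) -> str:
    """Human-readable summary of the request, decoding the common write forms."""
    name = (WRITE_FUNCTIONS.get(req.function) or READ_FUNCTIONS.get(req.function)
            or f"function 0x{req.function:02x}")
    if req.function in (5, 6) and len(req.data) >= 4:
        addr, value = struct.unpack(">HH", req.data[:4])
        return f"{name} addr={addr} value=0x{value:04x}"
    if req.function in (15, 16) and len(req.data) >= 4:
        addr, qty = struct.unpack(">HH", req.data[:4])
        return f"{name} addr={addr} count={qty}"
    return name


def audit(frames: Iterable[Tuple[str, bytes]], engineering_hosts: Set[str]) -> List[str]:
    """Return one alert per write request from a host outside the allowlist
    and one per malformed frame. Reads are not alerted."""
    alerts = []
    for src, frame in frames:
        req = parse_modbus_tcp(src, frame)
        if req is None:
            alerts.append(f"{src}: malformed Modbus/TCP frame {frame.hex()}")
            continue
        if req.function in WRITE_FUNCTIONS and src not in engineering_hosts:
            alerts.append(f"{src}: unexpected write to unit {req.unit_id}: {describe(req)}")
    return alerts


# Constructed sample traffic (hypothetical addresses, not from any real site).
ENGINEERING_HOSTS = {"10.0.0.5"}
SAMPLE_FRAMES = [
    # Engineering workstation reads 10 holding registers starting at address 0.
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),
    # Unknown internet host forces coil 1 ON (0xFF00): the kind of write to flag.
    ("203.0.113.7", bytes.fromhex("00020000000601050001ff00")),
    # Engineering workstation writes two registers; allowed by the allowlist.
    ("10.0.0.5", bytes.fromhex("00030000000b0110000000020400010002")),
    # Truncated frame: length field says 6 bytes follow the header, only 3 do.
    ("203.0.113.7", bytes.fromhex("000400000006010300")),
]


def run_sample() -> List[str]:
    """Run the audit over the constructed frames; returns the alert lines."""
    return audit(SAMPLE_FRAMES, ENGINEERING_HOSTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The allowlist is deliberately the only distinguishing signal, because the protocol itself offers none; in practice the frames would come from a span port or packet capture on the PLC network rather than an inline list.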


Exploits


The Schneider Electric systems are notoriously vulnerable to exploitation. Even though they have become more secure in recent years, a simple search of the CVE database shows 4 vulnerabilities in the last year with a CVSS score of 9.3!




I have downloaded the complete list as a text file for you to download below.

When we check the exploit-db database, we can find numerous exploits against Schneider systems. One recent one has been ported to Metasploit making it simple and easy to use.



This is the Schneider Electric Pelco Endura NET55XX Encoder exploit from 2019 in Metasploit. Use it wisely.



For more SCADA/ICS Metasploit modules, click here.


Update


Team OneFist, a group of volunteer hackers led by Voltage, destroys a gas plant in Russia. To read more about it, click here.




Summary


Remember, do not attack these systems unless Russia attacks first! SCADA/ICS systems are the backbone of a modern economy. They include electrical, communication, energy, water, manufacturing and many other systems. The victims of such an attack are innocent civilians; that is why it is the nuclear option.


For more on this critical field of SCADA/ICS Hacking, click here or join Hackers-Arise and attend our next SCADA/ICS Hacking and Security training.

