Pipedream (toolkit)

[1] It is believed to have been developed by state-level Advanced Persistent Threat actors.

[3][4] It has been compared with the Industroyer toolkit used in the December 2015 Ukraine power grid cyberattack.

[5] The toolkit consists of custom-made tools that, once the actors have established initial access in an operational technology (OT) network, enable them to scan for, compromise, and control certain ICS/SCADA devices, including the following:[6]

The toolkit has a modular architecture and enables cyber actors to conduct highly automated exploits against targeted devices.

[6] In addition, the APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel.

Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions.
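
A defender-side check for the driver load described above, as an added example that is not part of the original page: it parses Sysmon Event ID 6 (driver loaded) records and flags AsrDrv103.sys by file name, with a lower-confidence match on the signer to catch renamed copies. The host names, paths, signer string and sample events are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DRIVER_NAME = "asrdrv103.sys"  # driver named on this page, compared case-insensitively


def _event(host, image, signature):
    """Build a constructed record shaped like Sysmon Event ID 6 (driver loaded)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>6</EventID><Computer>{}</Computer></System>"
        '<EventData><Data Name="ImageLoaded">{}</Data>'
        '<Data Name="Signature">{}</Data></EventData></Event>'
    ).format(host, image, signature)


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    _event("eng-ws-01", r"C:\Windows\System32\drivers\disk.sys", "Microsoft Windows"),
    _event("eng-ws-02", r"C:\Users\Public\AsrDrv103.sys", "ASRock (constructed)"),
    _event("hmi-03", r"C:\ProgramData\svc\helper.sys", "ASRock (constructed)"),
]


def classify(event_xml):
    """Return (severity, host, image) for a suspicious driver load, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6":
        return None  # not a driver-load event
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    host = root.findtext("e:System/e:Computer", default="?", namespaces=NS)
    image = data.get("ImageLoaded", "")
    # ntpath parses Windows paths correctly even when the script runs on Linux.
    if ntpath.basename(image).lower() == DRIVER_NAME:
        return ("high", host, image)
    # A renamed copy keeps its signer; this also matches legitimate ASRock
    # utilities, so it is a review item rather than an alert.
    if "asrock" in data.get("Signature", "").lower():
        return ("review", host, image)
    return None


def scan(events):
    """Classify every event and keep only the hits."""
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for severity, host, image in scan(SAMPLE_EVENTS):
        print(severity, host, image)
```

On hosts that are not ASRock hardware, such as most engineering workstations and HMIs, any load of this driver is worth investigating.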