US government, security vendors warn of new ICS malware

As attacks on critical infrastructure increase, experts warn that threat actors have developed new malware designed to take control of ICS and SCADA systems in the energy sector.

The U.S. government announced the discovery of new malware designed to target industrial control systems in the energy sector.

In a joint alert Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency and the Department of Energy warned that unnamed advanced persistent threat (APT) actors have developed "custom-made tools" capable of gaining full access to ICS and supervisory control and data acquisition (SCADA) devices. The agencies urged critical infrastructure organizations, especially those in the energy sector, to strengthen their defenses.

The alert named Schneider Electric programmable logic controllers (PLCs), Omron Sysmac NEX PLCs and Open Platform Communications Unified Architecture (OPC UA) servers as targets of the new ICS malware.

After establishing initial access in an operational technology (OT) network, the new tools enable actors to scan for, compromise and control those devices. Attacks could lead to the disruption of "critical devices or functions," according to CISA.

"The APT actors' tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices," the alert said.

One exploit takes advantage of flaws in an ASRock motherboard driver that would enable actors to "compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments."

The newly observed tactics and techniques allow lower-skilled actors to deploy more sophisticated operations, according to the alert.

Following the joint alert, ICS security vendor Dragos provided more information in a threat report Wednesday, which referred to the new malware as "Pipedream." Dragos attributed Pipedream to a threat group it calls "Chernovite," which the company has tracked since 2021 and noted "unique tool development" as one of its identifiers.

The company said Pipedream is a modular ICS attack framework that contains several components designed to give threat actors control of such systems, and either disrupt the environment or disable safety controls.

While the ICS malware could be leveraged to cause disruption and even destruction of industrial systems, Dragos said it "assesses with high confidence that Pipedream has not yet been employed in the wild for destructive effects." The company further explained in a white paper on the ICS malware that "Pipedream was found before the adversary could deploy it so there are no known targeted environments currently and the adversary's goal may or may not be safety focused."

It's unclear how the ICS malware was first discovered. SearchSecurity asked CISA for additional information on the discovery, but the agency declined to comment. However, a CISA spokesperson said the agency and its partners are not aware of the malware being used in the wild.

Dragos said "Chernovite is specifically targeting Schneider Electric and Omron PLCs," but warned that the focus should be placed on the adversary's tactics and techniques, as Pipedream could "work across hundreds of different controllers."

Dragos told SearchSecurity that Pipedream can affect a significant percentage of industrial assets worldwide, and noted the depth and breadth of the toolkit.

"While Dragos identifies the most probable targets include electric and oil and gas, any industrial environment running any one of these ubiquitous technologies is at risk," the company said in an email to SearchSecurity.

Cybersecurity vendor Mandiant published its own blog on the ICS malware Wednesday, which it dubbed "Incontroller." Mandiant researchers warned that it poses a "critical risk to organizations leveraging the targeted equipment."

More notably, Mandiant compared it to other high-threat-level malware strains. The first was Triton, a malware that was leveraged in destructive attacks against the energy sector in 2017. Last month, the U.S. unsealed an indictment against Evgeny Viktorovich Gladkikh, a member of the Russian Ministry of Defense who was accused of deploying Triton against ICS systems, specifically a plant in Saudi Arabia.

Mandiant also compared Incontroller to Stuxnet, the infamous worm that caused physical damage to nuclear development facilities in Iran, and Industroyer, a malware used in a Russian state-sponsored attack on Ukraine's energy grid in 2016. Like Dragos and CISA, Mandiant believes the ICS malware is state-sponsored because of its complexity. However, Mandiant went a step further and named Russia as the potential nation behind this latest threat. The blog noted that its "activity is consistent with Russia's historical interest in ICS," of which Triton is one example.

"While our evidence connecting Incontroller to Russia is largely circumstantial, we note it given Russia's history of destructive cyber attacks, its current invasion of Ukraine, and related threats against Europe and North America," the blog said.

Those consistencies led Mandiant to believe that Incontroller "poses the greatest threat" to nations offering support to Ukraine.

Last month, the White House announced that the Russian government was "exploring" possible cyber attacks on U.S. critical infrastructure as a retaliatory measure for Western support of Ukraine. The warning was based on "evolving intelligence" rather than activity detected in the wild.

All three advisories recommend network segmentation, effective monitoring and implementing detection capabilities as mitigation steps. As critical infrastructure attacks increase, however, enterprises might have to rethink their broader strategy as well.

"Due to the historic and expansive nature of PIPEDREAM, mitigating the CHERNOVITE threat will require a robust strategy, and not simply applying cybersecurity fundamentals," Dragos wrote in the report.

Rob Caldwell, director of ICS and OT at Mandiant, cautioned that some ICS and OT networks are increasingly vulnerable to cyber attacks.

"One key point to note is that there are many business pressures moving towards more connection to these networks rather than less," Caldwell said in an email to SearchSecurity. "We seldom see truly air-gapped OT networks, and there is a broad movement towards more connectivity of these to the IT networks."

Senior security news writer Shaun Nichols contributed to this article.
