A joint federal advisory Wednesday says that foreign government-linked hackers are targeting specific industrial processes with tools meant to breach and disrupt them, with one cybersecurity firm noting that the prospective intruders demonstrate an unprecedented “breadth of knowledge” about industrial control systems.
The alert arrives one day after Ukrainian officials and a cyber firm discussed deflecting another ICS-targeting malware that attempted to shut down power in Ukraine. “ICS” is a term that encompasses a number of systems that are especially common in the energy and manufacturing sectors, including a variety known as supervisory control and data acquisition (SCADA).
Cybersecurity company Dragos, which aided in Wednesday’s alert, said it had named the advanced persistent threat (APT) group behind the tools Chernovite, and named the tools themselves Pipedream. Dragos said one potential use of the tools would be to disable an emergency shutdown system. Mandiant, which also aided in the alert, said the malware posed the greatest risk to Ukraine and other nations responding to the Russian invasion.
The Department of Energy, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency joined on the alert.
“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions,” states the advisory, which specifically calls on energy companies to take heed and says the malware could also be used for information-gathering.
By Dragos’ count, it’s the seventh-ever ICS-specific malware identified. It’s also the second this week: Ukraine and ESET on Tuesday talked about efforts to identify and beat back another kind, known as Industroyer2.
“The PIPEDREAM malware initially targets Schneider Electric and Omron controllers,” Rob Lee, CEO and co-founder of Dragos, said in a written statement. However, “there are not vulnerabilities specific to those product lines.”
“Specifically the initial targeting appears to be liquid natural gas and electric community,” Lee said. “However, the nature of the malware is that it works in a wide variety of industrial controllers and systems.”
Mandiant, which said it conducted its analysis of the “exceptionally rare and dangerous tools” with Schneider Electric, dubbed it INCONTROLLER and said it posed the biggest threat to Ukraine, NATO and other nations involved in the response to Russia’s invasion of Ukraine.
“INCONTROLLER is very likely state-sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction,” said Nathan Brubaker, director of intelligence analysis at Mandiant. “While we are unable to definitively attribute the malware, we note that the activity is consistent with Russia’s historical interest in ICS.”
Dragos as a matter of policy doesn’t publicly link APT groups to specific nations. The company said the malware was discovered before deployment by the hackers, but didn’t provide specifics on the nature of the discovery.
“We identified and analyzed PIPEDREAM in early 2022 through the course of our normal business operations, independent research, and partners,” the company said. “Since then, we’ve been working privately to inform the community and prepare our customers.”
The advisory also thanked Microsoft, Palo Alto Networks and Schneider Electric for their contributions.
“The APT actors have developed custom-made tools for targeting ICS/SCADA devices,” according to the alert. “The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments.”
The tools are diverse and powerful, according to the Dragos analysis. They can undermine encryption and authentication, or bypass firewalls and threat detection defenses.
“The breadth of knowledge required to develop these tools indicates that CHERNOVITE is highly knowledgeable of ICS protocols, devices, and how to apply this knowledge to achieve an effect,” Dragos said. “It’s likely that they have a budget for acquiring devices in order to test their tool set.”
Said Wendi Whitmore, senior Vice President and head of Unit 42 at Palo Alto Networks: “Today’s alerts detail just how sophisticated our adversaries have gotten – developing custom tools that provide tremendous capabilities for adversaries to attack targeted infrastructure.”
Updated 4/13/22: with additional commentary from Mandiant, Palo Alto Networks and Dragos.