On April 13, the US government (specifically, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation) issued a joint advisory warning that nation-state threat actors are using specialized malware to access industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.
Nation-state threat actors in a government warning notification
According to the alert, the advanced persistent threat actors use custom-made tools to attack ICS and SCADA devices. Once access to the operational technology network is established, these tools allow the attackers to find the targeted devices, compromise them, and take control of them.
The tailored tools are designed specifically to attack Open Platform Communications Unified Architecture (OPC UA) servers, Schneider Electric programmable logic controllers (PLCs), and OMRON Sysmac NEX PLCs.
According to the document, the threat actors can also compromise Windows-based engineering workstations in both information technology and operational technology networks. This is done by exploiting CVE-2020-15368, a vulnerability in the AsrDrv103.sys motherboard driver: the driver can be abused to execute malicious code in the Windows kernel. The attackers aim to escalate privileges, move laterally within the industrial control system's networks, and disrupt the supply and distribution of electricity and natural gas.
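As an added defender-side check, not taken from the advisory or from this article, the PowerShell audit below inventories a Windows engineering workstation for the AsrDrv103.sys driver named above, both as a registered kernel driver and as a file on disk; the search roots and helper names are assumptions.

```powershell
# Added example, not from the advisory or the article: inventory a Windows
# engineering workstation for the AsrDrv103.sys driver (CVE-2020-15368).
# Run in an elevated PowerShell session; search roots below are assumptions.
$suspectDriver = 'AsrDrv103.sys'

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName may carry \??\, \SystemRoot\ or bare system32\ prefixes.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }
    return $p
}

function Get-SignerSubject([string]$Path) {
    # Report who signed the binary; the vendor driver is signed, a tampered copy may not be.
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if ($sig -and $sig.SignerCertificate) { return $sig.SignerCertificate.Subject }
    return '(unsigned or unreadable)'
}

# 1. Driver services registered with the Service Control Manager, running or not.
$registered = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ([IO.Path]::GetFileName($_.PathName) -ieq $suspectDriver) } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        [pscustomobject]@{
            Check = 'RegisteredDriver'; Name = $_.Name; State = $_.State
            StartMode = $_.StartMode; Path = $path; Signer = (Get-SignerSubject $path)
        }
    }

# 2. Copies of the driver file on disk, whether or not a service points at them.
$roots = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp", $env:ProgramData, $env:USERPROFILE)
$onDisk = Get-ChildItem -Path $roots -Filter $suspectDriver -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Check = 'FileOnDisk'; Name = $_.Name; State = ''
            StartMode = ''; Path = $_.FullName; Signer = (Get-SignerSubject $_.FullName)
        }
    }

$findings = @($registered) + @($onDisk)
if ($findings.Count -eq 0) { "No $suspectDriver driver or file found on this host." }
else { $findings | Format-Table -AutoSize }
```

A hit is a lead rather than proof of compromise, since the driver is a legitimate vendor component; a copy on an engineering workstation that never needed motherboard utilities is what warrants follow-up.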
Dragos report and scale of the threat
The specialists at Dragos, an industrial cybersecurity company, have described [1] the recently revealed PIPEDREAM malware as a modular attack framework that can cause “disruption, degradation, and possibly even destruction, depending on targets and the environment.”
Robert M. Lee, CEO of Dragos, has stated that PIPEDREAM is attributed to the nation-state actor tracked under the moniker CHERNOVITE. Lee claims that it is the first time malicious software with such destructive capabilities has been discovered before its actual use.
PIPEDREAM is a complex program whose five components serve different objectives. The malware is designed to detect and hijack devices, compromise programmable logic controllers, and disrupt them, jeopardizing the correct operation of industrial facilities. If PIPEDREAM were used against production industrial systems, the consequences would range from unpredictable to catastrophic.
PIPEDREAM is malware aimed at physical destruction
The malware uses highly automated exploits for a range of functions. Different PIPEDREAM modules inject malicious configurations into devices, alter their parameters, and manipulate the devices' contents.
CODESYS, a development environment for controller programs, was found to have at least seventeen vulnerabilities potentially exploitable by attackers. PIPEDREAM is capable of compromising CODESYS as well.
The very possibility of attackers tampering with the settings of industrial programmable controllers is alarming. Dragos warns that attackers could destabilize the operational environment by disabling the emergency shutdown. If that occurred, the attacked system would become critical and unstable.
Mandiant report and PIPEDREAM origins
Mandiant, a threat intelligence company, published a report that matches the one by Dragos. In it, Mandiant describes PIPEDREAM (aka INCONTROLLER) as malware designed specifically to target Schneider Electric and Omron automation systems.
Schneider Electric, in turn, reported [2] that there was neither evidence of vulnerabilities that could have been exploited by PIPEDREAM nor any detected attack on the company's devices. However, the company acknowledged that the threat level was troubling and added a “recommended mitigations” section to its notification for all customers to apply.
The trace leads to Russia
Apparently, the information about PIPEDREAM originates from the Russo-Ukrainian war. The conflict takes place not only on the ground but also in cyberspace [3]. After an unsuccessful attack on a Ukrainian energy provider, the cybersecurity company ESET [4] published a thorough description of how the INDUSTROYER2 malware worked. Possibly, that information helped Dragos and Mandiant detect and dissect another malicious program, PIPEDREAM.
The malware in question now stands alongside Stuxnet, Havex, Industroyer 1 and 2, Triton, and BlackEnergy2 as a malicious tool designed against vital industrial control systems.
As a countermeasure against possible threats, cybersecurity agencies strongly advise industrial control organizations to strengthen all security measures. These are well-known rules: two-factor authentication, no password auto-fill, changing passwords, and overall vigilance against potential intrusions.
1. In their dedicated report.
2. Schneider Electric Security Bulletin on APT Cyber Tools Targeting ICS/SCADA Devices (April 13, 2022).
3. The war against Russian hackers that the US has been waging has seemingly entered a more intense phase since the war in Ukraine broke out. The decisive steps in this struggle are the police operations seizing RaidForums, a large hacking community forum, and Hydra, a Russian-language darknet market. In addition, the US has abandoned cooperation with Russia on eradicating ransomware.
4. CERT, the Computer Emergency Response Team of Ukraine, thanked ESET for helping it repel the hacking offensive in its report about the failed cyberattack of March 23, 2022.