Pipedream Malware: FBI Discovers ‘Swiss Army Knife’ for Hacking Industrial Systems

Malware designed to target industrial control systems such as power grids, factories, water utilities, and oil refineries represents a rare form of digital badness. So when the United States government warns of a piece of code that targets not just one of those industries, but potentially all of them, critical infrastructure owners worldwide need to pay attention.

On Wednesday, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA and the FBI jointly issued an advisory on a new hacker toolset that may be capable of interfering with a wide variety of industrial control system equipment. More than any previous toolkit for hacking into industrial control systems, the malware contains a series of components designed to disrupt the operation of devices or take control of them, including programmable logic controllers (PLCs) sold by Schneider Electric and OMRON, which serve as the interface between traditional computers and the actuators and sensors in industrial environments. Another component of the malware is designed to target Open Platform Communications Unified Architecture (OPC UA) servers, the computers that communicate with those controllers.

“This is the most comprehensive industrial control systems attack tool anyone has ever documented,” said Sergio Caltagirone, the vice president of threat intelligence at industrial-focused cybersecurity firm Dragos, which contributed research to the advisory and published its own report on the malware. Researchers from Mandiant, Palo Alto Networks, Microsoft and Schneider Electric also contributed to the advisory. “It’s like a Swiss army knife with a huge number of pieces on it.”

Dragos says the malware has the ability to hijack target devices, disrupt or prevent operators from accessing them, block them permanently, or even use them as a foothold to allow hackers to access other parts of an industrial control system network. Caltagirone notes that while the toolkit, which Dragos calls “Pipedream,” appears to be aimed specifically at PLCs from Schneider Electric and OMRON, it does so by leveraging underlying software in those PLCs known as Codesys, which is much more widely used in hundreds of other types of PLCs. This means that the malware could be easily modified to work in almost any industrial environment. “This toolset is so big that it’s basically free for everyone,” says Caltagirone. “There’s plenty here to worry about.”

The CISA advisory refers to an unnamed “APT actor” who developed the malware toolkit, using the generic acronym APT for Advanced Persistent Threat, a term for state-sponsored hacker groups. It’s far from clear where government agencies found the malware or which country’s hackers built it, though the advisory’s timing follows warnings from the Biden administration that the Russian government is taking preparatory steps to launch disruptive cyberattacks during the invasion of Ukraine.

Dragos also declined to comment on the malware’s origin. But Caltagirone says it doesn’t appear to have actually been used against a victim — or at least hasn’t caused any actual physical effects on a victim’s industrial control systems yet. “We are confident that it has not yet been deployed for disruptive or destructive effects,” Caltagirone said.

This post, “Pipedream Malware: FBI Discovers ‘Swiss Army Knife’ for Hacking Industrial Systems,” was originally published at https://www.wired.com/story/pipedream-ics-malware