CISA, DOE, NSA, and FBI Warn of Pipedream Malware for Hacking ICS

While the toolkit’s adaptability means that it could be used against practically any industrial environment, from manufacturing to water treatment, Dragos points out that the apparent focus on Schneider Electric and OMRON PLCs does suggest that the hackers may have built it with power grid and oil refineries—particularly liquified natural gas facilities—in mind, given Schneider’s wide use in electric utilities and OMRON’s broad adoption in the oil and gas sector. Caltagirone suggests that the ability to send commands to servo motors in those petrochemical facilities via OMRON PLCs as particularly dangerous, with the ability to cause “destruction or even loss of life.”

The CISA advisory doesn’t point to any particular vulnerabilities in the devices or software the Pipedream malware targets, though Caltagirone says that it does exploit multiple zero-day vulnerabilities—previously unpatched hackable software flaws—that are still being fixed. He notes, however, that even patching those vulnerabilities won’t prevent most of Pipedream’s capabilities, as it’s designed largely to hijack the intended functionality of target devices and sends legitimate commands in the protocols they use. The CISA advisory includes a list of measures that infrastructure operators should take to protect their operations, from limiting industrial control systems’ network connections to implementing monitoring systems for ICS systems in particular that send alerts for suspicious behavior.

When WIRED reached out to Schneider Electric and OMRON, a Schneider responded in a statement that the company closely collaborated with the US government and security firm Mandiant, and that they together “identified and developed protective measures to defend against” the newly revealed attack toolkit. “This is an instance of successful collaboration to deter threats on critical infrastructure before they occur and further underscores how public-private partnerships are instrumental to proactively detect and counter threats before they can be deployed,” the company added. OMRON didn’t immediately respond to WIRED’s request for comment.

The discovery of the Pipedream malware toolkit represents a rare addition to the handful malware specimens found in the wild that target industrial control systems, or ICS, software. The first and still most notorious example of that sort of malware remains Stuxnet, the US- and Israeli-created code uncovered in 2010 after it was used to destroy nuclear enrichment centrifuges in Iran. More recently, the Russian hackers known as Sandworm, part of the Kremlin’s GRU military intelligence agency, deployed a tool called Industroyer or Crash Override to trigger a blackout in the Ukrainian capital of Kyiv in late 2016.

The next year, Kremlin-linked hackers infected systems at the Saudi Arabian oil refinery Petro Rabigh with a piece of malware known as Triton or Trisis, which was designed to target its safety systems—with potentially catastrophic physical consequences—but instead triggered two shutdowns of the plant’s operations. Then, just last week, Russia’s Sandworm hackers were detected using a new variant of their of Industroyer code to target a regional electrical utility in Ukraine, though Ukrainian officials say they managed to detect the attack and avert a blackout.

The Pipedream advisory serves as a particularly troubling new entry to the rogue’s gallery of ICS malware, however, given the breadth of its functionality. But its revelation—apparently before it could be used for disruptive effects—comes in the midst of a larger crackdown by the Biden administration on potential hacking threats to critical infrastructure systems, particularly Russian ones. Last month, for instance, the Justice Department unsealed indictments against two Russian hacker groups with a history of targeting power grids and petrochemical systems. One indictment named for the first time one of the hackers allegedly responsible for the Triton malware attack in Saudi Arabia, and also accused him and coconspirators of targeting US refineries, too. A second indictment named three agents of Russia’s FSB intelligence agency as members of a notorious hacker group known as Berserk Bear, responsible for years of electric utility hacking. And then early this month, the FBI took measures to disrupt a botnet of networking devices controlled by Sandworm, still the only hackers in history known to have triggered blackouts.

Even as the government has taken measures to call out and even disarm those disruptive hackers, however, Pipedream represents a powerful malware toolkit in unknown hands—and one from which infrastructure operators need to take measures to protect themselves, says Caltagirone. “This is not a small deal,” he says. “It’s a clear and present danger to the safety of industrial control systems.”

More Great WIRED Stories

Leave a Reply