Pipedream malware: Feds reveal ‘Swiss army knife’ for hacking industrial systems

Malware designed to target industrial control systems such as power grids, factories, water utilities, and oil refineries represents a rare breed of digital evil. So when the United States government warns about a piece of code designed to target not just one of these industries, but potentially all of them, owners of critical infrastructure around the world should take notice.

On Wednesday, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA and the FBI jointly released advisories about a new set of hacking tools potentially capable of interfering with a wide range of industrial control system equipment. More than any previous toolkit for hacking industrial control systems, the malware contains a range of components designed to disrupt or take control of the operation of devices, including programmable logic controllers (PLCs) sold by Schneider Electric and OMRON, which serve as the interface between traditional computers and the actuators and sensors in industrial environments. Another component of the malware is designed to target Open Platform Communications Unified Architecture (OPC UA) servers, the computers that communicate with these controllers.

“This is the most far-reaching attack tool against industrial control systems that anyone has ever documented,” said Sergio Caltagirone, vice president of threat intelligence at industry-focused cybersecurity firm Dragos, which contributed research to the advisory and published its own report on the malware. Researchers from Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric also contributed to the advisory. “It’s like a Swiss Army knife with a huge number of parts to it.”

Dragos says the malware has the ability to hijack targeted devices, disrupt or prevent operators from accessing them, block them permanently, or even use them as a foothold to give hackers access to other parts of an industrial control system’s network. Caltagirone notes that while the toolset, which Dragos calls “Pipedream,” appears to target Schneider Electric and OMRON PLCs specifically, it does so by using underlying software in those PLCs known as Codesys, which is used much more widely, in hundreds of other PLC types. This means the malware can easily be adapted to work in almost any industrial environment. “This set of tools is so large that it’s practically free for everyone,” says Caltagirone. “There’s enough here for everyone to worry about.”

CISA’s advisory refers to an unnamed “APT actor” who developed the malware toolkit, using the common acronym APT, which stands for Advanced Persistent Threat, a term for state-sponsored hacking groups. It’s far from clear where government agencies discovered the malware or which country’s hackers created it, though the timing of the advisory follows warnings from the Biden administration that the Russian government was taking preparatory steps to launch devastating cyberattacks in the midst of its invasion of Ukraine.

Dragos also declined to comment on the origin of the malware. But Caltagirone says it doesn’t appear to have been actually used against a victim, or at least it hasn’t yet triggered actual physical effects on a victim’s industrial control systems. “We have a lot of confidence that it has not yet been deployed to disruptive or destructive effects,” Caltagirone says.
