No Longer a PIPEDREAM: Seventh ICS-Focused Malware Discovered
Researchers discovered a new malware family designed to target Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, bringing the total number of publicly known ICS-targeting malware families to seven.
The new malware is called PIPEDREAM or INCONTROLLER and uses tools to scan, compromise, and control affected devices after establishing initial access to the operational technology (OT) network.
In a security bulletin released this week, Schneider Electric said it had worked with the U.S. Department of Energy (DOE), the U.S. Department of Homeland Security, and cybersecurity firm, Mandiant, to identify and develop protective measures to defend against INCONTROLLER. Schneider said it partnered with Mandiant in early 2022 to analyze “novel” attack tools built to target machine automation devices—which they called a framework.
“While we are not aware, at the date of this publication, of any confirmed or potential targets leveraging INCONTROLLER, the framework poses a critical risk to organizations using the targeted devices,” Schneider said. “The framework has capabilities related to disruption, sabotage, and potentially physical destruction.”
We've published a blog post on our analysis of the INCONTROLLER framework, covering how new state-sponsored cyber attack tools target multiple industrial control systems. Thanks to @SchneiderElec & our partners for their contribution. Full post 👇 #ICS https://t.co/ZKl3vJ3w5C — Mandiant (@Mandiant) April 13, 2022
The security bulletin listed Schneider products that could be targeted, as well as mitigation actions for its customers to “immediately implement” to protect their devices. These include updating software and firmware, replacing default accounts and passwords, and more.
“You should pay special attention to features and cybersecurity devices that help to restrict access to authorized users only,” Schneider said. “This includes examples such as Intrusion Detection System, network firewalls, secure remote access, device authentication, device firewall, disabling/filtering unsecure or programmable protocols.”
In research published on Wednesday, Mandiant said INCONTROLLER is “very likely” state-sponsored and is comparable to “TRITON, which attempted to disable an industrial safety system in 2017; INDUSTROYER, which caused a power outage in Ukraine in 2016; and STUXNET, which sabotaged the Iranian nuclear program around 2010.”
Mandiant shared three cyber physical attack scenarios that could be the result of an INCONTROLLER attack, including an incident that would result in a facility shutting down operations, sabotaging an industrial process, or disabling safety controllers to cause physical destruction.
“The loss of safety protection could allow the process to enter an unsafe state either naturally or through the attacker’s manipulation of the process,” Mandiant explained. “This could cause impacts to human safety, the environment, or damage to equipment, depending on the physical constraints of the process and the facility design.”
The discovery of INCONTROLLER/PIPEDREAM also prompted the DOE, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) to issue a joint cybersecurity advisory, which detailed that in addition to Schneider Electric’s products, the malware could be used against OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.
“Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the advisory explained. “By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”
The advisory urged critical infrastructure organizations, especially those in the energy sector, to implement detection and mitigation recommendations provided in the alert to detect potential malicious APT activity and harden their devices. These steps include enforcing multifactor authentication for all remote access to ICS networks and devices when possible, changing passwords, and leveraging continuous monitoring.
A unique aspect of the announcements this week is that they come ahead of PIPEDREAM/INCONTROLLER being used to target ICS/SCADA networks, said Dragos CEO and Co-Founder Robert M. Lee in a statement shared with Security Management.
This is the first time I'm aware of that an industrial cyber capability has been found *prior* to its deployment for intended effects. This capability was designed to be disruptive/destructive in nature - and we're actually a step ahead of the adversary. — Robert M. Lee (@RobertMLee) April 13, 2022
“This provides defenders a unique opportunity to defend ahead of the attacks,” Lee said. “While the malicious capability is sophisticated with a wide range of functionality, applying fundamental ICS cybersecurity practices such as having a defensible architecture, ICS-specific incident response plan, and ICS network monitoring provide a robust defense.”
Dragos began analyzing PIPEDREAM in early 2022 and found that it demonstrates “significant adversary research and development focused on disruption, degradation, and potentially destruction of industrial environment and physical processes,” the company detailed in a whitepaper published on Wednesday.
“We track its developers as the threat group CHERNOVITE, which we assess with high confidence to be a state actor that developed the PIPEDREAM malware for use in disruptive or destructive operations against ICS,” Lee said. “Specifically, the initial targeting appears to be liquid natural gas and electric community. However, the nature of the malware is that it works in a wide variety of industrial controllers and systems.”
Lee added that the malware initially targets Schneider Electric and Omron controllers, but clarified that there are no vulnerabilities specific to these product lines.
“PIPEDREAM takes advantage of native functionality in operations, making it more difficult to detect,” he said. “It includes features such as the ability to spread from controller to controller and leverage popular ICS network protocols, such as ModbusTCP and OPC UA.”
Malware designed specifically to target ICS/SCADA is still rare, but it is behind some of the most impactful cyber incidents of the 21st century. In Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, journalist Kim Zetter detailed the first known instance of malware being used in this way in an effort to sabotage Iran’s nuclear program. In Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, WIRED senior writer Andy Greenberg explored the group behind a series of cyberattacks—including Sandworm’s deployment of a tool that triggered a blackout in Kyiv, Ukraine, in 2016.
“The PIPEDREAM advisory serves as a particularly troubling new entry in the rogue’s gallery of ICS malware, however, given the breadth of its functionality,” Greenberg wrote for WIRED. “But its revelation—apparently before it could be used for disruptive effects—comes in the midst of a larger crackdown by the Biden administration on potential hacking threats to critical infrastructure systems, particularly from Russia.”
Besides the geopolitical ramifications, this crackdown could be important for ensuring the security and integrity of critical infrastructure as more groups begin targeting their systems. Previous research from Dragos found that there was a noticeable uptick in new groups targeting ICS in 2021.
“Currently, Dragos tracks 18 worldwide threat groups, with three of the newest groups discovered during 2021,” according to the report. “Two of the new activity groups—KOSTOVITE and ERYTHRITE—demonstrate Stage 2 ICS Cyber Kill Chain intrusions with a focus on access operations and data theft over disruption. This shows that adversaries are willing to spend time, effort, and resources targeting, compromising, and harvesting information from ICS/OT environments for future purposes.”