The feds have discovered a “Swiss army knife” for hacking industrial control systems


Malicious software designed to target industrial control systems such as power grids, factories, water utilities, and oil refineries is a rare form of digital evil. So when the United States government warns of a piece of code that targets not just one of these industries but potentially all of them, critical infrastructure owners around the world should take heed.


On Wednesday, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI jointly released an advisory about a new set of hacking tools with the potential to interfere with a wide range of industrial control system equipment. Larger than any previous industrial control hacking toolkit, the malware contains a set of components designed to disrupt or take control of devices, including programmable logic controllers (PLCs) sold by Schneider Electric and OMRON that are designed for use as an interface between traditional computers and the actuators and sensors in industrial environments. Another component of the malware is designed to attack Open Platform Communications Unified Architecture (OPC UA) servers, the computers that communicate with these controllers.


“This is the most extensive tool for attacking industrial control systems that anyone has ever documented,” says Sergio Caltagirone, vice president of threat intelligence at industrial cybersecurity company Dragos, which contributed to the research for the advisory and published its own report on the malware. Researchers from Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric also contributed to the advisory. “It’s like a Swiss army knife with a huge amount of detail.”

Dragos says the malware can hijack targeted devices, disrupt or block operators from accessing them, disable them permanently, or even use them as a springboard to give hackers access to other parts of an industrial control system network. Caltagirone notes that while the toolkit Dragos calls “Pipedream” appears to be designed specifically for Schneider Electric and OMRON PLCs, it does so by abusing the underlying software in those PLCs, known as Codesys, which is far more widely used in hundreds of other types of PLCs. This means the malware could easily be adapted to work in almost any industrial environment. “This set of tools is so large that it’s practically free for everyone,” says Caltagirone. “There’s enough here for everyone to have something to worry about.”


The CISA bulletin attributes the malware suite to an unnamed “APT actor,” using the common acronym for advanced persistent threat, a term for government-sponsored hacker groups. It’s far from clear where government agencies found the malware or what country the hackers who created it are from, although its release follows warnings from the Biden administration that the Russian government is taking preparatory steps to launch subversive cyberattacks in the midst of its invasion of Ukraine.

Dragos also declined to comment on the origin of the malware. But Caltagirone says it has apparently not yet been used against a victim, or at least it hasn’t yet caused any real physical impact on a victim’s industrial control systems. “We have high confidence that it has not yet been applied to destructive or disruptive activities,” says Caltagirone.

While the toolkit’s adaptability means it can be used in virtually any industrial environment, from manufacturing to water treatment, Dragos notes that the apparent focus on Schneider Electric and OMRON PLCs suggests hackers could have built it with power grids and refineries in mind, especially natural gas liquefaction plants, given the widespread use of Schneider in the power industry and the widespread adoption of OMRON in the oil and gas sector. Caltagirone suggests that the ability to send commands to servo motors in these petrochemical plants via OMRON PLCs would be particularly dangerous, as it could lead to “destruction or even death.”

The CISA bulletin does not list any specific vulnerabilities in the devices or software that the Pipedream malware targets, though Caltagirone says it exploits several zero-day vulnerabilities — previously unknown, unpatched software flaws — that are still being patched. However, he notes that even fixing these vulnerabilities will not hinder most of Pipedream’s capabilities, as it is largely designed to abuse the intended functionality of target devices and send legitimate commands in the protocols they use. The CISA advisory includes a list of measures that infrastructure operators should take to protect their operations, from restricting the network connections of industrial control systems to deploying monitoring systems for ICS networks, in particular ones that send alerts on suspicious behavior.

When WIRED contacted Schneider Electric and OMRON, a Schneider spokesperson responded in a statement that the company had worked closely with the US government and security firm Mandiant and that together they “identified and developed protective measures to protect against” the newly discovered set of attack tools. “This is an example of successful collaboration to prevent threats in critical infrastructure before they occur, and further highlights how public-private partnerships play an important role in proactively detecting and countering threats before they can be deployed,” the company added. OMRON did not immediately respond to WIRED’s request for comment.

The discovery of the Pipedream malware suite is a rare addition to the small number of malware samples found in the wild that target industrial control system (ICS) software. The first and still most famous example of such malware is Stuxnet, code created by the United States and Israel that was discovered in 2010 after being used to destroy nuclear enrichment centrifuges in Iran. More recently, Russian hackers known as Sandworm, part of the Kremlin’s GRU military intelligence agency, deployed a tool called Industroyer or Crash Override to cause a blackout in the Ukrainian capital Kyiv at the end of 2016.

The following year, Kremlin-linked hackers infected the systems of the Petro Rabigh refinery in Saudi Arabia with malware known as Triton or Trisis, which was designed to target its safety systems – with potentially catastrophic physical consequences – but instead caused two plant shutdowns. Then, just last week, Russian Sandworm hackers were discovered using a new variant of their Industroyer code to attack a regional electricity company in Ukraine, although Ukrainian officials say they succeeded in detecting the attack and preventing the power outage.

However, the Pipedream advisory is a particularly disturbing new entry in the rogues’ gallery of ICS malware given the breadth of its functionality. But its revelation – presumably before it could be used to devastating effect – comes in the midst of a wider crackdown by the Biden administration on potential threats to critical infrastructure systems, especially from Russia. For example, last month the Department of Justice unsealed indictments against two Russian hacker groups with a history of attacking power grids and petrochemical systems. One indictment makes the first mention of one of the hackers allegedly responsible for the Triton malware attack in Saudi Arabia, and accuses him and his associates of attacking US oil refineries. In the second indictment, three agents of the Russian FSB intelligence service are named as members of a notorious hacking group known as Berserk Bear, responsible for a decade of power grid hacks. And then earlier this month, the FBI moved to disrupt a botnet of network devices controlled by Sandworm, so far the only hackers in history known to have caused power outages.

Even though the government has taken steps to identify and even disarm these subversive hackers, Pipedream is a powerful suite of malware in unknown hands that infrastructure operators must take action to protect themselves from, Caltagirone says. “It’s not a small thing,” he says. “This is a clear and present danger to the safety of industrial control systems.”
