Dive Brief:
- Federal authorities, including the Cybersecurity and Infrastructure Security Agency, FBI and Department of Energy on Thursday urged critical infrastructure providers to take immediate cyber mitigation efforts, as certain advanced persistent threat actors developed custom-made tools that can take over certain industrial devices.
- Mandiant researchers working with Schneider Electric warned that state-sponsored threat actors developed a set of tools Mandiant calls Incontroller, which can be used to shut down or sabotage a facility, or to disable safety controllers, at various industrial sites including power plants. The firm compared the capabilities of this toolset to the 2017 Triton industrial attack and the 2010 Stuxnet worm used against an Iranian nuclear site.
- The company warned the tools pose the greatest threat to sites in Ukraine, NATO member states and other countries actively opposing the Russian invasion.
Dive Insight:
Federal officials have openly questioned for weeks the limited amount of cyber activity targeted at the U.S. following the launch of the Ukraine war. However, they have not made any specific attribution to the current threat activity.
President Biden warned repeatedly that an attack against the U.S. or NATO allies would be met with a robust response, as the U.S. is known to have significant offensive cyber warfare capabilities.
Mandiant officials called the capabilities of the Incontroller tools "exceptionally rare and dangerous." The company cannot definitively attribute the malware to a specific country, but Nathan Brubaker, director of intelligence analysis at Mandiant, said the activity is consistent with Russia's historic interest in industrial control systems.
The Incontroller tools were designed to target certain Schneider Electric and Omron devices embedded in different machinery across different industries, according to Brubaker.
Researchers at Dragos said the new malware, which Dragos calls Pipedream, is the seventh publicly known malware aimed at industrial control systems. Dragos said the malware was developed by a state actor it tracks as Chernovite, but when asked whether a specific nation-state was behind it, Dragos officials said the company does not make assessments about attribution.
Robert Lee, co-founder and CEO of Dragos, said the malware initially targeted Schneider Electric and Omron controllers, but cautioned there aren't vulnerabilities specific to those product lines. Initial targeting appears to be liquid natural gas and electric community sites.
Federal authorities said the specific devices vulnerable to the malware tools include Schneider Electric programmable logic controllers, Omron Sysmac NEX PLCs and Open Platform Communication Unified Architecture servers.
Schneider Electric provided a security bulletin with mitigation measures that can be used to protect systems.
CISA officials said the advisory, which also involves the National Security Agency, is designed to provide important information about the threat and recommended mitigations for critical infrastructure providers.
"We know that threat actors continue to conduct reconnaissance for vulnerable industrial control system (ICS) internet connected devices, leverage custom-made tools and exploit known vulnerabilities," said Eric Goldstein, executive assistant director for cybersecurity at CISA, in a statement.