Several US government agencies have issued a joint alert announcing the discovery of malicious cyber tools capable of gaining “full system access” to multiple industrial control systems
By FRANK BAJAK AP Technology Writer
Apr 13, 2022 11:12 p.m
• 4 minutes reading time
Share on FacebookShare on TwitterEmail this article
BOSTON — Multiple U.S. government agencies issued a joint alert on Wednesday that a number of malicious cyber tools developed by unnamed advanced threat actors have been discovered and are capable of sabotaging the energy sector and other critical industries.
The public alert from Energy and Homeland Security, the FBI and the National Security Agency did not name those involved or give details of the find. But their private-sector cybersecurity partners said the evidence suggests Russia is behind the tools disrupting the industrial control system — and that they have been configured to initially target North American energy companies.
One of the cybersecurity firms involved, Mandiant, called the tools “exceptionally rare and dangerous”.
A report said the tools’ functionality was “consistent with malware used in Russia’s previous physical attacks,” although it acknowledged that the evidence linking it to Moscow was “largely circumstantial.”
Another government partner’s CEO, Robert M. Lee of Dragos, agreed that a state actor almost certainly created the malware, which he says was originally configured to target liquefied natural gas and electricity sites in North America.
Referring questions to the US government about the state actor’s identity, Lee did not explain how the malware was discovered, other than saying it was intercepted “prior to an attempted attack.”
“We’re actually a step ahead of our opponents. None of us want them to understand where they went wrong,” Lee said. “Big win.”
The Cybersecurity and Infrastructure Security Agency, which issued the alert, declined to identify the threat actor.
The US government has warned the critical infrastructure industry of possible cyberattacks from Russia in retaliation for severe economic sanctions imposed on Moscow in response to its February 24 invasion of Ukraine.
Officials have said Russian hackers are particularly interested in the US energy sector, and CISA in a statement Wednesday urged it to pay particular attention to mitigation measures recommended in the alert. Last month, the FBI issued an alert that Russian hackers have been scanning at least five unnamed energy companies for vulnerabilities.
Lee said the malware was “designed as a framework to track many different types of industries and be used multiple times. Based on configuration, initial targets would be LNG and Electric in North America.”
Mandiant said the tools posed the greatest threat to Ukraine, NATO members and other states aiding Kyiv in its defense against Russian military aggression.
The malware could be used to shut down critical machines, sabotage industrial processes, and disable safety controls, which could result in physical destruction of machines that could result in loss of human life. It compared the tools to Triton, a malware traced to a Russian government research institute that targeted critical security systems and twice forced an emergency shutdown of a Saudi oil refinery in 2017, and to Industroyer, the malware that Russian military hackers used the previous year to trigger a Power failure in Ukraine.
Lee said the newly discovered malware, named Pipedream, is only the seventh such malicious software identified designed to target industrial control systems.
Lee said Dragos, which specializes in protecting industrial control systems, identified and analyzed its capabilities in early 2022 as part of its normal business research and in collaboration with partners.
He did not want to give any further details. In addition to Dragos and Mandiant, the US government thanks Microsoft, Palo Alto Networks and Schneider Electric for their contributions.
Schneider Electric is one of the manufacturers listed in the alert whose devices are affected by the malware. Omron is another.
Mandiant said it analyzed the tools with Schneider Electric in early 2002.
In a statement, Wendi Whitmore, chief executive officer of Palo Alto Networks, said: “We have been warning for years that our critical infrastructure is under constant attack. Today’s warnings show how sophisticated our adversaries have become.”
Microsoft had no comment.
—-
AP writer Alan Suderman contributed from Richmond, Virginia