The design of the tool, which allows full system access to certain operational technology in environments such as power plants and water treatment facilities, can also be used by less sophisticated attackers.
A yet unnamed advanced persistent threat actor has designed a way to penetrate devices used in industrial control systems, federal agencies warned Wednesday, urging related entities—particularly in the energy sector—to mitigate potential attacks.
“Certain advanced persistent threat actors have exhibited the capability to gain full system access to multiple industrial control system/supervisory control and data acquisition devices,” reads an alert issued Wednesday from the Cybersecurity and Infrastructure Security Agency, in collaboration with the FBI, the National Security Agency and the Department of Energy.
The specific devices include programmable logic controllers from Schneider Electric and Omron, as well as servers from Open Platform Communications Unified Architecture.
The devices are the kind of operational technology that caused Colonial Pipeline—fearing compromise—to shut down its operations last May “out of an abundance of caution” after ransomware perpetrators breached their information technology systems.
Now, the agencies say, “The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise and control affected devices once they have established initial access to the operational technology network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology or OT environments … By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment and disrupt critical devices or functions.”
Severing connections between the external internet and the targeted devices was the first mitigation control the agencies urged.
“DOE, CISA, NSA and the FBI recommend all organizations with ICS/SCADA devices … isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters,” they wrote.
Other mitigations include, among other things, the enforcement of multi-factor authentication, consistently changing all passwords to ICS/SCADA devices and systems, and maintaining backups offline with the use of hashing and integrity checks on firmware and controller configuration files to ensure their validity.
The alert notes that the advanced actor developed the tool in a way that would allow its use more broadly, and offer less sophisticated hackers a menu of attack options.
“The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities,” according to the alert.
Sharing the warning on the malware—being referred to as PIPEDREAM—Robert Lee, CEO of Dragos, a cybersecurity firm working with the Department of Energy to protect industrial control systems, praised the agencies’ work with private sector partners, which also included Schneider Electric and Microsoft as well as Mandiant and Palo Alto Networks, according to the alert.
“PIPEDREAM is the seventh ever ICS specific malware. It's highly capable and worth paying attention to,” he tweeted. “This is the first time, I'm aware of, that an industrial cyber capability has been found *prior* to its deployment for intended effects. This capability was designed to be disruptive/destructive in nature—and we're actually a step ahead of the adversary.”