Agencies are warning organizations in the energy sector that advanced persistent threat groups (APTs) have developed custom tools that allow them to compromise industrial control system (ICS) devices. Pictured: Transmission towers and power lines lead to a substation after a snow storm on Feb. 16, 2021, in Fort Worth, Texas. (Photo by Ron Jenkins/Getty Images)

Four federal agencies are warning organizations in the energy sector that multiple advanced persistent threat groups (APTs) have developed custom tools that allow them to compromise and hijack commonly used industrial control system (ICS) devices.

The advisory, published jointly by the Cybersecurity and Infrastructure Security Agency, the FBI, NSA and Department of Energy, names multiple versions of Schneider Electric MODICON and MODICON Nano programmable logic controllers, OMRON programmable logic controllers and OPC Unified Architecture servers.

The tools, which were developed with a modular architecture, allow the groups to initiate highly automated and highly customized attacks against targeted devices. They are typically deployed after an actor gains initial access to an IT network and include a console that mimics the interface used for ICS devices. This makes it easier for “lower skilled cyber actors to emulate higher skilled actor capabilities.”

“The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters,” the agencies warned.

The advisory does not specify which APT groups have the capability or how recently they acquired it, nor does it explicitly state whether the warning is derived from ongoing or active intelligence about a forthcoming attack, as previous joint alerts have done. U.S. officials and the private sector have been on high alert for much of the year as they brace for the possibility of cyber spillover or retaliation from the Russia-Ukraine war.

Among the 13 recommendations the agencies provide are to isolate ICS and SCADA systems from the rest of the IT and OT networks, limit those systems’ access to specific management and engineering workstations as needed, change passwords to ICS/SCADA devices on a regular schedule and monitor systems to catch “unusual drivers,” particularly ASRock drivers.
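As an added illustration of the access-limiting and monitoring recommendations above (this is example code written for this article, not part of the agencies' advisory or any vendor tooling), the script below scans firewall-style connection logs for sessions on the standard Modbus TCP port (502) and OPC UA port (4840), the two ICS protocols named later in the article, and flags any that reach the controller segment from a host outside an allow-list of engineering workstations. The log format, IP addresses, allow-list and controller subnet are all constructed for the example.

```python
"""Added example, not from the advisory or the article: flag ICS-protocol
sessions into the controller segment that do not originate from an
allow-listed engineering workstation.

Assumptions (all constructed for illustration): the firewall log format,
the workstation allow-list, the controller subnet and the sample entries.
Ports 502 and 4840 are the standard Modbus TCP and OPC UA ports."""
import ipaddress
import re

# Standard ports for the two ICS protocols mentioned in the article.
ICS_PORTS = {502: "Modbus TCP", 4840: "OPC UA"}

# Constructed allow-list: the only management/engineering workstations that
# are permitted to talk ICS protocols to the controllers.
ENGINEERING_WORKSTATIONS = {"10.20.1.10", "10.20.1.11"}

# Constructed controller (ICS/SCADA) segment, isolated from the rest of IT/OT.
CONTROLLER_SEGMENT = ipaddress.ip_network("10.30.0.0/24")

# Constructed log format: "<timestamp> ALLOW <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ALLOW (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed-format log line; return None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_unexpected_ics_sessions(lines):
    """Return alert strings for ICS-protocol sessions into the controller
    segment whose source is not an allow-listed engineering workstation."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-matching line: skip, do not crash
        proto = ICS_PORTS.get(rec["dport"])
        if proto is None:
            continue  # not an ICS protocol port we care about
        if ipaddress.ip_address(rec["dst"]) not in CONTROLLER_SEGMENT:
            continue  # destination is outside the controller segment
        if rec["src"] in ENGINEERING_WORKSTATIONS:
            continue  # expected path: allow-listed workstation
        alerts.append(
            f"{rec['ts']} {proto} session to {rec['dst']} "
            f"from non-allow-listed host {rec['src']}"
        )
    return alerts


# Constructed sample log: two expected sessions, two that should be flagged,
# one non-ICS session and one malformed line.
SAMPLE_LOG = [
    "2022-04-13T10:00:01Z ALLOW 10.20.1.10:50112 -> 10.30.0.5:502",
    "2022-04-13T10:00:07Z ALLOW 10.20.1.11:50113 -> 10.30.0.6:4840",
    "2022-04-13T10:02:44Z ALLOW 10.20.5.77:49200 -> 10.30.0.5:502",
    "2022-04-13T10:03:10Z ALLOW 10.20.5.77:49201 -> 10.30.0.9:4840",
    "2022-04-13T10:04:00Z ALLOW 10.20.5.77:49202 -> 10.40.0.3:443",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in find_unexpected_ics_sessions(SAMPLE_LOG):
        print(alert)
```

In practice the allow-list would be driven from the same source of truth as the firewall rules between the IT and controller segments, so that a session the firewall permitted but the allow-list does not know about points at either a rule drift or an unexpected path into the ICS network.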

Many "aren't new mitigations but they help critical infrastructure defenders prevent disruptions stop threat actors from their objectives," said Rob Joyce, the NSA's director of cybersecurity.

Private organizations help identify "PIPEDREAM" malware targeting energy sector

The advisory also notes that private companies Dragos, Mandiant, Microsoft, Palo Alto Networks and Schneider Electric contributed to the underlying technical research.

While it does not attribute the capabilities to a specific actor or group, Dragos CEO and founder Rob Lee said his firm had “high confidence” that the malware, which they are calling "PIPEDREAM,” was developed by a state actor with an intent to disrupt key infrastructure. It’s a surprisingly flexible and adaptive piece of malware. According to a white paper from Dragos, it’s capable of executing 38% of known ICS attack techniques and 83% of known ICS attack tactics measured against the MITRE ATT&CK for ICS malicious behavior matrix.

“The PIPEDREAM malware initially targets Schneider Electric and Omron controllers. However, there are not vulnerabilities specific to those product lines,” Lee said in a statement. “PIPEDREAM takes advantage of native functionality in operations, making it more difficult to detect. It includes features such as the ability to spread from controller to controller and leverage popular ICS network protocols such as ModbusTCP and OPC UA.”

Keith Lunden, a manager at Mandiant Intelligence, said the malware, which they are tracking under the name INCONTROLLER, is “actually three separate malware families designed to work in concert to cause a cyber physical impact.”

Lee noted that, following the discovery of Industroyer2 this past week, this is only the seventh piece of ICS-specific malware that security researchers have discovered to date, and one that is “highly capable and worth paying attention to.”

“This is the first time, I'm aware of, that an industrial cyber capability has been found prior to its deployment for intended effects. This capability was designed to be disruptive/destructive in nature - and we're actually a step ahead of the adversary,” Lee said on Twitter after the advisory was published.