The world’s most advanced industrial malware, PIPEDREAM, could be hiding within critical infrastructure control systems ready to unleash its “wartime capabilities,” a management consultancy has warned.
In a post published this week, global business advisory firm Ankura Consulting Group said a worrying aspect of PIPEDREAM, developed by the Russian-linked threat group Chernovite, is its immunity to patching.
“This new-age malware is so dangerous because, in order to alienate the threat, you must fix the whole system rather than simply patching the software vulnerability, a feat that is much more costly, impractical, and time-consuming.”
In a recent report, industrial cybersecurity firm Dragos said the emergence of PIPEDREAM amounted to “a breakthrough escalation in capabilities” for hacking groups targeting industrial control systems (ICS).
“PIPEDREAM is the first reusable cross-industry capability that impacts native functionality in industrial protocols and a wide variety of devices,” the company wrote.
Pipedream was first identified in early 2022 and Ankura said while there had been no known deployments of the malware in the wild, that did not mean it was not a risk.
“Malware could still be sitting stealthily in ICS devices waiting to be executed or newer, more dangerous versions could be in development. If PIPEDREAM or malware with similar capabilities was deployed against a country’s critical infrastructure, it could result in blackouts, the inaccessibility of water systems, hazardous conditions at nuclear sites, and more.”
In February, Politico reported Dragos CEO Robert M. Lee saying Chernovite had attempted to use PIPEDREAM to take down “around a dozen” U.S. electric and liquid natural gas sites in 2022.
“This is the closest we’ve ever been to having U.S. or European infrastructure, I’d say U.S. infrastructure, go offline,” Lee said.
In its post this week, Ankura said there was sufficient evidence to “strongly imply” the group behind PIPEDREAM was state-sponsored by Russia.
Events in early 2022, including “the circumstantial timing of the invasion of Ukraine, Russia’s position against Europe and North America, and the White House’s timely warning about the risk of disruptive Russian cyberattacks help seal their linkage to PIPEDREAM,” it said.
In February this year, amid concerns about the threats posed by PIPEDREAM and other malware, members of the House Homeland Security Committee asked the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency to provide a briefing on potential cyberattacks that domestic terrorists could deploy against U.S. energy infrastructure.
Lee has noted in the past that PIPEDREAM represents just the seventh piece of ICS-specific malware that security researchers have discovered thus far, one that is “highly capable and worth paying attention to” because of its adaptability.
PIPEDREAM was developed to target protocols in two specific programmable logic controllers (PLCs) manufactured by Schneider Electric and OMRON, both used mainly in the energy sector.
But Ankura warns that even slight modifications can make it adaptable to a far wider range of PLCs with varying protocol languages. Because such controllers are prevalent in many other sectors of critical infrastructure, the potential threat from PIPEDREAM extends far beyond just energy suppliers.
“Schneider and Omron PLCs are used beyond the electric, oil, and gas sectors, and the numerous alternative PLCs using differing protocols could also become susceptible to malware of this magnitude with slight alterations and adaptations,” Ankura says.
“Future malware with the expansive capabilities seen in the PIPEDREAM toolkit poses a danger to all critical industries, including power grids, factories, water utilities, and oil refineries.”
