“Pipedream” Malware Targets ICS: What Critical Infrastructure Owners Need to Know

Troubling new malware designed to facilitate attacks on a wide array of critical infrastructure – from oil refineries and power plants, to water utilities and factories – is raising concerns for its versatility. The malware, named Pipedream by Dragos and Incontroller by Mandiant, who have both tracked and researched the toolkit, is potentially capable of gaining full system access to multiple industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.

Fortunately, there is no evidence yet that the malware has been successfully deployed in the wild, but the threat it poses to critical infrastructure is severe enough to warrant an advisory from multiple federal government agencies. This joint advisory was issued by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI). It says:

APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.

There have only been a handful of known and credible malware threats designed to specifically target critical infrastructure. The first such example is Stuxnet, which was uncovered in 2010 and was developed and used by the U.S. and Israeli governments to destroy nuclear enrichment centrifuges in Iran. In 2016, Industroryer (also known as Crash Override) was used by Russian actors to target electrical infrastructure and force blackouts in Kiev, Ukraine. Triton or Trisis was discovered in 2017, and again used by Russians to target Saudi Arabian oil refineries. Most recently, Ukrainian security officials detected a new variant of Industroyer linked with the current Russian offensive, just a few weeks ago.

Since Stuxnet opened the door to malware targeting critical infrastructure more than a decade ago, these are the most prevalent instances to be uncovered. And without even recording proof of it being deployed in the wild, Pipedream/Incontroller already stands apart because it can manipulate such a wide variety of industrial control programmable logic controllers (PLC) and industrial software used across industries.

In their joint advisory, DOE, CISA, NSA, and the FBI urge critical infrastructure organizations to implement a series of detection and mitigation recommendations to strengthen their security posture against the Pipedream/Incontroller threat. Among the 13 recommended steps outlined, XONA already naturally provides organizations with eight of them, including:

For more information on how XONA natively includes these protections for its customers and to learn how our technology can protect your organization, visit our resources page or reach out to schedule a demo.