But private security experts working in parallel with government agencies to analyze the system said it was likely Russian, that its top target was likely liquefied natural gas production facilities, and that it would take months or years to develop strong defenses against it.
This combination makes the discovery of the system, dubbed Pipedream by industrial control security experts Dragos, the recognition of the worst fears of longtime cybersecurity experts. Some compared it to Stuxnet, which the United States and Israel used more than a dozen years ago to damage equipment used in Iran’s nuclear program.
The program manipulates equipment found in virtually every complex industrial plant instead of exploiting unknown faults that can be easily corrected so that almost any plant can fall victim, investigators said.
“This is going to take years to recover,” said Sergio Caltagirone, vice president of threat intelligence at Dragos and a former global technical director at the National Security Agency.
The first report on the discovery of the system came in a joint warning issued by the National Security Agency, the Ministry of Energy, the Cybersecurity and Infrastructure Security Agency and the FBI. The agencies urged the energy sector and others to install monitoring programs and require multifactor authentication for remote login, among other steps.
“The tools have a modular architecture and enable cyber actors to perform highly automated exploits against targeted devices,” the advisory said.
Dragos said the malicious computer code was likely aimed at liquefied natural gas plants because its most detailed methods of attack appeared to be aimed at targeting equipment that would be in such facilities.
In particular, the programs include methods for undermining controllers made by Schneider Electric of France and Omron of Japan, as well as an open source framework for moving data from sensors to applications, called OPC Unified Architecture.
The software is designed to take advantage of long-standing problems that make it difficult to defend control systems. These include industry requirements for compatibility between products manufactured by different vendors, which means that data flowing from one type of equipment to the next must travel unencrypted.
Another systemic flaw is that it is difficult to monitor what is going on inside physical equipment.
Perhaps the most troubling aspect of the software was its apparent efforts to target the way most industrial facilities protect themselves from cyber attacks by keeping aspects of the operation separate from each other.
Pipedream can target hundreds of types of so-called programmable logic controllers, or PLCs, that connect operations. A couple of previous industrial attacks, including one attributed by Western intelligence to Russia against energy plants, attacked a specific kind of PLC used in security equipment.
Two years ago, the United States sanctioned a Russian laboratory that it said was behind the software, called Triton or Trisis, that was used in the 2017 attack on a Saudi petrochemical plant. That attack cost millions of dollars in lost plant production, but could have been far worse if it had worked as designed.
Pipedream goes further by using the ubiquitous code in PLCs to break through layers and probe deeper into the heart of a facility.
Largely based on previous attacks, security firm Mandiant said Russia was likely behind the new system and that those most at risk in the short term included Ukraine and NATO countries protecting it from Russia’s attacks.
The attack kit “contains features related to disruption, sabotage and potential physical destruction. Although we are not able to definitively attribute the malware, we note that the activity is in line with Russia’s historical interest,” said Mandiant Director of Intelligence Analysis Nathan Brubaker.
Liquefied natural gas, including from the United States, is playing a growing role as an alternative to Russian oil and gas imports, which the EU has promised to reduce due to the invasion.