Several U.S. government agencies on Wednesday issued a joint warning about the discovery of malicious cyber tools created by unnamed advanced threat actors, which they said were capable of gaining “full system access” to several industrial control systems.
The public warning from the Departments of Energy and Homeland Security, the FBI and the National Security Agency did not name the actors or provide details about the find. But their private-sector cybersecurity partners said the evidence suggests Russia is behind the tools, and that they were initially configured to target North American energy targets.
One of the cybersecurity companies involved, Mandiant, said in a report that the functionality of the tools was “consistent with the malware used in Russia’s previous physical attacks”, although it acknowledged that the evidence linking it to Moscow is “largely circumstantial”.
It called the tools “unusually rare and dangerous”.
Another government partner, Robert M. Lee of Dragos, agreed that a state actor almost certainly made the malware, which he said was configured to initially target liquefied natural gas and electric power in North America.
Lee referred questions about the state actor’s identity to the US government and would not explain how the malware was discovered other than to say it was captured “before an attack was attempted”.
“We are actually one step ahead of the opponent. None of us want them to understand where they made it,” Lee said. “Great victory.”
The Cybersecurity and Infrastructure Security Agency (CISA), which published the warning, declined to identify the threat actor.
The US government has warned critical infrastructure industries to guard against possible cyber attacks from Russia in retaliation for severe economic sanctions imposed on Moscow in response to its invasion of Ukraine on 24 February.
Officials have said Russian hackers’ interest in the U.S. energy sector is particularly high, and CISA, in a statement Wednesday, urged operators to pay particular attention to the mitigation measures recommended in the alert. Last month, the FBI issued a warning that Russian hackers had scanned at least five unnamed energy companies for vulnerabilities.
Lee said the malware was “designed to be a framework to go after many different types of industries and be exploited multiple times. Based on its configuration, the initial targets would be LNG and electrical in North America.”
Mandiant said the tools pose the greatest threat to Ukraine, NATO members and other states helping Kiev in its defense against Russian military aggression.
It said the malware could be used to shut down critical machines, sabotage industrial processes and disable safety controllers, leading to the physical destruction of equipment and potentially to the loss of human lives. It compared the tools to Triton, the malware attributed to a Russian government research institute that targeted critical safety systems and twice forced the emergency shutdown of a Saudi oil refinery in 2017, and to Industroyer, the malware that Russian military hackers used the previous year to trigger a power outage in Ukraine.
Lee said the newly discovered malware, called Pipedream, is only the seventh piece of malware ever identified that was designed to attack industrial control systems.
Lee said Dragos, which specializes in industrial control system protection, identified and analyzed its capabilities in early 2022 as part of its normal business research and in collaboration with partners.
He would not go into further detail. In addition to Dragos and Mandiant, the U.S. government’s alert offers thanks to Microsoft, Palo Alto Networks and Schneider Electric for their contributions.
Schneider Electric is one of the manufacturers listed in the warning whose equipment is targeted by the malware. Omron is another.
Mandiant said it had analyzed the tools in early 2022 with Schneider Electric.
In a statement, Palo Alto Networks Director Wendi Whitmore said: “We have been warning for years that our critical infrastructure is constantly under attack. Today’s warnings describe exactly how sophisticated our opponents have become.”
Microsoft had no comments.