An “exceptionally rare and dangerous” advanced persistent threat (APT) malware kit, containing custom-made tools designed to target some of North America’s industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices, appears to have been caught before it could be let loose on America’s oil refineries and power grids.
Multiple US federal government agencies, including the FBI, NSA, and CISA, have released a joint advisory about this kit dubbed PipeDream. It features one-of-a-kind tools designed to work against systems belonging to Schneider Electric, OMRON, and the Open Platform Communications Unified Architecture (OPC UA).
While CISA has declined to name the state actor behind the tools, Mandiant and Dragos, two cybersecurity companies specializing in advanced persistent threats (APTs) that partnered with the agency, said that the tools’ behavior pointed to Russia as the likely source. However, this link, they say, is “largely circumstantial”.
Once inside ICS/SACADA operational technology (OT) networks, PipeDream can gain full system access to target devices, allowing them to scan, control, and compromise Windows-based engineering workstations using an exploit. Having full access also enables threat actors to elevate privileges, move laterally within the OT environment, and disrupt critical systems. Such disruptions could lead to machinery getting physically destroyed and, worse, loss of human lives.
Since the invastion of Ukraine began, President Biden has urged businesses to strengthen their security against possible Russian cyberattacks. However, cyberthreats against vital US infrastructure have been a concern for years, not least since Stuxnet successfully compromised nuclear centrifuges in Iran more than a decade ago.
ICS attacks—scary, but very hard to do
The outcome of a successful attack against vital infrastructure—such as a power grid, power station or water treatment plant—could be very bad indeed. And although we have yet to learn of a nation state successfully attacking one in the US, we can get a glimpse of the possible disruption by looking at other, similar forms of attack.
For example, a ransomware attack against Colonial Pipeline in 2021 caused it to halt operations for six days. Long lines of US motorists began queuing up at gas stations to panic buy fuel, causing prices to go up on the East Coast. A similar attack happened a month later, against meat processing giant JBS, stirring fear of shortages and price rises.
With catastrophic possibilities forecasted before any actual events ever happen, it is easy to get caught in the hype and assume that a critical infrastructure “big one” will play out sooner than expected. But such a possibility is, in fact, very slim, according to Lesley Carhart, principal threat hunter with Dragos.
Carhart spoke to Malwarebytes podcast host David Ruiz on an episode of the Lock and Code podcast last year all about disaster planning and the slim chance of a critical infrastructure “big one.”
Internet-connected ICS may be easy to find, but they are difficult to exploit in reality. Carhart attests to this. “These systems are honestly so complex and so distributed and so heterogeneous that they are really difficult to attack at scale,” she said.
The problem for attackers is that OT environments are all about risk mitigation. Their designers and operators spend their lives thinking about the risks in their environment and coming up with ways to mitigate them. Even if an attacker can compromise a computer and use it to make an environment do something it’s not supposed to, there are typically controls and operators primed to identify and stop errant systems before they can cause any harm.
“A more sophisticated, determined adversary has to think about how to get around those mitigations,” Carhart added.
A successful attack also demands a lot of time, resources, and preparation. According to Carhart, attackers oftentimes sit in networks for months and even build their own industrial facility to learn more about it. ICS attacks are “astronomically expensive”, she says.
Manufacturers of such systems are also increasingly creating them with security in mind. Despite what you might hear, Carhart does not think the dangers of an ICS “big one” are increasing. “In a lot of ways, people are more aware of the threats,” says Carhart. “They’re deploying more security monitoring, and they’re starting to build incident response plans for their industrial environments specifically. They’re starting to do threat hunting, penetration testing, [and] red teaming in their industrial environments.”
To learn more about the reality of defending critical infrastructure, listen to the podcast, embedded below.