US warns of state-backed malware designed to hijack critical infrastructure systems

U.S. government agencies are warning that state-backed hackers have developed custom malware that enables them to compromise and hijack commonly used industrial control system (ICS) devices.

The advisory, published jointly by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, NSA and the Department of Energy, warns that threat actors have developed a custom toolkit that enables them to scan for, compromise and control ICS devices once they’re connected to the operational technology (OT) network. The tools are specifically designed to target programmable logic controllers (PLCs) made by Schneider Electric and Omron, neither of which returned our request for comment.

The hackers also have malware that leverages an exploit to target Windows systems with ASRock motherboards to execute malicious code and move laterally to and disrupt IT or OT environments.

“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions,” the advisory warns.

While the federal agencies did not share any additional information on the hacking tools and malware mentioned in the advisory, security intelligence company Mandiant said it had been analyzing the ICS-oriented attack tools, which it has named Incontroller, since early 2022.

“Incontroller represents an exceptionally rare and dangerous cyber attack capability,” Mandiant wrote in its analysis of the threat, adding that it is comparable to Triton, Student and Industroyer. 

The latter was used by the Russia-backed Sandworm APT group to cut power in Ukraine in 2016, which left hundreds of thousands of customers without electricity two days before Christmas. A modified variant, dubbed “Industroyer2”, was recently deployed by the same attackers in an attempt to take down a Ukrainian energy provider, but the effort was successfully disrupted by the Computer Emergency Response Team of Ukraine (CERT-UA).

Mandiant added that Incontroller — which it says could be used to shut down critical machinery, sabotage industrial processes and disable safety controllers — is “very likely” to be state-sponsored, given its complexity and its “limited utility in financially motivated operations.” The cybersecurity firm said it couldn’t connect the malware with a known group, but said its activity is “consistent with Russia’s historical interest in ICS”.

Industrial cybersecurity startup Dragos has also been tracking the toolkit as “Pipedream”, which it said was created by a state-backed threat group called Chernovite that developed the malware in order to carry out “disruptive or destructive operations against ICS.”

Robert Lee, CEO and co-founder of Dragos, said that while the targeted controllers are common across a variety of industries, researchers believed the hackers’ intended targets were liquefied natural gas and electric facilities. However, he added that, to date, the malware has not been employed in target networks.

“This provides defenders a unique opportunity to defend ahead of the attacks,” Lee told TechCrunch, adding that Pipedream is only the seventh ever publicly known ICS-specific malware.

The U.S. government agencies urged critical infrastructure organizations, particularly those involved in energy, to take measures such as multi-factor authentication and consistent password changes to protect their control systems.