14 Apr 2022 | 20:20 UTC

Energy sector in crosshairs of 'rare, dangerous' state-sponsored malware threat

Highlights

Initial target appears to be LNG, electric facilities

Disruption, destruction of assets possible

Report finds cyber talent gap slowing defenses

US critical infrastructure operators are working with federal agencies and private cybersecurity experts to bolster their cyber defenses against a new malware threat with the potential to disrupt and sabotage industrial equipment critical to oil, gas and power operations.

The US government April 13 warned industry that certain threat actors now possess the ability to "gain full system access" to multiple devices embedded within supervisory control and data acquisition (SCADA) and industrial control systems (ICS) used across the energy arena to monitor and automate operations.

With custom-made tools, those threat actors can "scan for, compromise, and control affected devices once they have established initial access to the operational technology network," the Department of Energy, Cybersecurity and Infrastructure Security Agency, National Security Agency and Federal Bureau of Investigation said in a joint cybersecurity advisory.

Cybersecurity firms Dragos and Mandiant, which have been tracking the new ICS-tailored malware since early 2022, believe it was crafted by a state-sponsored actor that has yet to deploy it against targeted networks.

"Specifically, the initial targeting appears to be liquid natural gas and electric community specific," Dragos CEO Robert Lee said in a statement. "However, the nature of the malware is that it works in a wide variety of industrial controllers and systems."

Dubbed Pipedream by Dragos, the seventh-ever ICS-specific malware can subvert programmable logic controllers manufactured by Japan's Omron and France's Schneider Electric, as well as servers that use an open-source framework for exchanging data between sensors and cloud applications.

Lee pointed out that there are no vulnerabilities specific to those product lines. Rather, "Pipedream takes advantage of native functionality in operations, making it more difficult to detect."

Mandiant, which tracks the malware under the moniker Incontroller, acknowledged that the malware's capabilities could compromise products from a variety of original equipment manufacturers, but said it highly doubted that Schneider and Omron devices were targeted at random.

"It is more likely they were chosen because of reconnaissance into specific target environments," Mandiant said in a blog post, which described the malware as "exceptionally rare and dangerous" as it "contains capabilities related to disruption, sabotage, and potentially physical destruction."

'Talent gap'

The news comes as the cybersecurity firm Trellix released a global cyber readiness report April 14 that asserted a "cybersecurity talent gap is slowing the implementation of defensive technologies despite the current threat landscape, availability of private sector innovations, and greater willingness to invest."

The report surveyed 900 cybersecurity professionals from organizations with 500 or more employees across critical infrastructure industries.

As part of the survey, 75% of respondents from the oil and gas sector admitted they had not yet fully deployed multifactor authentication, and 55% of oil and gas sector respondents blamed a lack of in-house cyber skills for why their cyber defenses were not fully deployed.

"The Pipedream malware demonstrates again that ICS is a focus of skilled threat actors attempting to disrupt the operations of a nation's critical infrastructure," Christiaan Beek, lead scientist of threat research at Trellix Threat Labs, said in an email. "The way the malware operates and its capabilities demonstrate that it can be widely used to attack code, protocols and platforms."

Bryan Palma, CEO of Trellix, added in a statement that "we need to scale security skills to prevent understaffed critical infrastructure from falling victim to cyberattacks."

Mitigation, discovery methods

Because this malware has not yet been employed, "this provides defenders a unique opportunity to defend ahead of the attacks," Lee said.

The US government, Dragos, Mandiant and others have offered a range of mitigations and discovery methods that the oil, gas and power sectors can deploy to protect themselves.

Among the most urgent steps recommended by DOE, CISA, NSA and the FBI were to enforce multifactor authentication for all remote access to ICS networks; change all passwords on ICS/SCADA devices to device-unique strong passwords to mitigate password brute-force attacks; and leverage a properly installed continuous OT monitoring solution to log and alert on malicious indicators and behaviors.

Lee said that "applying fundamental ICS cybersecurity practices such as having a defensible architecture, ICS-specific incident response plan, and ICS network monitoring [would] provide a robust defense against this threat."

Schneider Electric released a security bulletin detailing protective measures to defend against this malware that it identified and developed in collaboration with Mandiant and the departments of Energy and Homeland Security.

"This is an instance of successful collaboration to deter threats on critical infrastructure before they occur and further underscores how public-private partnerships are instrumental to proactively detect and counter threats before they can be deployed," Schneider Electric said.

Russian threat

A new threat group Dragos identifies as Chernovite is believed to be behind the development of the malware. While Lee expressed "high confidence" that Chernovite is a state actor intent on "disruptive or destructive operations against ICS," Dragos otherwise does not make assessments regarding attribution of malicious cyber activity.

Mandiant pointed to "the complexity of the malware, the expertise and resources that would be required to build it, and its limited utility in financially motivated operations" to make its determination that a state-sponsored group was behind this threat.

Mandiant went a step further, saying the activity at issue was "consistent with Russia's historical interest in ICS" as well as with the cyberattacks Russia employed that caused blackouts in Ukraine in 2015 and 2016.

"While our evidence connecting Incontroller to Russia is largely circumstantial, we note it given Russia's history of destructive cyberattacks, its current invasion of Ukraine, and related threats against Europe and North America," Mandiant said.

The cyberthreat to US energy assets has been heightened by the possibility of retaliatory cyberattacks from Russian actors as the US, along with European leaders, continues to ratchet up sanctions and tighten penalties on Russian President Vladimir Putin's inner circle over the invasion of Ukraine.

"Our members have adopted a 'Shields Up' posture, implementing CISA, FBI, and TSA recommendations and tightening security protocols, and will remain in this heightened security posture for as long as necessary," Maggie O'Connell, director of security, reliability and resilience for the Interstate Natural Gas Association of America, said in an email April 14.

She added that INGAA members "examine these advisories for specific products affected and apply the detection and mitigation measures, as necessary," with a primary goal of maintaining operational safety and reliability.

Scott Aaronson, senior vice president for security and preparedness at the Edison Electric Institute, said the "National Security Council's 100-day sprint for [ICS] cybersecurity" left the US electric power industry with "incredibly sophisticated threat monitoring tools in place."

Further, action taken to allow for information sharing among industry and government stakeholders "in near real-time means that actionable intelligence is quickly making its way into the hands of system operators," he said.