Back-to-back industrial cyberthreats alarm global energy sector

Cybersecurity officials in the U.S. and Ukraine have exposed two powerful hacking tools aimed at the industrial control systems that underpin critical energy networks. One of the malware strains nearly cut electricity to two million Ukrainians, while the second has never been deployed but still drew stark warnings from U.S. agencies and cybersecurity companies.

The last example of malware tailor-made to twist a knife into critical infrastructure networks’ ICS underbelly emerged in 2017. Now, two ICS-focused malware variants have come to light in the same week, an unprecedented escalation in control system threats that’s ringing alarm bells from Kyiv to Washington.

Unlike the Triton malware, which caused a string of outages at a major Saudi Arabian petrochemical plant in 2017, the latest two ICS cyberthreats, dubbed Industroyer2 and Pipedream, evidently failed to cause disruptions.

“PIPEDREAM could be successful — it’s extremely capable and flexible. It was found before it was deployed in the target networks though,” Robert M. Lee, CEO of industrial cybersecurity firm Dragos, told README, calling its discovery “a huge win for defense.”

The rise of Pipedream and Industroyer2 highlights how quickly changes can wash over the threat landscape for ICS networks, which still tend to be highly specialized, relatively isolated and difficult to target. The back-to-back threats have also appeared as Russia continues its invasion of Ukraine in a hybrid war that has drawn White House warnings about potential cyberattacks on U.S. targets.

Industroyer2, aimed squarely at disrupting Ukraine’s power grid, puts an exclamation point on Russia’s willingness to target Ukrainian civilian networks and could upend some expert assessments about the extent of Moscow’s cyber aggression in the wider conflict. And while Pipedream has not been attributed to the Russian government, its sophistication has drawn comparisons to past Russian attack tools like Triton.

Investigations into the malware samples are ongoing, but both are believed to have been developed by state-backed hackers with deep understanding of control system networks, and Ukraine has attributed Industroyer2 to Russia. ICS and SCADA systems, like those that support power grids worldwide, often use their own sets of arcane protocols and network architectures that vary widely from site to site.

That obscurity is part of the reason ICS-specific cyberthreats are incredibly rare — just seven malware strains have ever been found to specifically target control systems, counting Industroyer2 and Pipedream, according to Dragos.

“Time to focus on ICS/SCADA,” NSA cybersecurity director Rob Joyce said on Twitter, linking to an advisory on the Pipedream toolkit issued by NSA, CISA, FBI and the Energy Department. “Isolating ICS/SCADA networks and limiting connections, along with strong passwords/monitoring, aren’t new mitigations but they help critical infrastructure defenders prevent disruptions, stop threat actors from their objectives.”

Electricity in the crosshairs

Ukraine’s Computer Emergency Response Team shared news of the Industroyer2 malware on Tuesday, four days after an attempted cyberattack on a major Ukrainian power provider.

Had it been successful, the attack linked to Russia’s GRU military intelligence agency could have cut off power to roughly two million people, a top Ukrainian energy official said. The Industroyer2 tool had been carefully crafted to match the network parameters of the substations it targeted, building on some of the same source code used in the original Industroyer malware sample triggered in a Ukrainian transmission company’s networks in late 2016.

That Industroyer cyberattack cut off power to over a quarter million people for several hours in the dead of winter. The Ukrainian government, cooperating with Microsoft and the Slovakian cybersecurity firm ESET, was able to prevent Industroyer’s successor from causing a blackout, despite Industroyer2’s enhancements.

“Technically, it was more developed and sophisticated as compared to the version that we came to know back in 2016,” Victor Zhora, deputy head of Ukraine’s State Special Service for Digital Development, Digital Transformations and Digitization, said during a virtual press briefing Tuesday. “The threat was serious, but it was prevented in a timely manner.”

Industroyer2 is a brutish tool replete with disk wipers for Windows, Linux and Solaris operating systems, as ESET researchers wrote in an analysis of the malware. It incorporates the IEC-104 communications protocol used by certain substations and protective relays, which act like circuit breakers for big electricity networks. And it takes pains to cover up its tracks as it manipulates specific ICS components to force a power outage.
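As an added example (not code from the article, ESET or Dragos), a small monitor in the spirit of the isolation-and-monitoring advice above: it parses IEC-104 frames and flags control-direction commands that arrive from any host other than a known control-centre master. The frames and IP addresses are constructed sample data.

```python
"""Tiny IEC 60870-5-104 APDU inspector (added example, not from the article).
Flags I-format ASDUs carrying control commands from hosts that are not on the
expected control-centre allowlist. All frames and addresses are constructed."""
from dataclasses import dataclass
from typing import Optional

# Type IDs of control-direction commands (single/double/step/setpoint/bitstring
# commands, with and without CP56Time2a time tags).
CONTROL_TYPES = set(range(45, 52)) | set(range(58, 65))
COT_ACTIVATION = 6  # cause of transmission: activation

@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cot: int
    common_addr: int
    ioa: int

def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Return the ASDU of an I-format frame, or None for S/U frames or bad input."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        return None
    if frame[2] & 0x01:  # control-field bit 0 set: S- or U-format, no ASDU
        return None
    asdu = frame[6:]
    if len(asdu) < 9:    # type, VSQ, COT(2), CA(2), first IOA(3) at minimum
        return None
    return Asdu(type_id=asdu[0], num_objects=asdu[1] & 0x7F, cot=asdu[2] & 0x3F,
                common_addr=asdu[4] | (asdu[5] << 8),
                ioa=asdu[6] | (asdu[7] << 8) | (asdu[8] << 16))

def is_unexpected_control(frame: bytes, src_ip: str, allowed_masters: set) -> bool:
    """True when a control-command activation arrives from a host that is not a known master."""
    asdu = parse_apdu(frame)
    return (asdu is not None and asdu.type_id in CONTROL_TYPES
            and asdu.cot == COT_ACTIVATION and src_ip not in allowed_masters)

# Constructed sample: C_SC_NA_1 (type 45) single command, CA=1, IOA=1, ON / execute
SINGLE_CMD = bytes([0x68, 0x0E, 0x00, 0x00, 0x00, 0x00,
                    0x2D, 0x01, 0x06, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01])
# Constructed sample: U-format TESTFR act keep-alive, carries no ASDU
TESTFR_ACT = bytes([0x68, 0x04, 0x43, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    masters = {"10.0.0.1"}  # assumed control-centre address
    for ip, frame in [("10.0.0.1", SINGLE_CMD), ("10.0.0.99", SINGLE_CMD),
                      ("10.0.0.99", TESTFR_ACT)]:
        print(ip, "ALERT" if is_unexpected_control(frame, ip, masters) else "ok")
```

In a real deployment the allowlist would come from the site's own network inventory, and the frames from a passive tap on the substation LAN rather than from constants.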

‘Exceptionally rare and dangerous’

Pipedream, by contrast, has not been deployed in an actual attack, cybersecurity researchers say. But that doesn’t make it any less menacing.

Cybersecurity company Mandiant, which tracks Pipedream by the name Incontroller, warned in its own analysis today that the tool “represents an exceptionally rare and dangerous cyber attack capability.”

Pipedream zeroes in on programmable logic controllers — a type of rugged computer used for industrial processes like managing the flow of electricity or natural gas — with an eye toward a handful of specific industrial devices produced by Omron and Schneider Electric.

“We highly doubt that the threat actor would target these devices at random,” Mandiant said. “It is more likely they were chosen because of reconnaissance into specific target environment(s).”

The devices themselves could “plausibly be present in a variety of industrial sectors and processes,” Mandiant added, leaving Incontroller’s endgame unclear.

Pipedream “does not require vulnerability exploitation after initial access: It seeks out specific devices and takes control of the programmable logic itself that is built into those devices,” Danielle Jablanski, OT cybersecurity strategist for industrial cybersecurity firm Nozomi Networks, told README.

Held up against Industroyer2, “INCONTROLLER has a broader potential impact given the hijacking of that native functionality of the devices targeted and how many of those devices are out there,” she added. “It’s a highly targeted payload compared to a very sophisticated set of techniques.”