Russian-Linked Malware Targets U.S. Critical Infrastructure

Key Points 

• PIPEDREAM is a malware with wartime capabilities, specifically built to target two popular programmable logic controllers (PLCs) that are predominantly used in the industrial control systems (ICSs) of U.S. electric, oil, and gas companies.
• While it was developed to target protocols in two specific PLCs, slight modifications have made it adaptable to a far wider range of PLCs with varying protocol languages, making it a threat to all critical infrastructure sectors rather than just energy alone.
• Although it was discovered before being executed in the wild, patching known vulnerabilities is a minimally effective defense against these attacks because this malware is intended to hijack devices and send legitimate commands in the protocols they use. 
• This next-level capability exposes a vulnerability in design, signaling a problem within the ICS architecture rather than its software.

Summary

In the early stages of the war in Ukraine in 2022, PIPEDREAM, a known malware was quietly on the brink of wiping out a handful of critical U.S. electric and liquid natural gas sites. PIPEDREAM is an attack toolkit with unmatched and unprecedented capabilities developed for use against industrial control systems (ICSs). 

The malware was built to manipulate the network communication protocols used by programmable logic controllers (PLCs) leveraged by two critical producers of PLCs for ICSs within the critical infrastructure sector, Schneider Electric and OMRON. 

The resources and technical expertise required to develop this malware with this level of sophistication, coupled with its limited financially motivated utility and wartime application, indicate that a state-sponsored hacking group was likely the creator [1]. The target, as well as the timing, tactics, techniques, and procedures (TTPs) of PIPEDREAM strongly imply the Russian state is the culprit [1]. 

Tactics, Techniques, and Procedures

PIPEDREAM was inherently built to target electric grids and oil refineries, particularly liquified natural gas facilities [2]. Such targets are consistent with Russian interests, and the country has a history of using cyberattacks against ICS assets. Havex, Black Energy 2, Industroyer, Triton, and Industroyer 2 are five of the six known ICS-tailored attack frameworks, all of which have been attributed to Russia [3]. Lastly, the circumstantial timing of the invasion of Ukraine, Russia’s position against Europe and North America, and the White House’s timely warning about the risk of disruptive Russian cyberattacks help seal their linkage to PIPEDREAM [2].

When networks on different devices communicate, they must have agreed-upon protocols that allow them to transfer data across the network in an effective and organized manner. Industrial automation operations have their own set of network protocols that allow the many computers and other equipment that speak different languages to seamlessly communicate with one another. 

The translator between the networks is the vulnerability that PIPEDREAM was built to exploit. This is a vulnerability in the architecture itself. The problem is not the software; however, it is the design. This new-age malware is so dangerous because, in order to alienate the threat, you must fix the whole system rather than simply patching the software vulnerability, a feat that is much more costly, impractical, and time-consuming [3]. 

PIPEDREAM has three components, each targeting different protocols in the industrial automation process: 

1. TAGRUN targets the protocol that assists in the communication between assets and servers, allowing attackers to perform reconnaissance by monitoring production systems and control processes. 
2. CODECALL provides attackers with a method to connect to devices, load and execute commands, brute force login credentials, delete or retrieve files, disconnect sessions, and crash systems. 
3. OMSHELL grants backdoor access to carry out payload or command executions, device resets, memory wipes, process shutdowns, network traffic captures, and data configurations, restorations, or backups [1].

Conclusion

Since being discovered in March 2022, no known disruptive or destructive attacks leveraging PIPEDREAM have been carried out on ICSs in the U.S. [4]. Upon its discovery, the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, National Security Agency, and Department of Energy jointly published an advisory detailing the actions that should be taken to mitigate ongoing risks and vulnerabilities. 

Despite zero reports of this malware having been deployed in the wild, this does not mean that the risks are not present. Malware could still be sitting stealthily in ICS devices waiting to be executed or newer, more dangerous versions could be in development. 

Moreover, an overlooked danger of PIPEDREAM is that the main proactive defense of patching exploitable vulnerabilities offers minimal protection, as the nature of the malware is intended to hijack devices through the inherent protocols built into their design [4]. The inability to properly anticipate and avoid these risks could be catastrophic. If PIPEDREAM or malware with similar capabilities was deployed against a country’s critical infrastructure, it could result in blackouts, the inaccessibility of water systems, hazardous conditions at nuclear sites, and more.

Schneider and Omron PLCs are used beyond the electric, oil, and gas sectors, and the numerous alternative PLCs using differing protocols could also become susceptible to malware of this magnitude with slight alterations and adaptations. 

Future malware with the expansive capabilities seen in the PIPEDREAM toolkit poses a danger to all critical industries, including power grids, factories, water utilities, and oil refineries [4]. A threat capable of shutting down U.S. critical infrastructure would have been detrimental and should be a lesson moving forward. 

For more information about PIPEDREAM malware or emerging threats, please contact the Ankura Cyber Investigations & Incident Response team. 

NEVER MISS CRITICAL CYBER INTELLIGENCE UPDATES

Sign up for the Ankura FLASH Update today to get access to weekly threat intelligence to help prepare your business for encountering emerging cyber threats.

[1] https://www.mandiant.com/resources/blog/incontroller-state-sponsored-ics-tool

[2] https://www.wired.com/story/pipedream-ics-malware/

[3] https://www.darkreading.com/vulnerabilities-threats/pipedream-response-shows-best-case-for-industrial-security

[4] https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/

[5] https://www.dragos.com/threat/chernovite/

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.