Skip to content ↓ | Skip to navigation ↓

Agencies of the US Government have issued a joint warning that hackers have revealed their capability to gain full system access to industrial control systems that might help enemy states sabotage critical infrastructure.

In a joint cybersecurity advisory issued by the Department of Energy, the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI, a warning is given that unidentified hackers have created specialist malware that can cause major damage to industrial operations, and that the energy sector in particular should follow advice on how to defend and mitigate against the threat.

The advisory explains that custom-made tools have been created that target industrial control programmable logic controllers (PLCs) from OMRON and Schneider Electric, and servers from the open-source OPC Foundation.

As the advisory describes, the tools developed by the hackers enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network.

Furthermore, the attackers can exploit a vulnerability (CVE-2020-15368) in an ASRock motherboard driver to compromise Windows workstations used in IT or OT environments, helping them to move laterally through an organisation.

What does all this mean? It means that an adversary could disrupt, degrade, or even potentially destroy control systems used in industrial environments, potentially sabotaging operations involving electric power and liquified natural gas.

Security firm Dragos says it has been tracking the malware, which it has called “PIPEDREAM”, since early 2022.

The firm warns that “PIPEDREAM can affect a significant percentage of industrial assets worldwide.”

And it’s clear that the threat is serious, with the government’s warning – for instance – describing some of the ways in which the malware can impact Schneider PLCs:

  • Conduct a denial-of-service attack to prevent network communications from reaching the PLC
  • Sever connections, requiring users to re-authenticate to the PLC, likely to facilitate capture of credentials
  • Conduct a ‘packet of death’ attack to crash the PLC until a power cycle and configuration recovery is conducted

The following ICS/SCADA devices are said to be at risk from the custom tools deployed by the hackers:

  • Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078
  • OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT
  • OPC Unified Architecture (OPC UA) servers

Security response teams are being advised to ensure that multi-factor authentication is enforced for all remote access to ICS networks and devices whenever possible, that unique, strong passwords are in place, and that monitoring systems are deployed to log and alert on malicious indicators and behaviours.

The warning from the US Government arrives in the wake of a series of attacks which have been linked to the Russian invasion of Ukraine.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc

Mastering Configuration Management Across the Modern Enterprise