The newly discovered Pipedream malware is aimed at American energy companies’ critical networks with alarming precision. Though it was caught before it could be used, the hacking tool’s emergence against the backdrop of war in Ukraine has drawn stark warnings from the U.S. and its allies.
MIAMI BEACH — Former U.S. Air Force cyber warfare officer Robert M. Lee has a message for the state-sponsored hacking crew behind the latest cyberthreat menacing industrial control systems: “You’re an asshole, and none of us like you.”
Lee, now CEO of ICS-focused cybersecurity firm Dragos, took to the stage here at the S4 industrial security conference to shed light on the mysterious Pipedream malware — but he also took a jab at those who built it.
“I know very well that there are plenty of adversaries out there that watch these videos — you’re sitting around in your office, you think you’re clever,” Lee said, referring to a threat group Dragos is tracking as “Chernovite.”
“I just want to let you know that you are an embarrassment, and the fact is that we found your capability before you even got a chance to use it,” he said at the conference, which draws hundreds of top ICS security professionals and cybersecurity executives to Miami Beach each year but was delayed due to the coronavirus pandemic.
The Pipedream malware framework, also known as Incontroller, is designed to worm deep into operational technology networks, triggering disruptive payloads for victims that use Schneider Electric and Omron industrial devices in tandem. Its focus on programmable logic controllers — rugged devices that can be found everywhere from nuclear power stations to soda manufacturing plants— sets it apart from run-of-the-mill threats like ransomware. And while details surrounding its genesis and intended targets are still murky, Pipedream’s potential to hit U.S. liquefied natural gas and electricity providers has put top U.S. cybersecurity officials on edge.
“These control systems can break things and have physical effects on systems that underpin our daily lives,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told README on the sidelines of S4. “Actors are rarely going after these systems unless there is some end goal with disruption or corruption or manipulation or destruction in mind, and we worry a lot about that.”
CISA issued a warning today alongside cybersecurity authorities in Australia, Canada, New Zealand and the U.K. that cites Russia’s potential to “disrupt critical industrial control systems (ICS)/OT functions by deploying destructive malware.” While the U.S. hasn’t attributed the latest Pipedream threat to Moscow, the alert cites “evolving intelligence” that Russia could be gearing up for cyberattacks beyond Ukraine’s borders.
At S4, Easterly announced a flurry of actions to help secure U.S. critical infrastructure, from plans to hire nearly two dozen control system security specialists at CISA to expanding the civilian cybersecurity agency’s Joint Cyber Defense Collaborative to feature ICS vendors and experts.
“We’re going to tap into the ingenuity, the innovation, the expertise of this particular community — the ICS/OT community,” Easterly told S4 founder Dale Peterson in an onstage interview this morning.
Pressed by Peterson on her agency’s “shields up” stance bracing for constant cyberthreats, Easterly acknowledged the risk of burnout and “vigilance fatigue” but stood by the need for caution.
“My folks and a lot of the folks in this room probably need a friggin’ break,” she said. “We’re not there yet, though.”
A “new era” for energy security
Pipedream contains a range of modular components that can be tweaked to target a wide range of industrial environments worldwide, according to Dragos’ analysis.
But it was developed with both Schneider Electric and Omron products in mind, offering clues as to its intended victims.
“These control systems are in much wider places than are being discussed,” Lee said. “There’s real concern when you find this exact [Schneider Electric and Omron] configuration not in small manufacturing environments, but you’ll find these in backup auxiliary units for nuclear power plants.”
Dragos and cybersecurity firm Mandiant, which is also analyzing Pipedream/Incontroller, have declined to share how they unearthed the malware tool before it could be deployed. Mandiant Intelligence Director Nathan Brubaker said the company has picked up on evidence of a “Russia nexus” for Incontroller but the investigation is still ongoing.
“There’s quite a lot of code and it’s really complex,” he said onstage on Tuesday at S4. “It probably would have taken a team of engineers and subject matter experts many months if not more to write.”
For its part, Schneider Electric issued a security bulletin on the Pipedream threat and has separately joined the new ICS-focused CISA defense collaborative.
“While our sector and the broader technology industry were already sensitive to growing cybersecurity vulnerabilities, we now find ourselves in a new era of energy security concerns and a greater need to bolster and protect the critical energy infrastructure of the customers we serve,” Schneider Electric’s North America President and CEO Annette Clayton said in a blog post today detailing the industrial automation company’s response.
She cited President Biden’s March 21 statement warning of the increased risk of malicious cyber activity in U.S. critical infrastructure. “I can say with certainty that we at Schneider Electric have seen such an increase and we remain vigilant in protecting our company and customers,” Clayton added.
Pipedream has failed to launch in any U.S. critical infrastructure networks, let alone cause physical damage, according to Dragos and Mandiant. Still, cybersecurity experts and CISA have urged energy companies to take a close look at their networks for signs of suspicious activity linked to the threat, which is one of just seven malware strains ever found to have ICS-specific functionality.
“Every time one [ICS threat] comes out we go, ‘hey, we have six, we have seven’ — we measure it in months and years. We’ve probably had seven new catastrophic bugs in enterprise this week,” said Ron Fabela, co-founder and CTO of industrial asset and network monitoring startup SynSaber.
“With Incontroller, they’re being kind of coy as to how and where they found it,” Fabela told README. “But the fact that it wasn’t deployed and it had no impact… That to me is a huge win.”
