New critical infrastructure malware is unlike anything cyber experts have seen


The Pipedream malware's most likely targets are liquefied natural gas and electric power environments, according to Dragos Inc., a cybersecurity firm that focuses on operational technology and industrial control systems.
Source: Felix Caesar/moment via Getty Images

Newly discovered malware capable of disrupting critical infrastructure incorporates learnings from high-profile energy sector cyberattacks and presents a new level of threat, according to industrial cybersecurity firm Dragos Inc.

Pipedream is the latest cyberweapon specifically designed to target industrial control systems, or ICS, which control industrial operations. The rise of ICS-focused malware has long raised concerns about devastating and deadly attacks on energy infrastructure, following successful disruptions to the Ukrainian electric grid, which the U.S. attributed to Russian nation-state actors.

The U.S. issued a warning April 13 that Pipedream has the ability to compromise widely used ICS equipment made by Schneider Electric SE and Omron. However, Dragos believes Pipedream can target controllers from hundreds of other vendors, many of which rely on a few common communication protocols.

"We haven't seen a tool set like this before that is so easy to use, and it can affect so many different devices," Dragos principal malware analyst Jimmy Wylie said during an April 26 webinar. "None of the malware that we've seen up until this point sort of has that broad range of capabilities."


The malware's most likely targets are liquefied natural gas and electric power facilities, according to Dragos. Its discovery follows warnings that Moscow could launch cyberattacks in retaliation for U.S. sanctions over Russia's invasion of Ukraine. It also dovetails with plans to increase U.S. LNG shipments to Europe as the continent aims to reduce its reliance on Russian gas.

Dragos believes that Pipedream is the work of a new activity group dubbed Chernovite, which is likely sponsored by a state actor. Based on its analysis of Pipedream, Dragos assessed that Chernovite is likely well-funded, well-versed in ICS protocols and intrusion techniques and skilled in software development, Wylie said.

Malware built for easy, long-term use

Pipedream is a toolkit of at least five pieces of malware, according to Dragos. Two of those tools, Evilscholar and Badomen, target programmable logic controllers, which receive data from industrial equipment and send instructions on how to respond to the data. That response could include shutting down the system if the data indicates unsafe operating conditions.

Evilscholar and Badomen are easy to use, indicating that Chernovite designed Pipedream for use by less capable attackers, according to Dragos. Pipedream is also modular, meaning Chernovite can essentially put new tools into the toolkit. Its modular nature signals that Chernovite plans to support its development for a long time, Dragos said.

Currently, attackers could use Pipedream to carry out 38% of known attack techniques on ICS, according to Dragos. Wylie expects Chernovite to add new modules and plug-ins to enable attackers to target a growing range of devices, something that Dragos has not previously observed.

One of the existing plug-ins allows attackers to manipulate small motors known as servos that run on a protocol called EtherCAT. Among their many uses, servos can adjust pressure control valves to regulate the flow of natural gas in pipelines, Wylie said.

Another tool within Pipedream, Mousehole, allows attackers to manipulate Open Platform Communications Unified Architecture, or OPC UA, servers, which facilitate data exchanges. Using Mousehole, attackers can scan operational technology networks to find an OPC UA server, break into the server to search for targets and manipulate operations of industrial systems, according to Dragos vulnerability analyst Sam Hanson.

"If implemented properly, this tool could be turned into an automated destructive capability," Hanson said.

Pipedream marks evolution of ICS malware

Pipedream is also the first malware observed by Dragos that shows an activity group learned from another ICS-focused group. Dragos said Mousehole is essentially an upgrade of CrashOverride, the malware deployed by Electrum to disrupt power to Kyiv in 2016.

CrashOverride was impressive because it used files that speak four different protocols to disrupt a Ukrainian substation, demonstrating a breadth of protocol knowledge, Wylie said. But the malware code was sloppy and Electrum did not appear to have a deep understanding of the protocols, he said. By contrast, the Trisis malware attack on a Middle East industrial facility in 2017 demonstrated a deep understanding of the protocol, which was used to research and attack an industrial safety system, he said.

Pipedream is "a big deal" because it combines CrashOverride's breadth of protocol knowledge with Trisis's deep understanding, Wylie said. "So in that sense, you really do get a good sense of adversary development over time, right?" he said. "In six years, we've gone from something that was sloppy and effective to something that's professionally made and easy to use."

The last two components of Pipedream, Dusttunnel and Lazycargo, target Microsoft Windows and demonstrate a goal to conduct full-scale cyberattacks. They would allow attackers to penetrate information technology systems, and then pivot to operational technology systems, where they could deploy the other three tools.

Wylie does not believe that Chernovite developed Pipedream for use in ransomware attacks. The resources that went into developing the malware were substantial, and attackers would not need such a sophisticated tool to merely hold data ransom, he said.

This is the first time that Dragos has identified state-sponsored, ICS-focused malware before it was deployed. According to Wylie, an undisclosed partner passed on information to Dragos that contributed to its discovery.

Mitigation

Companies can begin mitigating the threat posed by Pipedream by changing passwords, restricting access to Schneider and Omron devices, disabling certain features and monitoring programmable logic controllers for new connections, Dragos said.

Companies should also follow best practices for securing operational technology networks and ensure they are ready to respond to attacks, according to Dragos. That includes implementing and rehearsing incident response plans and preparing access to spare parts and inventory.
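One way to act on the "monitor programmable logic controllers for new connections" advice above is a baseline check over firewall or flow logs. The script below is an added example, not code from the article or from Dragos; the baseline, the log lines and the network addresses are constructed, and the port-to-protocol mapping (Modbus/TCP 502, OPC UA 4840, Omron FINS/TCP 9600) is an assumption about which ICS protocols run in the environment and should be adjusted to the site's asset inventory.

```python
"""Flag previously unseen client connections to PLC / OPC UA endpoints in flow logs.
Added example (not from the article or Dragos); baseline, ports and log lines are constructed."""

# Assumption: these are the ICS protocol ports in use; adjust to your asset inventory.
ICS_PORTS = {502: "Modbus/TCP", 4840: "OPC UA", 9600: "Omron FINS"}

# Constructed baseline: (client, PLC/server, port) triples seen during a known-good learning window.
BASELINE = {
    ("10.1.10.5", "10.1.20.11", 502),   # engineering workstation -> Schneider PLC
    ("10.1.10.5", "10.1.20.12", 9600),  # engineering workstation -> Omron PLC
    ("10.1.10.7", "10.1.20.50", 4840),  # historian -> OPC UA server
}


def parse_flow(line):
    """Parse a constructed 'timestamp src dst dport' line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    ts, src, dst, dport = parts
    return ts, src, dst, int(dport)


def find_new_ics_connections(lines, baseline=BASELINE):
    """Return (timestamp, src, dst, protocol) for flows to ICS ports not in the baseline."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed lines rather than crash the monitor
        ts, src, dst, dport = flow
        if dport not in ICS_PORTS:
            continue  # not an ICS protocol port; out of scope for this check
        if (src, dst, dport) in baseline:
            continue  # known client/PLC pair from the learning window
        alerts.append((ts, src, dst, ICS_PORTS[dport]))
    return alerts


# Constructed sample: one unknown host (10.1.10.99) reaching an OPC UA server and then a PLC.
SAMPLE_LOG = """\
2022-04-26T10:00:01 10.1.10.5 10.1.20.11 502
2022-04-26T10:00:05 10.1.10.7 10.1.20.50 4840
2022-04-26T10:01:12 10.1.10.99 10.1.20.50 4840
2022-04-26T10:02:30 10.1.10.99 10.1.20.11 502
2022-04-26T10:03:00 10.1.10.5 10.1.20.12 9600
garbage line
""".splitlines()

if __name__ == "__main__":
    for ts, src, dst, proto in find_new_ics_connections(SAMPLE_LOG):
        print(f"{ts} NEW {proto} client {src} -> {dst}")
```

A single new source host appearing first against the OPC UA server and then against a PLC is the pattern the Mousehole description above implies, so alerts are worth grouping by source host when triaging.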

S&P Global Commodity Insights produces content for distribution on S&P Capital IQ Pro.