Staff at the Electricity Information Sharing and Analysis Center (E-ISAC) warned this week that Russia’s electronic warfare teams are becoming more aggressive, both in their attacks against Ukraine and in their willingness to punish the country’s perceived allies worldwide.
“They will use a number of tools in their toolkit, including dis- and misinformation, as well as cyber and physical attacks against critical infrastructure, including the grid in North America,” Matthew Duncan, director of intelligence at the E-ISAC, said during Thursday’s regular Talk with Texas RE webinar. “We know this because they have done it before, whether it was in Ukraine in 2015 and 2016, or this week.”
By “this week,” Duncan was referring to the revelation on Wednesday of a new breed of malware with the ability to gain full access to a wide range of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices. The threat was first publicized by cybersecurity firm Dragos, which called the new malware “Pipedream” and its developer “Chernovite”; the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) separately confirmed the discovery in a joint statement with the FBI and National Security Agency.
Pipedream makes use of “custom-made tools for targeting ICS/SCADA devices,” CISA said in its advisory; in particular, the malware targets programmable logic controllers (PLCs) from Schneider Electric and Omron Automation, along with Open Platform Communications Unified Architecture (OPC UA) servers. PLCs are computer systems that constantly monitor the state of input devices and control the state of output devices, while OPC UA is an open-source standard for data exchange between sensors and cloud applications.
The malware is deployed once attackers have established a foothold in an operational technology (OT) network. Attackers can use the malware to look up details on the target device, upload malicious configurations and code, back up or restore its contents, and modify its parameters. They can also “move laterally within an IT [information technology] or OT network and disrupt critical devices or functions.”
Dragos believes Pipedream has not yet been deployed in the wild, calling it “a rare case of accessing and analyzing malicious capabilities … before their deployment and … a unique opportunity to prepare in advance.” The same cannot be said of another threat exposed this week by Ukraine’s Computer Emergency Response Team (CERT), an apparent sequel to the Industroyer malware used by Russian attackers to devastating effect against Ukraine’s energy sector in 2016.
In the first Industroyer attack, hackers managed to knock about 20% of Kyiv’s power grid offline for about an hour; the U.S. Department of Justice later brought criminal charges against six Russian military intelligence officers believed to be involved in the attack. (See Six Russians Charged for Ukraine Cyberattacks.) Unlike the earlier incident, this week’s hack — dubbed “Industroyer2” — was apparently foiled before any outages were caused. However, Duncan warned that the incident shows the seriousness of the ongoing threat.
“Analysts reported clear similarities between the components of [the first] Industroyer and the sequel that was announced this week, and they have high confidence that the new malware was created by the same authors: this Sandworm team [from] the Russian military intelligence,” Duncan said. “But the exact capabilities of this new grid-focused malware specimen remain far from clear, and I suspect we will see more information coming out about this in the coming days.”
Against the rising threat level, Duncan praised the U.S. government for ramping up its efforts to disrupt operations against domestic targets; in particular, he pointed to the FBI’s announcement last week that it had shut down a Russian government-operated botnet — a group of thousands of devices with malware that allows hackers to use them for coordinated cyberattacks — before it did any harm. He urged private sector organizations to work with each other and with the government to ensure that threats are spotted quickly.
“It’s good to see that the government is being proactive and engaging the adversary on this, and that’s why it’s really important to share information with government partners [and] with the E-ISAC to make sure we’re [connecting] those dots,” Duncan said.