Feds warn about foreign government-connected hackers aiming to disrupt vital industrial systems - CyberScoop
2022-04-13 16:17 (EST) - Tim Starks
Written by Apr 13, 2022 | CYBERSCOOP
A joint federal advisory Wednesday says that foreign government-linked hackers are targeting specific industrial processes with tools meant to breach and disrupt them, with one cybersecurity firm noting that the prospective intruders demonstrate an unprecedented “breadth of knowledge” about industrial control systems.
The alert arrives one day after Ukrainian officials and a cyber firm discussed deflecting another ICS-targeting malware that attempted to shut down power in Ukraine. “ICS” is a term that encompasses a number of systems that are especially common in the energy and manufacturing sectors, including a variety known as supervisory control and data acquisition (SCADA).
Cybersecurity company Dragos, which aided in Wednesday’s alert, said it had named the advanced persistent threat (APT) group behind the tools Chernovite, and named the tools themselves Pipedream. Dragos said one potential use of the tools would be to disable an emergency shutdown system.
The Department of Energy, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency joined on the Wednesday alert .
“By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions,” states the advisory, which specifically calls on energy companies to take heed and says the malware could also be used for information-gathering.
By Dragos’ count, it’s the seventh-ever ICS-specific malware identified. It’s also the second this week: Ukraine and ESET on Tuesday talked about efforts to identify and beat back another kind, known as Industroyer2.
“The PIPEDREAM malware initially targets Schneider Electric and Omron controllers,” Rob Lee, CEO and co-founder of Dragos, said in a written statement. However, “there are not vulnerabilities specific to those product lines.”
“Specifically the initial targeting appears to be liquid natural gas and electric community,” Lee said. “However, the nature of the malware is that it works in a wide variety of industrial controllers and systems.”
Dragos as a matter of policy doesn’t publicly link APT groups to specific nations. The company said the malware was discovered before deployment by the hackers, but officials didn’t immediately answer questions about how that happened.
The advisory also thanked Mandiant, Microsoft, Palo Alto Networks and Schneider Electric for their contributions.
“The APT actors have developed custom-made tools for targeting ICS/SCADA devices,” according to the alert. “The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments.”
The tools are diverse and powerful, according to the Dragos analysis . They can undermine encryption and authentication, or bypass firewalls and threat detection defenses.
“The breadth of knowledge required to develop these tools indicates that CHERNOVITE is highly knowledgeable of ICS protocols, devices, and how to apply this knowledge to achieve an effect,” Dragos said. “It’s likely that they have a budget for acquiring devices in order to test their tool set.”
Said Wendi Whitmore, senior Vice President and head of Unit 42 at Palo Alto Networks: “Today’s alerts detail just how sophisticated our adversaries have gotten – developing custom tools that provide tremendous capabilities for adversaries to attack targeted infrastructure.”
-IN THIS STORY-
Cybersecurity and Infrastructure Security Agency (CISA) , Department of Energy (DOE) , Dragos , energy , ESET , Federal Bureau of Investigation (FBI) , industrial control systems (ICS) , Industroyer2 , Mandiant , Microsoft , National Security Agency (NSA) , Palo Alto Networks , Pipedream , SCADA , Schneider Electric , Ukraine
