Gov’t Advisory Warns of Pipedream Malware Aimed at ICS

The U.S. government this week tried to get ahead of possible attacks on industrial control systems (ICS), particularly in the energy sector, by the recently discovered Pipedream malware, a modular ICS attack framework that is equally dangerous to industrial controllers from vendors such as Omron and Schneider Electric and to industrial technologies such as Modbus, CODESYS and OPC UA.

That’s an awful lot of industrial systems around the globe that could be targets of attack.

“Certain advanced persistent threat (APT) actors have exhibited the ability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices,” the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI said in a joint Cybersecurity Advisory (CSA).

“ICS SCADA and IoT devices are honeypots for threat actors as they represent soft targets. Such systems are often managed by the facilities team and not always at the latest firmware levels and, consequently, seldom fully compliant with Purdue MEP NIST 800-53 frameworks,” said Raju Pimplasker, CEO at Dispersive Holdings, Inc.

Marty Edwards, vice president of OT security at Tenable, who served as President Obama’s CERT director, called the alert “concerning,” particularly since “the actors are apparently capable of directly interacting and manipulating the OT devices.”

And “if attackers are successful, the consequences of such intrusions are vast and can be potentially devastating. When your adversary is using advanced tools to potentially disrupt your system, then organizations must have the people, processes and technology in place beforehand to harden their environments and detect any malicious activity.”

Noting that the bad actors have created “custom-made tools” that target ICS/SCADA devices, the agencies said they can “scan for, compromise and control affected devices once they have established initial access to the operational technology (OT) network.”

If that’s not bad enough, the miscreants “can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the government said. “By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment and disrupt critical devices or functions.”

The government is particularly worried about organizations in the energy sector.

The modular architecture and ability to conduct highly automated exploits against devices make Pipedream particularly dangerous, although there is no evidence of compromise just yet. “The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device,” the alert explained. “Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.”

The APT actors can “scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents and modify device parameters,” the agencies noted.

“The APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel,” they said. “Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions.”
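One way a defender can hunt for the driver named in the advisory in endpoint telemetry, as an added example that is not from the article or the advisory: it scans constructed, Sysmon-style DriverLoad (Event ID 6) records for any load of AsrDrv103.sys, regardless of the path it was dropped in or the letter case used. The event field names are simplified and the host names and paths are assumptions.

```python
import json
import ntpath

# Driver name taken from the advisory quoted above (CVE-2020-15368 BYOVD driver).
KNOWN_VULNERABLE_DRIVERS = {"asrdrv103.sys"}

# Constructed sample events, not real telemetry. Shape loosely follows
# Sysmon Event ID 6 (DriverLoad) with a few fields dropped.
SAMPLE_EVENTS = [
    '{"EventID": 6, "Host": "EWS-01", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\drivers\\\\ndis.sys", "Signed": "true", "Signature": "Microsoft Windows"}',
    '{"EventID": 6, "Host": "EWS-01", "ImageLoaded": "C:\\\\Users\\\\ops\\\\AppData\\\\Local\\\\Temp\\\\AsrDrv103.sys", "Signed": "true", "Signature": "ASRock Incorporation"}',
    '{"EventID": 1, "Host": "EWS-02", "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe"}',
    '{"EventID": 6, "Host": "HMI-07", "ImageLoaded": "d:\\\\tools\\\\ASRDRV103.SYS", "Signed": "true", "Signature": "ASRock Incorporation"}',
]


def driver_basename(path):
    # Normalise slashes, keep only the file name, and case-fold it so that
    # a renamed directory or mixed-case copy does not evade the match.
    return ntpath.basename(path.replace("/", "\\")).lower()


def find_vulnerable_driver_loads(raw_events):
    """Return one hit per DriverLoad event whose image is a known-vulnerable driver."""
    hits = []
    for line in raw_events:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if ev.get("EventID") != 6:
            continue  # only driver-load records are relevant here
        name = driver_basename(ev.get("ImageLoaded", ""))
        if name in KNOWN_VULNERABLE_DRIVERS:
            hits.append({"host": ev.get("Host"), "path": ev.get("ImageLoaded"), "driver": name})
    return hits


if __name__ == "__main__":
    for h in find_vulnerable_driver_loads(SAMPLE_EVENTS):
        print(f"[ALERT] {h['host']}: known-vulnerable driver {h['driver']} loaded from {h['path']}")
```

A valid ASRock signature on the driver is not a reason to suppress the alert: the advisory's point is that the driver is legitimately signed yet exploitable, so the load itself is the signal.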

The government alert could be responding “to recent reports from ESET, Microsoft and CERT-UA about a new variant of the Industroyer malware in Ukraine,” said Silas Cutler, principal reverse engineer at Stairwell. “Both Industroyer and Pipedream highlight the continued targeting of critical infrastructure by foreign adversaries through cyberwarfare.”

Cutler said that “while critical infrastructure is generally considered off-limits for cyber operations because of the risk of endangering consumers, we’ve seen attacks against both communication infrastructure (Viasat) and Ukraine’s electrical grid in the midst of this conflict.”


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
