Russia-Linked Pipedream/Incontroller ICS Malware Designed to Target Energy Facilities

Schneider Electric says there is no evidence that Incontroller/Pipedream malware exploits vulnerabilities

The US government and cybersecurity firms on Wednesday released details of new malware designed to manipulate and disrupt industrial processes by hacking into industrial control systems (ICS).

The malware, described as a modular ICS attack framework and collection of bespoke tools, can be used by threat actors to target ICS and SCADA devices, including Schneider Electric Programmable Logic Controllers (PLCs). and Omron, and OPC UA servers.

Reviews and blog posts describing the toolset have been published by industrial cybersecurity firm Dragos, which tracks it as Pipedream, threat intelligence and incident response firm Mandiant, which tracks the malware under the name Incontroller, as well as CISA, FBI, NSA and the Department of Energy. government organizations issued a joint notice.

Incontroller/Pipedream can be used by a malicious actor who has access to the targeted organization’s operational technology (OT) network to seek out ICS and SCADA devices and take control of those systems. The toolset also includes a tool that can be used to target Windows devices by exploiting a vulnerability in an ASRock motherboard driver (CVE-2020-15368).

The malware relies on widely used technologies to achieve its goals, allowing attackers to move laterally, elevate their privileges, or disrupt critical functions or devices, all without requiring advanced hacking skills.

Dragos follows the threat actor who developed Pipedream as a Chernovite, but he hasn’t released any attribution-related information, other than that it’s likely a state-sponsored group. .

The company believes the malware hasn’t been deployed in the wild – its carrier likely plans to use it in future operations. Based on Dragos’ analysis, Pipedream was designed to target electric power and liquefied natural gas (LNG) facility equipment, but it could easily be adapted to other types of environments, as well as to devices other than Schneider and Omron PLCs.

Learn more about industrial threats at SecurityWeek’s ICS Cybersecurity Conference

Dragos tracks the various Pipedream components like EvilScholar, BadOmen, DustTunel, MouseHole, and LazyCargo.

Mandiant said he found no links to known threat groups, but his experts also believe the toolset was developed by a state-sponsored threat actor, possibly a Russian group, given the country’s “historical interest in the ICS”.

“While our evidence linking Incontroller to Russia is largely circumstantial, we note this given Russia’s history of destructive cyberattacks, its current invasion of Ukraine, and related threats against Europe. and North America,” Mandiant said.

The company tracks Incontroller components like TagRun, CodeCall, and OmShell. According to Mandiant, these components could allow hackers to crash PLCs, send unauthorized commands to PLCs in an attempt to alter the physical behavior of field devices, and disable security systems in an attempt to cause destruction. physical.

In a notice on Wednesday, Schneider Electric said it began investigating the APT toolset in early 2022 with Mandiant. The industrial giant noted that Incontroller/Pipedream appears to abuse legitimate features to achieve its goals and does not exploit any vulnerabilities.

“While we are not aware, as of the date of this publication, of any confirmed or potential targets leveraging Incontroller, the framework poses a critical risk to organizations using the targeted devices. The framework has capabilities related to disruption, sabotage and potentially physical destruction,” Schneider warned.

The malicious framework can target several models of Schneider PLCs, as it has the ability to communicate with all versions of Modbus and CODESYS devices, including those managed with EcoStruxure Machine Expert and SoMachine software.

Schneider said an attacker could take advantage of the framework to scan the network for potential targets, make devices inaccessible, connect to PLCs to brute-force their passwords, upload and download files, launch attacks DoS and perform read/write operations on the OPC. – AU server.

The company advised organizations to ensure the software and firmware running on their devices is up to date, set strong passwords and replace default accounts, disable unused protocols and check controllers for s ensure that the application running on them has not been tampered with.

Omron and the OPC Foundation do not appear to have issued any opinions or statements regarding the new malware.

The Incontroller/Pipedream alert comes just days after ESET and Ukraine CERT announced the discovery of new malware that hackers unsuccessfully attempted to use to cause a power outage in Ukraine. The new malware, named Industroyer2, has been linked to a Russian group known as Sandworm, which has been linked to the Russian military intelligence agency GRU.

Industroyer2, used in an attack targeting high-voltage electrical substations, is also designed to interact with ICS to cause disruption. Industroyer2 came with several wipers intended to erase tracks and make recovery more difficult.

Related: ICS Patch Tuesday: Siemens and Schneider Fix Multiple Critical Vulnerabilities

Related: Fixed high-severity vulnerabilities in Omron’s PLC programming software

Related: Thousands of industrial companies targeted in attacks using short-lived malware

Related: BlackCat Ransomware Targets Industrial Companies

Edouard Kovacs (@EduardKovacs) is a SecurityWeek Contributing Editor. He worked as a high school computer teacher for two years before starting a career in journalism as a security reporter for Softpedia. Eduard holds a bachelor’s degree in industrial computing and a master’s degree in computer techniques applied to electrical engineering.

Previous columns by Eduard Kovacs:

About Marco C. Nichols

Check Also

10 Hidden Locations In Mario Games That Most Players Never Find

Few things are as satisfying as completing a game, especially ones that are peppered with …