The U.S. government has issued a security warning about state-sponsored actors' use of specialized malware targeting industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices. The advisory highlights the increasing sophistication of cyber threats against critical infrastructure.
According to alerts from multiple U.S. agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), advanced persistent threat (APT) groups have created custom tools specifically aimed at ICS/SCADA systems. These tools facilitate scanning, compromising, and controlling vulnerable devices once initial access to operational technology (OT) networks has been achieved.
Particularly at risk are Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers. The threat actors reportedly exploit a vulnerability in an ASRock-signed motherboard driver, which allows unauthorized access to Windows-based engineering workstations in both IT and OT environments.
This joint advisory was coordinated by the U.S. Department of Energy (DoE), CISA, the National Security Agency (NSA), and the FBI, and it emphasizes the need for immediate attention from organizations that rely on these systems. The threat is significant because the tooling appears intended to elevate privileges within networks, enabling lateral movement and potential sabotage of critical functions in sectors such as liquefied natural gas (LNG) and electric power.
Cybersecurity firm Dragos has been monitoring this malware, referred to as “PIPEDREAM,” since early 2022. This modular ICS attack framework provides adversaries with the ability to disrupt, degrade, and potentially destroy industrial operations ranging from safety controls to operational processes, underscoring the threat it poses to safety and availability within industrial environments.
Dragos has linked the malware to a state-sponsored actor they identify as CHERNOVITE, noting with high confidence that this destructive capability has not yet been deployed in real-world attacks. This represents a concerning precedent whereby an industrial cyber capability has been identified prior to its intended use, raising alarms about the potential impact on industrial safety systems.
PIPEDREAM comprises five key components that empower attackers to conduct reconnaissance, hijack devices, and disrupt program logic. Its design enables highly automated exploitation, which may include uploading malicious configurations, modifying device parameters, and executing destructive commands that threaten the integrity of industrial systems.
Schneider Electric has responded, stating that it has not confirmed exploitation of any vulnerabilities or identified specific targeted victims. However, the company cautioned that the malware presents a critical risk because of its inherent capabilities for disruption and sabotage.
The emergence of PIPEDREAM marks the seventh known ICS-specific malware designed to manipulate industrial processes, joining the ranks of notorious threats like Stuxnet and Industroyer. As cybersecurity threats evolve, the agencies urge organizations to implement multi-factor authentication for remote access and remain vigilant for signs of malicious activity across their networks.