The U.S. government on Wednesday warned of nation-state actors deploying specialized malware to maintain access to industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.

"The APT actors have developed custom-made tools for targeting ICS/SCADA devices," multiple U.S. agencies said in an alert. "The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network."

The joint federal advisory comes courtesy of the U.S. Department of Energy (DoE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI).

The custom-made tools are specifically designed to single out Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

On top of that, the unnamed actors are said to possess capabilities to infiltrate Windows-based engineering workstations across IT and OT networks by making use of an exploit that compromises an ASRock-signed motherboard driver (AsrDrv103.sys) with known vulnerabilities (CVE-2020-15368) to execute malicious code in the Windows kernel.


The intent, the agencies said, is to leverage the access to ICS systems to elevate privileges, move laterally within the networks, and sabotage mission-critical functions in liquified natural gas (LNG) and electric power environments.

Industrial cybersecurity company Dragos, which has been tracking the malware under the name "PIPEDREAM" since early 2022, described it as a "modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment."

Dragos CEO Robert M. Lee attributed the malware to a state actor dubbed CHERNOVITE, assessing with high confidence that the destructive toolkit has yet to be employed in real-world attacks, making it possibly the first time "an industrial cyber capability has been found *prior* to its deployment for intended effects."

PIPEDREAM features an array of five components to accomplish its goals, enabling it to conduct reconnaissance, hijack target devices, tamper with the execution logic of controllers, and disrupt PLCs, effectively leading to "loss of safety, availability, and control of an industrial environment."

Boasting of a wide range of functionality, PIPEDREAM allows for highly automated exploits against targeted devices, with the modules supporting the ability to upload malicious configuration to the controllers, back up or restore device contents, and modify device parameters.

The versatile malware is also known to take advantage of CODESYS, a third-party development environment for programming controller applications and which has been uncovered to contain as many as 17 different security vulnerabilities in the past year alone.

"Capabilities to reprogram and potentially disable safety controllers and other machine automation controllers could then be leveraged to disable the emergency shutdown system and subsequently manipulate the operational environment to unsafe conditions," Dragos cautioned.


Coinciding with the disclosure is another report from threat intelligence firm Mandiant, which characterized PIPEDREAM as a "set of novel industrial control system (ICS)-oriented attack tools" aimed at machine automation devices from Schneider Electric and Omron.

The state-sponsored malware, which it has named INCONTROLLER, is designed to "interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries" by means of industrial network protocols such as OPC UA, Modbus, and CODESYS.

Schneider Electric, in an independent security notification, said it has not identified any weakness or vulnerability being exploited and that it's not aware of any confirmed targets that have been victimized by the PIPEDREAM attack toolset.

However, the company forewarned that "the framework poses a critical risk to organizations using the targeted devices," adding it "has capabilities related to disruption, sabotage, and potentially physical destruction."

That said, it's unclear as yet how the government agencies as well as Dragos and Mandiant found the malware. The findings come a day after Slovak cybersecurity company ESET detailed the use of an upgraded version of the Industroyer malware in a failed cyberattack directed against an unnamed energy provider in Ukraine last week.

The discovery of PIPEDREAM makes it the seventh publicly-known ICS-specific malware orchestrated to tamper with industrial processes, following Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, and Industroyer2.

"INCONTROLLER [aka PIPEDREAM] represents an exceptionally rare and dangerous cyber attack capability," Mandiant said. "It is comparable to Triton, which attempted to disable an industrial safety system in 2017; Industroyer, which caused a power outage in Ukraine in 2016; and Stuxnet, which sabotaged the Iranian nuclear program around 2010."

To mitigate potential threats and secure ICS and SCADA devices, the agencies are recommending organizations to enforce multi-factor authentication for remote access, periodically change passwords, and continuously be on the lookout for malicious indicators and behaviors.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.