US warns of malware that can take control of critical infrastructure systems

14 Apr 2022


US agencies did not identify the threat actors, but cybersecurity firms believe some of the malware discovered is linked to Russia.

US government agencies issued a joint warning yesterday (13 April) saying hackers have created custom-made tools that could target multiple industrial control systems (ICS) and gain “full system access”.

The US Department of Energy, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency and the FBI did not identify the threat actors in their joint advisory warning. However, cybersecurity firms that contributed to the warning believe some of the malware discovered could be linked to Russia.

The agencies urged critical infrastructure organisations, particularly those involved in energy, to take measures such as multifactor authentication and consistent password changes to protect their control systems.

Some of the devices that could be affected include programmable logic controllers (PLCs) made by Schneider Electric and Omron. A Schneider spokesperson told Reuters it had worked with US officials and called it “an instance of successful collaboration to deter threats on critical infrastructure before they occur”.

New malware

Mandiant is one of the companies that worked with the US agencies on this advisory. The cybersecurity company shared details of a set of ICS attack tools, which it named Incontroller. It said this represents “an exceptionally rare and dangerous cyberattack capability” and compared it to malware such as Triton, Industroyer and Stuxnet.

Industroyer was used at the end of 2016 to bring down Ukrenergo, an energy provider in Ukraine, and cut power in the country. A modified variant was said to be used in a cyberattack last week that targeted Ukraine’s electrical grid.

Mandiant said that Incontroller is “very likely” to be state-sponsored given its complexity and its “limited utility in financially motivated operations”. The cybersecurity firm said it couldn’t connect the malware with a known group, but said the activity is “consistent with Russia’s historical interest in ICS”.

“While our evidence connecting Incontroller to Russia is largely circumstantial, we note it given Russia’s history of destructive cyberattacks, its current invasion of Ukraine, and related threats against Europe and North America,” Mandiant said in its report.

Another cybersecurity firm, Dragos, released a report on a modular ICS attack framework called Pipedream, which it said was created by a group called Chernovite.

“While Chernovite is specifically targeting Schneider Electric and Omron PLCs, there could be other modules targeting other vendors as well, and Pipedream’s functionality could work across hundreds of different controllers,” Dragos said in its report.

This is not the first time the US has issued warnings around potential cyberattacks. Last month, US president Joe Biden warned companies operating in the country to bolster their cybersecurity efforts as “evolving intelligence” suggested that Russia was planning cyberattacks targeting critical infrastructure in the US.

In a joint advisory the week before, the FBI and CISA warned organisations to be on alert and bolster their multifactor authentication security after revealing details of how state-sponsored hackers in Russia were able to gain access to an unnamed NGO’s network.

Earlier that same month, US cybersecurity companies Cloudflare, CrowdStrike and Ping Identity joined hands to offer many of their products and services to US critical infrastructure organisations for free, in anticipation of potential cyberattacks emanating from Moscow.

While Ukraine has borne the brunt of cyberattacks from Russia in recent months, the US hasn’t been spared from threats. Bloomberg reported in early March that more than 100 employees of almost two dozen natural gas companies in the US were found to have been hacked by Russian actors.


Leigh Mc Gowran is a journalist with Silicon Republic