US security authorities are sounding the alarm. They warn of hacker attacks on critical infrastructure, especially energy suppliers: attackers could use sophisticated modular malware to take full control of industrial control systems.

The risk of hacker attacks on critical infrastructure has risen since the Russian attack on Ukraine, but the Federal Office for Information Security (BSI) had already registered an increase in such cyber attacks in previous years. So far, however, there have been no prolonged outages with major damage or even fatalities, partly because attacks on supply facilities are anything but easy.

That may now have changed. The US Department of Energy, the FBI, the NSA, the CIA and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly issued an urgent alert about a new hacking toolkit that enables attackers to gain full system access to multiple industrial control systems.

According to the release, the malware particularly threatens devices from the manufacturers Schneider Electric (France) and Omron (Japan), as well as servers running the Open Platform Communications Unified Architecture (OPC UA). The malware consists of tailored tools that allow attackers to scan, compromise and control affected devices once they have gained access to the network that monitors and controls industrial assets, processes and events. The attackers could also exploit a vulnerability in an ASRock motherboard driver to gain access to networked workstations.

What makes the malware toolbox particularly dangerous is that it also enables “less qualified cyber actors” to operate, since the attacks are highly automated. The attackers are given a virtual console with a command interface through which the modules interact with the target devices.

The security company Dragos, which discovered the toolkit, calls it “Pipedream”. It writes that the malware can independently carry out 38 percent of the known attack techniques and 83 percent of the known attack tactics against industrial control systems. Taken together, “Pipedream” is able to manipulate a significant percentage of industrial plants worldwide.

According to Dragos, the detected malware concentrates on Omron and Schneider systems, but there may also be previously unknown modules that target components from other manufacturers. The security firm therefore recommends focusing on the attackers’ tactics and techniques rather than on the equipment vendors.

The control systems currently targeted are used in many production plants, Dragos managing director Robert Lee told the Reuters news agency. However, the hackers’ targets are assumed to be liquefied gas plants, power generators and power plants. The tools are very powerful and have probably been in development for years.

The “Pipedream” threat cannot be eliminated as quickly as a conventional vulnerability; it will take years, Dragos employee Sergio Caltagirone told The Washington Post. In the event of an attack, plants could be shut down for long periods, putting “lives, livelihoods and communities” at risk, the security firm’s blog post says. Among other things, control units could be so badly damaged that they would have to be completely replaced, according to Caltagirone, which could take months given the current supply chain problems.

Because the threatened systems are widespread across many sectors, the BSI considers the threat highly relevant, but classifies the danger only as “medium”. To be as well prepared as possible against “Pipedream”, the authority lists a number of recommendations, among the most important of which are the consistent separation of office and process networks and the monitoring of the interfaces between those networks.
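One way to put that last recommendation into practice is to check flow records collected at the office/process boundary against a simple zone policy, so that any office-side host talking directly to a controller or OPC UA server is surfaced. The following Python script is an added example and is not part of the original article or of any BSI or CISA guidance; the network ranges, the jump-host exception and the log format are constructed for illustration, and the only real values are the standard service ports for OPC UA (4840) and Modbus/TCP (502).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zone definitions: constructed for this example, a real plant uses its own addressing.
OFFICE_NET = ipaddress.ip_network("10.10.0.0/16")      # office / IT network (assumed)
PROCESS_NET = ipaddress.ip_network("192.168.50.0/24")  # process / OT network (assumed)

# Hosts explicitly permitted to cross from the office side into the process side,
# e.g. a hardened jump host (assumed address).
ALLOWED_CROSSINGS = {ipaddress.ip_address("10.10.1.5")}

# Well-known ICS service ports: OPC UA on TCP 4840, Modbus/TCP on TCP 502.
ICS_PORTS = {4840: "opc-ua", 502: "modbus"}


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one flow record in the constructed format '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)


def classify(flow: Flow) -> Optional[Tuple[str, str]]:
    """Return None for flows that do not cross from office to process zone,
    otherwise ('allowed' | 'violation', service name)."""
    crosses = flow.src in OFFICE_NET and flow.dst in PROCESS_NET
    if not crosses:
        return None
    service = ICS_PORTS.get(flow.dport, "other")
    if flow.src in ALLOWED_CROSSINGS:
        return ("allowed", service)
    return ("violation", service)


def audit(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Return every office-to-process crossing that is not on the allow list,
    as (src, dst, dport, service) tuples, in log order."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict is not None and verdict[0] == "violation":
            findings.append((str(flow.src), str(flow.dst), flow.dport, verdict[1]))
    return findings


# Constructed sample log: two ICS-port crossings from ordinary office hosts,
# one permitted jump-host session, one office-internal flow, one OT-internal
# flow and one crossing on a non-ICS port (still a segmentation violation).
SAMPLE_LOG = [
    "10.10.3.20 192.168.50.10 tcp 4840",
    "10.10.1.5 192.168.50.10 tcp 4840",
    "10.10.3.21 192.168.50.11 tcp 502",
    "10.10.3.22 10.10.4.1 tcp 443",
    "192.168.50.10 192.168.50.11 tcp 502",
    "10.10.3.23 192.168.50.12 tcp 22",
]

if __name__ == "__main__":
    for src, dst, dport, service in audit(SAMPLE_LOG):
        print(f"VIOLATION office->process {src} -> {dst}:{dport} ({service})")
```

The script deliberately reports every crossing, not only those on known ICS ports: in a properly segmented plant the boundary itself is the policy, and an unexpected SSH or HTTP session from an office host into the process network is just as much a finding as an OPC UA connection.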

The US authorities assume that the malware has not yet been used. They gave no information about its origin; Dragos calls the group behind it the Chernovite Activity Group, but does not name a country of origin either. However, Nathan Brubaker of the security company Mandiant voiced a suspicion to The Washington Post: the attack kit contains “capabilities related to disruption, sabotage and potential physical destruction. Although we cannot clearly identify the malware, we find that the activity coincides with the historical interest of Russia.”
