The US authorities uncover a versatile hacking tool targeting critical infrastructure

April 14, 2022

Wired reports that the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI have released an advisory about a malware toolset that can interfere with industrial control systems. Given that Australia has just passed updated critical infrastructure legislation, this is a particularly relevant development. The state of protection by Australian organisations is generally poor, legislation notwithstanding.

The advisory provides:
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:

    • Schneider Electric programmable logic controllers (PLCs),
    • OMRON Sysmac NEX PLCs, and
    • Open Platform Communications Unified Architecture (OPC UA) servers.

The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.

DOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations, to implement the detection and mitigation recommendations provided in this CSA to detect potential malicious APT activity and harden their ICS/SCADA devices. 

Technical Details

APT actors have developed custom-made tools that, once they have established initial access in an OT network, enable them to scan for, compromise, and control certain ICS/SCADA devices, including the following:

    • Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
    • OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and 
    • OPC Unified Architecture (OPC UA) servers.  

The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.

The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters. 

In addition, the APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions.

APT Tool for Schneider Electric Devices  

The APT actors’ tool for Schneider Electric devices has modules that interact via normal management protocols and Modbus (TCP 502). Modules may allow cyber actors to:

    • Run a rapid scan that identifies all Schneider PLCs on the local network via User Datagram Protocol (UDP) multicast with a destination port of 27127 (Note: UDP 27127 is a standard discovery scan used by engineering workstations to discover PLCs and may not be indicative of malicious activity);
    • Brute-force Schneider Electric PLC passwords using CODESYS and other available device protocols via UDP port 1740 against defaults or a dictionary word list (Note: this capability may work against other CODESYS-based devices depending on individual design and function, and this report will be updated as more information becomes available); 
    • Conduct a denial-of-service attack to prevent network communications from reaching the PLC;
    • Sever connections, requiring users to re-authenticate to the PLC, likely to facilitate capture of credentials; 
    • Conduct a ‘packet of death’ attack to crash the PLC until a power cycle and configuration recovery is conducted; and 
    • Send custom Modbus commands (Note: this capability may work against Modbus other than in Schneider Electric PLCs).

Refer to the appendix for tactics, techniques, and procedures (TTPs) associated with this tool.

APT Tool for OMRON 

The APT actors’ tool for OMRON devices has modules that can interact by:

    • Scanning for OMRON using the Factory Interface Network Service (FINS) protocol;
    • Parsing the Hypertext Transfer Protocol (HTTP) response from OMRON devices;
    • Retrieving the media access control (MAC) address of the device;
    • Polling for specific devices connected to the PLC;
    • Backing up/restoring arbitrary files to/from the PLC; and
    • Loading a custom malicious agent on OMRON PLCs for additional attacker-directed capability.

Additionally, the OMRON modules can upload an agent that allows a cyber actor to connect and initiate commands—such as file manipulation, packet captures, and code execution—via HTTP and/or Hypertext Transfer Protocol Secure (HTTPS). 

Refer to the appendix for TTPs associated with this tool.

APT Tool for OPC UA 

The APT actors’ tool for OPC UA has modules with basic functionality to identify OPC UA servers and to connect to an OPC UA server using default or previously compromised credentials. The client can read the OPC UA structure from the server and potentially write tag values available via OPC UA.

Refer to the appendix for TTPs associated with this tool.
Note: these mitigations are provided to enable network defenders to begin efforts to protect systems and devices from new capabilities. They have not been verified against every environment and should be tested prior to implementing.

DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:

    • Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters. 
    • Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
    • Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
    • Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
    • Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups. 
    • Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
    • Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
    • Implement robust log collection and retention from ICS/SCADA systems and management subnets.
    • Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
    • Ensure all applications are only installed when necessary for operation. 
    • Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates. 
    • Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator comments as signs of potential malicious activity.
    • Monitor systems for loading of unusual drivers, especially for ASRock driver if no ASRock driver is normally used on the system. 
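The advisory's Schneider-tool section names concrete network indicators (UDP 27127 discovery, CODESYS password guessing over UDP 1740, Modbus on TCP 502) and its mitigations ask defenders to monitor for unusual driver loads, in particular the ASRock driver on hosts that have no ASRock hardware. The script below is an added example, not part of the advisory or of any vendor's product, showing how those points translate into detection logic run over sample logs. The log formats, the allow-lists of engineering workstations and Modbus clients, the list of hosts known to contain ASRock boards, and the brute-force threshold are all assumptions constructed for the example; a real deployment would feed them from a Zeek/ICSNPP sensor, a Sysmon driver-load feed, and the site's asset inventory.

```python
"""Detection rules derived from the joint CSA's Schneider-tool indicators and its
'monitor for unusual drivers' mitigation. Log formats, addresses, host names and
thresholds are constructed for this example (not from the advisory)."""

from collections import defaultdict
from dataclasses import dataclass

# Assumption: the site keeps an inventory of the only hosts that may talk to PLCs
# (the mitigation "limit ... network connections to only specifically allowed
# management and engineering workstations"). Constructed addresses.
ENGINEERING_WORKSTATIONS = {"10.10.1.5", "10.10.1.6"}
ALLOWED_MODBUS_CLIENTS = ENGINEERING_WORKSTATIONS | {"10.10.1.20"}  # + SCADA server
# Assumption: asset inventory of hosts that actually have ASRock motherboards.
ASROCK_HOSTS = {"ews-02"}

# Port/protocol indicators taken from the advisory text.
SCHNEIDER_DISCOVERY = ("udp", 27127)  # normal discovery, suspicious from odd hosts
CODESYS_AUTH = ("udp", 1740)          # channel used for PLC password brute force
MODBUS = ("tcp", 502)
BRUTE_FORCE_THRESHOLD = 20            # UDP 1740 flows from one source (assumed)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def parse_conn(line):
    """Parse a constructed tab-separated flow record: ts src dst proto dport."""
    ts, src, dst, proto, dport = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def detect_network(conn_lines):
    """Apply the three network rules to a list of flow records."""
    alerts = []
    codesys_flows = defaultdict(int)
    for line in conn_lines:
        rec = parse_conn(line)
        key = (rec["proto"], rec["dport"])
        if key == SCHNEIDER_DISCOVERY and rec["src"] not in ENGINEERING_WORKSTATIONS:
            # Discovery itself is benign; the source host is what makes it odd.
            alerts.append(Alert("schneider_discovery_from_unexpected_host", rec["src"],
                                f"UDP 27127 discovery towards {rec['dst']}"))
        elif key == CODESYS_AUTH:
            codesys_flows[rec["src"]] += 1
        elif key == MODBUS and rec["src"] not in ALLOWED_MODBUS_CLIENTS:
            alerts.append(Alert("modbus_from_unexpected_host", rec["src"],
                                f"TCP 502 to {rec['dst']}"))
    for src, n in codesys_flows.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            alerts.append(Alert("codesys_udp1740_burst", src,
                                f"{n} UDP 1740 flows, possible password guessing"))
    return alerts


def detect_driver_loads(events):
    """events: constructed dicts modelled on Sysmon Event ID 6 (host, image, signature)."""
    alerts = []
    for ev in events:
        image = ev["image"].lower()
        signer = ev.get("signature", "").lower()
        if (image.endswith("asrdrv103.sys") or "asrock" in signer) and ev["host"] not in ASROCK_HOSTS:
            alerts.append(Alert("asrock_driver_on_non_asrock_host", ev["host"], ev["image"]))
    return alerts


# Constructed sample input: one legitimate discovery, one from an unknown host,
# a burst of UDP 1740 flows from that host, and Modbus from both kinds of client.
SAMPLE_CONN = (
    ["1.0\t10.10.1.5\t10.10.2.10\tudp\t27127",
     "2.0\t10.10.9.77\t10.10.2.10\tudp\t27127"]
    + [f"{3 + i / 10:.1f}\t10.10.9.77\t10.10.2.10\tudp\t1740" for i in range(25)]
    + ["30.0\t10.10.1.6\t10.10.2.10\ttcp\t502",
       "31.0\t10.10.9.77\t10.10.2.10\ttcp\t502"]
)
SAMPLE_DRIVER_EVENTS = [
    {"host": "ews-01", "image": r"C:\Windows\Temp\AsrDrv103.sys", "signature": "ASRock Incorporation"},
    {"host": "ews-02", "image": r"C:\Windows\System32\drivers\AsrDrv103.sys", "signature": "ASRock Incorporation"},
    {"host": "ews-01", "image": r"C:\Windows\System32\drivers\tcpip.sys", "signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for a in detect_network(SAMPLE_CONN) + detect_driver_loads(SAMPLE_DRIVER_EVENTS):
        print(f"{a.rule:45} {a.host:12} {a.detail}")
```

The discovery and Modbus rules deliberately key on the source host rather than the protocol, because the advisory notes that UDP 27127 is normal engineering-workstation behaviour; the same applies to Modbus from an HMI or SCADA server. The driver rule fires on either the file name or the ASRock signer so that a renamed copy of the driver is still caught, and it is suppressed only on hosts the inventory says actually need that driver.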

The Wired article provides:

Malware designed to target industrial control systems like power grids, factories, water utilities, and oil refineries represents a rare species of digital badness. So when the United States government warns of a piece of code built to target not just one of those industries, but potentially all of them, critical infrastructure owners worldwide should take notice.

On Wednesday, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI jointly released an advisory about a new hacker toolset potentially capable of meddling with a wide range of industrial control system equipment. More than any previous industrial control system hacking toolkit, the malware contains an array of components designed to disrupt or take control of the functioning of devices, including programmable logic controllers (PLCs) that are sold by Schneider Electric and OMRON and are designed to serve as the interface between traditional computers and the actuators and sensors in industrial environments. Another component of the malware is designed to target Open Platform Communications Unified Architecture (OPC UA) servers—the computers that communicate with those controllers.

“This is the most expansive industrial control system attack tool that anyone has ever documented,” says Sergio Caltagirone, the vice president of threat intelligence at industrial-focused cybersecurity firm Dragos, which contributed research to the advisory and published its own report about the malware. Researchers at Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric also contributed to the advisory. “It’s like a Swiss Army knife with a huge number of pieces to it.”

Dragos says the malware has the ability to hijack target devices, disrupt or prevent operators from accessing them, permanently brick them, or even use them as a foothold to give hackers access to other parts of an industrial control system network. He notes that while the toolkit, which Dragos calls “Pipedream,” appears to specifically target Schneider Electric and OMRON PLCs, it does so by exploiting underlying software in those PLCs known as Codesys, which is used far more broadly across hundreds of other types of PLCs. This means that the malware could easily be adapted to work in almost any industrial environment. “This toolset is so big that it’s basically a free-for-all,” Caltagirone says. “There’s enough in here for everyone to worry about.”

The CISA advisory refers to an unnamed “APT actor” that developed the malware toolkit, using the common acronym APT to mean advanced persistent threat, a term for state-sponsored hacker groups. It’s far from clear where the government agencies found the malware, or which country’s hackers created it—though the timing of the advisory follows warnings from the Biden administration about the Russian government making preparatory moves to carry out disruptive cyberattacks in the midst of its invasion of Ukraine.

Dragos also declined to comment on the malware’s origin. But Caltagirone says it doesn’t appear to have been actually used against a victim—or at least, it hasn’t yet triggered actual physical effects on a victim’s industrial control systems. “We have high confidence it hasn’t been deployed yet for disruptive or destructive effects,” says Caltagirone.

While the toolkit’s adaptability means it could be used against practically any industrial environment, from manufacturing to water treatment, Dragos points out that the apparent focus on Schneider Electric and OMRON PLCs does suggest that the hackers may have built it with power grid and oil refineries—particularly liquified natural gas facilities—in mind, given Schneider’s wide use in electric utilities and OMRON’s broad adoption in the oil and gas sector. Caltagirone suggests the ability to send commands to servo motors in those petrochemical facilities via OMRON PLCs would be particularly dangerous, with the ability to cause “destruction or even loss of life.”

The CISA advisory doesn’t point to any particular vulnerabilities in the devices or software the Pipedream malware targets, though Caltagirone says it does exploit multiple zero-day vulnerabilities—previously unpatched hackable software flaws—that are still being fixed. He notes, however, that even patching those vulnerabilities won’t prevent most of Pipedream’s capabilities, as it’s largely designed to hijack the intended functionality of target devices and send legitimate commands in the protocols they use. The CISA advisory includes a list of measures that infrastructure operators should take to protect their operations, from limiting industrial control systems’ network connections to implementing monitoring systems for ICS systems, in particular, that send alerts for suspicious behavior.

When WIRED reached out to Schneider Electric and OMRON, a Schneider spokesperson responded in a statement that the company has closely collaborated with the US government and security firm Mandiant and that they together “identified and developed protective measures to defend against” the newly revealed attack toolkit. “This is an instance of successful collaboration to deter threats on critical infrastructure before they occur and further underscores how public-private partnerships are instrumental to proactively detect and counter threats before they can be deployed,” the company added. OMRON didn’t immediately respond to WIRED’s request for comment.

The discovery of the Pipedream malware toolkit represents a rare addition to the handful of malware specimens found in the wild that target industrial control systems (ICS) software. The first and still most notorious example of that sort of malware remains Stuxnet, the US- and Israeli-created code that was uncovered in 2010 after it was used to destroy nuclear enrichment centrifuges in Iran. More recently, the Russian hackers known as Sandworm, part of the Kremlin’s GRU military intelligence agency, deployed a tool called Industroyer or Crash Override to trigger a blackout in the Ukrainian capital of Kyiv in late 2016.

The next year, Kremlin-linked hackers infected systems at the Saudi Arabian oil refinery Petro Rabigh with a piece of malware known as Triton or Trisis, which was designed to target its safety systems—with potentially catastrophic physical consequences—but instead triggered two shutdowns of the plant’s operations. Then, just last week, Russia’s Sandworm hackers were detected using a new variant of their Industroyer code to target a regional electrical utility in Ukraine, though Ukrainian officials say they managed to detect the attack and avert a blackout.

The Pipedream advisory serves as a particularly troubling new entry in the rogue’s gallery of ICS malware, however, given the breadth of its functionality. But its revelation—apparently before it could be used for disruptive effects—comes in the midst of a larger crackdown by the Biden administration on potential hacking threats to critical infrastructure systems, particularly from Russia. Last month, for instance, the Justice Department unsealed indictments against two Russian hacker groups with a history of targeting power grids and petrochemical systems. One indictment named for the first time one of the hackers allegedly responsible for the Triton malware attack in Saudi Arabia and also accused him and his coconspirators of targeting US refineries. A second indictment named three agents of Russia’s FSB intelligence agency as members of a notorious hacker group known as Berserk Bear, responsible for years of electric utility hacking. And then early this month the FBI took measures to disrupt a botnet of networking devices controlled by Sandworm, still the only hackers in history known to have triggered blackouts.

Even as the government has taken measures to call out and even disarm those disruptive hackers, Pipedream represents a powerful malware toolkit in unknown hands—and one from which infrastructure operators need to take measures to protect themselves, says Caltagirone. “This is not a small deal,” he says. “It’s a clear and present danger to the safety of industrial control systems.”

The war in Ukraine has revealed the asymmetric warfare going on in cyberspace. The Ukrainians are reported as obtaining masses of data from Russia, while Russian Sandworm hackers have tried to impose a third blackout of Ukraine’s electrical transmission system.
