The likely target of the alleged Russian malware was LNG facilities
But private security experts who worked alongside government agencies to analyze the system said it was likely Russian, that its primary target was likely liquefied natural gas production facilities, and that it would take months or years to develop strong defenses against it.
This combination makes the discovery of the system, dubbed Pipedream by industrial control security experts Dragos, the realization of longtime cybersecurity experts’ worst fears. Some have compared it to Stuxnet, which the United States and Israel used more than a dozen years ago to damage equipment used in Iran’s nuclear program.
The program manipulates equipment found in virtually any complex industrial plant rather than capitalizing on unknown flaws that can be easily fixed, so almost any plant could fall victim to it, investigators said.
“It’s going to take years to recover from,” said Sergio Caltagirone, vice president of threat intelligence at Dragos and former global technical lead at the National Security Agency.
The initial report of the discovery of the system came in a joint warning notice issued by the National Security Agency, the Energy Department, the Cybersecurity and Infrastructure Security Agency and the FBI. The agencies urged the energy industry and others to install monitoring programs and to require multi-factor authentication for remote logins, among other steps.
The “tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices,” the advisory said.
Dragos said the malicious computer code likely targeted liquefied natural gas plants, as its most detailed attack methods appeared intended to target equipment found at those facilities.
In particular, the programs contain methods for subverting controllers made by Schneider Electric in France and Omron in Japan, as well as an open-source framework for moving data from sensors to applications, called OPC Unified Architecture.
The software is intended to take advantage of long-standing issues that make it difficult to defend control systems. These include industry requirements for compatibility between products made by different vendors, which means that data flowing from one type of equipment to another must do so without encryption.
Another systemic flaw is that it is difficult to monitor what is going on inside the physical equipment.
Perhaps the most concerning aspect of the software was its apparent effort to target how most industrial facilities protect themselves against cyberattacks by keeping aspects of the operation separate from one another.
Pipedream can target hundreds of types of so-called programmable logic controllers, or PLCs, that link operations. A few previous industrial attacks, including one against energy facilities that Western intelligence attributed to Russia, have attacked a specific type of PLC used in safety equipment.
Two years ago, the United States sanctioned a Russian lab it says was the source of the software, called Triton or Trisis, used in that 2017 attack on a Saudi petrochemical plant. The attack cost the plant millions of dollars in lost production, but could have been much worse had it worked as intended.
Pipedream goes further by using the ubiquitous code in PLCs to break through the layers and probe deeper into the heart of an installation.
Based largely on previous attacks, security firm Mandiant said Russia was likely behind the new system, and that those most at risk in the near term include Ukraine and the NATO countries that have supported it against Russia's attack.
The attack kit “contains capabilities related to disruption, sabotage, and potentially physical destruction. While we are unable to definitively attribute the malware, we note that the activity is consistent with Russia's historical interests,” said Nathan Brubaker, director of intelligence analysis at Mandiant.
Liquefied natural gas, including from the United States, is playing an increasing role as an alternative to Russian oil and gas imports which the European Union has pledged to cut due to the invasion.