Nation-state actors are using specialised malware to maintain access to industrial control systems (ICS) and supervisory control and data acquisition (SCADA) equipment, according to the US government.

In an alert, numerous US agencies stated that “APT actors have created custom-made tools for targeting ICS/SCADA systems. Once they’ve gained initial access to the operational technology (OT) network, the tools allow them to scan for, compromise, and control affected devices.”

The US Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have issued a joint federal advisory. Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers are all targeted with the custom-made tools.

Furthermore, the unnamed actors are alleged to have the ability to compromise Windows-based engineering workstations across IT and OT networks by abusing an ASRock-signed motherboard driver with a known vulnerability (CVE-2020-15368). The goal, according to the agencies, is to use the ICS access to escalate privileges, move laterally through networks, and disrupt mission-critical functions in liquefied natural gas (LNG) and electric power environments.

PIPEDREAM is a “modular ICS attack framework that an adversary might exploit to cause interruption, degradation, and possibly even damage depending on targets and the environment,” according to Dragos, which has been tracking the malware under the moniker “PIPEDREAM” since early 2022.

Dragos CEO Robert M. Lee attributed the malware to a state actor known as CHERNOVITE, claiming that the destructive toolkit has yet to be used in real-world attacks, potentially making it the first time “an industrial cyber capability has been discovered *prior* to its deployment for intended effects.”

PIPEDREAM uses a combination of five components to achieve its objectives, allowing it to conduct reconnaissance, hijack target devices, interfere with controller execution logic, and disrupt PLCs. The malware is also known to make use of CODESYS, a third-party development environment for building controller applications in which as many as 17 separate security flaws have been discovered in the last year alone.

“The ability to reprogram and potentially disable safety controllers and other machine automation controllers may then be used to disable the emergency shutdown mechanism and manipulate the operational environment to unsafe settings,” Dragos said.

Separate research from threat intelligence firm Mandiant, released at the same time, described a “collection of innovative industrial control system (ICS)-oriented attack tools” focused on targeting Schneider Electric and Omron machine automation equipment.

INCONTROLLER is state-sponsored malware that uses industrial network protocols including OPC UA, Modbus, and CODESYS to “interact with specific industrial equipment implanted in different types of machinery exploited across multiple industries.”

However, it’s still unknown how the government agencies, as well as Dragos and Mandiant, discovered the malware. The news comes just a day after ESET, a Slovak cybersecurity firm, revealed that an improved version of the Industroyer malware was used in an unsuccessful attack against an unnamed Ukrainian energy supplier last week.

“INCONTROLLER [aka PIPEDREAM] is a very rare and deadly cyber-attack capability,” according to Mandiant. “It’s comparable to Triton, which aimed to damage an industrial safety system in 2017; Industroyer, which knocked out power in Ukraine in 2016; and Stuxnet, which sabotaged Iran’s nuclear programme around 2010.”

To mitigate possible threats and safeguard ICS and SCADA devices, the authorities advise organisations to use multi-factor authentication for remote access, change passwords on a regular basis, and watch for malicious indicators and behaviours.