U.S. warns energy firms of a rapidly advancing hacking threat

By Christian Vasquez | 04/14/2022 07:05 AM EDT

The alert from the Department of Energy, FBI and other federal agencies of a newly discovered strain of malware comes on the heels of a major Russian incursion into one of Ukraine’s regional electricity grids.

Liquefied natural gas terminal in Louisiana.

Cybersecurity researchers and the Department of Homeland Security are warning that a new strain of malware targets energy facilities, from liquefied natural gas terminals to power plants. An LNG facility in Louisiana is pictured. Cheniere Energy

The Department of Energy and U.S. intelligence agencies are warning the energy sector of a newly discovered “custom-made” malware targeting the systems that control electricity and natural gas infrastructure.

Yesterday’s joint alert called on energy companies to beef up their defenses against a new method of attack capable of gaining “full system access.” The alert is the latest in a series of intelligence warnings that Russia’s state-backed hackers are hard at work updating their old methods and coming up with new tools for entering, disrupting and destroying energy industry equipment.

While the alert didn’t say which nation developed the new malware, the news comes on the heels of a major Russian incursion into one of Ukraine’s regional electricity grids. The Ukrainian government said Tuesday it had thwarted an attempt by an elite Russian hacking team known as “Sandworm” to damage industrial control systems (ICS) that run high-voltage substations. If the attack had succeeded, it likely would have temporarily shut off power to 2 million people (Energywire, April 13).


The joint alert yesterday from DOE, the Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency said the new malware is able to conduct “highly automated” attacks on energy infrastructure. And researchers say it could open the door to “lower-skilled” hackers who aren’t able to fully map out an electricity or gas system.

The tool has a wide range of uses, according to experts: from initial infiltration and reconnaissance of industrial systems to manipulation and disruption of grid equipment. The hacking tool can also compromise Windows-based engineering workstations, according to the government report.

Cybersecurity firms Dragos Inc. and Mandiant also published separate reports analyzing the malware yesterday.

“We note that the activity is consistent with Russia’s historical interest in ICS,” said Nathan Brubaker, director of analysis at Mandiant. Mandiant’s report says the new hacking tool “poses the greatest threat to Ukraine, NATO member states, and other states actively responding to Russia’s invasion of Ukraine.”

Mandiant experts named the threat “Incontroller” and called it an “exceptionally rare and dangerous” strain of malware. Brubaker compared this malware to Triton, the malware that led to a partial shutdown of a petrochemical and refining complex in Saudi Arabia. Like the Triton malware, hackers could use Incontroller to disable safety systems in a network while reprogramming other systems. Experts say that combination can have destructive outcomes.

“This could cause impacts to human safety, the environment, or damage to equipment, depending on the physical constraints of the process and facility design,” Mandiant experts wrote in their report.

In a separate report, Dragos named the malware “Pipedream.” “It can disrupt, degrade, and potentially destroy industrial environments and processes,” Dragos said in its analysis. The malware was developed to target ICS systems, including supervisory control and data acquisition systems that often operate pipelines.

Security firms often use separate names to track malicious code and hacker groups. Both Pipedream and Incontroller reference the same malware.

Robert Lee, CEO and founder of Dragos, said in a statement that Dragos has been analyzing Pipedream since early this year. He also noted it’s the seventh malware designed specifically to target industrial control systems. This one, he added, aims to go beyond the electric grid to target liquefied natural gas facilities, too.

Timing is one thing that makes this rollout of warnings unique: It was discovered before being used. All other types of ICS-specific malware, such as Triton, were discovered after hackers tried to deploy it.

“This provides defenders a unique opportunity to defend ahead of the attacks,” Lee said.

Dragos experts said the configuration of the malware also suggests its developers are looking for ways into industrial systems through corporate networks. Cybersecurity experts have long warned that the increasing convergence between operational technology and information technology is creating more vulnerabilities for U.S. energy companies.

Lee said that “applying fundamental ICS cybersecurity practices” can provide a “robust defense” against this new malware.

The government bulletin credited cybersecurity companies Dragos, Mandiant, Microsoft Corp. and Palo Alto Networks Inc., as well as industrial manufacturer Schneider Electric SE with helping to discover and analyze the malware.