The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security's cybersecurity unit, has recently warned of a new malware toolkit called Pipedream that targets industrial control systems and could be used to cause physical damage or destruction.
The hackers' toolkit, discovered by security firm Dragos and also tracked by Mandiant under the name Incontroller, is reportedly designed to target Schneider Electric SE and Omron Corp. programmable logic controllers (PLCs), as well as OPC UA servers. While the malware is adaptable to different industrial environments, the particular controller models it understands are common in electric power and liquefied natural gas facilities, and Dragos has said those sectors are the likely initial targets.
Contrary to some early reporting, the toolkit does not depend on zero-day vulnerabilities: it mostly abuses the legitimate functions of the devices' own protocols (Modbus, CODESYS, Omron FINS, OPC UA), and the one publicly reported exploit, a known flaw in an ASRock motherboard driver, is used only to escalate privileges on Windows engineering workstations. That is why patching alone won't prevent most of Pipedream's capabilities. Infrastructure operators are still advised to implement protective measures, namely limiting industrial control systems' (ICS) network connections and monitoring the connections that remain, to protect their operations.
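The "limit and monitor" advice above can be turned into a concrete check. The following is an added example, not code from the article, CISA or Dragos: it reads constructed, Zeek-style connection records and flags two things, a host talking an ICS protocol to a PLC it is not allowlisted for, and a host that fans out to several distinct ICS devices (the device-discovery behaviour any toolkit of this kind must exhibit before it can act). The port-to-protocol map, the allowlist, the IP addresses and the log lines are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed, illustrative port map of the ICS protocols the toolkit is
# reported to speak; a real deployment would derive this from its own
# asset inventory rather than from this list.
ICS_PORTS = {
    ("tcp", 502): "modbus",          # Modbus/TCP (Schneider UMAS rides on it)
    ("tcp", 1740): "codesys", ("tcp", 1741): "codesys",
    ("tcp", 1742): "codesys", ("tcp", 1743): "codesys",
    ("tcp", 11740): "codesys",       # CODESYS runtime, used by Schneider M2xx PLCs
    ("udp", 9600): "omron-fins", ("tcp", 9600): "omron-fins",
    ("tcp", 4840): "opc-ua",
}

# Assumed allowlist: which engineering workstation may reach which PLC.
# Everything not listed here is, by policy, forbidden.
ALLOWED = {
    "10.10.1.5": {"10.10.2.10", "10.10.2.11"},   # EWS-01 -> two Modicon PLCs
}


@dataclass(frozen=True)
class Alert:
    kind: str     # "unauthorized-ics-client" or "ics-fanout"
    src: str      # offending client address
    detail: str


def parse_conn_line(line):
    """Parse one constructed record: ts, orig_h, resp_h, proto, resp_p (tab-separated)."""
    ts, src, dst, proto, dport = line.split("\t")
    return float(ts), src, dst, proto, int(dport)


def analyze(lines, fanout_threshold=3):
    """Return alerts for ICS-protocol flows that violate the allowlist or show fan-out."""
    alerts = []
    targets_per_src = defaultdict(set)
    for line in lines:
        if not line or line.startswith("#"):      # skip Zeek-style header lines
            continue
        _ts, src, dst, proto, dport = parse_conn_line(line)
        service = ICS_PORTS.get((proto, dport))
        if service is None:                        # not an ICS protocol, ignore
            continue
        if dst not in ALLOWED.get(src, set()):
            alerts.append(Alert("unauthorized-ics-client", src,
                                f"{service} to {dst}:{dport}/{proto}"))
        targets_per_src[src].add(dst)
        # Fire once, the moment a single client has touched N distinct ICS hosts.
        if len(targets_per_src[src]) == fanout_threshold:
            alerts.append(Alert("ics-fanout", src,
                                f"contacted {fanout_threshold} distinct ICS hosts"))
    return alerts


# Constructed sample log: EWS-01 doing its normal job, then an unknown host
# (10.10.1.77) sweeping the PLC subnet across three different protocols.
SAMPLE_LOG = """\
#fields ts id.orig_h id.resp_h proto id.resp_p
1650000000.1\t10.10.1.5\t10.10.2.10\ttcp\t502
1650000001.2\t10.10.1.5\t10.10.2.11\ttcp\t502
1650000002.3\t10.10.1.5\t10.10.2.10\ttcp\t11740
1650000003.0\t10.10.1.5\t10.10.3.50\ttcp\t443
1650000010.0\t10.10.1.77\t10.10.2.10\ttcp\t502
1650000010.5\t10.10.1.77\t10.10.2.11\ttcp\t502
1650000011.0\t10.10.1.77\t10.10.2.12\tudp\t9600
1650000011.5\t10.10.1.77\t10.10.2.13\ttcp\t4840
""".splitlines()


def run_example():
    """Analyze the constructed log; returns the alert list for inspection."""
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_example():
        print(f"{alert.kind:24} src={alert.src:12} {alert.detail}")
```

On the constructed log this raises four "unauthorized-ics-client" alerts and one "ics-fanout" alert, all for 10.10.1.77; the workstation's own Modbus and CODESYS sessions, and its unrelated HTTPS connection, pass silently. The allowlist is the important half: a fan-out threshold alone would miss a patient attacker, but an attacker who has to go through the one permitted workstation has a much smaller problem to solve for you to notice.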
The toolkit’s creators remain unknown. Dragos suspects Russian hackers, but the truth may not be so simple.
War brings out the worst in people, and cyberwarfare is no different. It seeks to undermine the enemy, its infrastructure and economy by targeting military installations and civilian infrastructure alike in order to disrupt day-to-day activities, and cause chaos and panic.
Governments of embattled countries and their allies start recruiting hackers — individuals they previously sought to incarcerate — to task them with the creation of malicious software that can be used to target the enemy.
Cyber attacks are launched, enemy infrastructure is damaged, and as a result hackers profit. However, the code they create doesn't expire after its use. It is sold, often multiple times, in dark web marketplaces.
Malware toolkits can be bought for as little as $50; these marketplaces represent a good source of revenue for hacker groups operating globally.
It’s possible that Pipedream’s source code originated on one such marketplace and is available not only to state-sponsored hackers but also to anyone willing to wreak havoc. Other than targeting specific pieces of hardware, Pipedream does not take sides in cyberwarfare.
U.S. infrastructure may be compromised, but American hackers can decide to do the same to another country that has much more to lose, for example a country with ample amounts of gas and oil just waiting to be disrupted.
Russia could be such a target. Its vast network of natural gas pipelines could be particularly vulnerable, and cyber attacks could interrupt supply, cause shortages and possibly damage the infrastructure itself.
It would also be very difficult to discern which country was responsible if one such attack occurred. Deals like these happen behind closed doors, with actors on both sides taking precautions to obscure their identities.
As you can see, the situation is much less black-and-white than currently presented in the media. If we dig a bit deeper, things get even murkier.
Although the Pipedream malware toolkit is making the headlines these days, it's only one of several pieces of code found in the wild that target industrial control systems. The first and still most notorious example is Stuxnet, reportedly a joint creation of the National Security Agency, the Central Intelligence Agency and Israeli intelligence, which is believed to have destroyed nuclear enrichment centrifuges in Iran in the period leading up to its discovery in 2010.
Since then, a series of distinct ICS-targeting malware families has followed. They are not upgraded variants of Stuxnet's code, but they share its goal: manipulating a physical process through the controllers that run it.
Let's focus on the families relevant to the war in Ukraine. One is Industroyer, attributed to Sandworm, the hacking unit of Russian military intelligence (GRU). In December 2016 the group used the malware against a transmission substation north of Kyiv; the code opened the station's circuit breakers and left part of the city in the dark.
In April 2022 Sandworm deployed an updated version, Industroyer2, identified by ESET and CERT-UA, in an attempt to cause another blackout by disrupting several high-voltage electrical substations in Ukraine.
So, Pipedream isn’t the most important or the most dangerous piece of ICS-targeting malware. Also, Russian hackers aren’t the only malicious actors in the global theater of cyberwarfare.
In fact, the activity of state-sponsored Russian hackers has so far remained in sync with Russia’s military goals in Ukraine. They’ve been focused on disrupting as much of the enemy infrastructure as possible and will likely continue to do so.
As animosities escalate, Russia will find more countries on its list of enemies, and thus eligible targets for retaliation.
Finally, malicious groups and individuals may use the ensuing chaos to escalate ransomware attacks, forcing countries already under significant economic duress to give in to demands and pay hefty ransoms for their digital negligence.
This raises an important, final question: What can be done to avoid the potential digital bloodshed?
While governments can work on hardening their networks, increasing security and mitigating damage, the best countermeasure is to simply go analog: a device without a digital input/output is impervious to digital attack vectors.
Whether this means implementing backup analog modes that are activated in cases of emergency (and war definitely is one), or completely relying on manual operation, is beside the point. The end result is always minimization of damage and increased resilience of the underlying systems, at the cost of convenience. One caveat: a manual fallback only helps if it is exercised before it is needed, so operators must know how to run the process by hand and switch over under time pressure, and the controllers that remain online still need the network limits and monitoring described above. And in wartime, convenience should be the least of our priorities.