Several U.S. government agencies issued a joint advisory Wednesday warning of the discovery of a suite of malicious cyber tools, created by as-yet-unidentified advanced threat actors, that is capable of sabotaging the energy sector and other critical industries.
The Departments of Energy and Homeland Security, the FBI and the National Security Agency did not name the actors or provide details about the discovery. But their private-sector cybersecurity partners say the evidence suggests Russia is behind the tools, which are built to disrupt industrial control systems, and that they were initially configured to target energy facilities in North America.
Mandiant, one of the cybersecurity firms involved, called the tools “extremely rare and dangerous.”
In a report, it described the tools' functionality as "consistent with the malware used in Russia's prior physical attacks," although it acknowledged that the evidence linking them to Moscow was "largely circumstantial."
Robert M. Lee, CEO of Dragos, another of the government's partners, agreed that a state actor almost certainly created the malware, which he said was originally configured to target liquefied natural gas and electric power sites in North America.
Lee deferred questions about the identity of the state actor to the U.S. government and would not elaborate on how the malware was discovered, other than to say it was caught "before an attack was attempted."
"We are actually one step ahead of the opposition. We don't want anyone to understand where they've gone wrong," Lee said. "Big win."
The Cybersecurity and Infrastructure Security Agency, which issued the advisory, declined to identify the threat actor.
The U.S. government has warned the critical infrastructure industry of possible Russian cyberattacks in retaliation for the severe economic sanctions imposed on Moscow in response to its February 24 invasion of Ukraine.
Officials say Russian hackers are particularly interested in the U.S. energy sector, and CISA issued a statement Wednesday urging operators to be especially attentive to the recommended mitigation measures. Last month, the FBI warned that Russian hackers had scanned at least five unnamed energy companies for vulnerabilities.
Lee said the malware was “designed as a framework to go after and leverage multiple industries. Based on its configuration, the primary target would be LNG and electricity in North America.”
Mandiant said the tools posed the greatest threat to Ukraine, NATO member states and other countries helping Kiev defend itself against Russia's military aggression.
It said the malware could be used to shut down critical devices, sabotage industrial processes and disable safety controllers, leading to physical destruction of machinery that could cost human lives. It compared the tools with Triton, malware the U.S. government has attributed to a Russian government research institute, which targeted safety systems and twice forced the emergency shutdown of a Saudi oil refinery in 2017, and with Industroyer, the malware Russian military hackers used in 2016 to cause a power outage in Ukraine.
Lee said the newly discovered malware, called Pipedream, is only the seventh such malicious software designed to attack industrial control systems.
Lee said Dragos, which specializes in protecting industrial control systems, identified the malware and analyzed its capabilities in early 2022 as part of its normal business research and in collaboration with partners.
He would not be more specific. In addition to Dragos and Mandiant, the U.S. government advisory credits Microsoft, Palo Alto Networks and Schneider Electric for their contributions.
Schneider Electric is one of the controller manufacturers whose equipment is targeted by the malware. Omron is another. Mandiant says it analyzed the tools together with Schneider Electric in early 2022.
In a statement, Wendy Whitmore, an executive at Palo Alto Networks, said: "We have been warning for years that our critical infrastructure is under constant attack. Today's warnings are a reflection of how sophisticated our opponents have become."
Microsoft had no comment.