But private security experts who worked in parallel with government agencies to analyze the system said it was likely to be Russian, that its top target was probably liquefied natural gas production facilities, and that it would take months or years to develop strong defenses against it.
That combination makes the discovery of the system, dubbed Pipedream by industrial control security experts Dragos, the realization of the worst fears of longtime cybersecurity experts. Some compared it to Stuxnet, which the United States and Israel used more than a dozen years ago to damage equipment used in Iran’s nuclear program.
The program manipulates equipment found in virtually all complex industrial plants rather than capitalizing on unknown flaws that can be easily fixed, so almost any plant could fall victim, investigators said.
“This is going to take years to recover from,” said Sergio Caltagirone, vice president of threat intelligence at Dragos and a former global technical lead at the National Security Agency.
The initial report of the system’s discovery came in a joint warning notice issued by the National Security Agency, the Energy Department, the Cybersecurity and Infrastructure Security Agency and the FBI. The agencies urged the energy sector and others to install monitoring programs and require multifactor authentication for remote logins, among other steps.
The “tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices,” the advisory said.
Dragos said the malicious computer code was probably aimed at liquefied natural gas plants because its most detailed attack methods appeared intended to target equipment that would be in such facilities.
In particular, the program contains methods for subverting controllers made by France’s Schneider Electric and Omron of Japan, as well as an open-source framework for moving data from sensors into applications, called OPC Unified Architecture.
The software is intended to take advantage of longstanding issues that make defending control systems difficult. Those include the industry’s requirements for compatibility among products made by different vendors, which means that data flowing from one type of equipment to the next must do so unencrypted.
Another systemic flaw is that it is hard to monitor what is going on inside physical equipment.
Perhaps the most concerning aspect of the software was its seeming effort to target the way most industrial facilities protect themselves from cyberattack by keeping aspects of the operation separated from one another.
Pipedream can target hundreds of types of what are known as programmable logic controllers, or PLCs, which link operations. A few previous industrial attacks, including one attributed by Western intelligence to Russia against energy facilities, attacked a specific kind of PLC used in safety equipment.
Two years ago, the United States sanctioned a Russian lab it said was behind the software, called Triton or Trisis, used in that 2017 attack on a Saudi petrochemical plant. That attack cost the plant millions of dollars in lost production but could have been far worse if it had worked as designed.
Pipedream goes further, using the omnipresent code in PLCs to break through layers and probe more deeply into the heart of a facility.
Based largely on previous attacks, security firm Mandiant said Russia was probably behind the new system and that those at greatest risk from it in the near term included Ukraine and the NATO countries helping to protect it from Russia’s attack.
The attack kit “contains capabilities related to disruption, sabotage, and potentially physical destruction. While we are unable to definitively attribute the malware, we note that the activity is consistent with Russia’s historical interest,” said Mandiant Director of Intelligence Analysis Nathan Brubaker.
Liquefied natural gas, including from the United States, is playing a growing role as an alternative to Russian oil and gas imports that the European Union has pledged to reduce because of the invasion.