
Russian-linked malware was close to putting U.S. electric, gas facilities ‘offline’ last year

The malware was targeted at around a dozen U.S. facilities in the weeks after the invasion of Ukraine.


Hackers linked to Russia got very close to being able to take a dozen U.S. electric and gas facilities offline in the first weeks of the war in Ukraine, the head of a top cybersecurity company warned Tuesday.

Robert M. Lee, the founder and CEO of Dragos, which helps companies respond to cyberattacks, said hackers with a group Dragos calls “Chernovite” were using malicious software to try to take down “around a dozen” U.S. electric and liquid natural gas sites.

“This is the closest we’ve ever been to having U.S. or European infrastructure, I’d say U.S. infrastructure, go offline,” Lee told reporters in a briefing. “It wasn’t employed on one of its targets, they weren’t ready to pull the trigger, they were getting very close.” Lee declined to offer details on what prevented the attack from succeeding, but said it was halted by a coalition of U.S. government and cyber industry groups.

While the U.S. government disclosed last year that the new malware — called PIPEDREAM — was capable of infiltrating U.S. industrial control systems across multiple key sectors, Lee’s comments suggest that the danger was more acute than officials had disclosed. And his disclosure offers a new picture of the U.S. energy supply’s vulnerability to a crippling cyber assault — a possibility that had drawn widespread concern during the run-up to Russian President Vladimir Putin’s February 2022 invasion.

Lee described the malware as a “state-level, wartime capability.” He did not say if the malware had actually been installed in the targeted networks or if the hackers were just close to getting into the systems.

While Dragos does not link hacking groups to nation states as a matter of policy, other security researchers have said the PIPEDREAM malware used by Chernovite is likely connected to Russia.

The U.S. announced its discovery of the dangerous malware in April 2022, just three weeks after President Joe Biden warned that Russia was “exploring options for potential cyberattacks” against the U.S. and urged critical infrastructure groups to step up security efforts.

Lee said that Dragos worked with partners including the Cybersecurity and Infrastructure Security Agency, the Department of Energy, the FBI and the National Security Agency to “keep something off of American soil that was going to be disruptive in nature.”

“I don’t use those words lightly, not trying to hype anything up, but the state actor responsible for this, there is no chance that this was not their go-to package to be able to actually bring down infrastructure,” Lee said.

A spokesperson for CISA declined to comment on the impact of the malware, and the three other agencies did not respond to requests for comment. When they first announced the discovery of the malware, the agencies said in a joint alert that “certain advanced persistent threat actors” were using new tools to impact multiple types of industrial control systems.

According to Dragos, PIPEDREAM malware is the “first ever” type that can be used across a variety of industrial control systems, and that was not designed to disrupt one specific system — making it particularly dangerous. The malware also does not get into systems through vulnerabilities that could be patched, making it very hard to defend against.

“You could increase temperatures, you could have unsafe conditions in a plant,” Lee said of the impact the use of PIPEDREAM could have. “There is no need to exploit anything, there is no need to find a vulnerability when a capability is already built into the plant so the plant environments can operate.”

Lee told reporters that he believed that since the PIPEDREAM malware was not used successfully against any U.S. infrastructure, the security community “moved past it quickly,” but that there is more to come from these hackers.

“Chernovite is still active, so we assess with high confidence that they are still active and working on this framework and we expect to see it deployed in the future,” Lee said.