US security agencies have warned of new malware that targets industrial control systems. Although Russia is believed to be behind the tools, researchers warn that their design could allow “lower-skilled” attackers to disrupt critical national infrastructure.

Image: Newly detected malware targets programmable logic controllers from vendors including Schneider Electric and Omron. (Image by Алексей Кравчук / iStock)

US security agencies including the FBI warned yesterday that “certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices using custom-made tools”. 

The warning follows an investigation into the new toolset by French industrial automation vendor Schneider Electric, US government agencies and security consultancy Mandiant.

The toolset, dubbed ‘INCONTROLLER’ by Mandiant, “represents an exceptionally rare and dangerous cyberattack capability,” the company said, comparable to the Industroyer malware that disrupted Ukrainian electricity infrastructure in 2016.

It “is very likely state-sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction,” Mandiant wrote.

The malware targets a number of programmable logic controllers (PLCs), the ruggedised computers that directly drive industrial equipment, including models from Schneider Electric and Japanese industrial automation supplier Omron, according to cybersecurity vendor Dragos, which tracks the toolset under the name PIPEDREAM and has also published research on the threat. Many of the tools talk to the controllers over their native industrial protocols, so network segmentation and monitoring of OT traffic matter more than any single patch.

“This ICS-specific malware could be widespread as Schneider Electric and Omron are so popular,” notes Max Heinemeyer, VP of cyber innovation at security company Darktrace.

Mandiant assesses that the design and capabilities of the toolset are consistent with Russia’s past cyber operations, although it stops short of a firm attribution. “We believe INCONTROLLER is very likely linked to a state-sponsored group given the complexity of the malware, the expertise and resources that would be required to build it, and its limited utility in financially motivated operations,” it said.

“While our evidence connecting INCONTROLLER to Russia is largely circumstantial, we note it given Russia’s history of destructive cyberattacks, its current invasion of Ukraine, and related threats against Europe and North America.”

INCONTROLLER malware: lower-skilled attackers

The new malware is more sophisticated than previous threats targeting control systems, explains Heinemeyer. “This is more dangerous than your run of the mill, general-purpose malware because it can interact with and control systems in a way that is very targeted and specific,” he says.

Normally, because ICS and SCADA environments are so complex and vendor-specific, attacking them requires specialised knowledge of the target process and its control protocols. But “from what we have seen so far, this malware makes a lot of that attacking behaviour much easier by abstracting away a lot of the hard work,” Heinemeyer adds. “This allows lower-skilled attackers to conduct ICS attacks which were previously limited to sophisticated actors, as the malware itself does the heavy lifting.”

More positively, the toolset was identified before it had been used in any known intrusion. This is a first, Dragos founder Robert M Lee claimed on Twitter.

Russia was expected by many to use destructive cyberattacks on critical national infrastructure in support of its invasion of Ukraine. Such attacks have been conspicuous by their absence so far but evidence is now emerging that suggests renewed efforts to compromise industrial control systems.

Earlier this week, Ukrainian officials and IT security vendor ESET revealed details of a failed cyberattack on high-voltage electrical substations that used a new variant of the Industroyer malware.
