
New malware could allow ‘low-skill’ hackers to disrupt critical infrastructure

Newly detected INCONTROLLER malware toolset makes attacking industrial control systems easier, researchers warn.

By Claudia Glover

US security agencies have warned of the emergence of new malware that targets industrial control systems. Although Russia is believed to be behind the new tools, their design could allow “lower-skilled” hackers to disrupt critical national infrastructure, researchers have warned.

Newly detected malware targets the programmable logic controllers from vendors including Schneider Electric and Omron. (Image by Алексей Кравчук / iStock)

US security agencies including the FBI warned yesterday that “certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices using custom-made tools”. 

The warning follows an investigation by French energy management and industrial automation vendor Schneider Electric, the US government, and security consultancy Mandiant into a new set of tools that target industrial control systems.

The toolset, dubbed ‘INCONTROLLER’ by Mandiant, “represents an exceptionally rare and dangerous cyberattack capability,” the company said, comparing it to the Industroyer malware that disrupted Ukrainian electricity infrastructure in December 2016.

It “is very likely state-sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction,” Mandiant wrote.

The malware affects a number of programmable logic controllers – computers that control industrial systems – including those provided by Schneider Electric and Japanese industrial automation supplier Omron, according to cybersecurity vendor Dragos, which has also published research on the new threat.

“This ICS-specific malware could be widespread as Schneider Electric and Omron are so popular,” notes Max Heinemeyer, VP of cyber innovation at security company Darktrace.


Mandiant assesses that the design and capabilities of the malware toolset are consistent with Russia’s previous cyber operations. “We believe INCONTROLLER is very likely linked to a state-sponsored group given the complexity of the malware, the expertise and resources that would be required to build it, and its limited utility in financially motivated operations,” it said.

“While our evidence connecting INCONTROLLER to Russia is largely circumstantial, we note it given Russia’s history of destructive cyberattacks, its current invasion of Ukraine, and related threats against Europe and North America.”

INCONTROLLER malware: lower-skilled attackers

The new malware is more dangerous than general-purpose malware because it is built to interact directly with control systems, explains Heinemeyer. “This is more dangerous than your run of the mill, general-purpose malware because it can interact with and control systems in a way that is very targeted and specific,” he says.

Normally, because ICS and SCADA systems are so complex, specialised knowledge is required to attack them. But “from what we have seen so far, this malware makes a lot of that attacking behaviour much easier by abstracting away a lot of the hard work,” Heinemeyer adds. “This allows lower-skilled attackers to conduct ICS attacks which were previously limited to sophisticated actors, as the malware itself does the heavy lifting.”

More positively, the malware toolset was detected before it was used in any known breach. This is the first time ICS-specific malware has been found before deployment, Dragos founder Robert M Lee claimed on Twitter.

Many expected Russia to use destructive cyberattacks on critical national infrastructure in support of its invasion of Ukraine. Such attacks have been conspicuous by their absence so far, but evidence is now emerging of renewed efforts to compromise industrial control systems.

Earlier this week, Ukrainian officials and IT security vendor ESET revealed details of a failed cyberattack on electrical substations.

