Skip to main content
Blog Post

CHERNOVITE’s PIPEDREAM Malware Targeting Industrial Control Systems (ICS)

PIPEDREAM is the seventh known industrial control system (ICS)-specific malware. The CHERNOVITE Activity Group (AG) developed PIPEDREAM. PIPEDREAM is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.

Dragos identified and analyzed PIPEDREAM’s capabilities through our normal business, independent research, and collaboration with various partners in early 2022. Dragos assesses with high confidence that PIPEDREAM has not yet been employed in the wild for destructive effects.

[Click image to register]

CHERNOVITE’s PIPEDREAM can execute 38 percent of known ICS attack techniques and 83 percent of known ICS attack tactics.1 PIPEDREAM can manipulate a wide variety of industrial control programmable logic controllers (PLC) and industrial software, including Omron and Schneider Electric controllers, and can attack ubiquitous industrial technologies including CODESYS, Modbus, and Open Platform Communications Unified Architecture (OPC UA). Together, PIPEDREAM can affect a significant percentage of industrial assets worldwide. PIPEDREAM is not currently taking advantage of any Schneider or Omron vulnerabilities, instead it leverages native functionality.

While CHERNOVITE is specifically targeting Schneider Electric and Omron PLCs, there could be other modules targeting other vendors as well, and PIPEDREAM’s functionality could work across hundreds of different controllers. Said simply, a focus on the equipment vendor is misplaced, and instead the focus should be placed on the tactics and techniques the adversary is leveraging.

Mapping CHERNOVITE/PIPEDREAM Behaviors to MITRE ATT&CK for ICS Matrix [click image to enlarge]

PIPEDREAM accomplishes this far-reaching impact through a series of five components that Dragos labels:

  • EVILSCHOLAR
  • BADOMEN
  • DUSTTUNNEL
  • MOUSEHOLE
  • LAZYCARGO

These combined components allow CHERNOVITE to enumerate an industrial environment, infiltrate engineering workstations, exploit process controllers, cross security and process zones, fundamentally disable controllers, and manipulate executed logic and programming. All of these capabilities can lead to a loss of safety, availability, and control of an industrial environment, dramatically increasing time-to-recovery, while potentially placing lives, livelihoods, and communities at risk.

Due to the historic and expansive nature of PIPEDREAM, mitigating the CHERNOVITE threat will require a robust strategy, and not simply applying cybersecurity fundamentals. Dragos recommends the following defensive mitigations.

Recommendations
  • Monitor industrial environments for all threat behaviors in the MITRE ATT&CK for ICS matrix as adversaries are increasing their scope and scale of capabilities.
  • Ensure ICS visibility and threat detection include all ICS North-South and East-West communications — network edge and perimeter monitoring are insufficient for PIPEDREAM.
  • Maintain knowledge and control of all assets within Operational Technology (OT) environments, including details such as ensuring only known-good firmware and controller configuration files are in use.
  • Utilize a fully researched and rehearsed industrial incident response plan that includes attempts by adversaries to deny, disrupt, and destroy processes ensuring an extended time-to-recovery.
CHERNOVITE Diamond Model Diagram
[click image to enlarge]

Get the complete analysis

Read the complete analysis on CHERNOVITE and the PIPEDREAM malware targeting ICS, with defensive recommendations on what to do to protect against possible cyber attack.
References

1 As measured against the MITRE ATT&CK for ICS malicious behavior matrix.

Read next blog post

Blog

Upskill ICS/OT Cybersecurity in an IT World with Splunk’s BOTS Virtual Challenge

04.07.22

View more Blog Posts

Right Arrow

Ready to put your insights into action?

Take the next steps and contact our team today.