CHERNOVITE’s PIPEDREAM Malware Targeting Industrial Control Systems (ICS)

By Dragos Team

April 14, 2022

PIPEDREAM is the seventh known industrial control system (ICS)-specific malware. The CHERNOVITE Activity Group (AG) developed PIPEDREAM. PIPEDREAM is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.

Dragos identified and analyzed PIPEDREAM’s capabilities through our normal business, independent research, and collaboration with various partners in early 2022. Dragos assesses with high confidence that PIPEDREAM has not yet been employed in the wild for destructive effects.

CHERNOVITE’s PIPEDREAM can execute 38 percent of known ICS attack techniques and 83 percent of known ICS attack tactics.¹ PIPEDREAM can manipulate a wide variety of industrial control programmable logic controllers (PLC) and industrial software, including Omron and Schneider Electric controllers, and can attack ubiquitous industrial technologies including CODESYS, Modbus, and Open Platform Communications Unified Architecture (OPC UA). Together, PIPEDREAM can affect a significant percentage of industrial assets worldwide. PIPEDREAM is not currently taking advantage of any Schneider or Omron vulnerabilities, instead it leverages native functionality.

While CHERNOVITE is specifically targeting Schneider Electric and Omron PLCs, there could be other modules targeting other vendors as well, and PIPEDREAM’s functionality could work across hundreds of different controllers. Said simply, a focus on the equipment vendor is misplaced, and instead the focus should be placed on the tactics and techniques the adversary is leveraging.

Mapping CHERNOVITE/PIPEDREAM Behaviors to MITRE ATT&CK for ICS Matrix [click image to enlarge]

PIPEDREAM accomplishes this far-reaching impact through a series of five components that Dragos labels:

EVILSCHOLAR
BADOMEN
DUSTTUNNEL
MOUSEHOLE
LAZYCARGO

These combined components allow CHERNOVITE to enumerate an industrial environment, infiltrate engineering workstations, exploit process controllers, cross security and process zones, fundamentally disable controllers, and manipulate executed logic and programming. All of these capabilities can lead to a loss of safety, availability, and control of an industrial environment, dramatically increasing time-to-recovery, while potentially placing lives, livelihoods, and communities at risk.

Due to the historic and expansive nature of PIPEDREAM, mitigating the CHERNOVITE threat will require a robust strategy, and not simply applying cybersecurity fundamentals. Dragos recommends the following defensive mitigations.

Recommendations

Monitor industrial environments for all threat behaviors in the MITRE ATT&CK for ICS matrix as adversaries are increasing their scope and scale of capabilities.
Ensure ICS visibility and threat detection include all ICS North-South and East-West communications — network edge and perimeter monitoring are insufficient for PIPEDREAM.
Maintain knowledge and control of all assets within Operational Technology (OT) environments, including details such as ensuring only known-good firmware and controller configuration files are in use.
Utilize a fully researched and rehearsed industrial incident response plan that includes attempts by adversaries to deny, disrupt, and destroy processes ensuring an extended time-to-recovery.

Recommendations

CHERNOVITE Diamond Model Diagram