Amid escalating threats to global critical infrastructure, last night Dragos announced the discovery of new malware specifically developed to disrupt industrial processes: PIPEDREAM.
This is the seventh ever publicly known ICS-specific malware, following INDUSTROYER2, STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, and TRISIS.
Since early 2022, Dragos has been analyzing PIPEDREAM malware. PIPEDREAM was developed by a new threat group Dragos identifies as CHERNOVITE. Dragos assesses with high confidence this threat group created PIPEDREAM for use in disruptive or destructive operations against Industrial Control Systems (ICS).
Media Resources:
Last night’s advisory by the US Cybersecurity and Infrastructure Security Agency (CISA): https://www.cisa.gov/uscert/ncas/current-activity/2022/04/13/apt-actors-target-icsscada-devices
Dragos blog: https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems
Dragos white paper: https://hub.dragos.com/whitepaper/chernovite-pipedream
Dragos page on newly named Chernovite Activity Group: https://www.dragos.com/threat/chernovite/
Since early 2022, Dragos has been analysing the PIPEDREAM toolset, which is the seventh ever ICS specific malware. We track its developers as the threat group CHERNOVITE, which we assess with high confidence to be a state actor that developed the PIPEDREAM malware for use in disruptive or destructive operations against ICS. Specifically the initial targeting appears to be liquid natural gas and electric community specific. However, the nature of the malware is that it works in a wide variety of industrial controllers and systems.
The PIPEDREAM malware initially targets Schneider Electric and Omron controllers, however there are not vulnerabilities specific to those product lines. PIPEDREAM takes advantage of native functionality in operations, making it more difficult to detect. It includes features such as the ability to spread from controller to controller, and leverage popular ICS network protocols such as ModbusTCP and OPC UA.
Uniquely, this malware has not been employed in target networks. This provides defenders a unique opportunity to defend ahead of the attacks. While the malicious capability is sophisticated, with a wide range of functionality, applying fundamental ICS cybersecurity practices such as having a defensible architecture, ICS specific incident response plan, and ICS network monitoring provide a robust defense against this threat.