Expert Insight On PIPEDREAM, The 7th Known Malware To Specifically Target Industrial Control Systems

By   ISBuzz Team
Writer , Information Security Buzz | Apr 14, 2022 07:16 am PST

Amid escalating threats to global critical infrastructure, last night Dragos announced the discovery of new malware specifically developed to disrupt industrial processes: PIPEDREAM.

This is the seventh ever publicly known ICS-specific malware, following INDUSTROYER2, STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, and TRISIS.

Since early 2022, Dragos has been analyzing PIPEDREAM malware. PIPEDREAM was developed by a new threat group Dragos identifies as CHERNOVITE. Dragos assesses with high confidence this threat group created PIPEDREAM for use in disruptive or destructive operations against Industrial Control Systems (ICS).

Media Resources:

Last night’s advisory by the US Cybersecurity and Infrastructure Security Agency (CISA):

Dragos blog:

Dragos white paper:

Dragos page on newly named Chernovite Activity Group:

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Robert M. Lee
Robert M. Lee , CEO and Co-Founder
April 14, 2022 3:16 pm

Since early 2022, Dragos has been analysing the PIPEDREAM toolset, which is the seventh ever ICS specific malware. We track its developers as the threat group CHERNOVITE, which we assess with high confidence to be a state actor that developed the PIPEDREAM malware for use in disruptive or destructive operations against ICS. Specifically the initial targeting appears to be liquid natural gas and electric community specific. However, the nature of the malware is that it works in a wide variety of industrial controllers and systems.

The PIPEDREAM malware initially targets Schneider Electric and Omron controllers, however there are not vulnerabilities specific to those product lines. PIPEDREAM takes advantage of native functionality in operations, making it more difficult to detect. It includes features such as the ability to spread from controller to controller, and leverage popular ICS network protocols such as ModbusTCP and OPC UA.

Uniquely, this malware has not been employed in target networks. This provides defenders a unique opportunity to defend ahead of the attacks. While the malicious capability is sophisticated, with a wide range of functionality, applying fundamental ICS cybersecurity practices such as having a defensible architecture, ICS specific incident response plan, and ICS network monitoring provide a robust defense against this threat.

Last edited 1 year ago by Robert M. Lee

Recent Posts

Would love your thoughts, please comment.x