Dragos estimates that Chernovite’s Pipedream malware targets ICS networks
Industrial cybersecurity firm Dragos has released details about the Chernovite Activity Group (AG) that developed Pipedream malware, a modular industrial control system (ICS) attack framework that an adversary could use to cause disruption, degradation, and possibly even destruction depending on the targets and the environment. Dragos assesses that this ICS-tailored malware was developed by a ‘state actor’ and that it was identified before it could be used for its intended purpose.
“Dragos assesses with high confidence that PIPEDREAM has not yet been employed for disruptive or destructive effects,” the company said in a whitepaper. “This is a rare case of analyzing malicious capabilities before employment against victim infrastructure giving defenders a unique opportunity to prepare in advance. Dragos assesses with high confidence that this capability was developed by a state-sponsored adversary with the intention to leverage PIPEDREAM in future operations,” it added.
“We track its developers as the threat group CHERNOVITE, which we assess with high confidence to be a state actor that developed the PIPEDREAM malware for use in disruptive or destructive operations against ICS,” Robert M. Lee, CEO and co-founder of Dragos, wrote in an emailed statement. “Specifically, the initial targeting appears to be liquid natural gas and electric community-specific. However, the nature of the malware is that it works in a wide variety of industrial controllers and systems.”
“PIPEDREAM takes advantage of native functionality in operations, making it more difficult to detect. It includes features such as the ability to spread from controller to controller and leverage popular ICS network protocols such as ModbusTCP and OPC UA,” Lee added.
Dragos said that Pipedream is the seventh known ICS-specific malware, following Stuxnet, Havex, Blackenergy 2, CrashOverride/Industroyer, Trisis/Triton, and Industroyer2. Detections and awareness built around the new tactics, techniques, and procedures (TTPs) will increase the overall security posture of operational technology (OT) environments, regardless of whether Chernovite has deployed Pipedream.
The Pipedream malware is targeted at equipment found in liquefied natural gas (LNG) and electric power environments, but it is reasonable to assume that Chernovite could easily adapt the capabilities of Pipedream to compromise and disrupt a broader set of targets, Dragos said. In addition, the malware is a competent offensive ICS attack framework: it can execute 38 percent of known ICS attack techniques and 83 percent of known ICS attack tactics as measured against the MITRE ATT&CK for ICS behavior matrix, Dragos revealed.
At the highest level, the PLC-related components of Pipedream provide the adversary with an interface for manipulating the targeted devices, Dragos said. “Tools in PIPEDREAM can scan for new devices, brute force passwords, sever connections, and then crash the target device. To accomplish these goals, PIPEDREAM uses several different protocols, including Omron’s proprietary FINS, Modbus, and Schneider Electric’s implementation of CODESYS. Given the variety of protocols that PIPEDREAM abuses, CHERNOVITE possesses a breadth of ICS knowledge beyond any of Dragos’s previously discovered activity groups,” it added.
On Wednesday, the U.S. security agencies and the Department of Energy (DOE) said that specific advanced persistent threat (APT) hackers exhibited the capability to gain full system access to multiple ICS/supervisory control and data acquisition (SCADA) devices. In addition, the APT hackers can leverage the modules to interact with targeted ICS/SCADA devices, enabling lower-skilled cyber actors to emulate the capabilities of higher-skilled ones. The affected hardware includes Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.
The Hanover, Maryland-based company has identified that the Pipedream malware can impact a range of PLCs and industrial software, including specific Omron and Schneider Electric PLCs and OPC UA servers. One of the Schneider Electric PLCs targeted by Pipedream leverages CODESYS as its underlying system architecture, a key component that Pipedream takes advantage of due to its lack of security. CODESYS is a third-party software component used by hundreds of industrial equipment vendors.
Dragos said that Pipedream could currently identify and target Omron and Schneider Electric PLCs. However, the hackers may use the tooling to target and attack controllers from hundreds of additional vendors. Additionally, Pipedream can target a variety of PLCs in multiple verticals due to its versatility.
Chernovite can manipulate the speed and torque of Omron servo motors, which are used in many industrial applications; manipulating them could cause disruption or destruction of industrial processes, leading to potential loss-of-life scenarios, Dragos said. For instance, Chernovite can trigger a denial of control and denial of view for operators using multiple methods, disrupt OT operations by subverting and masquerading within trusted processes, and significantly extend time-to-recovery after an industrial incident by disabling process controllers, potentially requiring them to be returned to the manufacturer before reuse.
Dragos revealed that Chernovite could deliver, install/modify, and execute the ICS attack portions of Stage 2 of the ICS cyber kill chain in several ways. Some possibilities include remotely interacting with PLCs using CODESYS to support numerous attacks, such as brute-forcing passwords, performing denial of service (DoS) against the controller, and severing connections.
It can also remotely interact with Omron PLCs via HTTP and telnet to load a native implant that supports further command execution, or remotely connect to Omron PLCs via exposed HTTP endpoints to change the operating mode, back up and restore configurations, and wipe PLC memory, among other actions, the company added.
Dragos recommends monitoring industrial environments for all threat behaviors in the MITRE ATT&CK for ICS matrix, as adversaries are increasing the scope and scale of their capabilities. In addition, organizations must ensure ICS visibility and threat detection, maintain knowledge and control of all assets within their OT environments, and utilize a fully researched and rehearsed industrial incident response plan that accounts for adversary attempts to deny, disrupt, and destroy processes in order to cause an extended time-to-recovery.
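One way to put the monitoring and asset-knowledge recommendations above into practice, as an added example that is not Dragos's guidance or code: a small Python check over constructed flow records that flags PLC access over the protocols the article names (Modbus/TCP, OPC UA, FINS, CODESYS, HTTP, telnet) from hosts outside an engineering-workstation allowlist, and repeated sessions to password-protected services that may indicate brute forcing. The PLC inventory, the allowlist, the flow records and the port-to-protocol mapping are all assumptions.

```python
"""Detect suspicious access to PLCs over the protocols Pipedream is reported
to abuse. Added example over constructed flow records; not Dragos's or
Pipedream's code. Port numbers are assumed standard defaults."""
from collections import Counter

# Assumed default ports for the protocols named in the article.
ICS_PORTS = {
    502: "Modbus/TCP",
    4840: "OPC UA",
    9600: "Omron FINS",
    1217: "CODESYS",
    80: "HTTP",
    23: "Telnet",
}
# Hypothetical asset inventory: PLC address -> description.
PLC_ASSETS = {"10.0.2.20": "Omron NX PLC", "10.0.2.21": "Schneider CODESYS PLC"}
# Hypothetical allowlist of engineering workstations permitted to reach PLCs.
APPROVED_HOSTS = {"10.0.1.10"}
# Repeated sessions to a password-protected service at or above this count
# are treated as a possible brute-force attempt.
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_PORTS = {1217, 23}

# Constructed flow records: (timestamp, src, dst, dst_port).
FLOWS = [
    ("09:00:01", "10.0.1.10", "10.0.2.21", 1217),
    ("09:00:05", "10.0.1.10", "10.0.2.20", 9600),
] + [("09:01:%02d" % i, "10.0.3.44", "10.0.2.21", 1217) for i in range(6)] + [
    ("09:02:00", "10.0.3.44", "10.0.2.20", 80),
    ("09:02:10", "10.0.3.44", "10.0.2.20", 23),
    ("09:03:00", "10.0.5.9", "10.0.9.9", 443),  # not a PLC; ignored
]

def analyze(flows, plcs=PLC_ASSETS, approved=APPROVED_HOSTS,
            threshold=BRUTE_FORCE_THRESHOLD):
    """Return (kind, src, dst, protocol) alerts for the given flows."""
    alerts, seen_unapproved, sessions = [], set(), Counter()
    for _ts, src, dst, port in flows:
        if dst not in plcs or port not in ICS_PORTS:
            continue  # only PLC-bound traffic on ICS-relevant ports matters
        proto = ICS_PORTS[port]
        if src not in approved and (src, dst, proto) not in seen_unapproved:
            seen_unapproved.add((src, dst, proto))  # one alert per host/PLC/protocol
            alerts.append(("unapproved-host", src, dst, proto))
        sessions[(src, dst, port)] += 1
    for (src, dst, port), n in sessions.items():
        if port in BRUTE_FORCE_PORTS and n >= threshold:
            alerts.append(("possible-brute-force", src, dst, ICS_PORTS[port]))
    return alerts
```

Running `analyze(FLOWS)` on the constructed records reports the unapproved host once per PLC and protocol it touched, plus a separate brute-force alert for its repeated CODESYS sessions.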