Pipedream Malware Continues to Shred Industrial Systems

Tags: Pipedream, Dragos, Industrial Control System, ICS, Chernovite, Incontroller
In 2022, the Chernovite threat group created Pipedream, a new modular malware toolset designed to attack Industrial Control Systems (ICS). This powerful toolset has the potential to launch devastating attacks on tens of thousands of critical industrial devices.

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

CHERNOVITE (Russian Federation)

The CHERNOVITE threat group has been active since 2021 and is capable of disrupting, degrading, and potentially destroying industrial environments and the physical processes within them. The group has developed a highly capable offensive Industrial Control Systems (ICS) malware framework, with PIPEDREAM being one of the key pieces of malware it uses.

PIPEDREAM gives operators the ability to scan for new devices, brute-force passwords, sever connections, and crash the target device. It uses several different protocols, including FINS, Modbus, and Schneider Electric's implementation of CoDeSys. While previous threat groups exploited the OPC-DA protocol to manipulate industrial control systems, CHERNOVITE uses the newer but comparable OPC-UA protocol. The PLC-related components of PIPEDREAM provide an interface for manipulating targeted devices, and the framework also contains tools for intrusion operations against Windows hosts. PIPEDREAM relies on various ubiquitous technologies to facilitate intrusion and exploitation.

It is important to note that, as of the time the information was published, PIPEDREAM had not yet been deployed in the wild. This rare case of obtaining and analyzing adversary capabilities before their deployment gives defenders a unique opportunity to prepare in advance. The malware is targeted at equipment in liquefied natural gas (LNG) and electric power environments, but it is reasonable to assume that CHERNOVITE could adapt the capabilities of PIPEDREAM to compromise and disrupt a broader set of targets.

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediations
  • Adopt stringent security protocols, including robust passwords, multi-factor authentication, and timely software updates. 

  • Educate personnel about cyber threats and protective measures. 

  • Develop a contingency plan for responding to and recovering from a cyber-attack.


Recommendations

  • Monitor industrial environments for all threat behaviors in the MITRE ATT&CK for ICS matrix as adversaries are increasing their scope and scale of capabilities.

  • Ensure ICS visibility and threat detection include all ICS North-South and East-West communications — network edge and perimeter monitoring are insufficient for PIPEDREAM.

  • Maintain knowledge and control of all assets within Operational Technology (OT) environments, including details such as ensuring only known-good firmware and controller configuration files are in use.

  • Utilize a fully researched and rehearsed industrial incident response plan that accounts for adversary attempts to deny, disrupt, and destroy processes, including attempts to prolong the time-to-recovery.

Reports & References (2)

Observed Countries (250)
