Pipedream: new malware designed to attack industrial control systems identified
- Published: Wednesday, 20 April 2022 07:57
Dragos has released details of Pipedream, newly discovered malware that has been built specifically to disrupt industrial processes. Pipedream is the seventh known industrial control system (ICS)-specific malware. It is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction, depending on the targets and the environment.
What is Pipedream?
Pipedream can execute 38 percent of known ICS attack techniques and 83 percent of known ICS attack tactics. It can manipulate a wide variety of industrial programmable logic controllers (PLCs) and industrial software, including Omron and Schneider Electric controllers, and can attack ubiquitous industrial technologies including CODESYS, Modbus, and Open Platform Communications Unified Architecture (OPC UA).
While the malware developers are specifically targeting Schneider Electric and Omron PLCs, there could be other modules targeting other vendors as well, and Pipedream’s functionality could work across hundreds of different controllers.
How to protect against Pipedream?
Due to the expansive nature of Pipedream, mitigating the threat will require a robust strategy, and not simply applying cyber security fundamentals, says Dragos. The company recommends the following mitigations:
- Monitor industrial environments for all threat behaviors in the MITRE ATT&CK for ICS matrix as adversaries are increasing their scope and scale of capabilities.
- Ensure ICS visibility and threat detection include all ICS North-South and East-West communications — network edge and perimeter monitoring are insufficient for Pipedream.
- Maintain knowledge and control of all assets within Operational Technology (OT) environments, including details such as ensuring only known-good firmware and controller configuration files are in use.
- Utilize a fully researched and rehearsed industrial incident response plan that accounts for adversaries attempting to deny, disrupt, and destroy processes in order to extend time-to-recovery.
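The second and third mitigations above (inspect East-West traffic between controllers, not just the perimeter, and keep only known-good firmware and configuration in use) can be turned into concrete checks. The following is an added example written for this article, not Dragos's code or any detection content from the Pipedream report. It assumes a network sensor that already labels flows as Modbus TCP or OPC UA and exports the Modbus function code, and an asset inventory that records firmware version and a hash of each controller's configuration file; every address, asset name, hash and record below is constructed sample data.

```python
"""
Added example (not from the original article or from Dragos): two small
defender-side checks that follow the article's mitigation list.
All addresses, asset names, hashes and flow records are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes that change controller state (coils / registers).
# 5 = write single coil, 6 = write single register, 15 = write multiple coils,
# 16 = write multiple registers, 22 = mask write register, 23 = read/write multiple.
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str            # "modbus" or "opcua", as labelled by the (assumed) sensor
    func: Optional[int]   # Modbus function code; None for OPC UA


def find_suspicious_flows(flows: List[Flow], controllers: set, engineering_hosts: set):
    """Return (reason, flow) pairs for traffic the baseline does not explain.

    Two rules aimed at behaviour the article attributes to Pipedream:
      * east_west: a controller speaking Modbus/OPC UA to another controller
        (PLC-to-PLC sessions are not a normal pattern in most plants)
      * unapproved_write: a Modbus write whose source is not a known
        engineering workstation
    """
    findings = []
    for f in flows:
        if f.proto not in ("modbus", "opcua"):
            continue
        if f.src in controllers and f.dst in controllers:
            findings.append(("east_west", f))
        if (f.proto == "modbus" and f.func in MODBUS_WRITE_CODES
                and f.src not in engineering_hosts):
            findings.append(("unapproved_write", f))
    return findings


def check_asset_baseline(observed: dict, baseline: dict) -> List[Tuple[str, str]]:
    """Compare observed {asset: (firmware, config_sha256)} against the
    known-good inventory and report every kind of drift."""
    drift = []
    for asset, (fw, cfg) in observed.items():
        if asset not in baseline:
            drift.append((asset, "unknown_asset"))
            continue
        good_fw, good_cfg = baseline[asset]
        if fw != good_fw:
            drift.append((asset, "firmware_mismatch"))
        if cfg != good_cfg:
            drift.append((asset, "config_mismatch"))
    for asset in baseline:
        if asset not in observed:
            drift.append((asset, "missing_asset"))
    return sorted(drift)


# ---- constructed sample data -------------------------------------------------
CONTROLLERS = {"10.10.1.11", "10.10.1.12", "10.10.2.21"}
ENGINEERING = {"10.10.0.5"}
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.10.1.11", 502, "modbus", 16),     # engineering write: expected
    Flow("10.10.0.9", "10.10.1.11", 502, "modbus", 3),      # HMI read: expected
    Flow("10.10.0.9", "10.10.1.12", 502, "modbus", 6),      # HMI writing a register: unapproved
    Flow("10.10.1.11", "10.10.2.21", 502, "modbus", 16),    # PLC -> PLC write: east-west + unapproved
    Flow("10.10.1.12", "10.10.1.11", 4840, "opcua", None),  # PLC -> PLC OPC UA: east-west
]

BASELINE = {  # known-good inventory (constructed)
    "PLC-01": ("fw 2.3.1", "a1b2"),
    "PLC-02": ("fw 2.3.1", "c3d4"),
    "PLC-03": ("fw 4.0.0", "e5f6"),
}
OBSERVED = {  # what the latest asset sweep found (constructed)
    "PLC-01": ("fw 2.3.1", "a1b2"),
    "PLC-02": ("fw 2.3.1", "ffff"),   # configuration file changed
    "PLC-04": ("fw 1.0.0", "0000"),   # controller not in the inventory
}

if __name__ == "__main__":
    for reason, flow in find_suspicious_flows(SAMPLE_FLOWS, CONTROLLERS, ENGINEERING):
        print(f"{reason:17s} {flow.src} -> {flow.dst}:{flow.dport} {flow.proto} func={flow.func}")
    for asset, kind in check_asset_baseline(OBSERVED, BASELINE):
        print(f"{kind:18s} {asset}")
```

Run against the sample data, the flow check raises four findings (one unapproved write from the HMI, the PLC-to-PLC Modbus write twice, once per rule, and the PLC-to-PLC OPC UA session) and the baseline check reports the changed configuration on PLC-02, the missing PLC-03 and the unknown PLC-04. Neither rule depends on a signature for Pipedream itself; both key on the protocol behaviour the article describes, which is what makes them useful against modules for vendors not yet named.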
“Since early 2022, Dragos has been analysing the Pipedream toolset. We track its developers as the threat group Chernovite, which we assess with high confidence to be a state actor. Pipedream malware has been developed for use in disruptive or destructive operations against ICS. Specifically, the initial targeting appears to be liquid natural gas and electric community specific. However, the nature of the malware is that it works in a wide variety of industrial controllers and systems.
“Pipedream initially targets Schneider Electric and Omron controllers; however, there are no vulnerabilities specific to those product lines. Pipedream takes advantage of native functionality in operations, making it more difficult to detect. It includes features such as the ability to spread from controller to controller, and leverages popular ICS network protocols such as ModbusTCP and OPC UA.
“Uniquely, this malware has not been employed in target networks. This provides defenders a unique opportunity to defend ahead of the attacks. While the malicious capability is sophisticated, with a wide range of functionality, applying fundamental ICS cybersecurity practices such as having a defensible architecture, an ICS-specific incident response plan, and ICS network monitoring provides a robust defense against this threat.”