Staff at cybersecurity firm Dragos warned on Tuesday that the Pipedream malware they discovered this month represents “a threat that should be taken seriously,” with potential to disrupt industrial control systems (ICS) across a wide range of critical infrastructure sectors.

Dragos disclosed the Pipedream malware suite April 13, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency confirmed the discovery separately in a joint statement with the FBI and National Security Agency. (See E-ISAC Warns of Escalating Russian Cyber Threats.)

Sam Hanson, Dragos | Dragos

The firm dubbed Pipedream’s developer “Chernovite,” in keeping with its policy of not attributing hacks to specific nation-states or other groups, and said it appears to be an “impact group” focused on conducting the actual cyberattack rather than gaining access to target networks. The group appears capable of operating in both information technology and operational technology networks, giving it “the potential for significant industry impact.”

In a webinar focused on the new malware, Dragos Vulnerability Analyst Sam Hanson emphasized that the Chernovite team appear to be “professionals [with] the resources on their side to improve their capabilities and industrial impact over time.” While there is no evidence Pipedream has been used in any attacks so far, its existing capabilities and the sophistication of its developers mean the danger is likely to rise over time.

Modular Structure Allows Wide Range of Targets

The version of Pipedream discovered this month targets programmable logic controllers (PLC) from Schneider Electric and Omron Automation, along with Open Platform Communications Unified Architecture (OPC UA) servers. PLCs are computer systems that constantly monitor the state of input devices and control the state of output devices, while OPC UA is an open-source standard for data exchange between sensors and cloud applications.

However, presenters in Tuesday’s webinar warned that users should not assume they are safe because they don’t work with these two vendors. The modular nature of Pipedream means it can be easily modified to attack equipment from other manufacturers or different types of ICS hardware.

Rather than a single tool, Dragos’ researchers said Pipedream is more like a collection of utilities that an attacker “could package together or use individually.” Its many components — given code names by Dragos — include Evilscholar, which enables interaction with Schneider Electric controllers; Badomen, which interacts with Omron controllers; Mousehole, for OPC UA servers; Dusttunnel, a Microsoft Windows implant that facilitates remote interactive operations; and Lazycargo, which can be used to install an unsigned driver on a target device.

In a sample deployment scenario Dragos shared, an initial access group — likely separate from Chernovite — gains entry into an enterprise network, after which Chernovite uses Dusttunnel to establish a permanent foothold and move laterally into an OT network. Mousehole is then used to identify OPC UA servers and connected devices. The attacker can then use Evilscholar and Badomen to interact with the appropriate PLCs and disrupt the target’s operations.

Malware Teams’ Sophistication Growing

Jimmy Wylie, Dragos | Dragos

Jimmy Wylie, Dragos’ principal malware analyst, emphasized that the discovery of Pipedream’s capabilities does not mean it has been neutralized; the targeted hardware is used across the electricity, oil and gas sectors, and should be considered vulnerable without mitigating activities. Recommendations for Schneider Electric devices include changing default credentials and monitoring for new outbound connections; for Omron equipment, restricting access to certain ports and, where possible, restricting workstations from making outbound connections; and disabling OPC UA discovery to reduce the target’s “attack surface.”

In addition, Wylie warned that the new malware displayed a much greater level of sophistication than relatively “sloppy” tactics seen in the last decade, suggesting the pace of malware development is accelerating.

“This is an attack tool, and also a research utility,” Wylie said. “Pipedream combines the breadth of knowledge of Crashoverride” — the malware used to attack Ukraine’s power grid in 2017, also called Industroyer — “with the in-depth knowledge of protocols of Trisis,” which was used in a cyberattack against targets in the Middle East in 2017.

“In six years, we’ve gone from something that was sloppy and defective” — referring to Crashoverride — “to something that’s professionally made and easy to use,” he added.