CISA has released an urgent security advisory about the Chernovite Pipedream ICS malware. It was issued in conjunction with the US Department of Energy (DoE), NSA and FBI. The advisory warns that “certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices.”
It goes on to list the devices impacted as:
- Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
- OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
- OPC Unified Architecture (OPC UA) servers.
This is no random attack. The Chernovite APT group has built customised tools to target the ICS/SCADA devices. The attack starts with the compromise of the Windows or OT networks. After that, the attackers scan for target devices and then deploy custom malware.
The CISA advisory mentions an exploit that compromises an ASRock motherboard with known vulnerabilities. It is a motherboard that CISA says is found on both OT and IT networks. Once the ICS/SCADA devices are compromised, the attackers elevate privileges and spread across the network. That access also allows them to disrupt devices, degrade services or, in extreme instances, cause destruction.
Of interest is that this advisory gives technical details of how Pipedream compromises the devices from each vendor. There is also a section that lists mitigations that network defenders can take to protect themselves.
What do we know about Chernovite and Pipedream?
ICS and OT security vendor Dragos has been tracking the Chernovite activity group. It has obtained copies of and analysed the Pipedream ICS attack framework. That work underpins the CISA announcement. Importantly, Dragos also says that “Pipedream has not yet been deployed in the wild for destructive effects.”
According to Robert M Lee, CEO and Co-Founder of Dragos: “Since early 2022, Dragos has been analysing the PIPEDREAM toolset, which is the seventh ever ICS specific malware. We track its developers as the threat group CHERNOVITE, which we assess with high confidence to be a state actor that developed the PIPEDREAM malware for use in disruptive or destructive operations against ICS. Specifically the initial targeting appears to be liquid natural gas and electric community specific. However, the nature of the malware is that it works in a wide variety of industrial controllers and systems.
“The PIPEDREAM malware initially targets Schneider Electric and Omron controllers; however, there are not vulnerabilities specific to those product lines. PIPEDREAM takes advantage of native functionality in operations, making it more difficult to detect. It includes features such as the ability to spread from controller to controller, and leverage popular ICS network protocols such as ModbusTCP and OPC UA.
“Uniquely, this malware has not been employed in target networks. This provides defenders a unique opportunity to defend ahead of the attacks. While the malicious capability is sophisticated, with a wide range of functionality, applying fundamental ICS cybersecurity practices such as having a defensible architecture, ICS specific incident response plan, and ICS network monitoring provides a robust defense against this threat.”
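Lee's point that the malware abuses native protocol functionality rather than vulnerabilities is why ICS network monitoring is the recommended defence: the traffic is legitimate Modbus, so the anomaly is who is sending it and to how many devices. The following is an added illustration of that idea, not code from CISA, Dragos or the advisory. It parses constructed Modbus/TCP request frames, flags write function codes from hosts outside an assumed engineering-workstation allowlist, and flags one source querying device identification (function code 43, MEI type 14) across several controllers. The IP addresses, unit ids and sample frames are all constructed for the example.

```python
"""Baseline-based monitor for Modbus/TCP requests (added example, not vendor code).

Hosts, allowlist and frames below are constructed assumptions for illustration.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes grouped by the risk they carry on an OT network.
READ_CODES = {1, 2, 3, 4}              # read coils / discrete inputs / registers
WRITE_CODES = {5, 6, 15, 16, 22, 23}   # single/multiple writes, mask write, read-write
DIAG_CODES = {8, 17, 43}               # diagnostics, report server id, encapsulated (0x2B)
MEI_READ_DEVICE_ID = 0x0E              # MEI type 14 under function code 43

# Assumed: only this engineering workstation is allowed to write to controllers.
WRITE_ALLOWLIST = {"10.0.10.5"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(src: str, dst: str, frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, dst, tid, uid, frame[7], frame[8:])


def is_device_id_query(req: ModbusRequest) -> bool:
    return req.function_code == 43 and req.data[:1] == bytes([MEI_READ_DEVICE_ID])


def classify(req: ModbusRequest) -> list:
    """Return alert strings for one request; empty means it matches the baseline."""
    alerts = []
    fc = req.function_code
    if fc in WRITE_CODES and req.src not in WRITE_ALLOWLIST:
        alerts.append(f"WRITE fc={fc} from non-engineering host {req.src} to {req.dst}")
    if is_device_id_query(req):
        alerts.append(f"DEVICE-ID query (fc 43 / MEI 14) from {req.src} to {req.dst}")
    elif fc in DIAG_CODES:
        alerts.append(f"DIAGNOSTIC fc={fc} from {req.src} to {req.dst}")
    if fc not in READ_CODES | WRITE_CODES | DIAG_CODES:
        alerts.append(f"UNUSUAL fc={fc} from {req.src} to {req.dst}")
    return alerts


def detect_recon(requests: list, threshold: int = 3) -> dict:
    """Sources that asked for device identification on >= threshold distinct targets."""
    targets = {}
    for r in requests:
        if is_device_id_query(r):
            targets.setdefault(r.src, set()).add(r.dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= threshold}


def analyze(packets: list):
    """packets: iterable of (src, dst, raw_frame). Returns (alerts, recon_map)."""
    requests = [parse_modbus_tcp(s, d, f) for s, d, f in packets]
    alerts = [a for r in requests for a in classify(r)]
    return alerts, detect_recon(requests)


def build_frame(tid: int, uid: int, pdu: bytes) -> bytes:
    """Construct a Modbus/TCP ADU for the sample traffic below."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


# Constructed sample traffic: baseline reads/writes from the workstation, then
# an unexpected host writing registers and fingerprinting three controllers.
SAMPLE_TRAFFIC = [
    ("10.0.10.5", "10.0.20.11", build_frame(1, 1, b"\x03" + struct.pack(">HH", 0, 10))),
    ("10.0.10.5", "10.0.20.11", build_frame(2, 1, b"\x06" + struct.pack(">HH", 100, 1))),
    ("10.0.30.77", "10.0.20.11", build_frame(3, 1, b"\x10" + struct.pack(">HHB", 100, 2, 4)
                                              + struct.pack(">HH", 1, 2))),
    ("10.0.30.77", "10.0.20.11", build_frame(4, 1, b"\x2b\x0e\x01\x00")),
    ("10.0.30.77", "10.0.20.12", build_frame(5, 1, b"\x2b\x0e\x01\x00")),
    ("10.0.30.77", "10.0.20.13", build_frame(6, 1, b"\x2b\x0e\x01\x00")),
]

if __name__ == "__main__":
    found, recon = analyze(SAMPLE_TRAFFIC)
    for line in found:
        print(line)
    print("recon sources:", recon)
```

The baseline here is deliberately simple (a static allowlist and a count of distinct targets); a production monitor would learn the allowlist from observed engineering traffic and key on unit ids as well as hosts, but the structure is the same: decode the native protocol, compare against expected behaviour, and alert on the deviation rather than on a signature.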
Not limited to Schneider Electric and Omron PLCs
Dragos also warns that Chernovite is not targeting just the vendors listed. It says that there could be other modules targeting other vendors. It is an approach that is pretty typical of most modular frameworks. The challenge is getting hold of new samples that target a wider range of vendors.
Interestingly, that ability to add new modules to widen the attack surface has led Dragos to warn about complacency. It says, “a focus on the equipment vendor is misplaced, and instead the focus should be placed on the tactics and techniques the adversary is leveraging.”
Dragos gives much more information in a blog and a whitepaper (registration required). The 19-page whitepaper explains how Chernovite uses Pipedream’s components to perform what Dragos calls rapid reconnaissance of ICS networks. The question is, what does rapid mean?
Defenders are regularly told that attackers will sit in networks for some time while they do reconnaissance. If Chernovite is landing, doing recon and deploying in short order, that changes the time to detect. Such a change will worry many defenders who still struggle to detect malware sitting dormant for months, let alone days.
The whitepaper also gives much more detail on the five components of Pipedream that Dragos has identified. It means that defenders can refine their use of indicators of compromise when searching for possible Chernovite attacks.
Enterprise Times: What does this mean?
While this might only be the seventh malware family to target ICS, it will not be the last. Successful ICS attacks have severe consequences that extend far beyond the size of the business attacked. We’ve previously seen the impact of such attacks against electricity grids. However, non-ICS attacks, such as the one that shut down Colonial Pipeline, can be just as effective.
What is interesting here is how the Pipedream modular ICS attack framework is constructed. There are 12 different processes from access to impact. In addition, each process has a range of different steps it can take to achieve success. For each stage, there are tools that can be deployed. Some of these are part of the device OS, and some are developed by Chernovite. It makes for a framework that can be added to and adapted to deal with different hardware.
Now that the warning and outline of the framework are out there, it is to be hoped that this will give defenders a chance to deploy remediations. It also shows that the scarcity of ICS specific malware to date should not be taken as reassurance.