Industrial control systems and operational technology networks have historically not faced the same level and volume of threats as typical IT networks, but that is beginning to change: adversaries are focusing more attention on ICS and OT environments and developing sophisticated malware and attack frameworks built specifically for those networks.
The clearest example is the emergence of the PIPEDREAM malware, a custom-built framework developed by a state-level threat group known as Chernovite that researchers discovered last year. PIPEDREAM is unusual in several respects, including its scalability, its ability to target 15 types of OT devices, and its potential for disruptive and possibly even destructive attacks. The framework is modular and has a range of capabilities, and researchers at Dragos, which discovered PIPEDREAM, said it could enable an attacker to gather valuable information about a target environment and then plan and execute a later attack.
“PIPEDREAM is the first reusable cross-industry capability that impacts native functionality in industrial protocols and a wide variety of devices. Dragos and our third-party partners discovered and analyzed its capabilities before it was employed. Malware development is shifting towards improving on the known and successful techniques used in earlier ICS cyber attacks,” Dragos said in a new report on 2022 ICS and OT threats.
“This accumulated knowledge may have informed PIPEDREAM’s malware framework, which is more robust and modular and most likely will inform CHERNOVITE and other adversaries’ malware development in the future.”
Although researchers discovered PIPEDREAM before it was deployed in any disruptive or destructive attacks, Dragos CEO Robert Lee said that the framework’s feature set and complexity leave little doubt about its capabilities and those of its development team.
“We have high confidence this was developed by a state actor and PIPEDREAM was initially targeted at LNG and electric companies in the U.S. and elsewhere. It’s cross-industry, repeatable and scalable. You can load this up and go. You could put it anywhere. This thing can work anywhere. The state actor responsible for this, there’s no chance this wasn’t their go-to package to bring down infrastructure,” Lee said.
Chernovite is a formidable, highly capable actor that has emerged in the last year or so, and Lee said that when Dragos came upon the group’s activity and the PIPEDREAM malware, the group was already operating at a high level and had demonstrated advanced capabilities.
“No one was tracking them. They were already a stage two actor. Nobody has perfect visibility. We have a lot less visibility than people realize globally. Maybe five percent of global infrastructure is being monitored, so you’re not going to see as much of the threats as you’d like,” Lee said.
ICS and OT security has emerged as a serious concern in the last few years, driven by a number of high-profile attacks against critical infrastructure and ICS systems. The 2021 attack on Colonial Pipeline by the DarkSide ransomware group drew enormous media attention as well as that of the White House. Data that Dragos collected shows an 87 percent increase in ransomware attacks against industrial organizations in 2022, 72 percent of which targeted companies in the manufacturing industry. While ransomware attacks draw the most attention, plenty of other intrusions are going on under the surface that don’t necessarily bubble up.
“We are absolutely at the time’s up phase for industrial security for some of these things,” Lee said.