Dragos detects escalation in adversarial capabilities, as Pipedream threat group widens attack competence

Industrial cybersecurity company Dragos announced Tuesday that 2022 saw a breakthrough in escalation capabilities by a new modular industrial control systems (ICS) malware, Pipedream, developed by the Chernovite threat group. The Pipedream toolkit has the capabilities that led to the initial ‘cross-industry disruptive/destructive’ ICS/OT malware impacting tens of thousands of industrial devices that control critical infrastructure – devices that manage the electrical grid, oil and gas pipelines, water systems, and manufacturing plants.

“Chernovite’s Pipedream is the first ever cross-industry disruptive/destructive ICS/OT capability. It represents a substantial escalation in adversarial capabilities, Dragos said in its latest report titled ‘ICS/OT Cybersecurity Year In Review 2022.’ “Chernovite possesses a breadth of ICS-specific knowledge beyond what has been demonstrated by previously discovered threat groups. The ICS expertise demonstrated in the Pipedream malware includes capabilities to disrupt, degrade, and potentially destroy physical processes in industrial environments,” it added. 

Dragos assesses that ‘Chernovite represents the most dangerous threat group to date as it exhibits all aspects of the ICS Kill Chain Stage 1 and Stage 2.’ Pipedream is the seventh ICS-impacting malware and most recent ICS-targeted malware discovered in 2022, which abused FINS, MODBUS, CODESYS, OPC UA, and Schneider Electric NetManage ICS protocols. Furthermore, thousands of devices have been ‘potentially impacted’ and thousands of suppliers ‘impacted.’

Apart from implementing common ICS/OT-specific protocols in Pipedream, the Chernovite threat group improved the techniques from prior ICS malware. CRASHOVERRIDE, and the associated threat group, ELECTRUM, exploited the OPC Data Access (OPC DA) protocol to manipulate breakers and electrical switchgear. Chernovite, on the other hand, uses the newer but comparable OPC UA protocol. 

Dragos assesses with high confidence that a state actor developed Pipedream intending to leverage it in future operations for disruptive or destructive purposes. It also assesses with moderate confidence that the Chernovite threat group represents an ‘effects/impact team’ instead of an ‘access team’ suggesting that Pipedream was designed to be leveraged for impact after the initial access into the target environment has been obtained by another threat group. 

Most likely, Chernovite developed Pipedream’s capabilities for a malicious operator with the intent and motivation to access, manipulate, and disrupt OT (operational technology) environments and processes, Dragos said. “Pipedream’s capabilities can provide an adversary with a range of options for learning about a target’s OT network architecture and identifying its assets and processes. This information can set the stage for disruptive and destructive effects, but it also increases an adversary’s knowledge to develop even more capabilities to disrupt or destroy on a much broader scale.”

In its present form, the Pipedream attack framework could be leveraged to target equipment in multiple sectors and industries. Given Pipedream’s modular nature, Chernovite could adapt it to compromise and disrupt a broader set of targets. Therefore, it is necessary for defenders to harden their environment against Chernovite’s known set of capabilities and focus on the tactics, techniques, and procedures (TTP), abuse of environment-native protocols and functionality, and exploitation of a lack of OT asset visibility and network monitoring. 

Dragos assesses with low confidence that no adversary has employed or leveraged components of Pipedream against industrial networks for disruptive or destructive effects. Dragos’ discovery of Chernovite constitutes a rare case of accessing and analyzing malicious capabilities developed by an adversary before its employment, giving defenders a unique opportunity to prepare in advance. 

No individual industrial operator, security vendor, or ICS vendor can independently solve or mitigate attacks like Pipedream, Dragos said. “All three communities should collaborate transparently with support from projects like MITRE ATT&CK and relevant industry-sharing groups so sites can be more secure from PIPEDREAM and any other future attempts to disrupt critical infrastructure.”

Pipedream malware is new and different compared to CRASHOVERRIDE, which focused on electric substation-specific protocols, or Trisis, which impacted one particular safety controller (Triconex). Most likely, the adversary will continue to improve this toolkit—not just to improve support for the CODESYS protocol, but possibly even to expand it to support other protocols. 

“The OPC UA and Modbus components in Pipedream are open-source projects that are widely available,” Dragos reported. “A quick internet search shows there are many other open-source projects for supporting other protocols in the industrial/OT space, such as CIP, BACNet, EthernetIP, Profinet, EtherCAT, and more. The adversary could leverage any one of these to expand their potential target space and give Pipedream even more cross-industry flexibility.”

The Hanover, Maryland-based company also drew attention to the new Bentonite threat group increasingly and opportunistically targeting maritime oil and gas (ONG), governments, and the manufacturing sectors since 2021. The group conducts offensive operations for both espionage and disruptive purposes.

“Bentonite seeks to exploit vulnerable remote access assets or internet-exposed assets that can facilitate access. Bentonite’s operations have impacted North American ONG maritime support organizations and State Local Tribal and Territorial (SLTT) governments,” Dragos said in the report. “Bentonite compromised these organizations by exploiting vulnerabilities on internet-facing assets through Log4J and VMware Horizons vulnerabilities.” 

Once Bentonite achieves initial access, the adversary delivers a downloader-type malware implant to retrieve additional malware implants from adversary-created GitHub accounts. These malware implants conduct command and control to adversary-owned infrastructure, reconnoiter the compromised host, conduct network reconnaissance, and establish a connection through SSH, enabling the adversary operator to perform interactive operations.

Dragos said that Bentonite’s activities are highly opportunistic when it comes to the victims they target. “Additionally, once Bentonite gains access to a victim’s environment, this adversary is very tenacious in its persistence to retain its access by performing lateral movement to other hosts, collecting credentials, and establishing long-term persistence to re-enable access to the adversary operator through scheduled tasks in combination with malware implants. Bentonite utilizes legitimate infrastructure, such as GitHub, and adversary-owned infrastructure for command and control and capability delivery.” 

Bentonite threat group is capable of and has in past compromises disrupted operations through wipers; however, this was not observed in the compromises of the ONG or SLTT organizations. Bentonite has overlapping activity clusters with Microsoft’s activity group PHOSPHORUS (DEV-0270) and CrowdStrike’s activity group NEMESIS KITTEN. 

Addressing INDUSTROYER2, the sixth known ICS-specific malware, Dragos said that the incident last April marked the first time ICS-specific malware had been reconfigured and then redeployed in an electric utility environment, which was also impacted by CRASHOVERRIDE in 2016.

“INDUSTROYER2 utilizes the International Electrotechnical Commission (IEC) IEC-104 protocol to control and communicate with industrial equipment,” Dragos reported. “INDUSTROYER2 is a new variant of CRASHOVERRIDE with fewer capabilities. The 2016 CRASHOVERRIDE malware had a modular framework and multiple components, including a 104 module that utilized the IEC 104 protocol for communicating with industrial equipment. This module is designed to leverage the IEC 104 protocol to change the state of Information Object Addresses (IOA) to switch physical breaker statuses from open to closed or vice versa, causing disruptive effects.” 

Recent public reporting shows Kostovite may be linked to the APT5 adversary group. The U.S. government reported in December 2022 that APT5 was actively exploiting a zero-day vulnerability in Citrix perimeter access devices, which parallels Kostovite’s zero-day exploitation against an energy O&M firm in 2021, and previous APT5 campaigns targeting perimeter devices in 2019. 

Dragos said that both Kostovite and APT5 have leveraged vulnerabilities in perimeter-facing remote access appliances, achieving persistent access to targets over several months undetected. “There is a likelihood that Kostovite’s tooling may expand to include the remote access device zero-days exploited by APT5.”

Kamacite is a threat group targeting industrial infrastructure verticals since at least 2014, and is linked to multiple industrial infrastructure intrusion events, including operations enabling the 2015 and 2016 Ukraine power events. The group possesses ICS-specific capabilities but has also facilitated ICS disruptive events executed by other threat groups such as Electrum. 

“Most recently, in June of 2022, Dragos identified Kamacite network infrastructure communicating with an oblenergo (a regional power distribution entity) in Ukraine,” the report identified. “The oblenergo Kamacite targeted in this incident was one of the same oblenergos impacted in a 2015 cyber attack, which triggered a large-scale power outage across western Ukraine.”

The Dragos-tracked threat group Xenotime is one of the four (including Chernovite, Electrum, and Kamacite) publicly known threat groups that has the intent, motivation, and capability to target and disrupt or destroy critical infrastructure, particularly in the ONG sector. During 2022, Dragos observed Xenotime reconnaissance and research activity focused on ONG and liquefied natural gas (LNG) entities in the U.S., including component manufacturers that support ONG operations.

Electrum was still active in 2022 and continues to develop and modify capabilities against electric grid operations. In the April 2022 incident, Electrum deployed INDUSTROYER2 malware along with a set of wiper malware, Dragos said. “The wiper malware deployed with INDUSTROYER2 was used to cover Electrum’s tracks.” 

Dragos assesses with high confidence that Electrum will continue to target electric utilities in Ukraine. Electrum also has the capability to target electric entities outside of Ukraine because of the similar equipment and protocols in other electric environments. 

During 2022, Erythrite continued to compromise industrial organizations across multiple sectors in North America with its adaptable search engine optimization (SEO) poisoning and custom, rapidly redeveloped malware. Erythrite has a consistent ability to develop and deploy malware and infrastructure at scale.

Dragos assesses with moderate confidence that Wassonite will continue to target ICS entities in nuclear energy, electric, oil and gas, advanced manufacturing, pharmaceutical, and aerospace industries in East Asia, South Asia, and North America. 

Last October, Dragos analyzed Wassonite’s use of nuclear energy-themed spear phishing lures written in Hangul to deliver the AppleSeed backdoor. The Appleseed backdoor is a multi-component backdoor that can take screenshots, log keystrokes, and collect removable media information and specific victim files. It can also upload, download, and execute follow-on commands from a command and control server. 

Industrial operators are at the ground level of critical infrastructure, and when it comes to delivering critical services, they are the closest to the customer, Dragos said. To secure against attacks, the company recommends that industrial operators implement the five critical controls highlighted in the SANS white paper, ‘The Five Critical Controls for ICS/OT,’ by Tim Conway and Robert M. Lee.

Dragos also disclosed in its report a continued increase in the threats and ransomware attacks tracked in 2022, as ransomware attacks on industrial infrastructure organizations nearly doubled in 2022. With over 70 percent of all ransomware attacks focused on manufacturing, ransomware actors continue to broadly target many manufacturing sectors and subsectors. As ransomware activity increases, it results in more risk for OT networks, particularly networks with poor segmentation. 

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.