Blog

Pipedream is a malware framework that targets programmable logic controllers (PLCs) and industrial control systems (ICS). First made public in April 2022, this malware toolkit – though there is no known instance of its deployment to date – targets ICS, such as electricity grids, industries, water utilities, and oil refineries. Wary of the malware toolkit’s threat potential, the US government issued an advisory, urging enterprises to look out for it. 

Touted as the “Swiss Army knife” for hackers, cybersecurity experts claim the toolkit is the creation of Chernovite Activity Group. Ever since its discovery, Pipedream has drawn comparisons to the Industroyer toolset, which was used in the Ukraine power system cyberattack in December 2015. This modular toolkit enables attackers with access to operational technology (OT) network to monitor, compromise, and operate particular ICS/SCADA devices, such as:

• Schneider Electric PLCs,

• OMRON Sysmac NEX PLCs, and

• Open Platform Communications Unified Architecture (OPC UA) servers.

How can cybercriminals leverage this malware toolkit?

Cybercriminals can launch highly automated exploits against select devices due to the modular architecture of the toolkit. In addition, the software includes a virtual console, which simulates the interface of the targeted ICS/SCADA system. Cyber attackers with lower skills, too, can replicate the capabilities of seasoned hackers by using modules to interact with the targeted devices. 

Advanced persistent threat (APT) actors can scan for targeted devices, gather device details, upload malicious software files, and manipulate device parameters using these modules. APT actors can also employ AsrDrv103.sys, a malware that installs and exploits a known-vulnerable ASRock-signed motherboard driver, to execute malicious code in the Windows kernel to exploit CVE-2020-15368. APT actors may also be able to move laterally inside an IT or OT environment and disrupt important devices or functions if this malware toolkit is successfully deployed.

The US Cybersecurity and Infrastructure Security Agency, the US National Security Agency, and the FBI recently issued a joint notice warning that the Pipedream malware toolkit may interfere with a wide range of industrial control system components. The malware includes more features designed to disrupt or take control of device functionality than any previous industrial control system hacking toolkit. This malware toolkit specifically targets PLCs sold by Schneider Electric and OMRON – both domain leaders. These PLCs are designed to serve as the interface between traditional computers and actuators and sensors in industrial settings.

In an alert co-authored by researchers from several tech giants, the experts claimed that Pipedream could 'execute 38% of known attack techniques and claimed it could pull off 83% of known ICS attack tactics’. 

Adding to the widespread concern is the possibility of Chernovite including new modules and plug-ins that will allow attackers to target more devices. As it is, an existing plug-in enables attackers to manipulate small motors known as servos on EtherCAT networks. By modifying pressure control valves, servos can, among other things, regulate natural gas flow in pipelines. Mousehole, another Pipedream tool, enables attackers to influence Open Platform Communications Unified Architecture or OPC UA, and servers facilitating data exchanges.

Mitigation

Companies can start mitigating the Pipedream threat by continuously monitoring Schneider and Omron devices, disabling specific functionalities, and monitoring PLCs for new connections. Businesses should also follow best practices for securing operational technology networks and ensuring they are ready to respond to attacks. This includes developing and practicing incident response procedures. Given the threat potential of Pipedream, relying on the mere network edge and perimeter security may prove inadequate. Monitoring ICS to tackle the expanding attack surface is another way out. Lastly, finding high-quality firmware and controller configuration files can help strengthen the OT environment.

Conclusion

One way of ensuring your company is safe from Pipedream is by testing the quality of your security infrastructure. Remember, the Pipedream malware toolkit can only be deployed after a hacker has made a breach.

Packetlabs is an industry leader in network and system security testing. We offer a wide range of services that can help you identify any vulnerabilities in your networks and systems, and our team of experts can help you mitigate the risks posed by the Pipedream malware toolkit. Contact us today to learn more about our services or to schedule a consultation.