Pipedream is a software framework for malicious code targeting programmable logic controllers (PLCs) and industrial control systems (ICS).
First publicly disclosed in 2022, it has been described as a "Swiss Army knife" for hacking. It is believed to have been developed by state-level advanced persistent threat (APT) actors. The name "Pipedream" was given by the cybersecurity company Dragos; the cybersecurity company Mandiant uses the name "Incontroller". It has been compared with the Industroyer (Crashoverride) toolkit used in the December 2016 Ukraine power grid cyberattack. Dragos refers to the authors of the software as Chernovite.
Details
The toolkit consists of custom-made tools that, once the operators have established initial access in an operational technology (OT) network, enable them to scan for, compromise, and control certain ICS/SCADA (supervisory control and data acquisition) devices, including the following:
* Schneider Electric PLCs,
* OMRON Sysmac NEX PLCs, and
* Open Platform Communications Unified Architecture (OPC UA) servers.
The toolkit has a modular architecture and enables cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, allowing lower-skilled cyber actors to emulate the capabilities of higher-skilled actors.

APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration or code to the targeted device, back up or restore device contents, and modify device parameters.

In addition, the APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. Because the driver carries a valid vendor signature, driver signature enforcement alone does not stop it from loading; defenders instead rely on vulnerable-driver blocklists and on monitoring kernel driver loads. Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions.
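The driver-abuse technique above leaves a clear host-level trace: a kernel driver load of AsrDrv103.sys, typically from a path where no legitimate driver would be installed. The following is an added example (not code from the Pipedream toolkit, Dragos, Mandiant or any vendor) of a small detector that parses Sysmon DriverLoad (Event ID 6) records and flags the driver named on this page. The log lines are constructed for the example and use a simplified key=value rendering of the Sysmon fields rather than real telemetry; the "outside the system drivers directory" heuristic and the `FLAGGED_DRIVERS` set are assumptions, and a production deployment would extend the set with hashes from a vulnerable-driver blocklist.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Driver the page names as abused by the toolkit (CVE-2020-15368). Hypothetical
# starting set; a real deployment would add hashes from a vulnerable-driver blocklist.
FLAGGED_DRIVERS = {"asrdrv103.sys"}

# Where legitimately installed kernel drivers normally live. A load from anywhere
# else is only a supporting indicator (assumption, not a claim made by the page).
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample log: one simplified Sysmon record per line, key=value pairs,
# values with spaces are double-quoted. Not real telemetry.
SAMPLE_LOG = r"""
host=ENG-WS01 event_id=6 ImageLoaded=C:\Windows\Temp\AsrDrv103.sys Signature="ASRock Incorporation" Signed=true
host=ENG-WS01 event_id=6 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Signature="Microsoft Windows" Signed=true
host=HMI-02 event_id=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c whoami"
host=HMI-02 event_id=6 ImageLoaded=C:\Users\oper\Downloads\asrdrv103.sys Signature="ASRock Incorporation" Signed=true
host=HIST-01 event_id=6 ImageLoaded="C:\Program Files\Vendor\vdrv.sys" Signature="Vendor Inc" Signed=true
"""

# key=value or key="quoted value"; group 2 is the quoted form, group 3 the bare form.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value log line into a field dictionary."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


@dataclass
class Alert:
    host: str
    path: str
    severity: str  # "high" when a flagged driver name matches, else "medium"
    reasons: List[str]


def check_driver_load(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert for a suspicious DriverLoad record, or None."""
    if event.get("event_id") != "6":
        return None  # only Sysmon DriverLoad records carry ImageLoaded
    path = event.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in FLAGGED_DRIVERS:
        reasons.append(f"known-vulnerable driver {name} loaded")
    if not path.lower().startswith(DRIVER_DIR):
        reasons.append("driver loaded from outside the system drivers directory")
    if not reasons:
        return None
    severity = "high" if name in FLAGGED_DRIVERS else "medium"
    return Alert(event.get("host", "?"), path, severity, reasons)


def scan(lines) -> List[Alert]:
    """Run the check over an iterable of log lines, skipping blanks."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        alert = check_driver_load(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity}] {a.host}: {a.path} :: {'; '.join(a.reasons)}")
```

Matching on the driver file name is deliberately the high-confidence signal, since a signed driver cannot be distinguished by its signature alone; the path heuristic is kept separate and lower severity so that a vendor driver installed under Program Files is surfaced for review rather than treated as an intrusion.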
See also
* Industroyer (also referred to as Crashoverride), the malware framework used in the December 2016 attack on Ukraine's power grid
* Stuxnet
* Havex, the remote access trojan discovered in 2013 and attributed to the "Energetic Bear" / "Dragonfly" APT group
* Triton (malware), discovered at a Saudi Arabian petrochemical plant in 2017 and capable of disabling safety instrumented systems
Categories: Malware toolkits; Cyberwarfare; 2022 in computing; Hacking in the 2020s; Malware targeting industrial control systems