Chernovite
CHERNOVITE is the Dragos-designated activity group assessed to have developed the ICS malware framework PIPEDREAM, which Mandiant tracks as INCONTROLLER. The cited reporting describes CHERNOVITE as a state-backed or state-sponsored threat actor that built PIPEDREAM for disruptive or destructive operations against industrial control systems. At the time of that reporting there were no known cyber attacks associated with CHERNOVITE, and Dragos assessed with high confidence that PIPEDREAM had not yet been employed in the wild for disruptive or destructive effects. The group's activity is centered on developing ICS malware to disrupt, degrade, and destroy industrial environments and processes.

PIPEDREAM is described as a modular ICS attack framework: a collection of utilities for reconnaissance, manipulation, and disruption of PLCs, together with Windows intrusion tooling. Reported targets and affected technologies include Omron and Schneider Electric PLCs, OPC UA servers, Modbus, and CODESYS-based environments. The reporting states that the likely intended targets were liquefied natural gas and electric facilities.

Capabilities attributed to CHERNOVITE in the reporting include: rapid ICS network reconnaissance using MAC address identification, port numbers, HTTP banners, Omron FINS, Modbus, and Schneider NetManage discovery broadcasts; remote interaction with PLCs via CODESYS to brute force passwords, perform denial of service, and sever connections; interaction with Omron PLCs via HTTP and telnet to load a native implant; use of exposed Omron HTTP endpoints to change operating mode, back up or restore configurations, and wipe PLC memory; arbitrary writes to OPC UA node attributes; denial of control and denial of view; use of PLCs as network proxies across OT environments; and collection of PLC network traffic to undermine OT authentication and encryption. Dragos also states that CHERNOVITE can manipulate the speed and torque of Omron servo motors, potentially causing disruption, destruction, and loss-of-life scenarios.

The PIPEDREAM components named in the reporting are EVILSCHOLAR, BADOMEN, MOUSEHOLE, DUSTTUNNEL, and LAZYCARGO. EVILSCHOLAR discovers, accesses, manipulates, and disables Schneider Electric PLCs and includes a CODESYS library. BADOMEN scans, identifies, and interacts with Omron software and PLCs, including a remote shell capability. MOUSEHOLE interacts with OPC UA servers by reading and writing node attributes, enumerating namespaces and NodeIds, and brute forcing credentials. DUSTTUNNEL is a custom remote operational implant for host reconnaissance and command-and-control. LAZYCARGO is a Windows executable that drops and exploits a vulnerable ASRock driver in order to load an unsigned driver; the report references CVE-2020-15368.

Known alias in the provided content: Chernovite. The malware/toolkit associated with this actor is referred to as PIPEDREAM by Dragos and INCONTROLLER by Mandiant.
Tradecraft
9 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
7 malware families attributed to this actor across reporting.
2 additional families tracked in Mallory.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Referenced as a named activity cluster in the context of OT/ICS threat intelligence reporting.
Developer of the PIPEDREAM ICS/OT attack framework, capable of executing advanced attacks against industrial infrastructure. No known attacks have been attributed to CHERNOVITE as PIPEDREAM was discovered before use.
Named activity group assessed to be behind the Pipedream/INCONTROLLER industrial control system (ICS) malware framework, enabling scanning, compromise, and control of ICS/SCADA devices after initial access in OT networks.
State-backed threat group attributed by Dragos as the developer of the Pipedream ICS attack toolkit for disruptive or destructive operations against industrial control systems, with suspected intended targets in liquefied natural gas and electric facilities.