{
	"id": "279f1441-babb-45a4-8f24-ae77bddcb726",
	"created_at": "2026-04-06T00:10:09.532157Z",
	"updated_at": "2026-04-10T13:11:34.075083Z",
	"deleted_at": null,
	"sha1_hash": "2d385a132bff6eaff546e5dcfbf431bd308c2513",
	"title": "Responding to CHERNOVITE’s PIPEDREAM with Dragos Global Services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56096,
	"plain_text": "Responding to CHERNOVITE’s PIPEDREAM with Dragos\r\nGlobal Services\r\nBy Dragos, Inc.\r\nPublished: 2022-04-28 · Archived: 2026-04-02 10:34:14 UTC\r\nPIPEDREAM is the seventh known ICS-specific malware. Developed by the Threat Group that Dragos has\r\ndesignated CHERNOVITE, PIPEDREAM malware can disrupt, degrade, and potentially destroy industrial\r\nenvironments and processes. This blog post is intended to provide guidance for the impacted ICS/OT\r\nenvironments of Dragos customers and draws on the experience of our Global Services team providing\r\narchitecture reviews, maturity assessments, and incident response services.\r\nFor details on the Threat Group and Malware, refer to the original blog post, “CHERNOVITE’s PIPEDREAM\r\nMalware Targeting Industrial Control Systems (ICS),” and the in-depth whitepaper, “PIPEDREAM:\r\nCHERNOVITE’s Emerging Malware Targeting Industrial Control Systems.” Additional technical details on\r\nPIPEDREAM are available with a Dragos WorldView Threat Intelligence subscription.\r\nDragos Platform customers can get summary guidance for how to leverage the Platform in this recent blog to\r\nquickly identify and mitigate risks from PIPEDREAM – including deploying the latest knowledge pack,\r\nidentifying impacted assets with Asset Inventory, looking for current malicious behaviors, performing\r\nretrospective search for past malicious behaviors, and using the Platform vulnerability management plan to\r\nmanage this event.\r\nReview Incident Response Plans – Get Moving Now, Not Later\r\nIncident Response Plans (IRPs) and Collection Management Framework (CMF) are the starting point for incident\r\nresponse preparation and response. Dragos recommends asset owners have an OT-specific IRP. If you do not have\r\none in place, use this as an impetus to construct one. 
While the IRP is being developed, defenders should gather\r\ninsights from those responsible for the process environment and those who will be working on automation\r\nsystems during restoration.\r\nA CMF is a process that documents and institutionalizes data sources that are available to defenders, including what\r\ninformation is available and how long that data is retained. The CMF will provide the baseline for identifying\r\nimpacted assets and searching for potential threat behaviors. If you do not have a CMF, start building one. Identify\r\ndata sources that contain asset information and OT network traffic logs.\r\nFind \u0026 Address Impacted Systems\r\nIncident Response (IR) begins with evidence collection. Therefore, defenders need to ensure quality collection\r\ncapability is in place for the identified targeted systems:\r\nSchneider PLCs\r\nhttps://www.dragos.com/blog/responding-to-chernovites-pipedream-with-dragos-global-services/\r\nPage 1 of 4\n\nOmron PLCs\r\nOPC-UA Endpoints\r\nCODESYS-based devices\r\nEngineering workstations controlling the affected devices\r\nSystems with firewall rules allowing communication to these devices\r\nTeams should understand their roles and responsibilities and communicate with corresponding teams. Educate OT\r\noperations staff on the potential for cyber impacts to their environments, and ensure they are aware that they\r\nshould report any concerns for investigation. Operations and automation staff should factor cybersecurity into\r\ntheir decisions concerning odd behaviors observed.\r\nEstablish a Solid Baseline of Known “Good” Configurations\r\nFor Schneider and Omron PLCs specifically, having a full set of known “good” project files for the systems\r\npotentially affected by PIPEDREAM can help reduce the time for analysis of potentially malicious logic files\r\nfound on Engineering Workstations (EWS). 
Compare the digital fingerprints, the MD5 or SHA256 hashes of\r\nknown good project files, to those of project files found on EWSes suspected of having been compromised. The\r\nsame applies to configuration data and especially Python scripts found on EWSes.\r\nOperators should ensure personnel are open to considering that a cybersecurity incident is a potential root cause\r\nduring a fault analysis. This requires the OT operations team to quickly loop in the incident response (IR) team\r\nduring a fault analysis, with the IR team collecting forensic host and network data during any incident analysis to\r\nverify or rule out any malicious cyber activity that might have led to the malfunction.\r\nThis also applies to systems running the OPC-UA protocol – any unusual network activity from HMIs or data\r\nhistorians using the OPC-UA protocol should be investigated. OPC scanning is always a highly suspicious activity\r\nand does not commonly occur on operational systems. Malfunctioning HMIs leveraging the OPC-UA protocol\r\nshould follow the same fault analysis approach as mentioned above for PLCs: forensic data should be collected\r\nand analyzed for a potential compromise of these systems.\r\nFinally, unusual failures in segments that are not connected via Ethernet but have serial Modbus connections\r\nterminating on PLCs that are network connected should also be investigated with the assumption that malicious\r\ncyber activity is a potential root cause. In this case, the segment that requires forensic collection is the one that is\r\nnetwork connected and terminates the serial connection.\r\nBrief Your Operations Team to Be on the Lookout\r\nOperations teams are often the first line of detection during abnormal process changes or conditions. 
Dragos\r\nrecommends OT security teams talk to operations employees to understand how to manage the environment under\r\nemergent operational conditions, especially under a loss of view condition.\r\nTeams should know when and how to safely shut down critical processes when HMI information is tampered with\r\nor simply unavailable.\r\nHistorians and process visualization applications, which leverage OPC-UA, may cross IT/OT security\r\nboundaries.\r\nLosing these connections can create the potential for loss of process trends, custody transfer information, or\r\nenvironmental data, for example. Additionally, IT/OT interconnections provide adversarial pathways to\r\npivot into the ICS/OT environment from the enterprise.\r\nUpdate and Mature Your Incident Response Plan\r\nIf you haven’t tested your disaster recovery or OT Incident Response Plans recently, you should consider\r\nfacilitating a discussion-based scenario, such as a Tabletop Exercise (TTX), to ensure that team members are well\r\nversed on the IRP, their roles, and overall preparedness for a potential incident. If you have limited internal\r\nincident response capabilities or lack an incident response plan tailored to ICS/OT, then Dragos recommends\r\nreaching out to a trusted ICS incident response provider for a retainer.\r\nTake Steps to Mitigate Risk of Impacted Assets\r\nThe detailed whitepaper, “PIPEDREAM: CHERNOVITE’s Emerging Malware Targeting Industrial Control\r\nSystems,” contains specific recommendations for mitigating impacts of PIPEDREAM.\r\nAdditionally, operators should look for quick wins like the ability to deny vulnerable drivers, such as the ASRock\r\ndriver that the PIPEDREAM utility LazyCargo requires. This has a potentially high probability for OT vendor approval\r\nfor deployment and a large net gain for detection/mitigation capabilities. 
It is important to also understand that this\r\nvulnerability has multiple public examples of exploitation and POC code, so it should be considered a high priority\r\nfor mitigation.\r\nMicrosoft recently announced a driver blocklist feature for Windows Defender; the current recommended\r\nblocklist already contains the ASRock driver. Because this is such a new capability, it may not apply to most ICS/OT\r\nenvironments but is something to consider in planning.\r\nIt is good to remember that this vulnerability requires prior access, and an adversary must interact with the system\r\nto exploit it. This creates additional opportunities for detection across the network or on the host. The\r\n“CHERNOVITE’s PIPEDREAM Malware Targeting Industrial Control Systems (ICS)” blog provides additional\r\nprospective details to inform detection activities.\r\nFinally, operators should explore other areas within the OT environment where they can fortify and enhance\r\ndefenses, such as monitoring for telnet use or enablement. If owners can segment or harden many of the targeted\r\ntechnologies, they can break the adversaries’ collection of tools.\r\nWhat’s Next?\r\nAs Dragos continues to perform analysis of PIPEDREAM, several additional detections are in development for\r\nfuture Dragos Platform Knowledge Pack (KP) releases. 
For more insight on streamlining\r\nPIPEDREAM/CHERNOVITE detection, see the blog, “Detecting CHERNOVITE’s PIPEDREAM with the\r\nDragos Platform.”\r\nGet the Complete Analysis\r\nRead the complete analysis on CHERNOVITE and the PIPEDREAM malware targeting ICS, with defensive\r\nrecommendations on what to do to protect against possible cyber attack.\r\nSource: https://www.dragos.com/blog/responding-to-chernovites-pipedream-with-dragos-global-services/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.dragos.com/blog/responding-to-chernovites-pipedream-with-dragos-global-services/"
	],
	"report_names": [
		"responding-to-chernovites-pipedream-with-dragos-global-services"
	],
	"threat_actors": [
		{
			"id": "091dc6fb-2650-4646-894a-41de0d463f94",
			"created_at": "2023-11-17T02:00:07.594612Z",
			"updated_at": "2026-04-10T02:00:03.455179Z",
			"deleted_at": null,
			"main_name": "Chernovite",
			"aliases": [],
			"source_name": "MISPGALAXY:Chernovite",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434209,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d385a132bff6eaff546e5dcfbf431bd308c2513.pdf",
		"text": "https://archive.orkl.eu/2d385a132bff6eaff546e5dcfbf431bd308c2513.txt",
		"img": "https://archive.orkl.eu/2d385a132bff6eaff546e5dcfbf431bd308c2513.jpg"
	}
}