Pipedream (toolkit)

Pipedream is a software framework for malicious code targeting programmable logic controllers (PLCs) and industrial control systems (ICS). First publicly disclosed in 2022, it has been described as a "Swiss Army knife" for hacking. It is believed to have been developed by state-level Advanced Persistent Threat actors.

The name "Pipedream" was given by the cybersecurity company Dragos; the cybersecurity company Mandiant uses the name "Incontroller". It has been compared with the Industroyer toolkit used in the December 2015 Ukraine power grid cyberattack. Dragos refers to the authors of the software as Chernovite.

Details
The toolkit consists of custom-made tools that, once they have established initial access in an operational technology (OT) network, enables them to scan for, compromise, and control certain ICS/SCADA devices, including the following:


 * Schneider Electric PLCs,
 * OMRON Sysmac NEX PLCs, and
 * Open Platform Communications Unified Architecture (OPC UA) servers.

The toolkit has a modular architecture and enables cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.

APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.

In addition, the APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions.