CHERNOVITE and BENTONITE – New Threats of 2022
Only about two weeks ago, towards the end of February 2023, Dragos released its 6th annual ‘ICS/OT Cybersecurity Year in Review’.
Today we will look at the two new threat groups Dragos discovered in 2022.
First reported on in May 2022, CHERNOVITE is the developer of PIPEDREAM, the seventh piece of malware designed specifically for Industrial Control Systems (ICS), preceded by STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, TRISIS and Industroyer2.
PIPEDREAM represents Stage 2 capabilities as described in the ICS Cyber Kill Chain model: the stage where the attacker develops a new capability tailored to a specific ICS implementation and to the desired impact.
Originally used to target the electrical and oil & natural gas sectors, PIPEDREAM is the first known attack framework that can be effectively deployed across many different industries, with the ability to disrupt, degrade and even destroy physical processes within industrial environments. One reason for this is that it can impact three very widely used technologies – CODESYS, MODBUS and OPC UA – found in thousands of devices from a combined total of over 5000 suppliers across critical industries.
According to Dragos, PIPEDREAM was developed by a state actor with the intention of using it in future operations for the purpose of disruption or destruction. The threat group, CHERNOVITE, is believed to be an “effects/impact team” rather than an “access team.” This means that PIPEDREAM was designed to be used for its disruptive or destructive effects after another threat group has gained initial access to the target environment. This suggests a complex and sophisticated threat landscape that requires a proactive and multi-layered security approach to protect against potential attacks.
The good news is that PIPEDREAM was discovered before it was employed for destructive purposes.
How does one protect against PIPEDREAM?
It is not something that can be prevented by patching. Protection against PIPEDREAM has to focus on detection and response, so that PIPEDREAM can be found in the environment itself. The challenge is that PIPEDREAM is delivered into the environment only when it is needed; before that time it is simply not there to be detected.
The key is to constantly monitor the traffic between the OT and corporate environments, as well as laterally across OT networks, with ICS protocol-aware technologies. It also means looking for modifications outside of maintenance periods and maintaining an accurate asset inventory (asset visibility).
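As an added example (not code from Dragos or from this blog), the script below shows what the three pieces of advice above look like when combined into one flow-level check: an asset inventory with zones, a baseline of which OT hosts are expected to speak which ICS protocol to which controller, and a maintenance window outside of which Modbus write operations are flagged. Every address, hostname, zone, baseline pair and maintenance window is constructed. The port numbers are assumptions: 502 for Modbus/TCP and 4840 for OPC UA are the usual defaults, and 1217 and 11740 are taken as CODESYS defaults that should be checked against the runtime actually deployed.

```python
"""Baseline-driven review of ICS protocol flows (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Assumed default ports; verify against the deployed products.
ICS_PORTS = {502: "modbus", 4840: "opcua", 1217: "codesys", 11740: "codesys"}
# Modbus function codes that write coils/registers (5, 6, 15, 16, 22, 23).
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}

# Constructed asset inventory: IP -> (hostname, zone)
INVENTORY = {
    "10.0.1.10": ("eng-ws-01", "ot"),
    "10.0.1.20": ("hmi-01", "ot"),
    "10.0.2.5": ("plc-line1", "ot"),
    "10.0.2.6": ("plc-line2", "ot"),
    "192.168.50.7": ("corp-laptop-17", "corporate"),
}

# Constructed baseline: (source, destination, protocol) triples seen during normal operation
ALLOWED_PAIRS = {
    ("10.0.1.10", "10.0.2.5", "codesys"),
    ("10.0.1.20", "10.0.2.5", "modbus"),
    ("10.0.1.20", "10.0.2.6", "modbus"),
}

# Constructed maintenance windows as (weekday, start, end); weekday 5 == Saturday
MAINTENANCE_WINDOWS = [(5, time(2, 0), time(6, 0))]


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    modbus_fc: Optional[int] = None  # set when the sensor parsed a Modbus PDU


def in_maintenance(ts, windows=MAINTENANCE_WINDOWS):
    """True when ts falls inside one of the declared maintenance windows."""
    return any(ts.weekday() == wd and start <= ts.time() < end for wd, start, end in windows)


def analyse_flows(flows, inventory=INVENTORY, allowed=ALLOWED_PAIRS, windows=MAINTENANCE_WINDOWS):
    """Return (rule, src, dst, protocol) alerts for flows that break the baseline."""
    alerts = []
    for f in flows:
        proto = ICS_PORTS.get(f.dport)
        if proto is None:
            continue  # not an ICS protocol; other detections cover it
        src = inventory.get(f.src)
        if src is None:
            alerts.append(("unknown-asset", f.src, f.dst, proto))  # gap in asset visibility
            continue
        if src[1] != "ot":
            alerts.append(("cross-zone-ics", f.src, f.dst, proto))  # IT host talking ICS to OT
            continue
        if (f.src, f.dst, proto) not in allowed:
            alerts.append(("unexpected-lateral-ics", f.src, f.dst, proto))  # new OT-to-OT pair
            continue
        if proto == "modbus" and f.modbus_fc in MODBUS_WRITE_FCS and not in_maintenance(f.ts, windows):
            alerts.append(("write-outside-maintenance", f.src, f.dst, proto))
    return alerts


# Constructed sample flows: 7 March 2023 is a Tuesday, 4 March 2023 a Saturday
TUE = datetime(2023, 3, 7, 10, 15)
SAT = datetime(2023, 3, 4, 3, 0)
SAMPLE_FLOWS = [
    Flow(TUE, "10.0.1.20", "10.0.2.5", 502, 3),    # HMI reading holding registers: normal
    Flow(TUE, "10.0.1.20", "10.0.2.5", 502, 16),   # HMI writing registers on a Tuesday: flag
    Flow(SAT, "10.0.1.20", "10.0.2.5", 502, 16),   # same write inside the maintenance window: ok
    Flow(TUE, "192.168.50.7", "10.0.2.5", 4840),   # corporate laptop speaking OPC UA to a PLC: flag
    Flow(TUE, "10.0.1.10", "10.0.2.6", 1217),      # engineering workstation to a PLC it never touches: flag
    Flow(TUE, "10.0.3.99", "10.0.2.6", 502),       # source missing from the inventory: flag
    Flow(TUE, "192.168.50.7", "10.0.1.10", 443),   # HTTPS, not an ICS protocol: ignored here
]

if __name__ == "__main__":
    for alert in analyse_flows(SAMPLE_FLOWS):
        print(*alert)
```

The ordering of the checks matters: an unknown or cross-zone source is reported as such before the pair baseline is consulted, so a single flow produces one alert naming the most fundamental gap (asset visibility, then segmentation, then baseline, then timing).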
To read more about the various PIPEDREAM features please refer to our blog entry from April 2022.
Since 2021, the new threat group BENTONITE has been opportunistically targeting the maritime oil and gas (ONG), government and manufacturing sectors with increasing frequency. BENTONITE engages in offensive operations for both espionage and disruptive purposes, indicating a multifaceted and potentially significant threat to critical infrastructure and sensitive information.
BENTONITE aims to exploit vulnerable assets that are remotely accessible or exposed to the internet, which could give it unauthorized access to targeted systems or networks.
After obtaining initial access, BENTONITE delivers a malware implant downloader to retrieve additional malware implants from adversary-controlled GitHub accounts. These implants enable the adversary to conduct command and control through its infrastructure, gather information about the compromised host, conduct network reconnaissance and establish an SSH connection.
BENTONITE is highly opportunistic in selecting its victims. Once it gains access to a victim’s environment, it is remarkably persistent in retaining that access: it moves laterally to other hosts, collects credentials and establishes long-term persistence using scheduled tasks and malware implants.
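Scheduled tasks are one of the persistence mechanisms named above, and they leave an auditable trail. The example below (added here; not code from Dragos or from this blog) reviews scheduled-task creation records against a baseline of executables that are legitimately scheduled on OT hosts. The record shape follows Windows Security event 4698, whose TaskContent field carries the task definition XML with the real Microsoft task namespace; the hosts, user names, task names, commands and the allowlist are all constructed. The three heuristics (executable not in the baseline, a remote URL in the arguments, executable located under a user-writable path) are generic review criteria, not signatures for BENTONITE's implants.

```python
"""Review scheduled-task creation events against a baseline (added example; sample data constructed)."""
import re
import xml.etree.ElementTree as ET

# Real namespace used by Windows task definition XML
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def task_xml(command, arguments=""):
    """Build a minimal task definition in the shape event 4698 places in TaskContent (constructed)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample of 4698-style records: host, creating user, task name, task XML
EVENTS = [
    {"host": "eng-ws-01", "user": "svc_backup", "task": r"\Nightly Backup",
     "content": task_xml(r"C:\Program Files\Backup\backup.exe", "--full")},
    {"host": "hmi-01", "user": "SYSTEM", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "content": task_xml(r"%windir%\system32\defrag.exe", "-c -h -k")},
    {"host": "eng-ws-01", "user": "jsmith", "task": r"\Updater",
     "content": task_xml(r"C:\Users\jsmith\AppData\Local\Temp\upd.exe",
                         "--sync https://example.invalid/update")},
    {"host": "plc-gw-01", "user": "operator", "task": r"\Monitor",
     "content": task_xml(r"C:\Tools\monitor.exe", "--quiet")},
]

# Constructed baseline of executables known to be legitimately scheduled on these hosts
ALLOWED_COMMANDS = {
    r"c:\program files\backup\backup.exe",
    r"%windir%\system32\defrag.exe",
}

URL_RE = re.compile(r"https?://", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.IGNORECASE)


def extract_action(content):
    """Return (command, arguments) from the task definition XML."""
    root = ET.fromstring(content)
    cmd = root.findtext(".//t:Exec/t:Command", default="", namespaces=NS)
    args = root.findtext(".//t:Exec/t:Arguments", default="", namespaces=NS)
    return cmd.strip(), args.strip()


def review_task_events(events, allowed=ALLOWED_COMMANDS):
    """Return one finding per event whose task action fails at least one heuristic."""
    findings = []
    for ev in events:
        cmd, args = extract_action(ev["content"])
        reasons = []
        if cmd.lower() not in allowed:
            reasons.append("unknown-command")          # not in the scheduled-task baseline
        if URL_RE.search(args):
            reasons.append("remote-url-in-arguments")  # task reaches out to the internet
        if USER_WRITABLE_RE.search(cmd):
            reasons.append("user-writable-path")       # executable lives where any user can drop files
        if reasons:
            findings.append({"host": ev["host"], "user": ev["user"], "task": ev["task"],
                             "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_task_events(EVENTS):
        print(finding["host"], finding["task"], finding["command"], ", ".join(finding["reasons"]))
```

In practice the baseline is built from the tasks present on each host class during a known-good period, and a finding with a single `unknown-command` reason is a prompt to either extend the baseline or investigate, while the combination of all three reasons is the pattern worth escalating on an OT host.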
Unlike CHERNOVITE’s PIPEDREAM, BENTONITE demonstrates ‘only’ Stage 1 of the ICS Cyber Kill Chain, potentially resulting in data exfiltration and IT compromise.
BENTONITE’s case highlights the importance of implementing robust security measures such as regular security updates, multi-factor authentication and intrusion detection systems to safeguard against potential attacks.
Asset visibility helps organisations manage changes to the OT environment, ensuring that new assets are properly configured and integrated into the security framework.