Attack encyclopedia | 6 min read

Chernovite and Bentonite - threat groups that reshaped the OT security landscape in 2022

Analysis of Chernovite and Bentonite threat groups identified by Dragos in 2022 - Pipedream/Incontroller framework, ICS attack capabilities, implications for energy and water infrastructure.

Józef Sulwiński

Tags: Chernovite, Bentonite, ICS, APT, Pipedream

On 13 April 2022, CISA, NSA, FBI, and the US Department of Energy issued a joint advisory (AA22-103A) about a new set of offensive tools targeting industrial control systems. The same day, Dragos published a detailed technical analysis. The toolset received two names: Pipedream (from Dragos) and Incontroller (from Mandiant). The group behind its development was designated Chernovite by Dragos.

That same year, Dragos identified another threat group - Bentonite - with a different operational profile but equally concerning capabilities. Together, these two actors defined a new trajectory in the evolution of critical infrastructure threats.

Chernovite - the creators of Pipedream

Chernovite is one of the two threat groups Dragos added to its tracked set in 2022, and the first whose toolset Dragos assessed as able to interact directly with a broad, cross-vendor spectrum of industrial devices. Earlier groups with ICS attack capability, such as Electrum (Industroyer) and Xenotime (Triton), had built tooling for specific protocols or specific vendors' products. Chernovite went further.

Pipedream - a modular ICS attack framework

Pipedream is not a single piece of malware but a modular platform of five components, each serving a different function in the attack chain. The names below are Dragos's; Mandiant tracks the three device-facing tools under its own Incontroller names (TAGRUN for the OPC UA tool, CODECALL for the Schneider Electric tool, OMSHELL for the Omron tool):

| Component | Function | Target |
|---|---|---|
| Evilscholar | Scans for, connects to and manipulates Schneider Electric controllers: credential brute force, program upload and download, severing connections, Modbus-based denial of service | Modicon M251/M258/M241 PLCs over CODESYS and Modbus |
| Badomen | Interacts with Omron controllers and, through them, connected servo drives: backup and restore, loading and running arbitrary code, wiping device memory | Omron NX/NJ PLCs over FINS, HTTP and Telnet |
| Mousehole | Discovers OPC UA servers, enumerates their address space and reads or writes node (tag) values; can brute-force credentials | OPC UA servers, vendor-independent |
| Dusttunnel | Custom remote operational implant: persistence and command-and-control on compromised hosts, staging point for the other tools | Windows systems in the IT/OT environment |
| Lazycargo | Exploits a known vulnerability in a signed ASRock motherboard driver to load an unsigned driver and gain kernel access | Windows systems |

What distinguishes Pipedream from earlier ICS tools (such as Industroyer or Triton) is its versatility. Previous ICS malware was built for a specific attack against a specific target. Pipedream was designed as a reusable platform - capable of adapting to different industrial environments.

Technical capabilities

Dragos assessed that Pipedream gives Chernovite the capability to disrupt, degrade, and potentially destroy industrial processes, including:

  • Industrial process manipulation - changing setpoints, controller logic and configuration, and forcing output states, using the same protocol functions that engineering software uses
  • Communication disruption - severing or saturating communication between HMI and PLC, including Modbus-based denial of service against Schneider Electric controllers
  • Controller damage - crashing controllers, wiping memory, and loading arbitrary code, which can leave devices inoperable until an engineer restores them by hand
  • Lateral movement in OT networks - using compromised controllers and industrial protocols to reach other devices, and the Windows implant to reach engineering hosts

WARNING

The controller-facing Pipedream components do not rely on vulnerability exploitation in the traditional sense. They leverage native functions of industrial protocols (CODESYS, OPC UA, Modbus, FINS) - the same functions that engineers use to program and configure controllers - so the traffic is well-formed, looks like legitimate engineering activity, and there is no patch that removes the capability. The one exception is Lazycargo, which exploits a known vulnerability in a signed ASRock motherboard driver on a Windows host; that step can be closed by patching and driver blocklisting, but it is a convenience for the operator, not a prerequisite for the PLC tools. Mitigation for the rest is architectural: restrict and authenticate who can reach engineering ports, and monitor the protocols for writes, downloads and diagnostic commands the process does not expect.

Who is behind Chernovite

The joint CISA/NSA/FBI/DOE advisory pointed to an "advanced persistent threat (APT) actor" without providing state attribution. Dragos traditionally does not attribute ICS threat groups to specific nations, focusing instead on technical capabilities and operational infrastructure. External analysts and media pointed to Russia, based on the target profile (energy sector, water infrastructure) and the geopolitical context - the advisory appeared less than two months after Russia's full-scale invasion of Ukraine. No public evidence of Pipedream being deployed against a victim has been released.

Bentonite - a new actor in the OT threat landscape

Bentonite is the second threat group Dragos added in 2022, disclosed in the Year in Review 2022 report. Unlike Chernovite, which builds tools for direct ICS interaction, Bentonite focuses on gaining and extending initial access to the networks of critical infrastructure operators, and Dragos describes it as highly opportunistic: it goes after whatever vulnerable internet-facing asset it can reach rather than a curated target list.

Operational profile

Bentonite primarily targets:

  • The oil and gas sector
  • Electricity generation operators
  • Water utility operators

The group uses a combination of remote code execution (RCE) exploits against internet-facing devices and phishing operations targeting operational personnel. After gaining initial access, it conducts OT network reconnaissance, gathering information about topology, protocols in use, and controller types.

What we know about affiliations

Dragos noted overlap in infrastructure and tooling between Bentonite activity and groups other vendors track as Iranian APT actors. The group shows interest in targets consistent with Iranian intelligence priorities - energy infrastructure operators in the Middle East and North America. At the same time, Dragos cautioned that such overlap does not equate to definitive attribution.

What this means for critical infrastructure operators

The year 2022 brought a fundamental shift in the OT threat landscape. Within a single year Dragos added two groups to the set it tracks, bringing the total to 20, and the Pipedream framework set a new standard for offensive capabilities: a reusable, cross-vendor toolset, discovered before it was deployed.

TIP

Defense against Pipedream and similar tools requires, above all, deep visibility into the OT network. If you are not monitoring industrial protocol communications (Modbus, OPC UA, CODESYS, FINS), you have no way of detecting manipulation performed through the native functions of those protocols - the packets are valid and look like engineering work. Detection therefore comes from context: which hosts are allowed to issue writes, program downloads or diagnostic commands, to which controllers, and when.

Defensive checklist

  • Inventory all PLC/RTU controllers and their firmware versions
  • Segment the OT network with separate zones for different processes
  • Monitor network traffic in the OT zone (industrial protocols)
  • Restrict access to PLC programming ports (physically and logically)
  • Disable unused protocols on controllers
  • Create regular backups of controller configurations
  • Monitor firmware and PLC configuration changes
  • Control remote access to OT networks
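To make the WARNING and the "monitor network traffic" item above concrete, here is an added example of the kind of protocol-aware logic an OT monitor needs. It is my own illustration, not code from this page, from Dragos, or from Pipedream itself. It parses Modbus/TCP requests (the protocol Pipedream's Schneider Electric component speaks alongside CODESYS) and alerts on three things a perfectly well-formed packet can still tell you: a write function from a host that is not an approved engineering workstation, a Diagnostics "Force Listen Only Mode" command that silences a device, and a Read Device Identification request used for reconnaissance. The IP addresses, the engineering-host allowlist and the frames are constructed sample data, not captured traffic.

```python
"""Flag abuse of native Modbus/TCP functions: writes and diagnostics from hosts
that are not approved engineering workstations. Sample frames at the bottom are
constructed for illustration, not captured Pipedream activity."""
import struct
from dataclasses import dataclass

# Public Modbus function codes relevant to process manipulation and recon
FC_NAMES = {
    1: "Read Coils", 3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register", 8: "Diagnostics",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers", 43: "Read Device Identification",
}
WRITE_FCS = {5, 6, 15, 16, 23}
FORCE_LISTEN_ONLY = 0x0004   # Diagnostics sub-function: device stops answering


@dataclass
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function: int
    payload: bytes


def parse_modbus_tcp(src: str, dst: str, frame: bytes) -> ModbusRequest:
    """Split the 7-byte MBAP header from the PDU; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    if length != len(frame) - 6:          # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, dst, unit, frame[7], frame[8:])


def describe_write(req: ModbusRequest) -> str:
    """Decode target address and value/quantity of the common write functions."""
    p = req.payload
    if req.function in (5, 6) and len(p) >= 4:
        addr, value = struct.unpack(">HH", p[:4])
        return f"address {addr:#06x} <- {value:#06x}"
    if req.function in (15, 16) and len(p) >= 5:
        addr, qty, nbytes = struct.unpack(">HHB", p[:5])
        return f"{qty} item(s) from {addr:#06x} ({nbytes} data bytes)"
    return "unparsed write payload"


def classify(req: ModbusRequest, engineering_hosts: set[str]) -> list[str]:
    """Return alert strings for one request; an empty list means benign."""
    name = FC_NAMES.get(req.function, f"FC {req.function}")
    who = f"{req.src} -> {req.dst} unit {req.unit_id}"
    alerts = []
    if req.function in WRITE_FCS and req.src not in engineering_hosts:
        alerts.append(f"WRITE from non-engineering host: {who} {name}: {describe_write(req)}")
    if req.function == 8 and len(req.payload) >= 2:
        sub = struct.unpack(">H", req.payload[:2])[0]
        if sub == FORCE_LISTEN_ONLY:
            alerts.append(f"FORCE LISTEN ONLY (device silenced): {who}")
    if req.function == 43:
        alerts.append(f"RECON device identification read: {who}")
    return alerts


def analyze(frames, engineering_hosts):
    """Run every (src, dst, raw) frame through the parser and classifier."""
    alerts = []
    for src, dst, raw in frames:
        try:
            alerts.extend(classify(parse_modbus_tcp(src, dst, raw), engineering_hosts))
        except ValueError as e:
            alerts.append(f"MALFORMED frame {src} -> {dst}: {e}")
    return alerts


# Constructed sample traffic with hypothetical addresses (not real captures).
ENGINEERING_HOSTS = {"10.1.1.10"}
SAMPLE_FRAMES = [
    # HMI polling 10 holding registers: benign
    ("10.1.1.20", "10.1.2.5", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # Unknown host writes setpoint register 0x0010 = 500
    ("10.1.1.77", "10.1.2.5", bytes.fromhex("0002 0000 0006 01 06 0010 01F4")),
    # Same host forces the PLC into listen-only mode
    ("10.1.1.77", "10.1.2.5", bytes.fromhex("0003 0000 0006 01 08 0004 0000")),
    # Engineering workstation writes two registers: expected activity
    ("10.1.1.10", "10.1.2.5", bytes.fromhex("0004 0000 000B 01 10 0100 0002 04 0001 0002")),
    # Unknown host enumerates vendor/model via Read Device Identification
    ("10.1.1.77", "10.1.2.6", bytes.fromhex("0005 0000 0005 01 2B 0E 01 00")),
    # Truncated frame: MBAP length field disagrees with the bytes on the wire
    ("10.1.1.77", "10.1.2.6", bytes.fromhex("0006 0000 0006 01 03 0000")),
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_FRAMES, ENGINEERING_HOSTS):
        print(line)
```

Running the file prints four alerts for the six sample frames: the write from 10.1.1.77, the listen-only command, the device-identification read, and the malformed frame; the HMI poll and the engineering workstation's write pass silently. In production the same classification sits behind a packet source (a SPAN port feeding a pcap reader, or Zeek's modbus log) and the allowlist comes from the asset inventory that the first checklist item produces. The malformed-frame branch is worth keeping: length mismatches and other MBAP oddities are a useful signal that something other than standard engineering software is on the wire.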

Pipedream in historical context

Pipedream is the seventh publicly known malware family built specifically to attack ICS, after Stuxnet, Havex, BlackEnergy2, Industroyer (CrashOverride), Triton (Trisis), and Industroyer2. (COSMICENERGY, sometimes added to this list, was disclosed by Mandiant in 2023, after Pipedream.) But it is the first that was not discovered after being used in an attack - it was intercepted during the preparatory phase, before it caused damage. This is both good news (defenders acted in time) and bad news (someone is building increasingly sophisticated tools to attack critical infrastructure).

Selected ICS-specific malware with a direct process effect (Havex and BlackEnergy2, which focused on reconnaissance and access, are omitted):

| ICS malware | Year | Target | Effect |
|---|---|---|---|
| Stuxnet | 2010 | Uranium enrichment centrifuges (Siemens S7 PLCs) | Physical destruction |
| Industroyer | 2016 | Ukrainian power grid (IEC 101/104, IEC 61850, OPC DA) | Power outage |
| Triton | 2017 | Safety instrumented systems (Schneider Electric Triconex) | Safety controllers targeted; the SIS failed safe and the plant shut down |
| Industroyer2 | 2022 | Ukrainian power grid (IEC 104) | Attack thwarted |
| Pipedream | 2022 | Multi-vendor PLCs and OPC UA servers | Intercepted before deployment |

Conclusions

Chernovite and Bentonite represent two complementary threat vectors. Chernovite builds tools for direct attacks on industrial processes. Bentonite provides initial access to networks where those tools could be deployed. For critical infrastructure operators, this means defending on two fronts simultaneously - both at the IT/OT boundary and within the OT network itself.

Organizations that rely solely on a firewall between IT and OT are not prepared for threats of this caliber. Effective defense requires visibility into the OT network, monitoring of industrial protocols, and understanding what normal communication patterns look like in their environment - to distinguish them from anomalies.


Sources:

  • Dragos, CHERNOVITE’s Pipedream Malware Targeting Industrial Control Systems, April 2022 - dragos.com
  • CISA Alert AA22-103A, APT Cyber Tools Targeting ICS/SCADA Devices, April 2022 - cisa.gov
  • Mandiant, INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems, April 2022 - mandiant.com
  • Dragos, Year in Review 2022 - dragos.com
