Pipedream/Incontroller : ICS-specific malware attacks

An industrial Control System (ICS) specific malware

Four US governmental agencies: CISA, FBI, NSA, Energy Department and several Cybersecurity researchers teams have found a new threat to industrial control systems.
According to the investigation, APT actors use a destructive toolset to take control of machines in order to access the operational technology network and impact the industrial process : Pipedream/Incontroller.

These attacks can cause physical impact by killing established processes.

Pipedream/Incontroller is an industrial Control System specific malware created by a group dubbed “Chernovite” by Dragos. Several sources including Dragos assess with high confidence that the threat group Chernovite is a state group.

This toolset can allow access and manipulate Schneider Electric and Omron PLCs, as well as Open Platform Communications (OPC) Unified Architecture OPC-UA servers. It can manipulate a lot of PLC’s[1] and industrial software and attack industrial technologies.


Incontroller/Pipedream is a set of tools that can be used when an attacker have established access within an OT environment. They can establish access with any vector available.

In the current case they used of the ASRock driver exploit (CVE-2020-15368[2]) in order to escalate their privileges and move through the environment.

This set of tools has a modular architecture and is automated. This allows Incontroller/Pipedream to be more adaptable: A tool component can be replaced or added depending on the exploit or tool and of the PLC type.

Here is a list of systems of an electrical substation that are affected by Pipedream/Incontroller:

  • ASRock driver that is vulnerable to CVE-2020-15368.
  • OPC Unified Architecture (OPC UA) Servers.
  • Schneider Electric MODICON and MODICON Nano PLCs (TM251, TM241, M258, M238, LMC058, and LMC078).
  • OMRON Sysmac NJ and NX PLCs (NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT).

Dragos broke Incontroller/Pipedream into five categories: 

  • Evilscholar: It allows to discover access and manipulate Schneider Electric PLCs. It has been developed with Python and Linux ELF library.
  • Badomen: It allows to scanning, identifying and accessing Omron software PLCs. It has been developed with Python framework.
  • Mousehole: It allows to interact and access OPC unified server architecture allowing brute-forcing attack or nodeids enumeration. It has been coded with a Python framework and target OPC-UA server.
  • Dusttunnel: It allows for persistence and command & control remotely. It has been coded in C++ and target Microsoft Windows devices.
  • Lazycargo: It allows elevating credential by exploiting a known vulnerability ASRock driver. Lazycargo has been coded in C++ and target Microsoft Windows devices.

Here is a diagram explaining this:

Chernovite scenario example. Source: https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf

Untrusted code is executed from the PLCs with PLC implants. These implants can stay on an Impacted PLC for a long time and it needs firmware forensic to reveal their presence.

In fact, it is difficult to detect a malicious code in the firmware of the PLC than in the memory zone. Indeed, the firmware serves as a link between hardware and software, and the user interacts the most of the time with the hardware and the top-level software. The firmware is not accessible for the user.

Capabilities of Pipedream/Incontroller malware

Here are the functionality of this malware depending the device and the system:

Schneider Electric Devices:

  • It can scan with UDP multicast over port 27127 in order to identify all Schneider PLC’s very fast on another network
  • Use brute force on Schneider PLC password via CODESYS over port 1740.
  • Conduct DoS attack to avoid network communication to the PLC.
  • Cut connections in order to force re-authentification to the PLC and then gather credential information.
  • Crash the PLC, for a power cycle and configuration recovery.
  • Push custom Modbus commands/packets.
  • Find files/directory listings in the device and the subnet
  • Delete files in the device and the subnet.
  • Add a route if the device gateway IP exists on a different interface.

Omron devices:

  • It can Scan for Omron via FINS protocol over port 9600.
  • Parse out HTTP response from Omron devices.
  • Find MAC addresses of devices.
  • Ask for what is connected to the PLC.
  • Backup and restore files to or from the PLC.
  • Load additional customs agents on the PLCs in order to allow for additional features.
  • Clean the device’s memory and reset it.
  • Activate the Telnet daemon and connect to the device with it and upload or executing payloads and commands.
  • Make a network capture.
  • Kill processes on the device.
  • Transfer files to the device.
  • Connect and communicate with attached servo drives.


  • It can identify the servers.
  • Connect to the servers via default or compromised credentials.
  • Read/Write tag values for data on servers.
  • Brute forcing credentials.
  • Output log files.


  • Use YARA rules to monitor the network (IDS)
YARA Rules. Sources : https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool
  • Ensure there is no direct connection between corporate and OT network and these network flows are strictly limited.
  • Disable all unused ports and protocols.
  • Use multi-factor authentication for all remote access to OT network and device.
  • Change all default passwords and use strong password policies.
  • Only use Admin account when it is needed.
  • Monitor System for loading unusual drivers.  
  • Map the network and assets.
  • Set up a block list to known, suspicious or malicious entities and an allow list to avoid any unwanted software.
  • Set up training and awareness session for employees.
  • Make sure to apply all the updates and the patches.
  • Restrict access to UDP/1740-1743, TCP/11740 for all Schneider Electric TM2xx series PLCs.
  • Restrict access to TCP/11740 for non-Schneider PLCs.
  • Conduct network telemetry analysis for unusual interactions with PLCs.
  • Disable the Schneider NetManage discovery service because the attackers used it to discover PLCs.
  • Isolate Network of safety systems from process systems.

Ecrit par Ganesh Pajani et Paul Peix.













[1] https://www.unitronicsplc.com/what-is-plc-programmable-logic-controller/

[2] https://nvd.nist.gov/vuln/detail/CVE-2020-15368?msclkid=85419d5cb4e011ecb9c6a9a06c66a82f