Pipedream ICS Malware

Pipedream is an ICS-targeted malware framework affecting Schneider Electric and Omron ICS systems. Referred to as Pipedream and Incontroller, the malware targets industrial control systems (ICS). We took a look at the malware.

Posted on 2022-04-25 by Peter Bassill in category Insights.

Tags: Malware, ICS, SCADA, Maritime

A new ICS-targeted malware framework was recently discovered. Referred to as Pipedream and Incontroller, the malware targets industrial control systems (ICS).


Unlike many previous attacks that have come to light over the last few years, this time experts were able to detect the malware components and build defences before the malware was deployed and used for malicious purposes.


The malware framework, in its present form, is capable of scanning for and communicating with programmable logic controllers from Schneider Electric and Omron. It can also scan and profile unified communication servers based on the OPC Unified Architecture specification. The expertise and capabilities encapsulated in the framework point to a nation-state actor as the source.


On April 12, cybersecurity firm ESET announced that the company had worked with a Ukrainian energy provider to mitigate an attack by Industroyer 2 the previous month. On April 14, managed response firm Mandiant and ICS specialist Dragos released separate reports on the ICS framework, dubbed Incontroller and Pipedream respectively. The attack framework is the seventh such attacker toolset to target industrial control systems specifically. Our researcher, Peter Bassill, took a look at the malware with a particular interest in how it could propagate into other industry verticals such as maritime.


The targets of these new attack frameworks are directly linked to the current Russian invasion of Ukraine, which suggests that Russia is the likely source of the attacks.


The concern over Pipedream is not that it contains exploits for zero-day vulnerabilities but that the toolset is tailor-made to operate within typical ICS environments. The analysis shows several components making up the attack framework, targeting Schneider Electric programmable logic controllers (PLCs), Omron PLCs, and unified communication servers using the Open Platform Communications (OPC) specification.
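The device-scanning behaviour described above is the part of the toolset a network defender can actually look for: a single host fanning out to many PLCs and OPC UA servers within a short window, which a fixed HMI or SCADA poller talking to the same few controllers does not do. The following Python is an added example written for this page, not code from the article, Dragos, Mandiant or any vendor. It parses constructed flow records in a Zeek conn.log-like shape and flags such sweeps. The port-to-protocol mapping (502 Modbus/TCP for Schneider PLCs, 9600 Omron FINS, 4840 OPC UA) is the standard registered assignment for those protocols, and the host and time thresholds are assumptions, not values taken from the article.

```python
from collections import defaultdict
from dataclasses import dataclass

# Standard registered ports for the protocols the article's PLC and OPC UA
# targets speak. These are assumptions of this example, not values from the article.
ICS_PORTS = {
    502: "modbus_tcp",   # Schneider Electric Modicon PLCs (Modbus/TCP)
    9600: "omron_fins",  # Omron PLCs (FINS over TCP/UDP)
    4840: "opcua",       # OPC UA binary transport default port
}


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse whitespace-separated 'ts src dst dport proto' records; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport), proto))
    return flows


def find_ics_sweeps(flows, min_hosts=5, window=120.0):
    """Return {src: {"hosts": n, "protocols": [...]}} for every source that reached
    at least `min_hosts` distinct destinations on ICS ports within `window` seconds.
    A fixed HMI polling two PLCs stays below the threshold; a device sweep does not."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport in ICS_PORTS:
            by_src[f.src].append(f)
    hits = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.ts)
        best, best_protos, start = 0, set(), 0
        for end in range(len(fs)):
            # slide the window start forward until the span fits in `window` seconds
            while fs[end].ts - fs[start].ts > window:
                start += 1
            span = fs[start:end + 1]
            targets = {f.dst for f in span}
            if len(targets) > best:
                best = len(targets)
                best_protos = {ICS_PORTS[f.dport] for f in span}
        if best >= min_hosts:
            hits[src] = {"hosts": best, "protocols": sorted(best_protos)}
    return hits


# Constructed sample (ts src dst dport proto): 10.10.1.20 is an HMI polling two PLCs,
# 10.10.1.50 is a workstation sweeping the PLC subnet and then an OPC UA server.
SAMPLE_LOG = """
0   10.10.1.20 10.10.2.1 502 tcp
0   10.10.1.20 10.10.2.2 502 tcp
30  10.10.1.20 10.10.2.1 502 tcp
30  10.10.1.20 10.10.2.2 502 tcp
45  10.10.1.20 10.10.9.9 443 tcp
60  10.10.1.20 10.10.2.1 502 tcp
60  10.10.1.20 10.10.2.2 502 tcp
100 10.10.1.50 10.10.9.9 443 tcp
101 10.10.1.50 10.10.2.1 502 tcp
102 10.10.1.50 10.10.2.2 502 tcp
103 10.10.1.50 10.10.2.3 502 tcp
104 10.10.1.50 10.10.2.4 502 tcp
105 10.10.1.50 10.10.2.5 502 tcp
106 10.10.1.50 10.10.2.6 502 tcp
107 10.10.1.50 10.10.2.7 9600 udp
108 10.10.1.50 10.10.2.8 9600 udp
109 10.10.1.50 10.10.3.5 4840 tcp
"""


def run_sample():
    return find_ics_sweeps(parse_flows(SAMPLE_LOG))


if __name__ == "__main__":
    for src, info in run_sample().items():
        print(f"{src}: {info['hosts']} ICS hosts via {', '.join(info['protocols'])}")
```

The threshold of five distinct ICS hosts in two minutes is deliberately simple; in a real plant network it should be tuned against a baseline of known pollers (HMIs, historians, OPC gateways), which can be allow-listed by source address before the sweep check runs.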


The attack framework does not exploit vulnerabilities in the various ICS controllers and associated products; instead, it takes advantage of weaknesses in how these systems interoperate. The vulnerability lies within the architectural ecosystem and design of the industrial control systems.


Currently, there are seven known attack frameworks used against industrial control systems: Stuxnet, Havex, Black Energy 2, Industroyer/CrashOverride, Hatman/Triton/Trisis, Industroyer 2, and Pipedream/Incontroller. While Stuxnet was jointly written by the US and Israel, all the others have been linked, to varying degrees, to Russian efforts. In addition to the United States and Russia, China has tools that target industrial control systems; these just have not come into the public light yet.


One of the biggest concerns highlighted in our research is the portability of the malware. It would be relatively simple to add components to the framework to scan for and disrupt systems aboard maritime vessels, and the framework code, as we have seen it, would easily sit on any Windows workstation onboard. It is certainly food for thought and is another tool added to the arsenal of our penetration testing service.
