Categories: News

by peter


Pipedream ICS Malware – A new framework is born

A new ICS targeted malware framework was recently discovered. Referred to as Pipedream and Incontroller, the malware is targeting industrial control systems (ICS).

Unlike many of the previous attacks that have come to light over the last few years, this time experts were able to detect the malware components and create defenses before the malware was deployed and used for malicious purposes.

The malware framework, as it is presently, is capable of scanning for and communicating with programmable logic controllers from Schneider Electric and Omron. It can scan and profile unified communication servers based on the OPC Unified Architecture specification. The expertise and capabilities encapsulated in the framework point to a nation-state actor as the source.

On April 12, cybersecurity firm ESET announced that the company had worked with a Ukrainian energy provider to mitigate an attack by Industroyer 2 the previous month. On April 14, managed response firm Mandiant and ICS specialist Dragos released separate reports on the ICS framework, dubbed Incontroller and Pipedream. The attack framework is the seventh such attacker toolset to target industrial control systems specifically. Our researcher, Peter Bassill, took a look at the malware with a particular interest in how it could propagate into other industry verticals such as maritime.

The targets of these new attack frameworks line up directly with the current Russian invasion of Ukraine, which suggests that the nation is the likely actual source of the attack.

The attack framework does not exploit vulnerabilities in the various ICS controllers and associated products; instead, it takes advantage of weaknesses in the security of their interoperation. The vulnerability lies within the architectural ecosystem and design of the industrial control systems.

7 Malware Attack Frameworks

Currently, there are seven known attack frameworks used against industrial control systems.

  1. Stuxnet
  2. Havex
  3. Black Energy 2
  4. Industroyer/CrashOverride
  5. Hatman/Triton/Trisis
  6. Industroyer 2
  7. Pipedream/Incontroller

While Stuxnet is a joint US-Israeli written malicious code, all others have been linked, to varying degrees, to Russian efforts. In addition to the United States and Russia, China has tools that target industrial control systems; these just have not come into the public light yet.

Pipedream ICS Malware

One of the biggest concerns highlighted in our research is the portability of the malware. It would be relatively simple to add components to the framework to scan for and disrupt systems aboard maritime vessels, and the framework code, as we have seen it, would easily sit on any Windows workstation onboard. It is certainly food for thought and is another tool added to the arsenal of our penetration testing service.

The concern over Pipedream is not because it contains exploits for zero-day vulnerabilities but because the toolset is tailor-made to operate within typical ICS environments. The analysis shows several components making up the attack framework, targeting Schneider Electric programmable logic controllers (PLCs), Omron PLCs, and unified communication servers using the Open Platform Communications (OPC) specification.
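Because the framework's first step is to scan for PLCs and OPC servers from a workstation inside the plant network, a host that touches many distinct ICS endpoints on the same service port in a short window is a useful detection signal. The following is an added example written for this article, not code from the original post, from Hedgehog, or from any of the vendor reports; it assumes the plant uses the default service ports (Modbus/TCP 502 for Schneider Electric PLCs, FINS 9600 for Omron PLCs, OPC UA 4840) and a constructed, whitespace-separated connection-log format that is not any real product's format.

```python
"""Flag hosts that sweep ICS/OPC UA service ports across many targets.

Reads firewall/flow-style connection logs and reports any source that
contacted at least `min_targets` distinct destinations on the same ICS
port. Denied connections count as attempts: a sweep is usually visible
mostly as denies, so they must not be filtered out first.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Assumption: default ports are in use. Adjust if the plant has remapped them.
ICS_PORTS = {
    502: "Modbus/TCP (Schneider Electric PLCs)",
    9600: "FINS (Omron PLCs)",
    4840: "OPC UA",
}

# Constructed sample log, format: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto> <action>"
# 10.0.5.10 is an HMI polling one PLC (normal); 10.0.5.21 sweeps several PLCs
# and OPC UA servers (suspicious); 10.0.5.30 is ordinary web traffic.
SAMPLE_LOG = """\
2022-04-14T09:00:01 10.0.5.10 10.0.9.1 502 tcp allow
2022-04-14T09:00:02 10.0.5.10 10.0.9.1 502 tcp allow
2022-04-14T09:00:03 10.0.5.10 10.0.9.1 502 tcp allow
2022-04-14T09:01:10 10.0.5.21 10.0.9.1 502 tcp allow
2022-04-14T09:01:10 10.0.5.21 10.0.9.2 502 tcp allow
2022-04-14T09:01:11 10.0.5.21 10.0.9.3 502 tcp deny
2022-04-14T09:01:11 10.0.5.21 10.0.9.4 502 tcp allow
2022-04-14T09:01:12 10.0.5.21 10.0.9.7 4840 tcp allow
2022-04-14T09:01:12 10.0.5.21 10.0.9.8 4840 tcp allow
2022-04-14T09:01:13 10.0.5.21 10.0.9.9 4840 tcp deny
2022-04-14T09:02:00 10.0.5.30 10.0.1.5 443 tcp allow
this line is malformed and is skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        port = int(parts[3])
    except ValueError:
        return None
    return {"ts": parts[0], "src": parts[1], "dst": parts[2],
            "port": port, "proto": parts[4], "action": parts[5]}


def find_sweeps(lines: Iterable[str], min_targets: int = 3) -> Dict[str, Dict[int, List[str]]]:
    """Return {src_ip: {port: [distinct dst_ips]}} for sources that reached
    min_targets or more distinct destinations on one ICS port."""
    targets: Dict[str, Dict[int, set]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["port"] not in ICS_PORTS:
            continue
        targets[rec["src"]][rec["port"]].add(rec["dst"])

    alerts: Dict[str, Dict[int, List[str]]] = {}
    for src, by_port in targets.items():
        hits = {port: sorted(dsts) for port, dsts in by_port.items()
                if len(dsts) >= min_targets}
        if hits:
            alerts[src] = hits
    return alerts


def describe(alerts: Dict[str, Dict[int, List[str]]]) -> List[str]:
    """Render alerts as one human-readable line per (source, port)."""
    out = []
    for src, by_port in sorted(alerts.items()):
        for port, dsts in sorted(by_port.items()):
            out.append(f"{src} contacted {len(dsts)} hosts on {port} ({ICS_PORTS[port]}): {', '.join(dsts)}")
    return out


if __name__ == "__main__":
    for msg in describe(find_sweeps(SAMPLE_LOG.splitlines())):
        print(msg)
```

The threshold is deliberately on distinct destinations rather than on connection count: an HMI that polls one PLC every second generates far more Modbus connections than a sweep does, but it never fans out across the address space. Tune `min_targets` to the number of controllers a single legitimate host is expected to talk to.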

What can you do?

The most prudent way forward is to run an IoT security assessment against your current in-use IoT devices. You can run this yourselves using readily available open source security testing tools, or use a specialist firm such as Hedgehog to do it for you.
