Skip to content

S1045 INCONTROLLER

INCONTROLLER is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. INCONTROLLER has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed INCONTROLLER was developed by CHERNOVITE.14253

Item Value
ID S1045
Associated Names PIPEDREAM
Type MALWARE
Version 1.0
Created 28 September 2022
Last Modified 17 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
PIPEDREAM 23

Techniques Used

Domain ID Name Use
ics T0858 Change Operating Mode INCONTROLLER can establish a remote HTTP connection to change the operating mode of Omron PLCs.23
ics T0884 Connection Proxy The INCONTROLLER PLCProxy module can add an IP route to the CODESYS gateway running on Schneider PLCs to allow it to route messages through the PLC to other devices on that network. This allows the malware to bypass firewall rules that prevent it from directly communicating with devices on the same network as the PLC.3
ics T0809 Data Destruction INCONTROLLER can wipe the memory of Omron PLCs and reset settings through the remote HTTP service.423
ics T0890 Exploitation for Privilege Escalation INCONTROLLER has the ability to exploit a vulnerable Asrock driver (AsrDrv103.sys) using CVE-2020-15368 to load its own unsigned driver on the system.3
ics T0891 Hardcoded Credentials INCONTROLLER can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151.3
ics T0867 Lateral Tool Transfer INCONTROLLER can use a Telnet session to load a malware implant on Omron PLCs.13
ics T0836 Modify Parameter INCONTROLLER can use the HTTP CGI scripts on Omron PLCs to modify parameters on EtherCat connected servo drives.3
ics T0842 Network Sniffing INCONTROLLER can deploy Tcpdump to sniff network traffic and collect PCAP files.3
ics T0861 Point & Tag Identification INCONTROLLER can remotely read the OCP UA structure from devices.1
ics T0843 Program Download INCONTROLLER can use the CODESYS protocol to download programs to Schneider PLCs.34
ics T0845 Program Upload INCONTROLLER can use the CODESYS protocol to upload programs from Schneider PLCs.34
ics T0886 Remote Services INCONTROLLER can use the CODESYS protocol to remotely connect to Schneider PLCs and perform maintenance functions on the device.3
ics T0846 Remote System Discovery INCONTROLLER can perform a UDP multicast scan of UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol.23
ics T0888 Remote System Information Discovery INCONTROLLER includes a library that creates Modbus connections with a device to request its device ID.13
ics T0869 Standard Application Layer Protocol INCONTROLLER can remotely send commands to a malicious agent uploaded on Omron PLCs over HTTP or HTTPS.1
ics T0855 Unauthorized Command Message INCONTROLLER can send custom Modbus commands to write register values on Schneider PLCs.1
ics T0859 Valid Accounts INCONTROLLER can brute force password-based authentication to Schneider PLCs over the CODESYS protocol (UDP port 1740).1

References

  1. DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022. 

  2. DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022. 

  3. Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30. 

  4. Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022. 

  5. Schneider Electric. (2022, April 14). Schneider Electric Security Bulletin: “APT Cyber Tools Targeting ICS/SCADA Devices” . Retrieved September 28, 2022.