Pipedream/INCONTROLLER Detection: New Attack Framework and Tools Target Industrial Control Systems


The US governmental agencies – CISA, FBI, NSA, and the Energy Department – along with several corporate teams of cybersecurity researchers have sounded the alarm about nationwide threats to industrial control systems (ICS). According to the security investigators, APT actors leverage a destructive toolset to take over targeted devices once they have established initial access to the operational technology (OT) network. These attacks carry the potential to sabotage and halt established industrial processes and lead to physical consequences.

The researchers are connecting INCONTROLLER and Pipedream ICS-specific malware to Russia-linked threat actors.

Pipedream/INCONTROLLER ICS Malware Detection

For effortless Pipedream/INCONTROLLER ICS malware detection, use the following threat detection content released by seasoned security expert Sittikorn Sangrattanapitak. The Sigma-based rule detects suspicious file names associated with the ASRock motherboard driver exploit, CVE-2020-15368, which the INCONTROLLER state-sponsored attack framework uses against Windows-based systems in IT or operational technology (OT) environments:

INCONTROLLER State-Sponsored Cyber Attack Tools Targeted Industrial Control Systems with Driver Exploit [CVE-2020-15368] (via file_event)

This detection is available for 22 SIEM, EDR & XDR platforms and is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Initial Execution tactic with User Execution (T1204) as the primary technique.
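To show how a file_event Sigma rule of this kind is evaluated by a SIEM, here is an added example (not the published rule and not SOC Prime's code) that implements the core Sigma matching semantics, a selection with an `endswith` modifier, a filter with a `startswith` modifier, and an `a and not b` condition, and runs them over constructed Sysmon-style FileCreate (Event ID 11) records. The driver file name `AsrDrv103.sys` is an assumption based on public reporting on CVE-2020-15368, not taken from the page, and the vendor-path filter, the sample events and the paths in them are all constructed for the example; the indicator list of the real marketplace rule is not reproduced here.

```python
"""Evaluate a Sigma-style file_event rule against Sysmon-like FileCreate
records. Added example: the rule body and the sample events are constructed
here and are not the rule published on the SOC Prime marketplace."""
import fnmatch
from typing import Any

# Constructed rule in Sigma's detection shape. The driver file name is an
# ASSUMPTION (AsrDrv103.sys is the publicly reported CVE-2020-15368 driver);
# the filter path is a constructed example of a benign vendor install location.
RULE: dict[str, Any] = {
    "title": "ASRock driver drop linked to CVE-2020-15368 (constructed example)",
    "logsource": {"category": "file_event", "product": "windows"},
    "detection": {
        "selection": {
            "TargetFilename|endswith": ["\\AsrDrv103.sys"],
        },
        "filter_vendor_path": {
            "TargetFilename|startswith": "C:\\Program Files (x86)\\ASRock\\",
        },
        "condition": "selection and not filter_vendor_path",
    },
}

# Constructed Sysmon Event ID 11 (FileCreate) records, not real telemetry.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"EventID": 11, "Image": "C:\\Windows\\Temp\\svc.exe",
     "TargetFilename": "C:\\Windows\\Temp\\AsrDrv103.sys"},
    {"EventID": 11, "Image": "C:\\Program Files (x86)\\ASRock\\Setup.exe",
     "TargetFilename": "C:\\Program Files (x86)\\ASRock\\RGB\\AsrDrv103.sys"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\operator\\report.docx"},
]


def _field_matches(value: str, key: str, patterns: Any) -> bool:
    """Apply one Sigma field modifier. Sigma string matching is
    case-insensitive by default; a list of patterns is OR-ed."""
    _field, _, modifier = key.partition("|")
    pats = patterns if isinstance(patterns, list) else [patterns]
    v = value.lower()
    for p in (str(p).lower() for p in pats):
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and fnmatch.fnmatchcase(v, p):
            return True  # plain Sigma values allow * and ? wildcards
    return False


def _selection_matches(event: dict[str, Any], selection: dict[str, Any]) -> bool:
    """All keys of a selection map must match (AND semantics)."""
    for key, patterns in selection.items():
        field = key.split("|")[0]
        if field not in event:
            return False
        if not _field_matches(str(event[field]), key, patterns):
            return False
    return True


def evaluate(rule: dict[str, Any], event: dict[str, Any]) -> bool:
    """Evaluate a rule whose condition is 'X' or 'X and not Y'."""
    det = rule["detection"]
    sel_name, _, filter_name = det["condition"].partition(" and not ")
    hit = _selection_matches(event, det[sel_name])
    if filter_name:
        hit = hit and not _selection_matches(event, det[filter_name])
    return hit


def scan(rule: dict[str, Any], events: list[dict[str, Any]]) -> list[str]:
    """Return the TargetFilename of every event the rule fires on."""
    return [e["TargetFilename"] for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    for name in scan(RULE, SAMPLE_EVENTS):
        print(f"[{RULE['title']}] {name}")
```

The driver dropped into a temporary directory fires the rule, the same file name under the vendor's own install path is suppressed by the filter, and the unrelated document never matches. When tuning a rule like this in production, the filter is the part to review carefully: an attacker who writes the driver under the excluded path would evade it, so pair the path exclusion with an `Image` or signer check if your telemetry supports it.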

Follow the updates of detection content related to INCONTROLLER in the Threat Detection Marketplace repository of the SOC Prime Platform here. The SOC Prime detection content library is constantly updated with new content, driven by the collaborative cyber defense approach and the Follow the Sun (FTS) model, which ensures timely delivery of detections for critical threats.

Eager to hunt for the latest threats, automate threat investigation, and get feedback and vetting from a community of 20,000+ security professionals? Join SOC Prime, the world’s first platform for collaborative cyber defense, threat hunting, and discovery that integrates with 25+ SIEM, EDR, and XDR platforms. Got high-flying ambitions in cybersecurity? Join our Threat Bounty program, develop your own Sigma rules, and get recurrent rewards for your valuable contribution!


Pipedream/INCONTROLLER ICS Malware Analysis

A joint Cybersecurity Advisory from CISA, FBI, NSA, and the US Department of Energy released on April 13, 2022, details multiple ICS-specific attacks as well as APT actors’ attempts to take over supervisory control and data acquisition (SCADA) devices, such as programmable logic controllers (PLCs) from Schneider Electric and OMRON (Sysmac NJ and NX devices), as well as targeting Open Platform Communications Unified Architecture (OPC UA) servers.

The Dragos cybersecurity company has released its statement regarding the attacks in question, referring to the malware as Pipedream (which it traces back to the Chernovite APT), whilst Mandiant focused on the toolset dubbed INCONTROLLER. Pipedream/INCONTROLLER ICS malware enables adversaries to scan for ICS and SCADA devices and acquire full control over affected machines once initial access to the operational technology (OT) network is achieved. Moreover, the attack framework components allow exploitation of a flaw in the ASRock RGB driver, tracked as CVE-2020-15368 (see the Sigma-based rule above). INCONTROLLER itself is composed of three ICS tools with different capabilities: TAGRUN, CODECALL, and OMSHELL. These INCONTROLLER components are used at various stages of an attack.

INCONTROLLER attack scenarios suggest comparability with the Triton, Stuxnet, and Industroyer malware strains. Researchers warn that in light of current events, i.e., the Russian invasion of Ukraine, INCONTROLLER and Pipedream malware have the alarming capability to put much critical infrastructure in jeopardy by sabotaging industrial processes in Ukraine and other countries that stand against the Russian aggression. For example, the latest sample of the notorious Industroyer malware family, tagged Industroyer2, has recently hit the headlines, with Sandworm APT group operators behind the attack crippling the Ukrainian electrical grid.

Researchers stress that most devices targeted by INCONTROLLER are integrated with automated machinery and often form an inconspicuous part of industrial operations. The full scale of the consequences is yet to be discovered.

In dire times, put your trust in time-tested tools and resources to ensure your system is not a sitting duck for cyber-offenders. Stand together with SOC Prime for a safer future. Sign up for free at SOC Prime’s Detection as Code platform to streamline your SOC operations with best practices and shared expertise.
