The State of XIoT Security Report: 1H 2022
Download the Report
Claroty Logo


Aperture Podcast: Daniel Kapellmann Zafra on Incontroller/Pipedream

Michael Mimoso
/ May 5th, 2022

By Michael Mimoso | May 5, 2022 

Fewer than 10 attack tools purpose-built for industrial control systems have been uncovered, and while each have their own characteristics and capabilities, their intended outcomes are similar in their desire to disrupt industrial processes or interfere with safety systems that could endanger human lives.

Subscribe, rate, and review the Aperture podcast on all major platforms, including Apple Podcasts and Spotify.

The latest to be found in the wild, Incontroller (also known as Pipedream), arrived within a tense geopolitical climate stressed by a bloody war in Ukraine. While it was found before its capabilities were fully turned on its victims, its intent was clear: attack critical infrastructure, disrupt service delivery, and cause chaos.

Researchers from Mandiant were among the first to publish threat intelligence about Incontroller, calling it "exceptionally rare," and possessing "dangerous cyber attack capability." In this episode of the Aperture podcast, Daniel Kapellmann Zafra, senior technical analysis manager at Mandiant, specializing in cyber-physical threat intelligence, discusses Incontroller in depth.

Kapellman Zafra discusses early analyses of Incontroller and why Mandiant and others were so concerned about the flexibility it provides attackers in going after a targeted environment. Incontroller has three tailor-made components: Tagrun, Codecall, and Omshell, that target OPC UA servers, various Schneider Electric PLCs, and Omron PLCs respectively.

These components were built only after extensive reconnaissance of target environments. Each component was made to interact with specific industrial equipment and interfere with critical processes through sophisticated means reserved previously for the Stuxnets, Tritons, and Industroyers of the world.

"If you were an attacker and you were trying to compromise a specific organization using these devices, if you operate using this set of modules, you might be able to generate much more of an impact than if you were using a tool that goes specifically after one device," he said.

Mandiant, CISA, Schneider Electric, and CODESYS each published advisories that included indicators of compromise and mitigation advice. Incontroller is nonetheless stealthy and challenging to detect, and defenders should examine their environments for unusual OPC or CODESYS communication, and other anomalous behavior.

Also in this conversation, you'll learn:

  • More details about the Tagrun, Codecall, and Omshell components.

  • Two Windows components also included within Incontroller that target Windows-based engineering workstations running ASRock motherboards. These components were built for ASRock implementations, based on reconnaissance.

  • The resilience and readiness of potential victims within various industries.

  • How researchers approach such high-stakes work.


Interested in learning about Claroty's Cybersecurity Solutions?

Claroty Logo
LinkedIn Twitter YouTube Facebook