PIPEDREAM
PIPEDREAM, also referred to as INCONTROLLER, is a modular industrial control systems (ICS) malware framework discovered in 2022 and described as the seventh known ICS-specific malware and the fifth specifically developed to disrupt industrial processes. The content attributes its development to the CHERNOVITE activity group and characterizes it as a state-sponsored capability intended for disruptive or destructive operations against operational technology environments.
The toolkit is designed for reconnaissance, manipulation, and disruption of PLCs, along with intrusion operations against Windows systems. Reported capabilities include scanning for, compromising, and controlling ICS devices on OT networks; targeting Schneider Electric and Omron PLCs; interacting with OPC UA servers; and leveraging the widely used CODESYS software stack, which expands potential applicability beyond the initially observed vendors. The content states that PIPEDREAM uses industrial protocols including OPC UA and Modbus, and that one component uses Modbus TCP for enumeration. Dragos reported that the toolkit can hijack target devices, deny or disrupt operator access, permanently brick devices, use compromised devices as footholds into other parts of an ICS network, and in some scenarios manipulate industrial processes in ways that could cause disruption, degradation, or possible destruction.
The malware is associated in the content with likely targeting of electric utilities and oil and gas environments, especially liquefied natural gas facilities, though it is also described as adaptable to other sectors including manufacturing and water treatment. Multiple sources in the content state that researchers had high confidence the malware had not yet been deployed for disruptive or destructive physical effects at the time of reporting, making it a rare pre-deployment discovery.
The content also references detailed component names from Dragos reporting: EVILSCHOLAR, BADOMEN, MOUSEHOLE, DUSTTUNNEL, and LAZYCARGO. These are described respectively as capabilities for Schneider Electric/CODESYS PLC interaction, Omron PLC/software interaction, OPC UA server interaction, Windows host reconnaissance and command-and-control, and loading an unsigned driver via a vulnerable ASRock driver. Additional behaviors mentioned include brute forcing passwords, denial-of-service against controllers, severing connections, changing operating modes, backing up/restoring configurations, wiping PLC memory, writing arbitrary OPC UA node attributes, and using PLCs as network proxies across OT environments.
Aliases in the content are PIPEDREAM and INCONTROLLER.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Evidence snippet: "LAZYCARGO ... drops and exploits a vulnerable ASRock driver to load an unsigned driver." Cited reference: https://github.com/stong/CVE-2020-15368
Groups observed using it
1 distinct threat actor attributed by public researchers.
Differentiation is at the edges, Dragos’s threat intelligence (FrostyGoop, PIPEDREAM, CHERNOVITE write-ups)...
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 2 techniques
Persistence: 1 technique
Privilege Escalation: 2 techniques
Stealth: 1 technique
Credential Access: 2 techniques
Discovery: 1 technique
Lateral Movement: 1 technique
Command and Control: 1 technique
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Named ICS malware/tooling referenced in OT threat intelligence coverage.
Modular ICS attack platform (reported discovered in 2022) assessed as capable of disrupting or destroying OT operations, including disabling/bricking control systems and potentially undermining safety systems; described as adaptable to multiple industrial environments with initial focus on electric and oil & gas/LNG.
ICS-specific malware framework/tooling referenced as implementing industrial protocols (OPC-UA and Modbus), highlighting OT-native protocol abuse in ICS attacks.
ICS-focused malware referenced as illustrating that threat actors can target operational technology and potentially cause physical-world disruption or damage.