PIPEDREAM (INCONTROLLER)
State-sponsored modular attack framework targeting industrial control systems
Summary
PIPEDREAM (also known as INCONTROLLER) is a modular industrial control system (ICS) attack framework developed by state-sponsored actors, likely linked to Russia (CHERNOVITE activity group). It targets programmable logic controllers (PLCs) and other ICS components to enable reconnaissance, disruption, degradation, and potential destruction of industrial processes. Discovered in early 2022 before any known deployment, it represents a versatile toolset comparable to historical ICS malware like TRITON and STUXNET.
Key Facts:
- Targets: Schneider Electric Modicon PLCs, Omron Sysmac PLCs, OPC UA servers, Modbus, CODESYS protocols.
- Capabilities: Scanning, brute-forcing credentials, manipulating tags/values, DoS attacks, device crashes.
- Discovered by: Mandiant, Dragos, in collaboration with vendors and authorities.
- No known in-the-wild destructive use as of discovery.
Background
PIPEDREAM was discovered in early 2022 through independent research by Mandiant (now Google Cloud) and Dragos, in partnership with vendors like Schneider Electric. Analysis revealed a sophisticated, modular toolkit designed for ICS attacks. Notifications were made to affected vendors and U.S. government agencies (CISA, FBI, DOE, NSA), leading to a joint cybersecurity advisory on April 13, 2022. Vendors issued security bulletins and advisories (e.g., Schneider Electric SESB-2022-01, CODESYS advisory), but as it leverages native functionalities rather than vulnerabilities, no specific patches were required — instead, focus was on enhanced security configurations and monitoring.
Impact
- Exploitation Potential: Allows attackers to gain full system access, manipulate industrial processes, and execute denial-of-service attacks, potentially leading to physical damage or safety incidents.
- Scope: Affects critical infrastructure sectors including energy, manufacturing, water utilities, and oil refineries; versatile modules can target a wide array of ICS devices globally.
- Risk to Operations: Can cause loss of control, extended downtime, and increased recovery time, endangering lives, livelihoods, and communities.
- Geopolitical Angle: Heightened threat to Ukraine, NATO members, and allies amid conflicts like the Russia-Ukraine war.
What's Pipedream
Pipedream is a state-sponsored modular ICS attack framework (aka INCONTROLLER) consisting of multiple components designed to target and compromise industrial control systems. It includes tools like TAGRUN (OPC UA interactions), CODECALL (Modbus/CODESYS for Schneider PLCs), OMSHELL (Omron interactions), and others such as EVILSCHOLAR, BADOMEN, MOUSEHOLE for enumeration, exploitation, and control. Unlike traditional malware, it often uses legitimate protocols and native device functions rather than zero-day exploits, making it adaptable and hard to detect.
Implications
Pipedream underscores the evolving threat to operational technology (OT) environments, where state actors can deploy versatile tools for sabotage without needing specific vulnerabilities. It amplifies security risks in critical infrastructure, particularly during geopolitical tensions, potentially leading to widespread disruptions. Organizations face increased operational risks, including safety hazards and prolonged recovery, necessitating a shift from basic cybersecurity to comprehensive ICS-specific defenses, behavior-based monitoring, and cross-zone isolation to prevent lateral movement and process manipulation.
Mitigation
Immediate (0–7 days)
- Enforce multifactor authentication (MFA) for all remote access to ICS networks and devices.
- Change all default passwords on ICS/SCADA devices to strong, unique ones to counter brute-force attacks.
- Implement continuous OT monitoring to log and alert on malicious indicators, such as unusual scans on ports 27127 or 1740.
- Monitor for all threat behaviors in the MITRE ATT&CK for ICS matrix.
Short-Term (1–4 weeks)
- Isolate ICS/SCADA systems from corporate and internet networks using strong perimeter controls and limit communications.
- Enable robust log collection and retention from ICS systems and ensure visibility into North-South and East-West traffic.
- Protect management systems with authentication, encryption, and endpoint detection solutions.
Medium-Term (1–3 months)
- Maintain inventory and control of all OT assets, ensuring only known-good firmware and configurations are used.
- Create and maintain offline backups of configurations and firmware with integrity checks.
- Limit network connections to ICS systems to authorized management workstations only.
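The "offline backups with integrity checks" item above is easy to state and easy to get wrong: a backup whose manifest lives on the same media as the files proves nothing if an intruder can rewrite both. The following is an added example (not code from the advisory or from any vendor) showing one way to do it in Python: a SHA-256 manifest is generated when the backup is taken, the manifest is then kept separately from the backup media, and verification later classifies every file as intact, modified, missing or unexpected. The directory layout, file names, byte contents and manifest file name are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed manifest file name; any name works as long as it is stored apart from the backup media.
MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large firmware images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file under backup_dir (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(backup_dir: Path) -> Path:
    """Write the manifest next to the backup; the caller must then copy it to separate storage."""
    out = backup_dir / MANIFEST_NAME
    out.write_text(json.dumps(build_manifest(backup_dir), indent=2, sort_keys=True))
    return out


def verify_manifest(backup_dir: Path, trusted_manifest: dict) -> dict:
    """Compare the backup directory against a manifest loaded from trusted, separate storage."""
    current = build_manifest(backup_dir)
    return {
        "ok": sorted(f for f in trusted_manifest if current.get(f) == trusted_manifest[f]),
        "modified": sorted(f for f in trusted_manifest
                           if f in current and current[f] != trusted_manifest[f]),
        "missing": sorted(f for f in trusted_manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in trusted_manifest),
    }


def demo() -> dict:
    """Constructed scenario: snapshot two device backups, then simulate tampering,
    deletion and an injected file on the backup copy before verifying."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plc-line1").mkdir()
        (root / "plc-line1" / "config.bin").write_bytes(b"\x01\x02\x03 constructed config")
        (root / "plc-line1" / "firmware.bin").write_bytes(b"constructed firmware image")
        (root / "opcua-srv").mkdir()
        (root / "opcua-srv" / "server.xml").write_text("<cfg/>")

        manifest_path = write_manifest(root)
        # This copy stands in for the manifest kept on separate, offline storage.
        trusted = json.loads(manifest_path.read_text())

        # Simulated changes to the backup media after the snapshot was taken.
        (root / "plc-line1" / "config.bin").write_bytes(b"\x01\x02\x03 tampered")
        (root / "opcua-srv" / "server.xml").unlink()
        (root / "plc-line1" / "notes.txt").write_text("unexpected file")

        return verify_manifest(root, trusted)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:>10}: {files}")
```

Verification only has value if the trusted manifest cannot be modified by whoever modified the backup; in practice that means a read-only or air-gapped copy, and comparing a restored configuration against the manifest before loading it into a controller.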
Long-Term (3–6+ months)
- Develop and regularly exercise a cyber incident response plan tailored to ICS environments, including recovery from denial, disruption, and destruction.
- Implement principle of least privilege and remove unnecessary applications from OT systems.
- Deploy ICS-aware intrusion prevention and firewall rules to block unauthorized protocols and ports.
Timeline
| Date | Event |
|---|---|
| Early 2022 | Discovery and analysis by Mandiant, Dragos, and partners. |
| April 13, 2022 | Joint cybersecurity advisory released by CISA, FBI, DOE, NSA. |
| April 13, 2022 | Mandiant and Dragos publish detailed reports. |
| April 14, 2022 | Additional resources added to CISA advisory. |
| May 25, 2022 | Updated mitigations and resources in CISA advisory. |
Key Takeaways
- PIPEDREAM's modular design makes it a highly adaptable threat to diverse ICS environments, requiring focus on tactics over specific indicators.
- Early discovery highlights the value of collaborative threat intelligence in preventing real-world deployments.
- Organizations must prioritize OT network segmentation, monitoring, and incident response to mitigate such advanced threats.
- The toolkit increases risks amid geopolitical conflicts, urging critical infrastructure operators to enhance defenses immediately.
- Behavior-based detection and least-privilege principles are essential for protecting against evolving ICS malware.
References
- CISA Joint Cybersecurity Advisory: APT Cyber Tools Targeting ICS/SCADA Devices
- Mandiant Report: INCONTROLLER: New State-Sponsored Cyber Attack Tools
- Dragos Blog: CHERNOVITE's PIPEDREAM Targeting Industrial Control Systems
- Wikipedia: Pipedream (toolkit)
- Schneider Electric Security Bulletin
- CODESYS Advisory
Identification Tool
Checklist for end users/technicians to confirm if a system may be affected by PIPEDREAM:
- Monitor network traffic for rapid scans on UDP port 27127 (Schneider PLC discovery) or 1740 (CODESYS brute-force attempts).
- Check for unusual brute-force login attempts on PLCs or OPC UA servers.
- Inspect Windows engineering workstations for the presence of AsrDrv103.sys driver (CVE-2020-15368 exploit).
- Look for unexpected PLC crashes or "packet of death" symptoms requiring power cycles.
- Review logs for unauthorized tag reads/writes in OPC UA or modifications to PLC logic.
- Verify if devices like Schneider Modicon or Omron Sysmac PLCs are present and exposed without proper segmentation.
- Scan for indicators of compromise (IOCs) from CISA advisory, such as unusual driver loads or connection severing.
If multiple items are checked, assume potential compromise and isolate the system immediately.
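Two of the checklist items above, and the "Immediate" mitigation to alert on unusual scans on ports 27127 or 1740 together with the "Medium-Term" one to allow ICS connections only from authorized management workstations, can be turned into detection logic over connection records. The following Python is an added example, not code from the advisory or from Mandiant or Dragos. It assumes a Zeek conn.log-like record layout (timestamp, source, destination, transport protocol, destination port) that is constructed here, assumes the standard Modbus/TCP port 502 and OPC UA port 4840 for the protocols the page names (those port numbers are not on the page), and uses a hypothetical allowlist of engineering workstations. Rule 1 flags a source that probes several distinct hosts on a discovery port within a short window; rule 2 flags an ICS-protocol session from a host that is not on the allowlist.

```python
from collections import defaultdict, deque

# Discovery ports named on the page: 27127 (Schneider PLC discovery), 1740 (CODESYS).
DISCOVERY_PORTS = {27127, 1740}
# Assumed standard ports for the protocols the page lists; adjust to the site's inventory.
ICS_PORTS = {502: "Modbus/TCP", 4840: "OPC UA"}
# Hypothetical allowlist of authorized management / engineering workstations.
AUTHORIZED_CLIENTS = {"10.10.1.5"}

SWEEP_MIN_HOSTS = 4     # distinct targets on one discovery port ...
SWEEP_WINDOW_S = 10.0   # ... within this many seconds counts as a sweep

# Constructed sample records: ts src dst proto dport (not real traffic).
SAMPLE_LOG = """\
100.0 10.10.1.5  10.20.0.11 tcp 502
101.0 10.10.7.77 10.20.0.1  udp 27127
101.2 10.10.7.77 10.20.0.2  udp 27127
101.4 10.10.7.77 10.20.0.3  udp 27127
101.6 10.10.7.77 10.20.0.4  udp 27127
150.0 10.10.1.5  10.20.0.12 tcp 4840
160.0 10.10.7.77 10.20.0.11 tcp 502
200.0 10.10.1.9  10.20.0.20 udp 1740
260.0 10.10.1.9  10.20.0.21 udp 1740
"""


def parse_log(text: str) -> list:
    """Parse whitespace-separated records; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "proto": proto.lower(), "dport": int(dport)})
    return records


def detect_sweeps(records: list, min_hosts: int = SWEEP_MIN_HOSTS,
                  window: float = SWEEP_WINDOW_S) -> list:
    """Rule 1: one source touching >= min_hosts distinct hosts on a discovery port within `window` s."""
    recent = defaultdict(deque)   # (src, dport) -> deque of (ts, dst) inside the window
    flagged = set()               # alert once per (src, dport)
    alerts = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["proto"] != "udp" or r["dport"] not in DISCOVERY_PORTS:
            continue
        key = (r["src"], r["dport"])
        q = recent[key]
        q.append((r["ts"], r["dst"]))
        while q and r["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= min_hosts and key not in flagged:
            flagged.add(key)
            alerts.append({"rule": "ics-discovery-sweep", "ts": r["ts"], "src": r["src"],
                           "dport": r["dport"], "hosts": len(targets)})
    return alerts


def detect_unauthorized_clients(records: list, allowed: set = AUTHORIZED_CLIENTS) -> list:
    """Rule 2: any Modbus/TCP or OPC UA session whose source is not an authorized workstation."""
    alerts = []
    for r in records:
        protocol = ICS_PORTS.get(r["dport"])
        if r["proto"] == "tcp" and protocol and r["src"] not in allowed:
            alerts.append({"rule": "unauthorized-ics-client", "ts": r["ts"], "src": r["src"],
                           "dst": r["dst"], "protocol": protocol})
    return alerts


def analyze(text: str) -> list:
    """Run both rules over a log and return the combined alert list."""
    records = parse_log(text)
    return detect_sweeps(records) + detect_unauthorized_clients(records)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, 10.10.7.77 is reported twice: once for probing four hosts on UDP 27127 inside two seconds, and once for opening a Modbus/TCP session without being on the allowlist, while the two CODESYS probes from 10.10.1.9, sixty seconds apart, stay below the sweep threshold. The thresholds are starting points; tune them against a baseline of the site's own engineering traffic so that legitimate discovery by a known workstation does not page the on-call engineer.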
PowerShell Check Script
Single script block that checks whether the vulnerable ASRock driver (AsrDrv103.sys) is present at its default location on a Windows engineering workstation and prints the status (green OK if absent, red update needed if present).

```powershell
# Default install location of the ASRock driver affected by CVE-2020-15368;
# $env:SystemRoot is used instead of a hard-coded C:\Windows.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\AsrDrv103.sys'

# Assume clean until the file is found.
$statusColor   = 'Green'
$statusMessage = 'OK - No vulnerable driver detected.'

if (Test-Path -Path $driverPath -PathType Leaf) {
    $statusColor   = 'Red'
    $statusMessage = 'Update Needed - Vulnerable ASRock driver (AsrDrv103.sys) detected. Mitigate CVE-2020-15368 immediately.'
}

Write-Host $statusMessage -ForegroundColor $statusColor
```