INCONTROLLER
⚠️ Overview
INCONTROLLER (tracked as PIPEDREAM by Dragos) is a modular industrial control system (ICS) attack framework first publicly documented by Mandiant (with Schneider Electric) and by Dragos in April 2022. Dragos attributes its development to a group it tracks as CHERNOVITE and assesses the tooling as a state-sponsored capability; Mandiant noted the activity is consistent with Russia's historical interest in ICS. Neither vendor has publicly tied the framework to a named state unit, so the common shorthand equating CHERNOVITE with Sandworm (APT44) or the GRU is not supported by the primary reporting. The framework is built to discover, interact with and disrupt programmable logic controllers (PLCs), servo drives and OPC UA servers used in critical infrastructure; Dragos assessed liquefied natural gas (LNG) and electric power installations as the likely initial targets.
🔧 Technical Capabilities
Mandiant describes three components and Dragos five; the two sets overlap. Mandiant's names are TAGRUN, which scans for OPC UA servers (TCP 4840), enumerates their tag structure and can read and write tag values; CODECALL, which speaks Modbus/TCP (TCP 502) and the CODESYS protocol (TCP 1217) and was built against Schneider Electric Modicon PLCs, with functions to scan for devices, brute-force passwords, sever connections and crash the controller; and OMSHELL, which uses Omron FINS (UDP 9600) and HTTP to reach Omron NJ/NX PLCs and their servo drives, with functions to back up, restore and wipe programs, load a custom program and send commands to the drives. Dragos's names are EVILSCHOLAR (Schneider Electric/CODESYS), BADOMEN (Omron), MOUSEHOLE (OPC UA), DUSTTUNNEL (a Windows remote-access implant) and LAZYCARGO, a loader that drops a legitimately signed but vulnerable ASRock driver (AsrDrv103.sys) and exploits CVE-2020-15368 in it to run unsigned code in the Windows kernel. The framework does not rely on any new vulnerability in the targeted PLCs; it abuses the devices' native protocols and engineering features. Command-and-control infrastructure, persistence mechanisms and host-evasion techniques beyond the driver abuse were not described in the public reporting, and claims of named scheduled tasks, services or Defender-disabling routines should be treated as unverified.
📜 History & Notable Incidents
The tools were obtained and analyzed in early 2022 before they had been deployed against a victim: both Mandiant and Dragos stated they had not observed INCONTROLLER used to cause disruption. The disclosure on April 13, 2022 coincided with Russia's full-scale invasion of Ukraine and with the separately reported Industroyer2 attack on a Ukrainian electricity provider, but INCONTROLLER was not linked to that incident. The framework introduced no new vulnerability in ICS devices; the only CVE publicly tied to it is CVE-2020-15368 in ASRock's AsrDrv103.sys driver, used by the LAZYCARGO component. A joint advisory from the Department of Energy, CISA, NSA and FBI was released the same day (AA22-103A, "APT Cyber Tools Targeting ICS/SCADA Devices"). No law enforcement action has been publicly reported, and Dragos continues to track CHERNOVITE as an active group.
🔍 Detection Indicators
Mandiant, Dragos and CISA did not publish file hashes, C2 domains, mutexes or User-Agent strings for INCONTROLLER in their public reporting; any such atomic indicator circulating for this family should be treated as unverified unless it is traceable to one of those sources. The dependable indicators are behavioral: a Windows host on the engineering or OT network that scans for, or opens connections to many distinct endpoints on, Modbus/TCP (TCP 502), CODESYS (TCP 1217, plus its UDP discovery broadcasts), OPC UA (TCP 4840) and Omron FINS (UDP 9600); repeated failed logons or password brute-forcing against Schneider Electric or Omron PLCs; unexpected program uploads, wipes, stops or resets on those controllers; OPC UA tag enumeration from a source that is not a known HMI or historian; and a driver-load event for AsrDrv103.sys on a system that has no ASRock hardware.
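The fan-out pattern described above is the indicator most worth automating. The following is an added example, not code from the original page or from Mandiant, Dragos or CISA: a Python script that reads Zeek-style conn.log records and reports every source that reached three or more distinct endpoints on the INCONTROLLER-relevant ICS ports. The log lines, IP addresses and flow IDs are constructed for the example; the port-to-protocol mapping (502 Modbus/TCP, 1217 CODESYS, 4840 OPC UA, 9600 Omron FINS) is the only part taken from the public reporting.

```python
"""Flag hosts that fan out to many ICS endpoints over the protocols INCONTROLLER
uses (Modbus/TCP 502, CODESYS 1217, OPC UA 4840, Omron FINS 9600).

Input is Zeek-style conn.log tab-separated text. The sample below is constructed
for this example; it is not captured traffic.
"""
from collections import defaultdict

# ICS service ports relevant to the INCONTROLLER tool set (from public reporting).
ICS_PORTS = {502: "modbus", 1217: "codesys", 4840: "opcua", 9600: "omron-fins"}

# Constructed sample. 10.10.5.23 touches five controllers on four protocols,
# 10.10.5.40 polls one controller twice, 10.10.5.41 only talks HTTPS.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1650000001.1\tC1\t10.10.5.23\t49152\t192.168.100.10\t502\ttcp
1650000001.2\tC2\t10.10.5.23\t49153\t192.168.100.11\t502\ttcp
1650000001.3\tC3\t10.10.5.23\t49154\t192.168.100.12\t1217\ttcp
1650000001.4\tC4\t10.10.5.23\t49155\t192.168.100.13\t4840\ttcp
1650000001.5\tC5\t10.10.5.23\t49156\t192.168.100.14\t9600\tudp
1650000002.0\tC6\t10.10.5.40\t50000\t192.168.100.10\t502\ttcp
1650000002.1\tC7\t10.10.5.40\t50001\t192.168.100.10\t502\ttcp
1650000003.0\tC8\t10.10.5.41\t50002\t192.168.100.50\t443\ttcp
"""


def parse_conn_log(text):
    """Yield one dict per data row, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # skip malformed rows instead of aborting the whole scan
        yield dict(zip(fields, values))


def find_ics_scanners(text, min_targets=3):
    """Return {source_ip: sorted list of (dest_ip, port, protocol)} for every
    source that reached at least `min_targets` distinct ICS endpoints.
    Repeated flows to the same endpoint count once, so ordinary polling
    of a single controller does not trip the threshold."""
    targets = defaultdict(set)
    for rec in parse_conn_log(text):
        try:
            port = int(rec["id.resp_p"])
        except (KeyError, ValueError):
            continue
        if port in ICS_PORTS:
            targets[rec["id.orig_h"]].add((rec["id.resp_h"], port, ICS_PORTS[port]))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for src, hits in find_ics_scanners(SAMPLE_CONN_LOG).items():
        print(f"{src}: {len(hits)} distinct ICS endpoints")
        for dst, port, name in hits:
            print(f"  -> {dst}:{port} ({name})")
```

Run against a real conn.log, the threshold must be tuned to the site: an engineering workstation legitimately polls a handful of controllers, whereas the scanning behavior touches many controllers within seconds, so pairing the distinct-endpoint count with a time window is the obvious next refinement.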
☠️ Risk & Impact
INCONTROLLER's documented capabilities are to discover devices, brute-force or change PLC credentials, crash controllers or sever their connections, wipe and replace Omron PLC programs, and send commands to servo drives. An operator with that access can halt a process, alter its logic, or drive equipment outside its design limits, which is how physical consequences such as over-pressurization or overspeed would arise; overwriting PLC firmware is not among the documented functions. Dragos assessed the likely initial targets as liquefied natural gas (LNG) and electric power facilities, but any plant using Schneider Electric Modicon or Omron NJ/NX controllers, or exposing OPC UA servers, is within reach. The cost of a disruptive ICS incident is dominated by production downtime and equipment replacement; no cost figure is published for INCONTROLLER because no destructive deployment is known.
🛡️ Mitigation
The guidance in AA22-103A and from the affected vendors: isolate ICS networks from IT and the internet using IEC 62443-style zones and conduits, and restrict controller connections to an allow-list of specific engineering and management workstations; enforce multi-factor authentication for all remote access to ICS networks and devices; change PLC and OPC UA credentials from defaults and rotate them on a schedule; keep known-good offline backups of PLC logic and configuration so a wiped controller can be restored quickly; deploy continuous OT network monitoring that looks for the behaviors described above rather than for file hashes; and on Windows engineering workstations block the vulnerable ASRock driver (AsrDrv103.sys, CVE-2020-15368) through Microsoft's vulnerable driver blocklist or an application-control policy, while collecting Sysmon driver-load (Event ID 6) and process-creation (Sysmon Event ID 1, or Windows Security Event ID 4688) telemetry. Both Dragos and Mandiant have published behavioral detections for PIPEDREAM/INCONTROLLER in their platforms.
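The driver-blocking and Sysmon guidance above can be checked in telemetry. The following is an added example, not code from the page or from any of the vendors it cites: a Python parser for exported Sysmon Event ID 6 (Driver loaded) XML that flags any load of AsrDrv103.sys regardless of the path or letter case the loader used. The event records, hostnames and timestamps are constructed; the driver name and CVE come from the public reporting, and the field names used (ImageLoaded, Signature, SignatureStatus) are those Sysmon emits for that event type.

```python
"""Flag Sysmon Event ID 6 (Driver loaded) records whose driver image is on a
blocklist of known-abusable signed drivers. The one driver publicly tied to
INCONTROLLER (its LAZYCARGO loader) is ASRock's AsrDrv103.sys, CVE-2020-15368.

The events below are constructed for this example; they are not real telemetry.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Lower-case driver file names to alert on. In production, seed this from
# Microsoft's vulnerable driver blocklist rather than maintaining it by hand.
DRIVER_BLOCKLIST = {"asrdrv103.sys"}

# Constructed sample: a hit, a benign Microsoft driver, a process-creation
# event (wrong type, must be ignored) and a second hit with a different path/case.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>6</EventID><Computer>eng-ws-07.corp.example</Computer></System>
 <EventData>
  <Data Name="UtcTime">2022-04-13 09:12:44.101</Data>
  <Data Name="ImageLoaded">C:\Users\Public\AsrDrv103.sys</Data>
  <Data Name="Signed">true</Data>
  <Data Name="Signature">ASRock Incorporation</Data>
  <Data Name="SignatureStatus">Valid</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>6</EventID><Computer>eng-ws-07.corp.example</Computer></System>
 <EventData>
  <Data Name="UtcTime">2022-04-13 09:12:45.000</Data>
  <Data Name="ImageLoaded">C:\Windows\System32\drivers\tcpip.sys</Data>
  <Data Name="Signed">true</Data>
  <Data Name="Signature">Microsoft Windows</Data>
  <Data Name="SignatureStatus">Valid</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><Computer>hmi-02.corp.example</Computer></System>
 <EventData>
  <Data Name="Image">C:\Temp\AsrDrv103.sys</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>6</EventID><Computer>hmi-02.corp.example</Computer></System>
 <EventData>
  <Data Name="UtcTime">2022-04-13 09:20:03.512</Data>
  <Data Name="ImageLoaded">D:\tools\ASRDRV103.SYS</Data>
  <Data Name="Signed">true</Data>
  <Data Name="Signature">ASRock Incorporation</Data>
  <Data Name="SignatureStatus">Valid</Data>
 </EventData>
</Event>
</Events>"""


def event_data(ev):
    """Map the <Data Name=...> children of one event to a plain dict."""
    return {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}


def flag_driver_loads(xml_text, blocklist=DRIVER_BLOCKLIST):
    """Return one record per Event ID 6 whose loaded driver basename is in the
    blocklist. Matching is on file name only and case-insensitive, because the
    loader drops the driver wherever it likes and the path is attacker-chosen."""
    root = ET.fromstring(xml_text)
    hits = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if event_id != "6":
            continue  # only driver-load events carry ImageLoaded
        data = event_data(ev)
        image = data.get("ImageLoaded", "")
        name = PureWindowsPath(image).name.lower()
        if name in blocklist:
            hits.append({
                "host": ev.findtext("e:System/e:Computer", default="", namespaces=NS),
                "time": data.get("UtcTime", ""),
                "driver": name,
                "path": image,
                "signer": data.get("Signature", ""),
            })
    return hits


if __name__ == "__main__":
    for h in flag_driver_loads(SAMPLE_EVENTS):
        print(f"{h['time']} {h['host']}: loaded {h['path']} (signed by {h['signer']})")
```

Note that the signer field on a hit reads as a valid ASRock signature: the driver is genuinely signed, which is exactly why it is useful to an attacker and why signature checks alone will not catch it. A load of this driver on a host without ASRock hardware should be handled as an incident, not triaged as a false positive.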
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.