Industroyer2 and INCONTROLLER - In-depth Technical Analysis of the Most Recent ICS-specific Malware

Abstract

Industroyer2 and INCONTROLLER, also known as PIPEDREAM, are the newest examples of ICS-specific malware and were disclosed to the public almost simultaneously on April 12 and 13, 2022, respectively.
Industroyer2 leverages OS-specific wipers and a dedicated module to communicate over the IEC-104 industrial protocol. INCONTROLLER is a full toolkit containing modules to send instructions to or retrieve data from ICS devices using industrial network protocols, such as OPC UA, Modbus, CODESYS, Machine Expert Discovery and Omron FINS. Additionally, Industroyer2 has a highly targeted configuration, while INCONTROLLER is much more reusable across different targets.
ICS-specific malware is still very rare when compared to commodity malware, such as ransomware or banking trojans. Industroyer2 and INCONTROLLER follow previously known examples, such as Stuxnet, Havex, BlackEnergy2, Industroyer and TRITON. Both Industroyer2 and INCONTROLLER were caught before causing physical disruption. Industroyer2 is believed to have been developed and deployed by the Sandworm APT, linked to the Russian GRU, which was behind the original attacks on the Ukrainian power grid in 2015 and 2016. The Industroyer2 incident follows recent activity against the APT in 2022, such as the disruption of the Cyclops Blink botnet. There is still no conclusive evidence about the actors behind INCONTROLLER, their motives or objectives. Both new malware families show that abusing the often insecure-by-design native capabilities of OT equipment continues to be the preferred modus operandi of real-world attackers. Vedere Labs recently disclosed a set of 56 insecure-by-design vulnerabilities in OT equipment, called OT:ICEFALL, which included the Omron controllers targeted by INCONTROLLER. The emergence of new vulnerabilities and new malware exploiting the insecure-by-design nature of OT supports the need for robust OT-aware network monitoring and deep packet inspection capabilities.
This briefing presents the most detailed (to date) public technical analysis of Industroyer2 and INCONTROLLER (Section 2), a list of IoCs extracted from those samples and other shared intelligence (Section 3) and recommended mitigations (Section 4). Although there have been previous reports about both malware families analyzed in this research, we present the following new contributions:

  • A functionality in Industroyer2 to discover the target's Common Address of ASDU. Although it is not used, given the hardcoded configuration of our sample, it might have served as a tool in earlier reconnaissance stages to gather information about the target (Section 2.1.2).
  • An analysis of the similarity of the IEC-104 implementation in Industroyer2 that reveals it is very probably a modified version of a publicly available implementation (Section 2.1.3).
  • The most detailed public description so far of Lazycargo, a part of INCONTROLLER, which became publicly available (Section 2.2.1).

Type: Publication
In: Forescout VedereLabs Threat Reports
Author: Emmanuele Zambon, Assistant Professor