See All Nexus 2024 Sessions
Claroty Nexus Logo
Topics:
See all in Cyber Resilience See all in Articles
See all in Videos
See all in Podcasts
In this episode of the Claroty Nexus podcast, Mandiant's Daniel Kapellmann Zafra, discusses Incontroller, an attack framework that includes components targeting three OPC UA servers, various Schneider Electric PLCs, and Omron PLCs.

Nexus Podcast: Daniel Kapellmann Zafra on Incontroller ICS Malware

Michael Mimoso
/
May 5, 2022

Fewer than 10 attack tools purpose-built for industrial control systems have been uncovered, and while each have their own characteristics and capabilities, their intended outcomes are similar in their desire to disrupt industrial processes or interfere with safety systems that could endanger human lives.

Subscribe, rate, and review the Nexus podcast on all major platforms, including Apple Podcasts and Spotify.

The latest to be found in the wild, Incontroller (also known as Pipedream), arrived within a tense geopolitical climate stressed by a bloody war in Ukraine. While it was found before its capabilities were fully turned on its victims, its intent was clear: attack critical infrastructure, disrupt service delivery, and cause chaos.

Researchers from Mandiant were among the first to publish threat intelligence about Incontroller, calling it "exceptionally rare," and possessing "dangerous cyber attack capability." In this episode of the Nexus podcast, Daniel Kapellmann Zafra, senior technical analysis manager at Mandiant, specializing in cyber-physical threat intelligence, discusses Incontroller in depth.

Kapellman Zafra discusses early analyses of Incontroller and why Mandiant and others were so concerned about the flexibility it provides attackers in going after a targeted environment. Incontroller has three tailor-made components: Tagrun, Codecall, and Omshell, that target OPC UA servers, various Schneider Electric PLCs, and Omron PLCs respectively.

These components were built only after extensive reconnaissance of target environments. Each component was made to interact with specific industrial equipment and interfere with critical processes through sophisticated means reserved previously for the Stuxnets, Tritons, and Industroyers of the world.

"If you were an attacker and you were trying to compromise a specific organization using these devices, if you operate using this set of modules, you might be able to generate much more of an impact than if you were using a tool that goes specifically after one device," he said.

Mandiant, CISA, Schneider Electric, and CODESYS each published advisories that included indicators of compromise and mitigation advice. Incontroller is nonetheless stealthy and challenging to detect, and defenders should examine their environments for unusual OPC or CODESYS communication, and other anomalous behavior.

Also in this conversation, you'll learn:

  • More details about the Tagrun, Codecall, and Omshell components.

  • Two Windows components also included within Incontroller that target Windows-based engineering workstations running ASRock motherboards. These components were built for ASRock implementations, based on reconnaissance.

  • The resilience and readiness of potential victims within various industries.

  • How researchers approach such high-stakes work.

Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.

Stay in the know Get the Nexus Connect Newsletter
Subscribe
Listen on Apple Podcasts. Listen on Spotify Podcasts.
Share
LinkedIn Twitter Facebook Email
Featured Articles
Considerations for Medical Device Vulnerability Remediation Technical Debt in OT Environments: How It's Different and Why it Matters The Purdue Model's Risky Blindspot
Featured Videos
Browse by Topics
Cyber Resilience Cybersecurity Insurance Federal Food & Beverage Healthcare Industrial Internet of Things Nexus Conference Operational Resilience Operational Technology Ransomware Risk Management Technical Debt Vulnerability Management Zero Trust
You might also like… Read more
noam-moshe-headshot.jpeg
Internet of Things
Operational Technology

Nexus Podcast: Noam Moshe on the IOCONTROL Malware

Michael Mimoso
Team82’s Noam Moshe discusses state actor targeting of OT, why it’s so challenging to develop ransomware for OT and industrial control systems, and the mitigation strategies available to defenders of cyber-physical systems.
Cyber Resilience
Internet of Things

Nexus Podcast: Team82 on Attacking the Insecure IoT Cloud

Michael Mimoso
nexus_steven-adair.jpg
Cyber Resilience
Vulnerability Management
Risk Management

Nexus Podcast: Volexity’s Steven Adair on the Nearest Neighbor Attack

Michael Mimoso
In this episode of the Nexus Podcast. Runsafe Security CEO and cofounder Joe Saunders examines the motivations of these adversaries, the targeting of memory-based vulnerabilities in embedded systems prevalent in OT and healthcare, and how initiatives such as secure-by-design/default/demand can make a dent in ensuring the resilience of critical infrastructure.
Cyber Resilience
Industrial
Healthcare

Nexus Podcast: Joe Saunders on Advanced Attacks Against Critical Infrastructure

Michael Mimoso
nexus_grant1.jpg
Industrial
Healthcare
Ransomware
Cyber Resilience
Operational Resilience
Operational Technology

Nexus Podcast: Grant Geyer on the Business Impact of Disruptions from Cyberattacks

Michael Mimoso
In this episode of the Nexus Podcast, Alethe Denis, a senior security consultant at Bishop Fox, joins to discuss the ongoing effectiveness of open-source intelligence analysis and social engineering tactics as a precursor to larger intrusions against critical infrastructure.
Cyber Resilience
Healthcare
Industrial
Risk Management

Nexus Podcast: Alethe Denis on Social Engineering, Red-Teaming

Michael Mimoso
On this episode of the Nexus Podcast, Alon Dankner of the Technion Institute in Israel explains his research into the Siemens S7 protocol and PLCs. A vulnerability uncovered during research allows an attacker to expose and steal private cryptographic keys by leveraging a severe vulnerability and configuration error.
Operational Technology

Nexus Podcast: Alon Dankner on Extracting Private Crypto Keys from PLCs

Michael Mimoso
In this episode of the Nexus Podcast, Claroty Team82 researcher Noam Moshe explains the challenges involved in gathering attack forensic artifacts from OT devices, in this case, Unitronics PLCs that were exploited in 2023 in attacks against water facilities in the U.S. and Israel.
Operational Technology
Industrial

Nexus Podcast: Noam Moshe on Extracting Forensic Data from Unitronics PLCs

Michael Mimoso
In this episode of the Claroty Nexus Podcast, Alexander Antukh, the chief information security officer at AboitizPower, the Philippines’ largest owner and operator of renewable energy, discusses one path toward translating risk and losses into business terms: cyber risk quantification (CRQ).
Risk Management

Nexus Podcast: Alexander Antukh on Cyber Risk Quantification

Michael Mimoso
In this episode of the Nexus Podcast, Vincente Diaz, a threat intelligence strategist on Google’s VirusTotal team, explains how AI and ML engines are being used in VirusTotal’s malware analysis, and how those results differ from what a traditional AV engine's analysis might render.
Cyber Resilience

Nexus Podcast: Vincente Diaz on Using AI for Malware Analysis

Michael Mimoso
On the latest episode of the Nexus Podcast, Rockwell Automation Senior Network & Solution Consultant Ahmik Hindman joins to discuss patching and vulnerability management of operational technology (OT) and industrial control systems (ICS).
Operational Technology
Vulnerability Management

Nexus Podcast: Ahmik Hindman on Patching OT and ICS

Michael Mimoso
Dr. Bilyana Lilly, an expert on geopolitics and Russia’s codification of information warfare as a strategy, says that the war in Ukraine has only temporarily delayed Russia’s activity against the West in cyberspace. On the latest Claroty Nexus podcast, she reinforces the idea that despite the fact that Russia is operating under severe resource constraints, CISOs should be preparing for the inevitable ramp-up of cyberattacks against critical infrastructure.
Risk Management
Cyber Resilience

Nexus Podcast: Dr. Bilyana Lilly on Information Warfare

Michael Mimoso
Latest on Nexus Podcast
See all episodes
The Nexus podcast features conversations with security leaders, researchers, and experts sharing their expertise on cyber-physical systems security.
noam-moshe-headshot.jpeg
Internet of Things
Operational Technology

Nexus Podcast: Noam Moshe on the IOCONTROL Malware
Team82’s Noam Moshe discusses state actor targeting of OT, why it’s so challenging to develop ransomware for OT and industrial control systems, and the mitigation strategies available to defenders of cyber-physical systems.
Cyber Resilience
Internet of Things

Nexus Podcast: Team82 on Attacking the Insecure IoT Cloud
nexus_steven-adair.jpg
Cyber Resilience
Vulnerability Management
Risk Management

Nexus Podcast: Volexity’s Steven Adair on the Nearest Neighbor Attack