Blog: DFIR

Pipedream ICS malware toolkit is a nightmare

Luke Davis 09 May 2024


  • Malware toolkit specifically designed for attacking ICS 
  • Modular and framework based 
  • Main features are enumeration, Modbus comms, and HTTP interactions 
  • Operational Technology (OT) network breaches are often due to connected Windows devices 
  • Off-network compromise assessments give a strategic view of OT and IT security postures 

Pipedream, tooling created by the CHERNOVITE hacking group, has sparked serious concern in the cybersecurity world. It has the ability to target industrial control systems (ICS) without relying on conventional attack methods, such as software exploits. 

Pipedream’s potential effect has been likened to the impact of the Command and Control tool Cobalt Strike, but for OT environments.  

What is It?

It’s a malware toolkit specifically designed for ICS. It was discovered in April 2022 after being detected in the OT environment of an undisclosed organisation. Mandiant refers to this collection of ICS attack tools as INCONTROLLER (aka PIPEDREAM) and highlights its alignment with Russia’s past focus on ICS: 

“INCONTROLLER represents an exceptionally rare and dangerous cyber attack capability. It is comparable to TRITON, which attempted to disable an industrial safety system in 2017; Industroyer, which caused a power outage in Ukraine in 2016; and Stuxnet, which sabotaged the Iranian nuclear program around 2010” 

Rather than exploiting specific system vulnerabilities, this malware enables operators to interface with various industrial equipment from different manufacturers, potentially leading to the disruption or physical destruction of vital devices.  

The malware doesn’t exploit a particular vulnerability in these systems, but rather uses the functionality of common ICS protocols (ModBus and OPC UA) and tools (CodeSys) alongside specifically developed OEM modules to access and manipulate the configurations of specific OEM devices, such as PLC’s.  

This manipulation could disrupt the control of processes (or in some cases) compromise safety systems and functions, causing processes to run in an unsafe state. 

Supply chain threats

Furthermore, critical infrastructure operators are grappling with supply-chain security threats, a challenge not unique to their sector. In February the German company PSI Software disclosed that it had fallen victim to a cyberattack, confirming that it was a ransomware attack.

In response, PSI Software opted to take its systems offline to mitigate further intrusions. PSI Software specialises in providing software tailored for energy providers and other industrial processes but did not respond to requests for comment. 

Increase in attacks

The frequency and sophistication of cyber attacks targeting industrial entities are rapidly escalating. Ransomware attacks against industrial companies rose by approximately 50% in the last 12 months. In response proactive assessments, both paper based and forensic examinations, have adapted and improved to identify these threats. 

It is worth noting that in our investigations, the majority of OT ransomware incidents stem from the compromise of Windows systems essential for overseeing and managing OT operations, rather than direct attacks on the OT systems themselves. 

This revelation underscores a crucial aspect of cybersecurity in industrial settings: the interconnectedness between traditional IT systems and OT environments. Often, ransomware exploits vulnerabilities in Windows-based systems utilised for monitoring and controlling OT processes, leading to significant disruptions and potential operational standstills.  

The Colonial Pipeline incident in May 2021 sent shockwaves through the cybersecurity community, shedding light on the vulnerabilities inherent in critical infrastructure systems.  

Contrary to initial assumptions, the primary cause of the shutdown was not a direct attack on the OT systems themselves, but rather an abundance of caution response “…to isolate and contain the attack to help ensure the malware did not spread to the Operational Technology (OT) network…” according to the CEO of Colonial Pipeline at the US Committee on Homeland Security hearing in June 2021. 

Whilst it can be speculated that it may have been possible to continue to operate the pipeline from the OT network it should be acknowledged that without key business information, such as where oil was to be transported, in what volumes and billing information, continuing to operate the pipelines could have potentially exacerbated the problems and made even made recovery harder. 


Operators of OT networks need to understand the interactions between, and reliance upon, IT systems to operate their physical processes. They should leverage this understanding to inform their response to incidents in both their IT and OT networks. 

For administrators and controllers of OT networks, staying ahead of potential cyber threats is paramount. One proactive measure they can take is to conduct off-network compromise assessments. These take periodic forensic reviews of the estate, rather than in response to a known compromise, providing early warnings of Indicators of Compromise, without the need for continuous monitoring solutions.   

It’s highly recommended to conduct these assessments quarterly or at least twice annually to ensure a robust security posture. By regularly evaluating the network’s vulnerabilities and potential points of compromise, organisations can strengthen their defences and mitigate the risk of cyber attacks on their critical infrastructure systems.