{
	"id": "c1c14c56-5ab3-44a9-8bd7-48b0c69d8142",
	"created_at": "2026-04-06T00:16:51.859436Z",
	"updated_at": "2026-04-10T13:12:18.699777Z",
	"deleted_at": null,
	"sha1_hash": "b234d5ca9bc57c9fbbcbeb2ecddbf1334b80a91b",
	"title": "INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1298534,
	"plain_text": "INCONTROLLER: New State-Sponsored Cyber Attack Tools\r\nTarget Multiple Industrial Control Systems | Mandiant\r\nBy Mandiant\r\nPublished: 2022-04-13 · Archived: 2026-04-05 16:33:55 UTC\r\nWritten by: Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey\r\nHildebrandt, Rob Caldwell\r\nIn early 2022, Mandiant, in partnership with Schneider Electric, analyzed a set of novel industrial control system\r\n(ICS)-oriented attack tools—which we call INCONTROLLER (aka PIPEDREAM)—built to target machine\r\nautomation devices. The tools can interact with specific industrial equipment embedded in different types of\r\nmachinery leveraged across multiple industries. While the targeting of any operational environments using this\r\ntoolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment.\r\nINCONTROLLER is very likely state sponsored and contains capabilities related to disruption, sabotage, and\r\npotentially physical destruction.\r\nINCONTROLLER represents an exceptionally rare and dangerous cyber attack capability. It is comparable to\r\nTRITON, which attempted to disable an industrial safety system in 2017; INDUSTROYER, which caused a\r\npower outage in Ukraine in 2016; and STUXNET, which sabotaged the Iranian nuclear program around 2010. To\r\nhelp asset owners find and defend against INCONTROLLER, we have included a range of mitigations and\r\ndiscovery methods throughout this report. As future modifications to these tools are likely, we believe behavior-based hunting and detection methods will be most effective.\r\nIf you need support responding to related activity, please contact Mandiant Consulting. Further analysis of related\r\nthreats is available as part of Mandiant Advantage Threat Intelligence.\r\nThis report is related to information shared in CISA Alert (AA22-103A). For more information from Schneider\r\nElectric, please see their bulletin. 
For more information from CODESYS, please see their advisory.\r\nINCONTROLLER is comprised of three main components:\r\nTool Description\r\nTAGRUN\r\nA tool that scans for OPC servers, enumerates OPC structure/tags, brute forces credentials,\r\nand reads/writes OPC tag values.\r\nCODECALL A framework that communicates using Modbus—one of the most common industrial\r\nprotocols—and Codesys. CODECALL contains modules to interact with, scan, and attack at\r\nhttps://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool\r\nPage 1 of 12\n\nleast three Schneider Electric programmable logic controllers (PLCs).\r\nOMSHELL\r\nA framework with capabilities to interact with and scan some types of Omron PLCs via\r\nHTTP, Telnet, and Omron FINS protocol. The tool can also interact with Omron's\r\nservodrives, which use feedback control to deliver energy to motors for precision motion\r\ncontrol.\r\nTable 1: Description of tools\r\nINCONTROLLER Was Built to Manipulate and Disrupt Industrial Processes\r\nIndustrial automation networks rely on a variety of equipment that enable operators to translate information and\r\ninstructions into chains of physical actions. Given the diversity of assets present in industrial networks, industrial\r\nautomation equipment typically speaks different languages across different portions of the network, which is\r\npossible using standardized industrial communication protocols.\r\nINCONTROLLER includes three tools that enable the attacker to send instructions to ICS devices using industrial\r\nnetwork protocols, such as OPC UA; Modbus; Codesys, which is used by EcoStruxure Machine Expert and\r\nSoMachine; and Omron FINS. While the tool's capabilities could enable the actor to communicate with a variety\r\nof products from different original equipment manufacturers (OEMs), the actor developed modules for specific\r\ncontrollers from Schneider Electric and Omron. 
The targeted equipment consists of machine automation solutions\r\nwhose use cases span from supporting simple, repetitive machines to complex modular machines in distributed\r\narchitectures:\r\nOPC servers\r\nSchneider Electric Modicon M251, Modicon M258, and Modicon M221 Nano PLCs\r\nOther devices leveraging Modbus and Codesys may also be affected\r\nOmron NX1P2 and NJ501 PLCs and R88D-1SN10F-ECT servo drive\r\nOther devices from NJ and NX PLC series may also be affected\r\nWe highly doubt that the threat actor would target these devices at random. It is more likely they were chosen\r\nbecause of reconnaissance into specific target environment(s). We note that this would be consistent with previous\r\nICS malware, such as TRITON, which targeted a critical safety system that was almost certainly identified prior to\r\ncompromising the target's industrial environment.\r\nINCONTROLLER: Tooling Overview\r\nFigure 1: INCONTROLLER tooling overview\r\nTAGRUN\r\nTAGRUN's capabilities, such as the ability to scan for and enumerate OPC UA servers, suggest a reconnaissance\r\nrole. OPC acts as a central communications protocol to collect and store data from ICS assets in industrial\r\nenvironments. Access to this data can provide attackers with a detailed overview of production systems and\r\ncontrol processes. The tool was likely developed for reconnaissance, but it can also write and change tag values,\r\nwhich could be used to modify data to either support an attack or mask process changes. TAGRUN also verifies\r\nwhether the target environment is running a Windows operating system and provides different ping commands\r\ndepending on this check's return value. 
This suggests that the actor may use non-Windows devices to execute\r\nTAGRUN.\r\nTAGRUN’s capabilities include:\r\nScanning for OPC UA servers on a network\r\nReading the structure of OPC UA servers\r\nReading/writing tag values for data on an OPC UA server\r\nBrute forcing credentials\r\nOutputting log files\r\nCODECALL\r\nCODECALL communicates with ICS devices using the Modbus protocol, which potentially gives it the ability to\r\ninteract with devices from different manufacturers. However, the tool contains a specific module to interact with,\r\nscan, and attack Schneider Electric's Modicon M251 (TM251MESE) PLC using Codesys, which is used by the\r\ncompany's proprietary EcoStruxure Machine Expert protocol. We have reason to believe the tool also targets\r\nSchneider Electric's Modicon M221 Nano PLC and the Modicon M258 PLC, and it potentially affects additional\r\ndevices leveraging these protocols.\r\nCODECALL’s general capabilities include:\r\nIdentifying Schneider Electric and Modbus-enabled devices on a network\r\nConnecting to specific devices over Modbus or Codesys\r\nReading/writing device registers over Modbus\r\nRequesting device ID from a session over Modbus\r\nDefining, dumping, or loading command macro file(s)\r\nExecuting device-specific commands over Codesys, such as:\r\nAttempting to log in using a username/password and by brute forcing credentials with a provided\r\ndictionary file\r\nDownloading/uploading files to the PLC device\r\nRetrieving file/directory listings\r\nDeleting files\r\nDisconnecting sessions from the PLC device\r\nAttempting a DDoS attack\r\nCrashing the device with a specifically crafted packet\r\nAdding a route if the device gateway IP exists on a different interface\r\nSending custom raw packets\r\nOMSHELL\r\nOMSHELL is designed to obtain shell access to Omron PLCs, including Omron NX1P2, NJ501, R88D-1SN10F-ECT servo drive, and 
possibly other similar devices from the NJ/NX product lines. The tool primarily operates\r\nusing the HTTP protocol; however, it also utilizes Omron's proprietary FINS over UDP protocol for scanning and\r\ndevice identification. The framework is modular, which means the attacker can develop and deploy additional\r\ncapabilities into the tool.\r\nOMSHELL’s capabilities include:\r\nScanning for and identifying Omron devices on the network\r\nWiping the device’s program memory and resetting the device\r\nLoading backup configuration and backup data from or restoring data to the device\r\nActivating the telnet daemon on the device\r\nConnecting to the device via the telnet daemon, uploading and optionally executing an arbitrary payload or\r\ncommand\r\nConnecting to a backdoor present on a device and providing arbitrary command execution\r\nPerforming a network traffic capture\r\nKilling arbitrary processes running on the device\r\nTransferring files to the device\r\nConnecting and communicating with attached servo drives\r\nWe have reason to believe that indicator-based detections would not be effective at detecting INCONTROLLER\r\nin victim environments, in part because the attacker would almost certainly modify or customize the tool prior to\r\nusing it in a specific victim environment. Instead, defenders should focus their efforts on behavior-based hunting\r\nand detection methods for these tools.\r\nPotential Supporting Windows Tooling\r\nWe are also tracking two additional tools affecting Windows-based systems that may be related to this threat\r\nactivity. 
It is possible that these tools could be used to support the overall attack lifecycle in an INCONTROLLER\r\nattack by exploiting Windows-based systems in IT or operational technology (OT) environments.\r\nOne of the tools exploits CVE-2020-15368 in the AsrDrv103.sys driver, which would result in installation\r\nand exploitation of a vulnerable driver. ASRock motherboards may be leveraged in some human-machine\r\ninterfaces (HMIs) and engineering workstations in OT environments.\r\nThe other tool, which we track as ICECORE, is a backdoor providing reconnaissance and command and\r\ncontrol functionality.\r\nAttack Scenarios\r\nIt is feasible that each tool could be used independently, or the actor may use the three tools to attack a single\r\nenvironment. We highlight that the devices targeted by INCONTROLLER are often integrated in automation\r\nmachinery (e.g., a milling machine or press) and could plausibly be present in a variety of industrial sectors and\r\nprocesses even without the user's explicit knowledge.\r\nWe developed three cyber physical attack scenarios that highlight a range of possible outcomes from an attack\r\nusing INCONTROLLER. In each of the three cases, TAGRUN could have been used at earlier stages to\r\nenumerate the victim environment, identify its targets, and learn about the physical process.\r\nFigure 2: INCONTROLLER attack scenarios\r\nThe impact of these scenarios would depend on the nature of the victim facility and the extent of the attacker's\r\nunderstanding of and interaction with the controlled physical process. 
We note that our current understanding of\r\nINCONTROLLER is still limited given that it leverages an extensible structure that can support new features\r\nimplemented by the author.\r\nINCONTROLLER Is Very Likely State-Sponsored Malware\r\nWe believe INCONTROLLER is very likely linked to a state-sponsored group given the complexity of the\r\nmalware, the expertise and resources that would be required to build it, and its limited utility in financially\r\nmotivated operations. We are unable to associate INCONTROLLER with any previously tracked group at this\r\nstage of our analysis, but we note the activity is consistent with Russia's historical interest in ICS. While our\r\nevidence connecting INCONTROLLER to Russia is largely circumstantial, we note it given Russia's history of\r\ndestructive cyber attacks, its current invasion of Ukraine, and related threats against Europe and North America.\r\nSince at least 2014, Russia-nexus threat actors have targeted ICS assets and data with multiple ICS-tailored\r\nmalware families (PEACEPIPE, BlackEnergy2, INDUSTROYER, TRITON, and VPNFILTER).\r\nFigure 3: Historical Russia-nexus activity impacting ICS\r\nINCONTROLLER's functionality is consistent with the malware used in Russia's prior cyber physical\r\nattacks. For example, the 2015 and 2016 Ukrainian blackouts both involved physical process\r\nmanipulations combined with disruptive attacks against embedded devices. INCONTROLLER similarly\r\nallows the malware operator to manipulate physical processes, while also containing denial-of-service\r\n(DoS) capabilities to disrupt the availability of PLCs.\r\nRecommendations\r\nWhile the nature of any potential intended victims remains uncertain, INCONTROLLER poses a critical risk to\r\norganizations with compatible devices. 
The targeted devices are embedded in multiple types of machinery and\r\ncould plausibly be present in many different industrial sectors. Given the consistencies with prior Russia-nexus\r\nthreat activity, we suggest that INCONTROLLER poses the greatest threat to Ukraine, NATO member states, and\r\nother states actively responding to Russia's invasion of Ukraine. Organizations should take immediate action to\r\ndetermine if the targeted ICS devices are present in their environments and begin applying vendor-specific\r\ncountermeasures.\r\nWe also recommend that at-risk organizations conduct threat hunts to detect this activity in their networks.\r\nMandiant Advantage Threat Intelligence subscribers have access to additional reporting containing threat hunting\r\nguidance and YARA detections.\r\nIf you need support responding to related activity, please contact Mandiant Consulting. Further analysis is\r\navailable as part of Mandiant Advantage Threat Intelligence.\r\nMitigations\r\nOPC UA\r\nWe recommend several steps to mitigate risk and counter malicious activity in environments using this protocol:\r\nProper segmentation of IT and OT networks to aid in preventing attackers pivoting from corporate\r\nnetworks into industrial environments.\r\nAllow listing accepted primary/subordinate devices, behavior patterns, and commands to aid in\r\nestablishing approved baselines and detecting anomalies with the aid of network monitoring.\r\nImplementation of an industrial firewall with deep packet inspection to aid in controlling access and\r\napproved capabilities.\r\nImplementation of ICS-aware intrusion protection systems to aid in monitoring for function codes from\r\npotentially malicious sources.\r\nMonitoring and blocking of external traffic to OPC UA ports, when possible, to aid in detecting anomalous\r\ntraffic and prevent external network traffic directed at OPC UA-associated 
ports.\r\nEnabling and aggregating audit logs for OPC servers and clients.\r\nPeriodic reviewing of audit logs for inconsistent or nefarious connections, security options negotiations,\r\nconfiguration changes, and user interaction.\r\nSchneider Electric\r\nTo help keep your Schneider Electric products secure and protected, it is in your best interest that you implement\r\nthe cyber security best practices as indicated in the Cybersecurity Best Practices document provided on the\r\nSchneider Electric website: Recommended Cybersecurity Best Practices White paper | Schneider Electric.\r\nAdditionally, Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and\r\nAssociated Equipment User Guide could help you ensure that only legitimate users can access your Schneider\r\nElectric product: Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers\r\nand Associated Equipment, User Guide | Schneider Electric.\r\nYou should pay special attention to features and cyber security devices that help to restrict access to authorized\r\nusers only. This includes examples such as intrusion detection systems, network firewalls, secure remote access,\r\ndevice authentication, device firewall, disabling/filtering unsecure or programming protocols.\r\nOmron\r\nAccording to public vulnerability notices, Omron has previously identified other vulnerabilities that use the same\r\nor similar FIN ports that are used by OMSHELL. Omron's guidance for unpatched vulnerabilities, as noted in their\r\nsecurity brief, indicates that external firewall filtering of identified FIN ports can be used as a mitigation.\r\nMandiant believes that the recommended methodology may be a viable mitigation, though this mechanism has not\r\nbeen tested with INCONTROLLER. 
Additional guidance related to Omron's previous recommendations can be\r\nfound in the related ICS Advisory for that older vulnerability.\r\nDiscovery Methods\r\nTAGRUN\r\nSearch for and investigate irregular connections to OPC UA endpoints and enable robust audit logging for\r\nOPC UA applications. Aggregate OPC UA logs and audit records to a central location where applicable.\r\nReview OPC UA audit records for evidence of credential bruteforcing, nefarious certificate usage, irregular\r\nconnection attempts, configuration changes, and changes to OPC tags.\r\nSearch for and investigate TAGRUN ping command execution.\r\nReview OT network traffic for evidence of pingsweep activity.\r\nCODECALL\r\nEnable robust logging for Schneider Electric PLC devices and aggregate logs to a central location where\r\napplicable.\r\nReview Schneider Electric device logs for evidence of the following activity:\r\nCredential bruteforcing\r\nError codes associated with abnormal device crashes/reboots\r\nFiles uploaded or downloaded\r\nFile deletion\r\nUnauthorized changes in device configuration and execution of commands\r\nConnections to devices outside of documented norms for the device and environment\r\nSearch for and investigate evidence of ARP scanning followed by abnormal Modbus/Codesys traffic\r\ndiffering from environment baselines.\r\nSearch for abnormal Modbus and Codesys traffic flows compared to environment baselines.\r\nOMSHELL\r\nSearch for and investigate evidence of the creation/existence of OMSHELL-related host-based indicators\r\non systems with access to OT resources and connectivity (e.g., packet captures).\r\nEnable robust logging for Omron PLC devices and aggregate logs to a central location where applicable.\r\nReview Omron device logs for evidence of the following activity:\r\nActivation of Telnet daemon on the device.\r\nUnauthorized Telnet connection attempts including 
the use of default credentials.\r\nWiping of PROGRAM memory and device resets.\r\nUnauthorized changes in device configuration and execution of commands.\r\nConnections to devices outside of documented norms for the device and environment.\r\nFiles uploaded or downloaded.\r\nIdentify and investigate nefarious pingsweep scanning activity, telnet traffic, and HTTP traffic on systems\r\nwith access and connectivity to OT resources/devices:\r\nSearch for and investigate evidence of Omron FINS traffic outside of standard norms and environment\r\nbaselines.\r\nCollect, identify, and investigate nefarious HTTP POST data to Omron devices containing Omron API commands.\r\nAppendix: MITRE ATT\u0026CK for ICS Mapping\r\nModule Tactic Technique\r\nTAGRUN Execution T0807: Command-Line Interface\r\nTAGRUN Execution T0853: Scripting\r\nTAGRUN Lateral Movement T0859: Valid Accounts\r\nTAGRUN Discovery T0888: Remote System Information Discovery\r\nTAGRUN Discovery T0846: Remote System Discovery\r\nTAGRUN Persistence T0859: Valid Accounts\r\nTAGRUN Collection T0801: Monitor Process State\r\nTAGRUN Collection T0861: Point \u0026 Tag Identification\r\nTAGRUN Command and Control T0885: Commonly Used Port\r\nTAGRUN Command and Control T0869: Standard Application Layer Protocol\r\nTAGRUN Impact T0832: Manipulation of View\r\nTAGRUN Impact T0882: Theft of Operational Information\r\nTable 2: TAGRUN MITRE ATT\u0026CK for ICS mapping\r\nModule Tactic Technique\r\nCODECALL Execution T0807: Command-Line Interface\r\nCODECALL Execution T0853: Scripting\r\nCODECALL Persistence T0859: Valid Accounts\r\nCODECALL Persistence T0857: System Firmware\r\nCODECALL Persistence T0889: Modify Program\r\nCODECALL Discovery T0846: Remote System Discovery\r\nCODECALL Discovery T0888: Remote System Information Discovery\r\nCODECALL Lateral Movement T0812: Default Credentials\r\nCODECALL Lateral Movement T0843: Program 
Download\r\nCODECALL Lateral Movement T0859: Valid Accounts\r\nCODECALL Collection T0801: Monitor Process State\r\nCODECALL Collection T0845: Program Upload\r\nCODECALL Collection T0801: Monitor Process State\r\nCODECALL Command and Control T0885: Commonly Used Port\r\nCODECALL Command and Control T0869: Standard Application Layer Protocol\r\nOMSHELL Inhibit Response Function T0881: Service Stop\r\nOMSHELL Impair Process Control T0836: Modify Parameter\r\nOMSHELL Impair Process Control T0855: Unauthorized Command Message\r\nOMSHELL Impact T0879: Damage to Property\r\nOMSHELL Impact T0837: Loss of Safety\r\nOMSHELL Impact T0831: Manipulation of Control\r\nOMSHELL Impact T0882: Theft of Operational Information\r\nTable 3: CODECALL MITRE ATT\u0026CK for ICS mapping\r\nAppendix: YARA Rules\r\nrule MTI_Hunting_AsRockDriver_Exploit_PDB\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date = \"03-23-2022\"\r\n description = \"Searching for executables containing strings associated with AsRock driver Ex\r\n strings:\r\n $dos_stub = \"This program cannot be run in DOS mode\"\r\n $pdb_bad = \"dev projects\\\\SignSploit1\\\\x64\\\\Release\\\\AsrDrv_exploit.pdb\"\r\n $pdb_good = \"c:\\\\asrock\\\\work\\\\asrocksdk_v0.0.69\\\\asrrw\\\\src\\\\driver\\\\src\\\\objfre_win7_amd64\r\n condition:\r\n all of them and (@pdb_bad \u003c @dos_stub[2]) and (#dos_stub == 2) and (@pdb_good \u003e @dos_stub[2]\r\n}\r\nrule MTI_Hunting_AsRockDriver_Exploit_Generic\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date = \"03-23-2022\"\r\n description = \"Searching for executables containing strings associated with AsRock driver Ex\r\n strings:\r\n $dos_stub = \"This program cannot be run in DOS mode\"\r\n $pdb_good = \"c:\\\\asrock\\\\work\\\\asrocksdk_v0.0.69\\\\asrrw\\\\src\\\\driver\\\\src\\\\objfre_win7_amd64\r\n 
condition:\r\n all of them and (#dos_stub == 2) and (@pdb_good \u003e @dos_stub[2])\r\n}\r\nAcknowledgements\r\nThis research was made possible thanks to the hard work of many people not listed on the byline. A huge thanks to\r\nthe Schneider Electric Team, Mandiant Advanced Practices, FLARE, Consulting, Managed Defense, and everyone\r\nelse who supported this effort.\r\nSpecial thanks to Jared Scott Wilson, Glen Chason, Benjamin Read, Jonathan Leathery, Conor Quigley, and\r\nWesley Mok.\r\nSource: https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"
	],
	"report_names": [
		"incontroller-state-sponsored-ics-tool"
	],
	"threat_actors": [],
	"ts_created_at": 1775434611,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b234d5ca9bc57c9fbbcbeb2ecddbf1334b80a91b.pdf",
		"text": "https://archive.orkl.eu/b234d5ca9bc57c9fbbcbeb2ecddbf1334b80a91b.txt",
		"img": "https://archive.orkl.eu/b234d5ca9bc57c9fbbcbeb2ecddbf1334b80a91b.jpg"
	}
}