Incontroller ICS malware has ‘rare, dangerous’ capabilities, says Mandiant

Mandiant joins a growing chorus of warnings over novel nation state threats to ICS systems

Alex Scroxton

Alex Scroxton,
Security Editor

Published: 14 Apr 2022 11:12

A set of novel industrial control system (ICS)-oriented attack tools, dubbed Incontroller by researchers from Mandiant and Schneider Electric, poses a critical risk to organisations using the equipment that incorporates the targeted machine automation devices, according to a new alert.

Incontroller interacts with specific Schneider Electric and Omron elements embedded in various types machinery that are present in multiple industries. Known targeted devices include Schneider Electric Modicon M251, Modicon M258 and Modicon M221 Nano PLCs, and Omron NX1P2 and NJ501 PLCs and R88D-1SN10F-ECT servo drive. It is highly likely that these were selected by Incontroller’s operators because they enable reconnaissance in specific target environments – this has been a fairly standard modus operandi for ICS malwares in the past.

Nathan Brubaker, director of intelligence analysis at Mandiant, said: “Incontroller represents an exceptionally rare and dangerous cyber attack capability, following Stuxnet, Industroyer and Triton as the fourth ever attack-oriented ICS malware.

“Incontroller is very likely state-sponsored and contains capabilities related to disruption, sabotage and, potentially, physical destruction. While we are unable to definitively attribute the malware, we note that the activity is consistent with Russia’s historical interest in ICS.

“Incontroller poses a critical risk to organisations leveraging the targeted and affected devices. Organisations should take immediate action to determine if the targeted ICS devices are present in their environments and begin applying vendor-specific countermeasures, discovery methods and hunting tools.”

Incontroller incorporates three tools that enable the attacker to hit ICS devices using various network protocols. The tools are called Tagrun, Codecall and Omshell.

The first, Tagrun, has a scanning and reconnaissance role, gaining a detailed overview of systems and processes, but it can also write and change tag values, which means it could be used to modify data in support of an attack, or for obfuscation.

Codecall, meanwhile, serves to communicate with Schneider Electric ICS devices using the Modbus and Codesys protocols. Its capabilities include the ability to upload, download and delete files on the device, to disconnect existing sessions, to attempt distributed denial of service (DDoS) attacks, to cause crashes, and to send custom raw packets.

Finally, Omshell serves to obtain shell access to Omron devices via both the HTTP and Omron’s proprietary FINS protocols. Besides enumeration of target devices, it can wipe program memories and perform resets, connect to a backdoor on the device for arbitrary command execution, kill arbitrary processes on the device, and transfer files to it.

Mandiant said indicator-based detections are unlikely to detect Incontroller in victim environments, probably because, in common with its peer ICS malwares, the attackers will almost certainly have modified and customised it extensively. Instead, attention should be paid to behaviour-based hunting and detection methods. More detailed information on detecting, confronting and mitigating the threat can be found here.

Although Mandiant refrained from directly attributing Incontroller to a Russian advanced persistent threat (APT) actor, it said historical evidence pointed in that direction. As such, Incontroller is likely to be a more pressing threat to organisations with a presence in Ukraine, and to a lesser extent Nato member states and other allied countries.

Incontroller is the second ICS-specific set of malware tools to emerge in the space of a week. On 12 April, researchers at ESET, along with Ukraine’s government computer emergency response team, CERT-UA, disclosed the existence of Industroyer2, which was used in an attack on a Ukrainian electricity company. The attack was repelled successfully.

A child of Industroyer, a tool of the Sandworm or Voodoo Bear APT, and linked to Russia’s GRU intelligence agency, Industroyer2 targeted Windows, Linux and Solaris operating systems at the target’s high-voltage electricity substations. It is a highly targeted malware and is likely custom-built for each target selected by its operators.

In the light of these disclosures, the US Cybersecurity and Infrastructure Security Agency on 13 April issued a new alert on the threat to ICS infrastructure, including that from Incontroller.