Introduction
The discovery of TRITON/TRISIS in 2017 demonstrated that nation-state actors were willing to invest in malware specifically engineered to target industrial control systems — not for espionage, but for disruption or destruction. TRITON targeted Schneider Electric Triconex safety instrumented systems at a Saudi petrochemical facility.
In the years since, two further ICS malware frameworks have emerged with the same level of industrial specificity: PIPEDREAM (also tracked as INCONTROLLER) disclosed in April 2022, and COSMICENERGY disclosed in May 2023. Neither has been observed in active destructive attacks at the time of their public disclosure — both were identified either before deployment or in research contexts — but both represent significant advances in adversary capability against industrial infrastructure.
This analysis covers what they are, how they work, and what the defender community should draw from them.
PIPEDREAM / INCONTROLLER
Background and Attribution
PIPEDREAM was disclosed jointly by CISA, the NSA, the FBI, the Department of Energy, and private sector partners Dragos and Mandiant in April 2022. Dragos tracks it as PIPEDREAM; Mandiant as INCONTROLLER. The framework was attributed by Mandiant with moderate confidence to a state-sponsored Russian threat actor. Dragos attributed it to CHERNOVITE, a newly named threat group. The malware was identified before any confirmed destructive deployment — an unusual situation that suggests intelligence access to the tooling before it was used.
The timing of the disclosure — amid the conflict in Ukraine and against the backdrop of US critical infrastructure threats — was deliberate. CISA’s advisory stated directly that the capabilities “could be leveraged to cause physical damage and create life-safety consequences.”
Architecture
PIPEDREAM is a modular framework. Each component targets a specific industrial protocol or device type. Dragos identified five modules:
EVILSCHOLAR — Targets Schneider Electric Modicon PLCs via the CODESYS communication protocol. CODESYS is a widely used software environment for PLC programming and runtime; Schneider Electric PLCs implementing CODESYS V3 runtime are in scope. EVILSCHOLAR can enumerate devices, upload and execute malicious logic, and trigger denial-of-service conditions against the PLC. It can also reboot the device into an invalid state and permanently damage it by overwriting firmware under specific conditions.
MOUSEHOLE — A Modicon-specific module that communicates via the Modbus protocol. While Modbus is a simpler protocol than CODESYS, it is ubiquitous in industrial environments — far more devices speak Modbus than CODESYS. MOUSEHOLE provides broader reach at the cost of less control capability.
LAZYCARGO — A Windows kernel driver module. Unlike the other components, LAZYCARGO operates at the IT/OT boundary — it exploits a vulnerable signed driver to load unsigned code into the Windows kernel, bypassing driver signature enforcement. This capability would typically be used on the engineering workstation that connects to PLCs, allowing the attacker to run code in kernel space on the machine that manages industrial devices.
BADOMEN — Targets Omron PLCs via the FINS (Factory Interface Network Service) protocol. Omron PLCs are widely deployed in manufacturing automation, particularly in Japan and in facilities with Japanese equipment. BADOMEN provides similar capabilities to EVILSCHOLAR but for the Omron device ecosystem.
DUSTTUNNEL — A remote tunnelling and proxy module that provides encrypted command-and-control communication back to attacker infrastructure. DUSTTUNNEL is the persistence and C2 layer that the other modules communicate through — without it, the framework loses its command channel.
Capability Summary
The combination of modules gives PIPEDREAM operators the ability to:
- Enumerate and identify Modicon and Omron PLCs on a network
- Interact with and modify PLC logic via native industrial protocols
- Cause controlled outages (taking a PLC offline) or uncontrolled disruptions (corrupting firmware)
- Establish persistent footholds on engineering workstations at kernel level
- Operate across multiple PLC vendor ecosystems from a single framework
This is a significant departure from ad-hoc ICS attack tooling. Prior to PIPEDREAM, demonstrated ICS attacks (STUXNET, Industroyer/Crash Override, TRITON) each used custom tooling for a single device type. PIPEDREAM’s modularity allows a single operator team to attack heterogeneous industrial environments without rebuilding tooling for each target.
Relevance to Current Defenders
PIPEDREAM targets device types (Modicon, Omron PLCs) that are still in active production use across energy, water, and manufacturing sectors worldwide. The CODESYS runtime targeted by EVILSCHOLAR is embedded in devices from hundreds of manufacturers — the scope of potential impact extends well beyond Schneider Electric and Omron branded devices.
Specific recommended actions from the CISA advisory remain relevant:
- Isolate OT networks from the internet and from IT networks using defended DMZs
- Enforce MFA on all OT-adjacent engineering workstations
- Limit CODESYS and FINS protocol traffic to authorised engineering workstations only via firewall rules
- Monitor for unexpected Modbus WRITE commands and CODESYS function block modifications
- Audit for the presence of the LAZYCARGO vulnerable driver (a specific ASRock driver) on Windows systems in OT environments
COSMICENERGY
Background and Attribution
COSMICENERGY was disclosed by Mandiant in May 2023. Unlike PIPEDREAM, no formal government advisory accompanied the disclosure. Mandiant assessed that COSMICENERGY may have been developed by or for Rostelecom-Solar (a Russian cybersecurity company with government contracts) as a red team tool for power grid disruption exercises. The tooling contains artefacts consistent with this assessment, including strings and file paths referencing Russian-language test environments.
Attribution to a specific threat group or state actor is not established with high confidence. Mandiant explicitly noted that red team tools developed by national-security-adjacent contractors have historically been acquired and repurposed by offensive actors — as occurred with tools from the Hacking Team and NSO Group leaks.
The relevance to defenders is the capability, not the attribution: the toolset demonstrates the operationalisation of power grid disruption via ICS protocols.
Architecture and Targeting
COSMICENERGY targets the IEC 60870-5-104 (IEC-104) protocol, which is widely used for SCADA communication in power distribution networks — particularly in Europe, the Middle East, and Asia. IEC-104 is the network-layer adaptation of the older IEC 101 serial protocol and controls the communication between control centres and remote terminal units (RTUs) that manage substation equipment including circuit breakers and switches.
COSMICENERGY consists of two components:
LIGHTWORK — Sends IEC-104 commands directly to RTUs to change the state of power line switches — ON or OFF. This is the disruptive payload: it can command a substation’s controllable equipment to open or close, which is functionally equivalent to a remote operator switching off power to a distribution area. LIGHTWORK does not need to exploit a vulnerability in the RTU — it sends valid IEC-104 commands. The vulnerability is authentication: many IEC-104 deployments do not implement message authentication.
LIGHTBOAT — A tool that queries Microsoft SQL Server databases to retrieve IEC-104 information object addresses for specific RTUs. In power SCADA environments, the MSSQL database often serves as the configuration backend for the control centre software, storing the mapping between physical equipment and their IEC-104 data object identifiers. LIGHTBOAT extracts this information to provide LIGHTWORK with the correct addresses for targeted disruption rather than random switching.
The Authentication Gap
The core exploitation in COSMICENERGY is not a software vulnerability. IEC-104 was designed in an era when SCADA networks were physically isolated serial links — authentication was not part of the protocol specification. IEC 62351 (the security extension for IEC-104) adds authentication and encryption, but adoption has been slow. Many operational deployments still use IEC-104 without authentication, meaning any host that can reach an RTU on the network can send valid control commands.
This is the same pattern as the DNP3 authentication gap and the Modbus lack of authentication. Industrial protocols designed before network connectivity became standard carry security assumptions that do not survive internet-adjacent deployment. COSMICENERGY operationalises this gap against the specific device class — European power RTUs — where it is most consequential.
Differences from Industroyer
Industroyer (2016) and Industroyer2 (2022) are the prior ICS malware frameworks targeting power infrastructure, both attributed to Sandworm and used in attacks against Ukrainian electricity. Both also implement IEC-104 (among other protocols).
COSMICENERGY differs in scale and approach. Industroyer was a full-capability framework with multiple protocol modules (IEC-101, IEC-104, IEC-61850, OPCDA) and was built for specific deployment environments. COSMICENERGY is narrower — IEC-104 only — and the MSSQL reconnaissance component suggests it was designed to operate against a specific class of SCADA architecture where the control centre database is accessible to the attacker.
Comparative Assessment
| PIPEDREAM | COSMICENERGY | |
|---|---|---|
| Disclosed | April 2022 | May 2023 |
| Attribution | Russian state-sponsored (moderate confidence) | Possible Rostelecom-Solar red team tool |
| Protocol targets | CODESYS, Modbus, FINS, LADP | IEC-104 |
| Device targets | Modicon PLCs, Omron PLCs | Power RTUs (IEC-104 capable) |
| Sector focus | Manufacturing, energy, water | Power distribution |
| Active destructive use | Not confirmed | Not confirmed |
| Complexity | High (modular, kernel-level capabilities) | Moderate (two-component, protocol exploitation) |
Implications for OT Defenders
Both PIPEDREAM and COSMICENERGY share a structural lesson: the most capable ICS-targeting malware does not primarily exploit software vulnerabilities. It exploits protocol design decisions — the absence of authentication in Modbus, FINS, and IEC-104 — and the architectural reality that engineering workstations and SCADA databases have network access to production devices.
The defensive response to both frameworks is the same:
Network segmentation is the primary control. A host that cannot reach a PLC or RTU cannot send it malicious commands regardless of what software the host is running. Firewall rules that restrict IEC-104, Modbus, CODESYS, and FINS traffic to authorised management hosts are more robust than trying to detect malicious protocol traffic on allowed paths.
Anomaly-based monitoring on industrial protocols. LIGHTWORK sends valid IEC-104 commands. EVILSCHOLAR sends valid CODESYS messages. Signature-based detection cannot distinguish them from legitimate operations. Monitoring for protocol anomalies — commands issued outside normal operational windows, commands to objects that are not typically modified remotely, command sequences inconsistent with operational patterns — is the relevant detection layer.
Database access controls in SCADA environments. LIGHTBOAT’s dependence on MSSQL access to retrieve RTU addressing information highlights an underappreciated attack surface: the SCADA configuration database. Restrict access to SCADA historian and configuration databases to the minimum necessary hosts and implement monitoring for unusual query patterns.
IEC 62351 and DNP3 authentication. Where standards-based authentication is available for industrial protocols, evaluate its deployment. IEC 62351 for IEC-104 environments and DNP3 Secure Authentication (SAv5) for DNP3 networks provide the cryptographic authentication layer that makes protocol-level attacks like COSMICENERGY’s approach significantly harder. Adoption is technically and operationally complex but remains the long-term answer to protocol-level exploitation.