Menu
Mysterious malware targets industrial control systems, borrows Stuxnet techniques

Mysterious malware targets industrial control systems, borrows Stuxnet techniques

The IRONGATE malware is likely a proof of concept, but could signal future attacks

Researchers have found a malware program that was designed to manipulate supervisory control and data acquisition (SCADA) systems in order to hide the real readings from industrial processes.

The same technique was used by the Stuxnet sabotage malware allegedly created by the U.S. and Israel to disrupt Iran's nuclear program and credited with destroying a large number of the country's uranium enrichment centrifuges.

The new malware was discovered in the second half of last year by researchers from security firm FireEye, not in an active attack, but in the VirusTotal database. VirusTotal is a Google-owned website where users can submit suspicious files to be scanned by antivirus engines.

The mysterious program, which FireEye has dubbed IRONGATE, was uploaded to VirusTotal by several sources in 2014, at which time none of the antivirus products used by the site detected it as malicious.

It's also surprising that no company has identified the malware until late 2015, because the VirusTotal samples are automatically shared with all antivirus vendors who participate in the project.

FireEye itself discovered it because the company was searching for potentially suspicious samples compiled with PyInstaller, a technique used by various attackers. Two IRONGATE payloads stood out because they had references to SCADA and associated functionality.

The good news is that the samples seem to be a proof of concept or part of some research effort. They're designed to find and replace a specific DLL that communicates with Siemens SIMATIC S7-PLCSIM, a software product that allows users to run programs on simulated S7-300 and S7-400 programmable logic controllers (PLCs).

PLCs are the specialized hardware devices that monitor and control industrial processes -- spinning motors, opening and closing valves, etc. They transmit their readings and other data to monitoring software, the human-machine interface (HMI), that runs on workstations used by engineers.

Like Stuxnet did at Iran's Natanz nuclear plant, IRONGATE goal is to inject itself into the SCADA monitoring process and manipulate the data coming from PLCs, potentially hiding ongoing sabotage.

Stuxnet did this by suspending the PLC operation so the reported centrifuge rotor speed would remain static and within normal limits while it actually was not. IRONGATE instead records valid data from the PLC and then continuously plays that data back -- think of robbers feeding the same video recording to a surveillance camera in a loop.

The fact that IRONGATE interacts with a PLC simulator and replaces a DLL that is not part of the Siemens standard product set have led the FireEye researchers to believe this malware was likely just a test.

The Siemens Product Computer Emergency Readiness Team (ProductCERT) "has confirmed that the code would not work against a standard Siemens control system environment," the FireEye researchers said in a blog post Thursday.

However, if IRONGATE was just a proof of concept developed in 2014, intended to test a Stuxnet-like man-in-the-middle attack against PLCs, it could mean its creators have built another malware program since then that works against real industrial control system (ICS) deployments. Either way, IRONGATE's discovery should serve as a warning to organizations that operate SCADA systems.

"The attackers have learned and implemented Stuxnet techniques, but the defenders haven’t really improved the ability to detect malware targeting ICS," Dale Peterson, the CEO of ICS security consultancy Digital Bond, said in a blog post. "We need significant improvement in detection capabilities for ICS integrity attacks."

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments