Menu
Mysterious malware targets industrial control systems, borrows Stuxnet techniques

Mysterious malware targets industrial control systems, borrows Stuxnet techniques

The IRONGATE malware is likely a proof of concept, but could signal future attacks

Researchers have found a malware program that was designed to manipulate supervisory control and data acquisition (SCADA) systems in order to hide the real readings from industrial processes.

The same technique was used by the Stuxnet sabotage malware allegedly created by the U.S. and Israel to disrupt Iran's nuclear program and credited with destroying a large number of the country's uranium enrichment centrifuges.

The new malware was discovered in the second half of last year by researchers from security firm FireEye, not in an active attack, but in the VirusTotal database. VirusTotal is a Google-owned website where users can submit suspicious files to be scanned by antivirus engines.

The mysterious program, which FireEye has dubbed IRONGATE, was uploaded to VirusTotal by several sources in 2014, at which time none of the antivirus products used by the site detected it as malicious.

It's also surprising that no company has identified the malware until late 2015, because the VirusTotal samples are automatically shared with all antivirus vendors who participate in the project.

FireEye itself discovered it because the company was searching for potentially suspicious samples compiled with PyInstaller, a technique used by various attackers. Two IRONGATE payloads stood out because they had references to SCADA and associated functionality.

The good news is that the samples seem to be a proof of concept or part of some research effort. They're designed to find and replace a specific DLL that communicates with Siemens SIMATIC S7-PLCSIM, a software product that allows users to run programs on simulated S7-300 and S7-400 programmable logic controllers (PLCs).

PLCs are the specialized hardware devices that monitor and control industrial processes -- spinning motors, opening and closing valves, etc. They transmit their readings and other data to monitoring software, the human-machine interface (HMI), that runs on workstations used by engineers.

Like Stuxnet did at Iran's Natanz nuclear plant, IRONGATE goal is to inject itself into the SCADA monitoring process and manipulate the data coming from PLCs, potentially hiding ongoing sabotage.

Stuxnet did this by suspending the PLC operation so the reported centrifuge rotor speed would remain static and within normal limits while it actually was not. IRONGATE instead records valid data from the PLC and then continuously plays that data back -- think of robbers feeding the same video recording to a surveillance camera in a loop.

The fact that IRONGATE interacts with a PLC simulator and replaces a DLL that is not part of the Siemens standard product set have led the FireEye researchers to believe this malware was likely just a test.

The Siemens Product Computer Emergency Readiness Team (ProductCERT) "has confirmed that the code would not work against a standard Siemens control system environment," the FireEye researchers said in a blog post Thursday.

However, if IRONGATE was just a proof of concept developed in 2014, intended to test a Stuxnet-like man-in-the-middle attack against PLCs, it could mean its creators have built another malware program since then that works against real industrial control system (ICS) deployments. Either way, IRONGATE's discovery should serve as a warning to organizations that operate SCADA systems.

"The attackers have learned and implemented Stuxnet techniques, but the defenders haven’t really improved the ability to detect malware targeting ICS," Dale Peterson, the CEO of ICS security consultancy Digital Bond, said in a blog post. "We need significant improvement in detection capabilities for ICS integrity attacks."


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
Show Comments