Mysterious malware targets industrial control systems, borrows Stuxnet techniques

The IRONGATE malware is likely a proof of concept, but could signal future attacks

Researchers have found a malware program that was designed to manipulate supervisory control and data acquisition (SCADA) systems in order to hide the real readings from industrial processes.

The same technique was used by the Stuxnet sabotage malware allegedly created by the U.S. and Israel to disrupt Iran's nuclear program and credited with destroying a large number of the country's uranium enrichment centrifuges.

The new malware was discovered in the second half of last year by researchers from security firm FireEye, not in an active attack, but in the VirusTotal database. VirusTotal is a Google-owned website where users can submit suspicious files to be scanned by antivirus engines.

The mysterious program, which FireEye has dubbed IRONGATE, was uploaded to VirusTotal by several sources in 2014, at which time none of the antivirus products used by the site detected it as malicious.

It's also surprising that no company had identified the malware until late 2015, because VirusTotal samples are automatically shared with all antivirus vendors who participate in the project.

FireEye itself discovered it because the company was searching for potentially suspicious samples compiled with PyInstaller, a technique used by various attackers. Two IRONGATE payloads stood out because they had references to SCADA and associated functionality.

The good news is that the samples seem to be a proof of concept or part of some research effort. They're designed to find and replace a specific DLL that communicates with Siemens SIMATIC S7-PLCSIM, a software product that allows users to run programs on simulated S7-300 and S7-400 programmable logic controllers (PLCs).

PLCs are the specialized hardware devices that monitor and control industrial processes -- spinning motors, opening and closing valves, etc. They transmit their readings and other data to monitoring software, the human-machine interface (HMI), that runs on workstations used by engineers.

Like Stuxnet at Iran's Natanz nuclear plant, IRONGATE's goal is to inject itself into the SCADA monitoring process and manipulate the data coming from PLCs, potentially hiding ongoing sabotage.

Stuxnet did this by suspending the PLC operation so the reported centrifuge rotor speed would remain static and within normal limits while it actually was not. IRONGATE instead records valid data from the PLC and then continuously plays that data back -- think of robbers feeding the same video recording to a surveillance camera in a loop.
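The two integrity attacks described above leave different fingerprints at the HMI: a frozen value (Stuxnet) and an exactly repeating block of readings (IRONGATE's playback). The following added example, which is not code from FireEye, Siemens or Digital Bond, runs a simple check for both over a constructed stream of rotor-speed readings; the nominal value, noise level and window size are assumptions.

```python
"""Integrity check for HMI-side telemetry: flag a frozen reading (the effect
Stuxnet produced) and a looped recording (the effect IRONGATE's playback
produces). Added example, not code from FireEye, Siemens or Digital Bond;
the readings are constructed, not captured from a real PLC."""
from typing import List, Optional
import random

REPEATS = 3      # back-to-back copies of a block needed to call it a loop
MIN_PERIOD = 4   # shortest loop length worth reporting


def find_replay_period(readings: List[float]) -> Optional[int]:
    """Return the loop length if the tail of `readings` is one block repeated
    REPEATS times back to back, else None. Genuine sensor data carries noise,
    so an exact repeat of a whole window is a strong integrity signal."""
    n = len(readings)
    for period in range(MIN_PERIOD, n // REPEATS + 1):
        tail = readings[n - period * REPEATS:]
        block = tail[:period]
        if all(tail[i * period:(i + 1) * period] == block for i in range(1, REPEATS)):
            return period
    return None


def classify_tail(readings: List[float], window: int = 24) -> Optional[str]:
    """Classify the last `window` readings: 'static' when the value never
    changes, 'replay:<period>' when a recorded block is looping, None otherwise.
    A genuinely flat signal (an idle motor, say) also reads 'static', so apply
    this only to tags that normally carry noise."""
    tail = readings[-window:]
    if len(set(tail)) == 1:
        return "static"
    period = find_replay_period(tail)
    return f"replay:{period}" if period else None


def genuine_stream(n: int, seed: int = 1) -> List[float]:
    """Constructed rotor-speed readings: assumed nominal value plus sensor noise."""
    rng = random.Random(seed)
    return [round(1000.0 + rng.gauss(0, 2.0), 3) for _ in range(n)]


def replayed_stream(recorded: List[float], length: int) -> List[float]:
    """What the HMI sees when a recorded block is looped in place of live data."""
    return [recorded[i % len(recorded)] for i in range(length)]


if __name__ == "__main__":
    live = genuine_stream(60)
    looped = replayed_stream(live[:8], 60)
    print(classify_tail(live), classify_tail(looped), classify_tail([1000.0] * 60))
```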

The fact that IRONGATE interacts with a PLC simulator and replaces a DLL that is not part of the Siemens standard product set has led the FireEye researchers to believe this malware was likely just a test.

The Siemens Product Computer Emergency Readiness Team (ProductCERT) "has confirmed that the code would not work against a standard Siemens control system environment," the FireEye researchers said in a blog post Thursday.

However, if IRONGATE was just a proof of concept developed in 2014, intended to test a Stuxnet-like man-in-the-middle attack against PLCs, it could mean its creators have built another malware program since then that works against real industrial control system (ICS) deployments. Either way, IRONGATE's discovery should serve as a warning to organizations that operate SCADA systems.

"The attackers have learned and implemented Stuxnet techniques, but the defenders haven’t really improved the ability to detect malware targeting ICS," Dale Peterson, the CEO of ICS security consultancy Digital Bond, said in a blog post. "We need significant improvement in detection capabilities for ICS integrity attacks."

Lucian Constantin

IDG News Service