Mysterious malware targets industrial control systems, borrows Stuxnet techniques

The IRONGATE malware is likely a proof of concept, but could signal future attacks

Researchers have found a malware program that was designed to manipulate supervisory control and data acquisition (SCADA) systems in order to hide the real readings from industrial processes.

The same technique was used by the Stuxnet sabotage malware allegedly created by the U.S. and Israel to disrupt Iran's nuclear program and credited with destroying a large number of the country's uranium enrichment centrifuges.

The new malware was discovered in the second half of last year by researchers from security firm FireEye, not in an active attack, but in the VirusTotal database. VirusTotal is a Google-owned website where users can submit suspicious files to be scanned by antivirus engines.

The mysterious program, which FireEye has dubbed IRONGATE, was uploaded to VirusTotal by several sources in 2014, at which time none of the antivirus products used by the site detected it as malicious.

It's also surprising that no company has identified the malware until late 2015, because the VirusTotal samples are automatically shared with all antivirus vendors who participate in the project.

FireEye itself discovered it because the company was searching for potentially suspicious samples compiled with PyInstaller, a technique used by various attackers. Two IRONGATE payloads stood out because they had references to SCADA and associated functionality.

The good news is that the samples seem to be a proof of concept or part of some research effort. They're designed to find and replace a specific DLL that communicates with Siemens SIMATIC S7-PLCSIM, a software product that allows users to run programs on simulated S7-300 and S7-400 programmable logic controllers (PLCs).

PLCs are the specialized hardware devices that monitor and control industrial processes -- spinning motors, opening and closing valves, etc. They transmit their readings and other data to monitoring software, the human-machine interface (HMI), that runs on workstations used by engineers.

Like Stuxnet did at Iran's Natanz nuclear plant, IRONGATE goal is to inject itself into the SCADA monitoring process and manipulate the data coming from PLCs, potentially hiding ongoing sabotage.

Stuxnet did this by suspending the PLC operation so the reported centrifuge rotor speed would remain static and within normal limits while it actually was not. IRONGATE instead records valid data from the PLC and then continuously plays that data back -- think of robbers feeding the same video recording to a surveillance camera in a loop.

The fact that IRONGATE interacts with a PLC simulator and replaces a DLL that is not part of the Siemens standard product set have led the FireEye researchers to believe this malware was likely just a test.

The Siemens Product Computer Emergency Readiness Team (ProductCERT) "has confirmed that the code would not work against a standard Siemens control system environment," the FireEye researchers said in a blog post Thursday.

However, if IRONGATE was just a proof of concept developed in 2014, intended to test a Stuxnet-like man-in-the-middle attack against PLCs, it could mean its creators have built another malware program since then that works against real industrial control system (ICS) deployments. Either way, IRONGATE's discovery should serve as a warning to organizations that operate SCADA systems.

"The attackers have learned and implemented Stuxnet techniques, but the defenders haven’t really improved the ability to detect malware targeting ICS," Dale Peterson, the CEO of ICS security consultancy Digital Bond, said in a blog post. "We need significant improvement in detection capabilities for ICS integrity attacks."

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?