Critical Infrastructure Security, Threat Intelligence, Incident Response, Malware, TDR

Shades of Stuxnet: Newly found malware can sabotage industrial controls, but only in simulated environments

FireEye's FLARE research lab team revealed details of a recently discovered malware program, dubbed Irongate, whose properties echo the infamous Stuxnet virus, in that it is theoretically designed to manipulate or sabotage industrial control systems in a Siemens environment.

Fortunately, it appears that Irongate only operates in a simulated Siemens environment, rather than a standard operational one, indicating that the malware may only be a test case or a research project. “This is more of a proof of concept. Someone was playing with [the concept of] Stuxnet and introduced new features, but isn't going to work against a system today,” said Sean McBride, critical infrastructure lead analyst at FireEye, in an interview with SCMagazine.com.

According to a FireEye blog post detailing the threat, Siemens' Product Computer Emergency Readiness Team (ProductCERT) has already confirmed that Irongate does not work on operationally viable Siemens control systems, nor does it exploit vulnerabilities in Siemens products.

McBride told SCMagazine.com that it was unlikely that this particular code could be successfully leveraged by a bad actor to launch a real-life attack. However, he said he “would not be surprised” if Irongate inspired hacking groups to incorporate some of its unique capabilities into future ICS-focused malware. Moreover, he agreed that Irongate's discovery suggests that complex malware like Stuxnet is becoming increasingly accessible to individuals, and is no longer necessarily the work of a sophisticated nation-state.

Believed to originate from the U.S. and Israel, the Stuxnet worm memorably caused major destructive setbacks to Iran's nuclear program by sabotaging the Siemens-manufactured programmable logic controllers (PLCs) that automated the operation of centrifuges at Iran's Natanz nuclear facility.

In this new case, FireEye reports that it discovered clues within Irongate's code that suggest it was built with the biogas industry in mind. Specifically, Irongate is designed to manipulate code that bears a striking resemblance to code found on a blog post about simulating PLC communications using commercial simulation software. This matching code includes an executable called biogas.exe, which appears to set pressure and temperature values on industrial control systems, such as those one would likely find in a biogas facility.

Irongate shares a few key traits and behaviors with Stuxnet, including extreme selectivity in its targets: it will only execute if it detects a very specific industrial process related to its mission (and, as mentioned above, this only works in a simulated setting). Both malware samples can also replace legitimate dynamic link libraries (DLLs) with malicious code in order to achieve their ends.

But it also has its own unique features, separate from Stuxnet. For starters, it can execute a man-in-the-middle (MitM) attack that hijacks input-output communications between PLCs and the corresponding SCADA systems (supervisory control and data acquisition) that employees use to monitor the industrial process for problems or anomalies. Specifically, Irongate is designed to record five seconds of normal temperature and pressure readings and then surreptitiously replay them on a loop to the SCADA system so that observers fail to detect any dramatic shift in measurements. Meanwhile, it also sends different data back to the PLC. Obviously, if such a cyberweapon were applied in a real-life biogas facility, the results could be catastrophic and life-threatening.
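As an added illustration of how a defender might notice the record-and-replay behavior described above (example code written for this article, not FireEye's or Siemens' tooling): real sensor telemetry carries noise, so a short block of readings repeating exactly, several times in a row, is itself a detectable anomaly, and an out-of-band read of the same PLC tags exposes the second, diverging stream. The telemetry below is constructed, and one sample per second is assumed.

```python
"""Replay-loop and divergence checks for process telemetry.

Added example, not FireEye's or Siemens' code. Assumes readings are
sampled at a fixed rate (1 Hz here) and carry real-world noise, so an
exact repeat of a whole segment several times over is anomalous."""
from typing import Optional, Sequence, Tuple

Reading = Tuple[float, float]  # (temperature, pressure); constructed shape


def find_replay_period(samples: Sequence[Reading], min_repeats: int = 3,
                       max_period: int = 60) -> Optional[int]:
    """Return the smallest period p (in samples) such that the tail of
    `samples` is one p-sample block repeated exactly `min_repeats` times
    or more, or None if no such loop is present. A 5-second capture at
    1 Hz replayed to the HMI shows up as p == 5."""
    n = len(samples)
    for p in range(1, max_period + 1):
        span = p * min_repeats
        if span > n:
            break
        tail = samples[n - span:]
        block = tail[:p]
        # A flat line is normal at steady state with quantized sensors;
        # only a repeating block that contains variation is flagged.
        if len(set(block)) < 2:
            continue
        if all(tail[i] == block[i % p] for i in range(span)):
            return p
    return None


def divergence_count(hmi: Sequence[Reading], plc: Sequence[Reading],
                     tol: float = 0.05) -> int:
    """Count samples where the HMI's view and an independent read of the
    same tags disagree by more than `tol`; a MitM feeding the HMI one
    stream and the PLC another is visible here even before the loop is
    long enough for find_replay_period to fire."""
    return sum(1 for (t1, p1), (t2, p2) in zip(hmi, plc)
               if abs(t1 - t2) > tol or abs(p1 - p2) > tol)


def simulate_hmi_stream() -> list:
    """Constructed telemetry: 20 genuine noisy samples, then a 5-sample
    capture replayed four times (what the HMI would be shown)."""
    genuine = [(38.0 + 0.1 * (i % 7), 1.20 + 0.01 * ((i * 3) % 5))
               for i in range(20)]
    captured = genuine[-5:]
    return genuine + captured * 4


if __name__ == "__main__":
    stream = simulate_hmi_stream()
    print("replay period:", find_replay_period(stream))        # 5
    print("genuine only:", find_replay_period(stream[:20]))    # None
```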

Irongate also contains sandbox evasion techniques, and will fail to run if such research environments are detected. (Stuxnet, by comparison, only looked out for antivirus software.)

It was in the second half of 2015 that FireEye first identified Irongate in two separate samples that were originally uploaded by separate sources back in 2014. FireEye has not yet identified the infection vector.

Asked for comment, Siemens sent SCMagazine.com the following statement: “Siemens is aware of a malware that targets a third party demo application which communicates with SIMATIC S7 PLC Simulation. Current analysis shows no indications for the exploitation of a technical flaw/security vulnerability with a Siemens product. Siemens recommends customers following its Operational Guidelines… in order to run Siemens devices in a protected IT environment.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
