Shades of Stuxnet: Newly found malware can sabotage industrial controls, but only in simulated environments
FireEye's FLARE research lab has discovered an ICS-focused malware program, dubbed Irongate, that carries certain properties of Stuxnet, while also branching out on its own.
FireEye's FLARE research lab team revealed details of a recently discovered malware program, dubbed Irongate, whose properties echo the infamous Stuxnet virus, in that it is theoretically designed to manipulate or sabotage industrial control systems in a Siemens environment.
Fortunately, it appears that Irongate only operates in a simulated Siemens environment, not a standard operational one, indicating that the malware may only be a test case or a research project. “This is more of a proof of concept. Someone was playing with [the concept of] Stuxnet and introduced new features, but isn't going to work against a system today,” said Sean McBride, critical infrastructure lead analyst at FireEye, in an interview with SCMagazine.com.
According to a FireEye blog post detailing the threat, Siemens' Product Computer Emergency Readiness Team (ProductCERT) has already confirmed that Irongate does not work on operationally viable Siemens control systems, nor does it exploit vulnerabilities in Siemens products.
McBride told SCMagazine.com that it was unlikely that this particular code could be successfully leveraged by a bad actor to launch a real-life attack. However, he said he “would not be surprised” if Irongate inspired hacking groups to incorporate some of its unique capabilities into future ICS-focused malware. Moreover, he agreed that Irongate's discovery suggests that complex malware like Stuxnet is becoming increasingly accessible to individuals, and is no longer necessarily the work of a sophisticated nation-state.
Believed to originate from the U.S. and Israel, the Stuxnet worm memorably caused major destructive setbacks to Iran's nuclear program by sabotaging the Siemens-manufactured programmable logic controllers (PLCs) that automated the operation of centrifuges in Iran's Natanz nuclear facilities.
In this new case, FireEye reports that it discovered clues within Irongate's code that suggest it was built with the biogas industry in mind. Specifically, Irongate is designed to manipulate code that bears a striking resemblance to code found on a blog about simulating PLC communications using commercial simulation software. This matching code includes an executable called biogas.exe, which appears to set pressure and temperature values on industrial control systems, such as those one would likely find in a biogas facility.
Irongate shares a few key traits and behaviors with Stuxnet, including extreme selectivity in its targets: it will only execute if it detects a very specific industrial process related to its mission (and, as mentioned before, this only works in a simulated setting). Both malware examples also feature the ability to replace legitimate dynamic-link libraries (DLLs) with malicious code in order to achieve their ends.
But it also has its own unique features, separate from Stuxnet. For starters, it can execute a man-in-the-middle (MitM) attack that hijacks input-output communications between PLCs and the corresponding supervisory control and data acquisition (SCADA) systems that employees use to monitor the industrial process for problems or anomalies. Specifically, Irongate is designed to record five seconds of normal temperature and pressure readings and then surreptitiously replay them on a loop on the SCADA system so that observers fail to detect any dramatic shift in measurements. Meanwhile, it also sends different data back to the PLC. Obviously, if such a cyberweapon were applied in a real-life biogas facility, the results could be catastrophic and life-threatening.
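The replay-and-divert behaviour described above leaves two traces a defender can look for: an HMI telemetry stream that repeats a recorded window verbatim on a loop (genuine noisy sensor data never does that), and disagreement between what the HMI shows and a reading of the same process variable obtained through a channel the compromised host does not sit on. The following is an added illustration, not code from FireEye's write-up or from the Irongate samples; the streams, the 1 Hz sample rate, the setpoints and the function names are all constructed here for the example.

```python
"""
Defender-side checks for the replay-and-divert pattern: (1) a periodicity
check over the HMI-displayed telemetry, and (2) a divergence check between
the HMI view and an independently sourced reading.

All data below is constructed for illustration; it is not telemetry from
any real biogas plant or from the Irongate samples.
"""


def genuine_stream(n):
    """Constructed 1 Hz (temperature_C, pressure_bar) readings with a slow
    upward drift plus a small alternating term, so every sample is distinct,
    as real noisy sensor data would be."""
    out = []
    for i in range(n):
        temp = round(38.0 + 0.05 * i + (0.02 if i % 2 else 0.0), 2)
        pressure = round(1.200 + 0.002 * i, 3)
        out.append((temp, pressure))
    return out


def replayed_stream(n_genuine, window, n_loops):
    """Constructed HMI view under the attack: n_genuine honest samples, then
    the last `window` of them replayed `n_loops` times (the 'record five
    seconds, replay on a loop' behaviour the article describes)."""
    honest = genuine_stream(n_genuine)
    recorded = honest[-window:]
    return honest + recorded * n_loops


def find_replay_period(samples, max_period=60, min_repeats=3):
    """Smallest p such that the tail of `samples` is at least `min_repeats`
    exact copies of one p-sample window; 0 if no such p exists. Exact
    repetition of multi-sample windows does not occur in noisy sensor data,
    so a non-zero result is a strong replay indicator. p == 1 means the
    value is frozen, which deserves a look as well."""
    n = len(samples)
    for p in range(1, max_period + 1):
        needed = p * min_repeats
        if needed > n:
            break
        tail = samples[n - needed:]
        window = tail[:p]
        if all(tail[k:k + p] == window for k in range(0, needed, p)):
            return p
    return 0


def divergence_alerts(hmi_samples, independent_samples,
                      tol_temp=0.2, tol_pressure=0.01):
    """Compare HMI-displayed values with readings obtained out of band (a
    second historian, a directly polled sensor, a manual clipboard round).
    Returns (index, d_temp, d_pressure) for every sample that disagrees
    beyond tolerance; tolerances are constructed for the sample data."""
    alerts = []
    for i, (shown, actual) in enumerate(zip(hmi_samples, independent_samples)):
        d_temp = abs(shown[0] - actual[0])
        d_pressure = abs(shown[1] - actual[1])
        if d_temp > tol_temp or d_pressure > tol_pressure:
            alerts.append((i, round(d_temp, 3), round(d_pressure, 3)))
    return alerts


def run_checks():
    """Run both checks on the constructed honest and attacked streams.
    The honest stream doubles as the independent reading of the process."""
    honest = genuine_stream(40)
    attacked = replayed_stream(20, window=5, n_loops=4)   # 40 samples total
    return {
        "honest_period": find_replay_period(honest),      # 0: no replay
        "attacked_period": find_replay_period(attacked),  # 5: looped window
        "honest_alerts": len(divergence_alerts(honest, honest)),
        "attacked_alerts": divergence_alerts(attacked, honest),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The periodicity check needs only the HMI's own data, so it can run inside an existing historian; the divergence check is the stronger of the two, since it catches the PLC-side manipulation as well, but it depends on having at least one reading path that does not traverse the monitoring host.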
Irongate also contains sandbox evasion techniques, and will fail to run if such research environments are detected. (Stuxnet, by comparison, only looked out for antivirus software.)
It was in the second half of 2015 that FireEye first identified Irongate in two separate samples that were originally uploaded by separate sources back in 2014. FireEye has not yet identified the infection vector.
Asked for comment, Siemens sent SCMagazine.com the following statement: “Siemens is aware of a malware that targets a third party demo application which communicates with SIMATIC S7 PLC Simulation. Current analysis shows no indications for the exploitation of a technical flaw/security vulnerability with a Siemens product. Siemens recommends that customers follow its Operational Guidelines… in order to run Siemens devices in a protected IT environment.”