Stuxnet-Esque Irongate Malware Targets Industrial Control Systems

Malware that targets industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems has been discovered by FireEye Labs.

While the malware appears to be harmless, the researchers believe it should remind the industrial sector of the cyber threats posed to their command and control systems.

FireEye Labs dubbed the malware Irongate, and said that it found the samples on Google’s VirusTotal database that were first placed there back in 2014.

No Threat

They said that Irongate shares some of the same attributes as the Stuxnet malware, that caused so much carnage to Iranian nuclear infrastructure. That malware was widely believed to have been created by the United States and Israel, and it reportedly damaged nearly 3,000 centrifuges in the Natanz facility in Iran.

Unlike Stuxnet however, it seems that Irongate does not actively pose a threat as it was designed with the single purpose of running within Siemens simulated control system environments.

“Siemens Product Computer Emergency Readiness Team (ProductCERT) confirmed that Irongate is not viable against operational Siemens control systems and determined that Irongate does not exploit any vulnerabilities in Siemens products,” said the researchers. “We are unable to associate Irongate with any campaign or threat actors. We acknowledge that Irongate could be a test case, proof of concept, or research activity for ICS attack techniques.”

The fact that Irongate is not an active threat is a tad odd, considering that is similar to Stuxnet. Even more puzzling is the fact the Irongate reportedly goes to great lengths to keep itself hidden. This is why FireEye believes it is a proof of concept piece of code, written by authors unknown.

Proof of concept

Irongate employs three techniques not seen before in malware targeting critical infrastructure.

Firstly, if Irongate detects that a targeted system has a sandbox (a safe area where nasty code can be executed), it will employ sandbox evasion techniques. Essentially, if a sandbox is detected, the code will not run, which implies Irongate’s purpose was malicious, as opposed to a tool written for other legitimate purposes.

Secondly, Irongate also utilises clever masking technologies. “ Irongate actively records and plays back process data to hide manipulations,” said FireEye Labs.

And thirdly Irongate’s principle feature is a man-in-the-middle (MitM) attack against process input-output (IO) and process operator software within industrial process simulation.

FireEye said that the malware replaces a Dynamic Link Library (DLL) with a malicious DLL, which then acts as a broker between a PLC and the legitimate monitoring software. This malicious DLL records five seconds of ‘normal’ traffic from a PLC to the user interface and replays it, while sending different data back to the PLC. This could allow an attacker to alter a controlled process unbeknownst to process operators.

The sophisticated nature of Irongate has left FireEye Labs scratching their collective head, considering that it poses no threat. But it said its presence should act as a warning for industrial operators.

“Even though process operators face no increased risk from the currently identified members of the Irongate malware family, Irongate provides valuable insight into adversary mindset,” it said. “Network security monitoring, indicator of compromise (IoC) matching, and good practice guidance from vendors and other stakeholders represent important defensive techniques for ICS networks.”

Industrial Attacks

Malware targetting industrial systems are not new. In April this year for example a German nuclear power plant in Bavaria admitted that its systems were riddled with malware, and the plant was shut down as a precaution.

The potential risk to systems controlling critical infrastructure and industrial systems remains a worry for many governments and authorities around the world. Researchers have previously warned that security weaknesses in industrial control systems could allow hackers to create cataclysmic failures in infrastructure.

In 2015 a hacker managed to hack into the systems of a nuclear power plant in South Korea. A computer worm was later discovered in a device connected to the control system, but the plant operator insisted that the breach had not reached the reactor controls itself.

The hacker later posted files from the hack online, and included a demand for money.

A German steelworks also suffered “massive damage” after a cyber attack on its computer network in late 2014.

Are you a security pro? Try our quiz!