The IRONGATE malware is likely a proof of concept, but could signal future attacks Researchers have found a malware program that was designed to manipulate supervisory control and data acquisition (SCADA) systems in order to hide the real readings from industrial processes. The same technique was used by the Stuxnet sabotage malware allegedly created by the U.S. and Israel to disrupt Iran’s nuclear program and credited with destroying a large number of the country’s uranium enrichment centrifuges. The new malware was discovered in the second half of last year by researchers from security firm FireEye, not in an active attack, but in the VirusTotal database. VirusTotal is a Google-owned website where users can submit suspicious files to be scanned by antivirus engines. The mysterious program, which FireEye has dubbed IRONGATE, was uploaded to VirusTotal by several sources in 2014, at which time none of the antivirus products used by the site detected it as malicious. It’s also surprising that no company has identified the malware until late 2015, because the VirusTotal samples are automatically shared with all antivirus vendors who participate in the project. FireEye itself discovered it because the company was searching for potentially suspicious samples compiled with PyInstaller, a technique used by various attackers. Two IRONGATE payloads stood out because they had references to SCADA and associated functionality. The good news is that the samples seem to be a proof of concept or part of some research effort. They’re designed to find and replace a specific DLL that communicates with Siemens SIMATIC S7-PLCSIM, a software product that allows users to run programs on simulated S7-300 and S7-400 programmable logic controllers (PLCs). PLCs are the specialized hardware devices that monitor and control industrial processes — spinning motors, opening and closing valves, etc. They transmit their readings and other data to monitoring software, the human-machine interface (HMI), that runs on workstations used by engineers. Like Stuxnet did at Iran’s Natanz nuclear plant, IRONGATE goal is to inject itself into the SCADA monitoring process and manipulate the data coming from PLCs, potentially hiding ongoing sabotage. Stuxnet did this by suspending the PLC operation so the reported centrifuge rotor speed would remain static and within normal limits while it actually was not. IRONGATE instead records valid data from the PLC and then continuously plays that data back — think of robbers feeding the same video recording to a surveillance camera in a loop. The fact that IRONGATE interacts with a PLC simulator and replaces a DLL that is not part of the Siemens standard product set have led the FireEye researchers to believe this malware was likely just a test. The Siemens Product Computer Emergency Readiness Team (ProductCERT) “has confirmed that the code would not work against a standard Siemens control system environment,” the FireEye researchers said in a blog post Thursday. However, if IRONGATE was just a proof of concept developed in 2014, intended to test a Stuxnet-like man-in-the-middle attack against PLCs, it could mean its creators have built another malware program since then that works against real industrial control system (ICS) deployments. Either way, IRONGATE’s discovery should serve as a warning to organizations that operate SCADA systems. “The attackers have learned and implemented Stuxnet techniques, but the defenders haven’t really improved the ability to detect malware targeting ICS,” Dale Peterson, the CEO of ICS security consultancy Digital Bond, said in a blog post. “We need significant improvement in detection capabilities for ICS integrity attacks.” Related content opinion Can your cloud backup provider fail? Cloud backup providers aren’t infallible. Be sure to ask hard questions of providers about their storage redundancy, geo-replication, data integrity measures, and disaster recovery capabilities. By Curtis Preston Apr 19, 2024 7 mins Backup and Recovery Cloud Computing Data Center news Cisco marries AI and security with cloud-based data center offering Cisco announces AI-based Hypershield, a self-upgrading security fabric that's designed to protect distributed applications, devices and data. By Michael Cooney Apr 18, 2024 5 mins Network Security Data Center how-to Shredding files on Linux with the shred command The shred command is a good option for removing files from a Linux system in a way that makes them virtually impossible to recover. By Sandra Henry-Stocker Apr 18, 2024 4 mins Linux news Intel announces edge AI processors New edge-optimized processors and FPGAs will power AI-enabled devices in vertical industries including retail, industrial and healthcare. By Andy Patrizio Apr 18, 2024 3 mins CPUs and Processors Edge Computing PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe