IT Security: Mysterious malware targets industrial control system

Share This

The IRONGATE malware is likely a proof of concept, but could signal future attacks

Researchers have found a malware program that was designed to manipulate supervisory control and data acquisition (SCADA) systems in order to hide the real readings from industrial processes.

The same technique was used by the Stuxnet sabotage malware allegedly created by the U.S. and Israel to disrupt Iran’s nuclear program and credited with destroying a large number of the country’s uranium enrichment centrifuges.

The new malware was discovered in the second half of last year by researchers, not in an active attack, but in the VirusTotal database. VirusTotal is a Google-owned website where users can submit suspicious files to be scanned by antivirus engines.

The mysterious program, dubbed IRONGATE, was uploaded to VirusTotal by several sources in 2014, at which time none of the antivirus products used by the site detected it as malicious.

It is also surprising that no company has identified the malware until late 2015, because the VirusTotal samples are automatically shared with all antivirus vendors that participate in the project.

The good news is that the samples seem to be a proof of concept or part of some research effort. They are designed to find and replace a specific DLL that communicates with Siemens SIMATIC S7-PLCSIM, software that allows users to run programs on simulated S7-300 and S7-400 programmable logic controllers (PLCs).

PLCs are the specialized hardware devices that monitor and control industrial processes — spinning motors, opening and closing valves, etc. They transmit their readings and other data to monitoring software, the human-machine interface (HMI), that runs on workstations used by engineers.

Like Stuxnet did at Iran’s Natanz nuclear plant, IRONGATE goal is to inject itself into the SCADA monitoring process and manipulate the data coming from PLCs, potentially hiding ongoing sabotage.

Stuxnet did this by suspending the PLC operation so the reported centrifuge rotor speed would remain static and within normal limits while it actually was not. IRONGATE instead records valid data from the PLC and then continuously plays that data back — think of robbers feeding the same video recording to a surveillance camera in a loop.

The fact that IRONGATE interacts with a PLC simulator and replaces a DLL that is not part of the Siemens standard product set have led the researchers to believe this malware was likely just a test.

The Siemens Product Computer Emergency Readiness Team (ProductCERT) “has confirmed that the code would not work against a standard Siemens control system environment“.

However, if IRONGATE was just a proof of concept developed in 2014, intended to test a Stuxnet-like man-in-the-middle attack against PLCs, it could mean its creators have built another malware program since then that works against real industrial control system (ICS) deployments.

Either way, IRONGATE’s discovery should serve as a warning to organizations that operate SCADA systems.

The attackers have learned and implemented Stuxnet techniques, but the defenders have not really improved the ability to detect malware targeting ICS. There is a significant need for improvement in detection capabilities for ICS integrity attacks.