Feds: Infected USB drive idled power plant 3 weeks

A USB drive tainted with "crimeware" infected a turbine-control system at a U.S. power plant in early October and delayed its restart by three weeks, according to the Homeland Security Department.

At another plant, government computer experts discovered "common and sophisticated malware" on several workstations, including two that were critical to the plant's operation. There was no mention of whether the infection might have come from individuals or other governments.

Neither facility was identified by the U.S. Cyber Emergency Readiness Team (CERT). As Reuters notes, DHS rarely identifies infrastructure hit by viruses.

In the October incident, an outside technician used a USB drive to upload software updates while the plant was shut down for equipment upgrades, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported. The malicious software, a form of Trojan virus used for identity theft, infected about 10 computers.

The quarterly report indicated that the power plant's antivirus and security precautions were not up to date.

In the second incident — CERT does not say when — an employee asked IT staff to inspect a USB drive he used to back up control systems. Up-to-date antivirus "produced three positive hits" for a virus, including one "linked to known sophisticated malware."

The utility then called ICS-CERT, which reported:

ICS-CERT's onsite discussions with company personnel revealed a handful of machines that likely had contact with the tainted USB drive. These machines were examined immediately and drive images were taken for in-depth analysis. ICS-CERT also performed preliminary onsite analysis of those machines and discovered signs of the sophisticated malware on two engineering workstations, both critical to the operation of the control environment. Detailed analysis was conducted as these workstations had no backups, and an ineffective or failed cleanup would have significantly impaired their operations.

No signs of infection were found on 11 other crucial workstations.

CERT did not say whether the second infection disrupted plant operations.

Last week, Homeland Security urged computer users to disable or uninstall the Java programming language because of a serious security vulnerability that lets hackers install malicious code that can steal personal information.

Oracle released a patch Monday, but DHS maintained its warning.