A new ICS/SCADA-focused malware has been discovered that takes a few pages from Stuxnet in targeting critical infrastructure systems.

Snappily named “Irongate,” the malware targets specific processes within simulated Siemens control system environments, according to FireEye, and is likely a proof-of-concept. But its attributes are important to note for future threat intelligence.

“An important aspect of the Stuxnet story has to do with how the malware was discovered in the first place, which underscores the importance of sharing and reusing information in the cyber community,” said Ben Bernstein, CEO of Twistlock, via email. “The malware FireEye discovered was found by scanning the VirusTotal/Google database, which are essentially crowdsourced databases of potentially malicious artifacts. The ability to find these kinds of important potential threats will only be possible if all of the actors in the cyber community are indeed encouraged to continue and share their data with the rest of the community for the common good.”

In this case, that’s especially true given Irongate’s resemblance to Stuxnet, which is widely attributed to the US and Israel and was used to sabotage uranium-enrichment centrifuges at Iran’s Natanz facility. “While Irongate malware does not compare to Stuxnet in terms of complexity, ability to propagate or geopolitical implications, [it] leverages some of the same features and techniques Stuxnet used to attack centrifuge rotor speeds at the Natanz uranium enrichment facility,” FireEye noted in an analysis. “It also demonstrates new features for ICS malware.”

To wit: Both Stuxnet and Irongate look for a single, highly specific process, and both replace DLLs to achieve process manipulation (Stuxnet swapped out the Step 7 communication DLL; Irongate swaps a DLL used by the simulation’s monitoring software). Both also have evasion techniques aimed at analysts: Irongate detects malware detonation/observation environments and will not run if it finds VMware or Cuckoo Sandbox, whereas Stuxnet looked for the presence of antivirus software.

In the “new features” column, Irongate actively records and plays back process data to hide manipulations.

Its key feature is a man-in-the-middle (MitM) attack against process input-output (IO) and process operator software within an industrial process simulation. The malware replaces a legitimate DLL with a malicious DLL, which then acts as a broker between a PLC and the legitimate monitoring software. This malicious DLL records five seconds of “normal” traffic from the PLC to the user interface and then loops that recording back to the interface, while sending different, attacker-chosen data to the PLC. The operator sees a steady, plausible process while the real one is being altered, so the manipulation is invisible from the operator workstation itself; catching it requires a view of the process that does not pass through the compromised broker.
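The record-and-replay broker described above, reduced to a toy model. This is an added illustration written for this page, not Irongate’s code and not from FireEye’s analysis; Python is used because the Irongate samples themselves were Python droppers packaged with PyInstaller. Everything here is constructed: a toy PLC that reports a noisy process value around a setpoint, a legitimate pass-through broker, a malicious broker that records RECORD_TICKS readings (standing in for the five seconds of normal traffic) and replays them to the HMI while driving the PLC to an attacker-chosen setpoint, and a simple replay detector that flags a window of readings that repeats verbatim, which live, noisy process data should never do.

```python
"""Toy model of a record-and-replay MitM broker between a PLC and an HMI (added example)."""
import random

RECORD_TICKS = 5   # stands in for "five seconds of normal traffic" at one reading per second


class PLC:
    """Constructed toy PLC: keeps a setpoint and reports a noisy process value around it."""

    def __init__(self, setpoint, rng):
        self.setpoint = setpoint
        self.rng = rng

    def read(self):
        return round(self.setpoint + self.rng.uniform(-0.5, 0.5), 2)

    def write_setpoint(self, value):
        self.setpoint = value


class LegitBroker:
    """Models the legitimate DLL: reads and writes pass straight through."""

    def __init__(self, plc):
        self.plc = plc

    def read_for_hmi(self):
        return self.plc.read()

    def write_from_hmi(self, value):
        self.plc.write_setpoint(value)


class ReplayBroker:
    """Models the malicious DLL: record RECORD_TICKS readings, then loop them back to the
    HMI indefinitely while the PLC is driven to an attacker-chosen setpoint."""

    def __init__(self, plc, attacker_setpoint):
        self.plc = plc
        self.attacker_setpoint = attacker_setpoint
        self.recorded = []
        self.replay_idx = 0

    def read_for_hmi(self):
        if len(self.recorded) < RECORD_TICKS:
            value = self.plc.read()            # recording phase: the HMI still sees the truth
            self.recorded.append(value)
            return value
        if self.replay_idx == 0:
            # Manipulation begins the moment replay begins, so the HMI never sees the change.
            self.plc.write_setpoint(self.attacker_setpoint)
        value = self.recorded[self.replay_idx % RECORD_TICKS]
        self.replay_idx += 1
        return value

    def write_from_hmi(self, value):
        # Operator commands are only honoured while recording; afterwards they are dropped.
        if len(self.recorded) < RECORD_TICKS:
            self.plc.write_setpoint(value)


def simulate(broker_factory, ticks=20, seed=1):
    """Poll the broker as an HMI would; return (what the HMI saw, the PLC's real setpoint)."""
    plc = PLC(setpoint=100.0, rng=random.Random(seed))
    broker = broker_factory(plc)
    hmi_view = [broker.read_for_hmi() for _ in range(ticks)]
    return hmi_view, plc.setpoint


def detect_replay(series, window=RECORD_TICKS):
    """Flag back-to-back windows that repeat exactly. Noisy live readings do not repeat
    verbatim, so an identical consecutive window is a strong replay indicator."""
    for i in range(len(series) - 2 * window + 1):
        if series[i:i + window] == series[i + window:i + 2 * window]:
            return True
    return False


if __name__ == "__main__":
    legit_view, legit_sp = simulate(LegitBroker)
    evil_view, evil_sp = simulate(lambda plc: ReplayBroker(plc, attacker_setpoint=250.0))
    print("legit HMI view:", legit_view, "| real setpoint:", legit_sp, "| replay?", detect_replay(legit_view))
    print("evil  HMI view:", evil_view, "| real setpoint:", evil_sp, "| replay?", detect_replay(evil_view))
```

The detector only works because it is fed from a vantage point the broker does not control; run it on the HMI’s own data path and the malicious DLL will simply replay past it too. In practice that means comparing the operator view against an independent source such as a network tap on the PLC link or a historian fed by a separate channel, which is exactly the out-of-band check the replay technique is designed to defeat at the workstation.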

It should be reiterated that this is, for now, a theoretical threat. FireEye researchers found the Irongate samples on VirusTotal while researching droppers compiled with PyInstaller — after testing, the Siemens Product Computer Emergency Readiness Team (ProductCERT) confirmed that Irongate is effective only in simulated environments, and is not viable against operational Siemens control systems. Irongate has also not been associated with any campaigns or threat actors in the wild, so it could be a test case, proof of concept or research activity for ICS attack techniques.

Photo © Poznyakov