Evidence of Infected SCADA Systems Washes Up in Support Forums

While security experts and lawmakers debate the seriousness of cyber threats to critical infrastructure, one security researcher says that evidence that viruses and spyware already have access to industrial control systems is hiding in plain sight: on Web based user support forums.


Close to a dozen log files submitted to a sampling of online forums show evidence that laptops and other systems used to connect to industrial control systems are infected with malware and Trojan horse programs, including one system that was used to control machinery for the UK-based energy firm Alstom UK, according to industrial control systems expert Michael Toecker.

Toecker said he has uncovered almost a dozen log files from computers that are connected to industrial control systems (ICS) while conducting research online. The configuration log files, captured by the free tool HijackThis by Trend Micro, were willingly submitted by the computer’s operator in an effort to weed out pesky malware infections. The random sampling suggests that critical infrastructure providers are vulnerable to attacks that take advantage of mobile workers and contractors that bring infected laptops and mobile devices into secure environments. 

Toecker circulated his findings via Twitter and discussed them in a blog post for Digital Bond, a consulting firm that specializes in work with firms in the control systems space. He discovered the links between infected Windows systems and industrial control systems by analyzing the HijackThis logs posted on the forums, which reveal detailed configuration information about the systems in question, the organization they belonged to, and even the role of the individual who owned the system.

In one case, posted on a UK-based support forum in 2008, Toecker said the HijackThis logs reveal that a system belonging to the UK energy firm Alstom had been infected with the Trojan Zlob and that DNS queries from the system were being redirected to two Ukrainian DNS servers that were known to redirect users to malicious, drive-by download sites.

The system contained references to an alstom.com domain associated with the company’s power conversion division, and the logs show the laptop was managing a number of ICS systems including GE’s Proficy, Intellution and FANUC products and Alspa Pilot, Alstom’s controller interface and programming software.
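The kind of triage Toecker did by hand can be scripted: a HijackThis log lists one entry per line, keyed by a section code (O4 for autorun programs, O17 for the DNS servers configured in the registry), so a defender can flag logs that both reference ICS software and point DNS at resolvers outside the corporate set. The example below is added here and is not Toecker's or Digital Bond's code; the sample log lines, the trusted-resolver list and the executable names are constructed placeholders, and only the product keywords come from the article.

```python
import ipaddress
import re

# Product names the article says appeared in the Alstom log; used as keywords.
ICS_KEYWORDS = ("proficy", "intellution", "fanuc", "alspa pilot", "scada")

# Assumed corporate resolver allowlist (placeholder addresses, not Alstom's).
TRUSTED_DNS = {"10.0.0.53", "10.0.0.54"}

# Constructed sample log (hypothetical paths, documentation-range IPs).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Proficy] C:\Program Files\GE Fanuc\Proficy\server.exe
O4 - HKLM\..\Run: [AlspaPilot] C:\Alstom\Alspa Pilot\pilot.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1B2}: NameServer = 203.0.113.7,203.0.113.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3D4}: NameServer = 10.0.0.53
O23 - Service: Intellution Workspace (hypothetical) - C:\Intellution\ws.exe
"""

LINE_RE = re.compile(r"^(?P<code>[OR]\d{1,2})\s+-\s+(?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,\s]+)")


def parse_hjt(log_text):
    """Yield (section code, body) for each HijackThis entry line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(log_text, trusted_dns=TRUSTED_DNS):
    """Flag ICS software references and O17 DNS servers outside the trusted set."""
    ics_hits, rogue_dns = [], []
    for code, body in parse_hjt(log_text):
        if any(k in body.lower() for k in ICS_KEYWORDS):
            ics_hits.append(f"{code}: {body}")
        if code == "O17":
            m = NAMESERVER_RE.search(body)
            for raw in (m.group("servers").split(",") if m else []):
                ip = raw.strip()
                try:
                    ipaddress.ip_address(ip)  # skip malformed tokens
                except ValueError:
                    continue
                if ip not in trusted_dns:
                    rogue_dns.append(ip)
    return {
        "ics_software": ics_hits,
        "untrusted_dns": sorted(set(rogue_dns)),
        "ics_host_with_dns_hijack": bool(ics_hits) and bool(rogue_dns),
    }
```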

The logs don’t reveal how the system became infected with the Zlob trojan, but other forum posts make it clear how infections happened. 

“I downloaded what it (sp) seemed to be a video codec to play a video through a website. Now I constantly get an annoying pop up message appear every time I open Internet Explorer, or even search for something in Google,” wrote a user named EmerickAguilera in a 2008 post to the experts-exchange.com forum. Details from the HijackThis configuration log revealed an entry for a SCADA application installed in a directory named “DevelopmentDubaiPalmJumeirah,” an apparent reference to one of three famous palm-shaped man-made islands in Dubai.

Public evidence of infected systems that have direct access to industrial control systems – and potentially to critical infrastructure – shouldn’t be surprising, Toecker writes. However, it should prompt critical infrastructure owners to rethink how truly “closed” their networks are, and to increase scrutiny of all the systems that have access to them, including mobile systems used by vendors, contractors and full-time employees.
