Evidence of Infected SCADA Systems Washes Up in Support Forums

While security experts and lawmakers debate the seriousness of cyber threats to critical infrastructure, one security researcher says that evidence that viruses and spyware already have access to industrial control systems is hiding in plain sight: on Web-based user support forums.

Close to a dozen log files submitted to a sampling of online forums show that laptops and other systems used to connect to industrial control systems are infected with malware and Trojan horse programs, including one system used to control machinery for the UK-based energy firm Alstom UK, according to industrial control systems expert Michael Toecker.

Toecker said he uncovered almost a dozen log files from computers connected to industrial control systems (ICS) while conducting research online. The configuration log files, captured by Trend Micro's free HijackThis tool, were willingly submitted by the computers' operators in an effort to weed out malware infections. The random sampling suggests that critical infrastructure providers are vulnerable to attacks that take advantage of mobile workers and contractors who bring infected laptops and mobile devices into secure environments.

Toecker circulated his findings via Twitter and discussed them in a blog post for Digital Bond, a consulting firm that specializes in work with firms in the control systems space. He discovered the links between infected Windows systems and industrial control systems by analyzing the HijackThis logs posted on the forums, which reveal detailed configuration information about the systems in question, the organizations they belonged to, and even the role of the individual who owned each system.

In one case, posted on a UK-based support forum in 2008, Toecker said the HijackThis log revealed that a system belonging to the UK energy firm Alstom had been infected with the Zlob Trojan and that the system's DNS queries were being redirected to two Ukrainian DNS servers known to send users to malicious drive-by download sites.

The log contained references to an alstom.com domain associated with the company's power conversion division, and showed that the laptop was managing a number of ICS products, including GE's Proficy, Intellution and FANUC products and Alspa Pilot, Alstom's controller interface and programming software.

The logs don't reveal how the system became infected with the Zlob Trojan, but other forum posts make it clear how such infections happen.

“I downloaded what seemed to be a video codec to play a video through a website. Now I constantly get an annoying pop-up message every time I open Internet Explorer, or even search for something in Google,” wrote a user named EmerickAguilera in a 2008 post to the experts-exchange.com forum. Details from that user's HijackThis configuration log revealed an entry for a SCADA application installed in a directory named “DevelopmentDubaiPalmJumeirah,” an apparent reference to one of the three famous palm-shaped man-made islands in Dubai.
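The sifting Toecker describes, recognising ICS software from run entries and paths, spotting an Alstom domain, and catching the rewritten DNS servers that Zlob-style malware leaves behind, can be scripted. The following Python triage script is an added example written for this page; it is neither Toecker's tooling nor anything from Trend Micro or Digital Bond. The HijackThis conventions it relies on (a leading process list, O4 autorun entries, O17 per-interface NameServer and Domain settings, O23 services) are the tool's own, but the sample log, its paths and binary names, the "alstom.example" domain and the 203.0.113.x resolvers are constructed for the example; the article does not give the real resolver addresses.

```python
"""Triage a HijackThis-style log for ICS software and rogue DNS settings.

Added example, not code from the article or from any of the parties it
names. SAMPLE_LOG is constructed: invented paths and names, documentation
range IPs (203.0.113.0/24) standing in for the real rogue resolvers.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample log, laid out the way HijackThis prints one.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\GE Fanuc\Proficy iFIX\FIX.exe
C:\Program Files\Alstom\Alspa Pilot\pilot.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Runtime] C:\DevelopmentDubaiPalmJumeirah\scada\runtime.exe
O4 - HKLM\..\Run: [vidcodec] C:\WINDOWS\system32\vidcodec.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0F3}: NameServer = 203.0.113.7,203.0.113.9
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = powerconv.alstom.example
O23 - Service: Proficy Historian - GE Fanuc - C:\Program Files\Proficy\Historian\ihService.exe
"""

# Product names taken from the article; extend for your own vendor mix.
ICS_KEYWORDS = ("proficy", "ifix", "intellution", "fanuc", "alspa", "scada")

# Resolvers a site laptop should be using: here the RFC 1918 ranges, as a
# stand-in for the real corporate DNS addresses (assumption for the example).
TRUSTED_DNS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
               ip_network("192.168.0.0/16")]

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")      # e.g. "O4 - HKLM\..\Run: ..."
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")            # lines of the process list
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")
DOMAIN_RE = re.compile(r"Domain = ([\w.-]+)")


def parse_log(text):
    """Return (tag, body) tuples: tagged entries plus 'process' list lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif PROCESS_RE.match(line):
            entries.append(("process", line))
    return entries


def ics_indicators(entries):
    """Entries whose path or name mentions an ICS product: (tag, body, keyword)."""
    hits = []
    for tag, body in entries:
        low = body.lower()
        for kw in ICS_KEYWORDS:
            if kw in low:
                hits.append((tag, body, kw))
                break
    return hits


def dns_servers(entries):
    """All resolver addresses configured in O17 NameServer entries."""
    servers = []
    for tag, body in entries:
        if tag == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                servers.extend(s for s in m.group(1).split(",") if s)
    return servers


def rogue_dns(entries, trusted=TRUSTED_DNS):
    """Resolvers outside the trusted ranges. DNS-changing Trojans such as
    Zlob work by rewriting exactly this per-interface setting."""
    return [s for s in dns_servers(entries)
            if not any(ip_address(s) in net for net in trusted)]


def domain_hints(entries):
    """Windows domain names from O17 entries; these tie a log to an organisation."""
    return [DOMAIN_RE.search(body).group(1)
            for tag, body in entries
            if tag == "O17" and DOMAIN_RE.search(body)]


def triage(text):
    """Summarise one log: ICS footprint, rogue resolvers, organisation hints."""
    entries = parse_log(text)
    return {"ics": ics_indicators(entries),
            "rogue_dns": rogue_dns(entries),
            "domains": domain_hints(entries)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed log the script flags four ICS-related entries (two running binaries, the autorun under the Dubai-named directory and the Proficy service), both public resolvers, and the Alstom-style Windows domain, which is the same chain of inferences the article describes. In practice the trusted resolver list should be the site's actual DNS addresses, and the keyword list the products a given operator actually runs.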

Public evidence of infected systems with direct access to industrial control systems, and potentially to critical infrastructure, shouldn't be surprising, Toecker writes. But it should prompt critical infrastructure owners to rethink how truly “closed” their networks are, and to increase scrutiny of every system that has access to them, including mobile systems used by vendors, contractors and full-time employees.

Discussion

  • Anonymous on

    Perhaps we should be mad at the MPEG group for locking up all the codecs and not allowing every system to include a clean, secure copy of every codec it might need.

  • Anonymous on

    Remind me again why critical infrastructure is running Windows? It sure as hell didn't work out for the US Navy.

  • Stiennon on

    No surprises here. Where there is Windows there are infections. Power grid operators in the US NE were scrambling to counter MSBlaster when the grid failed.

  • REtges on

    Public evidence of infected systems that have direct access to industrial control systems - and potentially to critical infrastructure - shouldn't be surprising, Toecker writes.

    However, it should prompt critical infrastructure owners to rethink how truly "closed" their networks are, and to increase scrutiny of all the systems that have access to them, including mobile systems used by vendors, contractors and full-time employees.

  • Rusty on

    I have a Linux/Java based secure SCADA system that uses a 256-bit symmetrical cipher for encrypting packets. It consists of Field PLC software that can easily be run on an SBC and a central logging server. The Field PLC is scriptable. Take a look at: http://www.java-scada.com
