New malware that targets industrial control systems called Irongate was found by researchers who say the discovery should serve as another wakeup call to the security industry to shore up its detection capabilities around ICS and SCADA threats. Irongate, which shares some of the same attributes as the lethal Stuxnet malware, was found by researchers at FireEye Labs Advanced Reverse Engineering which published its findings today.
FireEye said the malware does not currently pose a threat because it was designed with the single purpose of running within Siemens simulated control system environments. But researchers say the malware has gone undetected for years, collecting dust in Google’s VirusTotal database.
“Our ability as an industry to understand and detect threats is improving, but it’s not sufficient as evidenced by an example such as this,” said Rob Caldwell, manager of FireEye Labs Advanced Reverse Engineering. “We need to get better at understanding what the threats are to industrial control systems and how to detect them to better defend against them.”
Irongate’s key attributes include its ability to perpetrate a man-in-the-middle attack against process input and output, along with attacking process operator software within industrial simulations, according to FireEye. An Irongate-compromised system could give attackers the ability to alter industrial controls unbeknownst to the system operator. Those types of techniques have been used in the past to sabotage everything from power grids to logic controllers in nuclear centrifuges.
Researchers stumbled onto the malware on VirusTotal in late 2015 while researching droppers compiled with PyInstaller. That’s when FireEye researchers spotted the Irongate sample and noticed a close relationship to SCADA (supervisory control and data acquisition) applications and other industrial control system malware. Investigating the malware further, FireEye researchers noticed that Irongate was submitted to VirusTotal in 2012 and since then had gone undetected.
A technical analysis of the malware revealed a man-in-the-middle attack designed specifically for a custom-compiled user application in a Siemens Step 7 PLC simulation environment. FireEye researchers also found the introduction of a malicious DLL capable of masking malicious behavior of the malware. That DLL had the ability to record five seconds of “normal” traffic from a simulated PLC (programmable logic controller). An attacker could then replay the “normal” traffic to conceal the fact they were sending hardcoded data back to the simulated hardware unnoticed, FireEye said.
But Irongate really surprised research analysts when they discovered the malware designed for industrial control systems began to act more like conventional malware. When Irongate was introduced to a VMware or Cuckoo Sandbox environment via a dropper, the malware attempted to avoid detection by staying dormant and not running.
“While Stuxnet is orders of magnitude technically more advanced, Irongate borrows some similar traits,” said Sean McBride, senior threat intelligence analyst with FireEye.
Similarities between the two include being written for attacks against a specific control system. The two also share the ability to evade discovery by detecting the presence of antivirus software (in the case of Stuxnet) and VMs (for Irongate).
Compared to just a handful of other industrial control system malware – such as BlackEnergy, Havex, and Stuxnet – Irongate remains toothless because it was created for the sole purpose of the Siemens simulated control system environment.
So then, who created Irongate, put it on VirusTotal and why?
FireEye has three theories as to the origins of Irongate. One, a malicious actor was trying to entice someone to use and port the code from within the simulated Siemens control system environment to a real world deployment. Or, an attacker was testing Irongate in the simulated environment for use in a live environment and submitted it to VirusTotal to verify it couldn’t be detected. Lastly, FireEye said it strongly suspects it may have been a security researcher who abandoned their code on VirusTotal.
“There needs to be a lot more effort as an industry to find ICS threats,” said Dan Scali senior manager at FireEye. “We have generally not see a lot of progress since Stuxnet to address the issues that Irongate brings up. The concern is as the capability to do these types of attacks gets easier over time we need to bolster our defenses as a counterweight.”