Researchers at FireEye have discovered a new variant of malware designed to attack industrial control systems (ICS) that manage the workings of critical infrastructure but aren’t sure exactly what they’ve found. On June 2, the team released a breakdown of the malware — which they dubbed IRONGATE — in an effort to raise awareness in the cybersecurity community and get feedback on where it might have come from and what exactly its purpose is.
While researching Python-based malware, researchers with the FireEye Labs Advanced Reverse Engineering (FLARE) team discovered two samples that contained a suspicious executable named scada.exe, apparently a reference to the supervisory control and data acquisition (SCADA) systems used in ICS.
Research Paper: IRONGATE ICS Malware — Nothing to See Here … Masking Malicious Activity on SCADA Systems
The malware doesn’t seem to be propagating in the wild, and the apparent target — Siemens, which builds industrial control systems, among other things — “confirmed that IRONGATE is not viable against operational Siemens control systems” and that it doesn’t exploit any vulnerabilities in the company’s control systems, according to the June 2 report.
Further, the malware was created to run in a specific simulated environment, leading FireEye researchers to conclude it is likely a “test case, proof of concept or research activity for ICS attack techniques.”
What is concerning, however, is the package’s similarity to Stuxnet — the most advanced malware to date designed to target critical infrastructure — and the evasive techniques IRONGATE uses to keep itself hidden.
“From a sophistication point of view, this is definitely not at all on the level of Stuxnet,” said Rob Caldwell, ICS manager at FireEye. “But it uses some new techniques and methods and that’s what’s really interesting to us in the control systems community.”
Specifically, IRONGATE uses three methods that, while not new in the cybersecurity sector, have never been associated with malware targeting critical infrastructure systems.
The first is sandbox evasion, a technique malicious actors use to avoid automated analysis. Before doing anything else, the dropper checks whether it is running inside a virtual machine or a sandbox, an isolated analysis environment where suspicious code can be detonated and observed without affecting production systems (the FireEye report names VMware and Cuckoo Sandbox). If one is detected, the malicious payload does not run.
“From an obfuscation point of view, that’s a pretty simple technique and easily worked around by a lot of the technology that’s out there,” Caldwell said. “But it’s something we’ve never seen control system malware do before.”
The second interesting feature of the malware is another masking technique. Once running, it records a window of normal process traffic and then replays that recording on a loop to the operator’s view, much as a burglar might feed a looped recording to a video surveillance system.
The third feature of IRONGATE is another standard of modern malware: the man-in-the-middle attack.
At its core, IRONGATE is designed to intercept a specific input from the user and substitute one of two hardcoded values for it. Doing so could cause the process to malfunction while the operator is shown incorrect or confusing readings.
This tactic is similar to how Stuxnet operates, though the IRONGATE code only substitutes one of two hardcoded values rather than manipulating the data dynamically.
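To make the record-and-replay and value-substitution behaviour described above concrete, here is a small Python model of a malicious broker sitting between a controller and its operator interface, together with one simple check a defender could run over what the interface is shown. This is an added illustration written for this page; it is not IRONGATE’s code, not FireEye’s, and not a real Siemens environment. The names FakePLC, ReplayBroker and run_scenario, the five-sample recording window, the two injected values 0.0 and 100.0, and the rule for choosing between them are all assumptions; the article only says that normal traffic is replayed on a loop and that one of two hardcoded values is substituted.

```python
import random

RECORD_LEN = 5                 # assumed: samples of "normal" traffic the broker records
INJECT_VALUES = (0.0, 100.0)   # assumed: the two hardcoded values the broker can write


class FakePLC:
    """Constructed PLC stand-in: the process value follows the last commanded
    setpoint with a little measurement jitter. Not a real controller."""

    def __init__(self, setpoint=50.0, seed=1):
        self.rng = random.Random(seed)
        self.value = setpoint
        self.commanded = setpoint

    def read(self):
        # Move one fifth of the way toward the commanded setpoint each tick.
        self.value += (self.commanded - self.value) * 0.2
        return round(self.value + self.rng.uniform(-0.5, 0.5), 2)

    def write(self, setpoint):
        self.commanded = setpoint


class ReplayBroker:
    """Model of a malicious broker sitting between the PLC and the HMI.

    During the first RECORD_LEN reads it passes live data through and records it.
    After that it loops the recording to the HMI and swaps the operator's setpoint
    for one of two hardcoded values before it reaches the PLC."""

    def __init__(self, plc, record_len=RECORD_LEN, inject_values=INJECT_VALUES):
        self.plc = plc
        self.record_len = record_len
        self.inject_values = inject_values
        self.recording = []
        self.replay_index = 0

    @property
    def replaying(self):
        return len(self.recording) >= self.record_len

    def read_for_hmi(self):
        """Value shown to the operator: live while recording, looped afterwards."""
        live = self.plc.read()          # the PLC is still polled; its answer is just hidden
        if not self.replaying:
            self.recording.append(live)
            return live
        shown = self.recording[self.replay_index % self.record_len]
        self.replay_index += 1
        return shown

    def write_from_hmi(self, setpoint):
        """Value delivered to the PLC: the operator's, or a hardcoded substitute."""
        if self.replaying:
            # Assumption: which of the two values is injected depends on the
            # operator's request; the article only says one of two is substituted.
            setpoint = self.inject_values[0] if setpoint < 50.0 else self.inject_values[1]
        self.plc.write(setpoint)


def repeats_exactly(samples, window):
    """Detection check: True when the newest `window` samples are identical to the
    `window` samples before them. Jittered live data practically never does this;
    a looped recording does it on every cycle."""
    if len(samples) < 2 * window:
        return False
    return list(samples[-window:]) == list(samples[-2 * window:-window])


def run_scenario(ticks=20, window=RECORD_LEN):
    """Drive the model for `ticks` polls. Returns (hmi_feed, plc_actual, alert_ticks)."""
    plc = FakePLC()
    broker = ReplayBroker(plc)
    hmi_feed, plc_actual, alerts = [], [], []
    for t in range(ticks):
        broker.write_from_hmi(60.0)             # operator keeps requesting 60
        hmi_feed.append(broker.read_for_hmi())  # what the operator is shown
        plc_actual.append(round(plc.value, 2))  # what the process is really doing
        if repeats_exactly(hmi_feed, window):
            alerts.append(t)
    return hmi_feed, plc_actual, alerts


if __name__ == "__main__":
    feed, actual, alerts = run_scenario()
    for t, (shown, real) in enumerate(zip(feed, actual)):
        flag = "REPLAY?" if t in alerts else ""
        print(f"t={t:2d} HMI shows {shown:6.2f}  PLC actually {real:6.2f}  {flag}")
```

Running it shows the operator’s screen settling around the values recorded in the first five polls while the modelled process is driven to the injected value, and the exact-repeat check firing as soon as the first replayed cycle completes. Treat the check as a starting point only: real process variables are often quantised or sit at a steady state and can legitimately repeat, so a practitioner would compare the interface’s view against an independent path (a historian, or a capture taken on the controller side of the suspect host) rather than rely on repetition alone.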
The hardcoded substitution, along with the direct reference to SCADA in the executable’s name and the fact that the code is only designed to run in a simulated environment, led FireEye researchers to conclude that this is likely a proof of concept for how to attack ICS.
But that doesn’t mean the discovery isn’t significant and possibly even useful.
Caldwell noted there are only three other known malware packages that target ICS: Stuxnet, Havex and BlackEnergy. While IRONGATE has yet to be seen in the wild, having a fourth sample of ICS malware could help improve research in this area.
“If you look at the control system malware space, there’s three samples to date — now four — so it’s a very, very small sample size,” Caldwell said. “We’re trying to get this information out to the rest of the community to help us build this story. We don’t have all the pieces to it — as far as attribution, as far as what actually executes and drops this malware — and that’s what we want to talk about with the rest of the community.”
“Someone — whoever they are — has proven the concept,” said Stephen Ward, FireEye’s director of communications for global government and government affairs. “Someone is thinking about this type of activity where you can mask what you’re doing while at the same time conducting malicious activity … We have to take away that if it’s the good guys thinking about it, the bad guys definitely have as well; if it’s bad guys thinking about it, then that’s definitely bad.”
Source: Federal Times