'Irongate' attack looks like Stuxnet, quacks like Stuxnet ...

Thankfully it isn't as bad as Stuxnet, but Siemens control kit is in theoretical peril

FireEye threat researchers have found a complex malware instance that borrows tricks from Stuxnet and is specifically designed to work on Siemens industrial control systems.

Josh Homan, Sean McBride, and Rob Caldwell named the malware "Irongate" and say it is probably a proof-of-concept that is likely not used in the wild.

Industrial control system malware is a complex beast, in large part because exploitation requires knowledge of often weird, archaic, and proprietary systems.

The steep learning curve required to grok such systems limits the risk presented by the many holes they contain.

It is this that makes Irongate interesting. The malware is also unique in that it employs man-in-the-middle attacks to capture normal traffic on human-machine interfaces and replay it, in a bid to mask anomalies during attacks.

That replay trick is reminiscent of work by IOActive researcher Alexander Bolshev, who told The Register how frequency and amplitude modifications in waves generated by programmable logic controllers could allow attacks to be masked.
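One way a defender can look for the replay trick described above is to check whether the telemetry reaching the HMI is repeating itself verbatim. The code below is an added example written for this article, not FireEye's or Siemens' code; it assumes that replayed traffic reproduces a previously captured window of readings exactly, whereas genuine readings from a physical sensor carry measurement noise, and it uses a constructed stream of pressure samples rather than real PLC data.

```python
"""Replay detection over a stream of sensor readings (added example).

Two checks a monitoring job could run over the values an HMI displays:
  1. find_replayed_segments: a stretch of readings that exactly matches an
     earlier stretch (the signature of a captured-and-replayed window).
  2. find_flat_segments: a run of identical consecutive samples, which a
     noisy physical sensor should not produce.
"""
import random


def find_replayed_segments(readings, window=5):
    """Return (original_start, replay_start, length) for every stretch of
    `readings` that reproduces an earlier stretch verbatim.

    Each sliding window of `window` samples is keyed on its exact values; a
    window seen before is a replay candidate, and consecutive candidates
    are merged into one segment.
    """
    first_seen = {}
    hits = []
    for i in range(len(readings) - window + 1):
        key = tuple(readings[i:i + window])
        if key in first_seen:
            hits.append((first_seen[key], i))
        else:
            first_seen[key] = i

    segments = []
    prev = None
    for orig, later in hits:
        if prev is not None and (orig, later) == (prev[0] + 1, prev[1] + 1):
            o, l, n = segments[-1]          # extend the current segment by one sample
            segments[-1] = (o, l, n + 1)
        else:
            segments.append((orig, later, window))
        prev = (orig, later)
    return segments


def find_flat_segments(readings, min_run=5):
    """Return (start, length) for runs of at least `min_run` identical samples."""
    runs = []
    start = 0
    for i in range(1, len(readings) + 1):
        if i == len(readings) or readings[i] != readings[start]:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = i
    return runs


def constructed_stream():
    """Constructed sample: 40 genuine noisy samples around 3.2 bar, followed by
    samples 10..19 played back verbatim (what a replay would look like)."""
    random.seed(7)
    genuine = [round(3.2 + random.gauss(0, 0.02), 3) for _ in range(40)]
    return genuine + genuine[10:20]


if __name__ == "__main__":
    stream = constructed_stream()
    print("replayed segments:", find_replayed_segments(stream))
    print("flat segments:", find_flat_segments(stream))
```

On the constructed stream the replay check reports one segment of ten samples starting at index 40 that duplicates the samples starting at index 10. In practice the window length and the flat-run threshold need tuning to the sensor's resolution and sampling rate; a low-resolution integer sensor can legitimately repeat values, so the exact-window check is the more robust of the two.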

Irongate also detects and evades VMware and Cuckoo sandboxes, whose presence is indicative of white-hat researchers; such evasion is a standard feature of well-designed malware.

The FireEye and Mandiant team found the malware on VirusTotal, likely uploaded by authors wanting to test their trojan for antivirus detection. No security platforms detected it.

"While Irongate malware does not compare to Stuxnet in terms of complexity, ability to propagate, or geopolitical implications, it leverages some of the same features and techniques," the team says.

"Even though process operators face no increased risk from the currently identified members of the Irongate malware family, it provides valuable insight into adversary mindset."

The malware operates in Siemens simulated programmable logic controller environments, which are used before live deployment, seeking out and replacing proprietary DLL files; it does not function in standard production environments.
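Because the malware works by swapping out DLL files in the simulation environment, a baseline-and-verify integrity check over those files is the obvious defensive control. The following is an added example, not FireEye's or Siemens' code, and the DLL names and contents are constructed placeholders: it records SHA-256 hashes of a trusted install and later reports files that were modified, removed, or dropped in.

```python
"""DLL integrity baseline and verification (added example).

Run build_manifest() against a known-good install, store the manifest
somewhere the monitored host cannot alter, and run verify_manifest()
periodically or before each simulation run.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _dlls_in(directory):
    return {name for name in os.listdir(directory) if name.lower().endswith(".dll")}


def build_manifest(directory):
    """Map each .dll in `directory` to its SHA-256, taken on a trusted install."""
    return {name: sha256_of(os.path.join(directory, name))
            for name in sorted(_dlls_in(directory))}


def verify_manifest(directory, manifest):
    """Compare the current directory against the baseline manifest.

    Returns a report with three sorted lists: DLLs whose hash changed,
    DLLs that disappeared, and DLLs that were not in the baseline at all.
    """
    present = _dlls_in(directory)
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in present:
            report["missing"].append(name)
        elif sha256_of(os.path.join(directory, name)) != expected:
            report["modified"].append(name)
    report["unexpected"] = sorted(present - set(manifest))
    return report


def demo():
    """Constructed scenario: baseline two DLLs, then replace one, delete one,
    and drop in a third, as a DLL-swapping implant would."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)

        write("sim_runtime.dll", b"original runtime")   # placeholder names, not real Siemens files
        write("sim_io.dll", b"original io")
        baseline = build_manifest(d)

        write("sim_runtime.dll", b"replaced runtime")   # modified in place
        os.remove(os.path.join(d, "sim_io.dll"))        # removed
        write("helper.dll", b"dropped in")              # unexpected newcomer
        return verify_manifest(d, baseline)


if __name__ == "__main__":
    print(demo())
```

The check only helps if the manifest and the checker itself live outside the reach of whatever altered the DLLs, so keep the baseline on a separate host or signed, and treat a modified or unexpected DLL in the simulation directory as an incident to investigate rather than a file to quietly restore.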

Its infection vector is unknown. ®

Biting the hand that feeds IT © 1998–2022