'Irongate' attack looks like Stuxnet, quacks like Stuxnet ...
Thankfully it isn't as bad as Stuxnet, but Siemens control kit is in theoretical peril
FireEye threat researchers have found a complex malware instance that borrows tricks from Stuxnet and is specifically designed to work on Siemens industrial control systems.
Josh Homan, Sean McBride, and Rob Caldwell named the malware "Irongate" and say it is probably a proof-of-concept that is likely not used in the wild.
Industrial control system malware is a complex beast, in large part because exploitation requires knowledge of often weird, archaic, and proprietary systems.
The steep learning curve required to grok such systems limits the risk presented by the many holes they contain.
It is this that makes Irongate interesting. The malware is also unique in that it employs man-in-the-middle attacks to capture normal traffic on human machine interfaces and replay it, in a bid to mask anomalies during attacks.
That replay trick is reminiscent of work by IOActive researcher Alexander Bolshev who told The Register how frequency and amplitude modifications in waves generated by control programmable logic controllers could allow attacks to be masked.
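The replay trick described above has a defender-side corollary: a captured "normal" stream fed back to the HMI reproduces earlier samples verbatim, whereas live readings carry process and sensor noise that never repeats exactly. The following is an added illustration, not FireEye's analysis or code, of a simple detector that fingerprints sliding windows of telemetry values and flags any window that recurs exactly. The sample stream, the window length, and the `MIN_DISTINCT` guard (which keeps a legitimately held setpoint from being flagged) are all constructed assumptions.

```python
"""Flag verbatim replay in an HMI telemetry stream (constructed example).

Assumes each sample is a float reading as delivered to the HMI. A replayed
capture reproduces earlier samples exactly; live readings carry noise.
"""
import random
from collections import deque

WINDOW = 8          # samples per fingerprinted window (assumed value)
MIN_DISTINCT = 3    # skip flat windows: a held setpoint repeats legitimately


def find_replays(samples, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return [(replay_start, original_start), ...] for every window that
    exactly repeats a window seen earlier in the stream."""
    seen = {}                     # window tuple -> index of first occurrence
    hits = []
    buf = deque(maxlen=window)
    for i, value in enumerate(samples):
        buf.append(value)
        if len(buf) < window:
            continue
        key = tuple(buf)
        start = i - window + 1
        if len(set(key)) < min_distinct:
            continue              # flat signal: exact repetition is expected
        if key in seen:
            hits.append((start, seen[key]))
        else:
            seen[key] = start
    return hits


def replay_regions(samples, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Merge consecutive per-window hits into contiguous replay regions:
    [(first_replayed_index, last_replayed_index, source_index), ...]."""
    regions = []
    for start, orig in find_replays(samples, window, min_distinct):
        if regions:
            r_start, r_end, r_orig = regions[-1]
            last_start = r_end - window + 1
            # extend the region if this hit continues the same source segment
            if start == last_start + 1 and orig == r_orig + (start - r_start):
                regions[-1] = (r_start, start + window - 1, r_orig)
                continue
        regions.append((start, start + window - 1, orig))
    return regions


# Constructed telemetry: 60 live pressure readings around 4.0 with noise,
# then an attacker replays the 20 samples recorded at indexes 10..29,
# then live readings resume.
_rng = random.Random(7)
LIVE = [round(4.0 + _rng.gauss(0, 0.05), 4) for _ in range(60)]
STREAM = LIVE + LIVE[10:30] + [round(4.0 + _rng.gauss(0, 0.05), 4) for _ in range(10)]

if __name__ == "__main__":
    for first, last, src in replay_regions(STREAM):
        print(f"replayed samples {first}-{last} duplicate recording from index {src}")
```

On the constructed stream the detector reports one region, samples 60 through 79, as a replay of the recording that began at index 10. The `MIN_DISTINCT` guard is the caveat a practitioner would want: a signal that is genuinely flat will repeat exactly and must not be treated as a replay, so the check only fires on windows that carry variation.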
Irongate is also capable of evading VMware and Cuckoo sandboxes, the use of which is indicative of white hat researchers; such evasion is a standard feature of well-designed malware.
The FireEye and Mandiant team found the malware on VirusTotal, likely uploaded by authors wanting to test their trojan for antivirus detection. No security platforms detected it.
"While Irongate malware does not compare to Stuxnet in terms of complexity, ability to propagate, or geopolitical implications, it leverages some of the same features and techniques," the team says.
"Even though process operators face no increased risk from the currently identified members of the Irongate malware family, it provides valuable insight into adversary mindset."
The malware operates in Siemens simulated programmable logic controller environments, which are used before live deployment, seeking out and replacing proprietary DLL files, but it does not function in standard environments.
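Because the observed behaviour is replacement of DLL files in the simulation environment, the natural defensive check is a baseline-and-compare integrity scan of that directory. The snippet below is an added example, not FireEye's tooling or anything from Siemens: it hashes every DLL under a directory, then classifies later drift as modified, added, or removed. The directory layout and file names in `demo()` are constructed for the illustration.

```python
"""Baseline-and-compare integrity check for a directory of DLLs.

Added illustration, not FireEye's tooling. Assumes the simulation
environment's DLLs live under one directory (the path is hypothetical).
"""
import hashlib
import os
import tempfile


def snapshot(root, suffix=".dll"):
    """Map each matching file (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffix):
                continue
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Classify drift between a stored baseline and a fresh snapshot."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: one DLL swapped out, one dropped in, one deleted.
    Non-DLL files are ignored by the scan."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("a.dll", b"orig-a"), ("b.dll", b"orig-b"),
                           ("c.dll", b"orig-c"), ("notes.txt", b"x")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)
        with open(os.path.join(root, "a.dll"), "wb") as fh:   # replaced DLL
            fh.write(b"replaced")
        with open(os.path.join(root, "d.dll"), "wb") as fh:   # new DLL
            fh.write(b"new")
        os.remove(os.path.join(root, "c.dll"))                 # deleted DLL
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be taken from a known-good installation and stored somewhere the monitored host cannot rewrite; the comparison is cheap enough to run on a schedule or before each simulation run.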
Its infection vector is unknown. ®