Mystery malware designed to target industrial control systems has been inadvertently discovered by cybersecurity firm FireEye, the company announced on Thursday.
Those systems can include critical infrastructure like electrical grids, sewage plants, air traffic control and transportation systems. Researchers have been unable to determine where the program they’ve dubbed “IronGate” came from, but describe it as similar in design to “Stuxnet,” the worm that sabotaged uranium-enrichment centrifuges at Iran’s Natanz facility.
“While IronGate malware does not compare to Stuxnet in terms of complexity, ability to propagate, or geopolitical implications, [it] leverages some of the same features and techniques Stuxnet used to attack centrifuge rotor speeds at the Natanz uranium enrichment facility,” FireEye said. “It also demonstrates new features for ICS malware.”
The similarities include targeting a single, highly specific process rather than any system the malware lands on; checking for analysis environments such as virtual machines and sandboxes and refusing to run where it could be studied; and recording a stretch of normal “process data” and replaying it to operators to hide the manipulations being made underneath. That replay, researchers explained, is analogous to putting a security camera on a looped recording so that a guard watching the monitor sees nothing unusual.
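The record-and-replay trick described above, modeled as an added example that is not code from FireEye or from the malware itself: a stand-in for the component that sits between the controller and the operator screen records a window of normal readings, then loops them back to the screen while the real process is driven somewhere else. The two checks at the end are the ones a defender would want: verbatim repetition of a window of telemetry (real sensors are noisy and never repeat bit-for-bit), and disagreement between what the screen reports and an independent out-of-band measurement. The process model, the window size and the sample values are all constructed for the illustration.

```python
"""Constructed model of a telemetry record-and-replay man-in-the-middle
and two detection checks. Not derived from the IronGate sample."""
import math


def true_process(t: int) -> float:
    """Assumed 'healthy' rotor speed: 1000 rpm plus a small deterministic
    ripple standing in for sensor noise (constructed for this example)."""
    return 1000.0 + 5.0 * math.sin(t / 3.0)


class ReplayMitm:
    """Sits between the controller's telemetry and the operator display.

    For the first `window` samples it passes readings through unchanged
    while recording them; afterwards it loops the recording back to the
    display forever, so whatever happens to the real process is invisible.
    """

    def __init__(self, window: int):
        self.window = window
        self.recorded: list[float] = []
        self.pos = 0

    def relay(self, real_value: float) -> float:
        if len(self.recorded) < self.window:
            self.recorded.append(real_value)   # learning phase: pass through
            return real_value
        value = self.recorded[self.pos % self.window]  # replay phase: loop
        self.pos += 1
        return value


def run_simulation(steps: int, window: int, manipulation_start: int,
                   manipulated_speed: float) -> tuple[list[float], list[float]]:
    """Return (what the display shows, what the process actually did).

    From `manipulation_start` onwards the real speed is forced to
    `manipulated_speed`; the display keeps showing the looped recording.
    """
    mitm = ReplayMitm(window)
    shown, actual = [], []
    for t in range(steps):
        real = manipulated_speed if t >= manipulation_start else true_process(t)
        actual.append(real)
        shown.append(mitm.relay(real))
    return shown, actual


def find_replay(readings: list[float], window: int):
    """Detector 1: index of the first window that exactly repeats the window
    immediately before it, or None. Noisy sensor data does not repeat
    bit-for-bit; a looped recording does. (A perfectly constant legitimate
    signal would also trip this, so treat hits as leads, not verdicts.)"""
    for start in range(window, len(readings) - window + 1):
        if readings[start:start + window] == readings[start - window:start]:
            return start
    return None


def max_discrepancy(reported: list[float], measured: list[float]) -> float:
    """Detector 2: largest gap between displayed values and an independent
    measurement (a second sensor path the attacker does not control)."""
    return max(abs(r - m) for r, m in zip(reported, measured))


def demo() -> dict:
    """Run the scenario: 10-sample recording, manipulation begins at t=20."""
    shown, actual = run_simulation(steps=60, window=10,
                                   manipulation_start=20,
                                   manipulated_speed=1500.0)
    return {
        "shown": shown,
        "actual": actual,
        "replay_at": find_replay(shown, 10),
        "discrepancy": max_discrepancy(shown, actual),
    }


if __name__ == "__main__":
    result = demo()
    print("display stayed within 1000 +/- 5 rpm:",
          all(abs(v - 1000.0) <= 5.0 for v in result["shown"]))
    print("replay detected at sample:", result["replay_at"])
    print("max gap vs. independent sensor:", round(result["discrepancy"], 1))
```

Note what the two checks need: the repetition check works on the displayed stream alone, but only catches crude looping; the discrepancy check is the stronger one and requires a measurement path the attacker cannot touch, which is exactly the design point a looped-camera attack is betting against.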
The main difference between Stuxnet and IronGate, researchers said, is that IronGate works only against a simulated Siemens control-system environment, not against the live Siemens equipment Stuxnet was built to sabotage.
Experts aren’t sure what motivated the program’s invention. “We’ve got theories ranging from the nefarious to the totally benign,” said Dan Scali, a senior manager for FireEye. “Someone [could be] looking to test it in a simulation environment and then re-do it or rewrite code to attack processes in the real world.”
On the benign end, Scali said, a security researcher might simply have built it as a proof of concept to demonstrate where vulnerabilities exist.
Scali and Sean McBride, a senior threat intelligence analyst for FireEye, said the company’s reverse-engineering team discovered the malware while trying to identify an unnamed actor behind another malicious program. They said that while there were similarities between the code used in IronGate and code used by the group they were seeking, the link was ultimately too tenuous to confirm.
The team said the company was revealing their discovery to raise awareness of the risks posed by critical vulnerabilities. “There is not a lot of information out there about industrial control systems malware and industrial control system attacks,” McBride said. “Not even knowing what this is, we thought it was important to share with the community.”
Scali added that he hoped the company would figure out where it came from. “People may look at this and learn some things about how industrial control systems may be attacked,” Scali said, “and maybe someone will raise their hand and say, ‘Oh yeah, I wrote that.'”
