Security researchers have identified a new strain of malware that targets industrial control systems. The malware is designed to avoid detection and uses a man-in-the-middle (MITM) attack that would let an attacker tamper with an industrial process without the knowledge of the operators running it.
Security firm FireEye uncovered the malware and named it Irongate. The firm found the malware on Google's VirusTotal service and said it has similarities with the infamous Stuxnet malware, which also targeted Siemens industrial software in an effort to sabotage uranium enrichment facilities in Iran.
FireEye researchers said Irongate was most likely uploaded to VirusTotal by its own developers to see whether it would be detected, since the firm has yet to connect the malware with any past or ongoing malicious campaign or threat actor. "Irongate's characteristics lead us to conclude that it is a test, proof of concept, or research activity," said the firm.
The company analysed several droppers and identified a number of key features, some of which mimic Stuxnet. While the malware currently appears to be non-malicious, researchers believe its presence suggests that attackers may once again be eyeing industrial control systems as targets.
Irongate's MITM attack uses a malicious Dynamic Link Library (DLL) inserted between the controller and the operator software; the DLL records a stretch of normal traffic and replays it to the operator display, which "could allow an attacker to alter a controlled process unbeknownst to process operators". The dropper also checks for sandboxes and other analysis environments of the kind malware analysts use, and will not run if it detects one, in order to avoid being identified.
FireEye also noted that, within a simulated environment, Irongate attacks industrial control systems in a Stuxnet-like way. Although far less sophisticated than Stuxnet, it follows the same approach: it singles out one specific target process, manipulates it from inside the IO path, and conceals the manipulation by showing operators what looks like normal data.
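The record-and-replay technique described in the two paragraphs above, modelled as an added example (this is illustrative code written for this article, not Irongate's code or FireEye's analysis tooling). The PLC, the honest IO layer, the malicious broker and the `looks_replayed` heuristic are all constructed here for the demonstration; the process values are a synthetic ripple around a setpoint, not real controller traffic.

```python
"""Model of a record-and-replay man-in-the-middle between a PLC and its
operator display (HMI). Everything here is a constructed illustration:
the PLC, the brokers and the detector are hypothetical, not real products."""
import math
from typing import List, Tuple


class Plc:
    """Toy PLC: holds a setpoint and reports a process value that tracks it
    with a small deterministic ripple standing in for real sensor noise."""

    def __init__(self, setpoint: float = 50.0) -> None:
        self.setpoint = setpoint
        self.tick = 0

    def read(self) -> float:
        self.tick += 1
        return round(self.setpoint + 0.5 * math.sin(self.tick / 3.0), 3)

    def write_setpoint(self, value: float) -> None:
        self.setpoint = value


class HonestBroker:
    """The legitimate IO layer: reads and writes pass straight through."""

    def __init__(self, plc: Plc) -> None:
        self.plc = plc

    def read(self) -> float:
        return self.plc.read()

    def write(self, setpoint: float) -> None:
        self.plc.write_setpoint(setpoint)


class ReplayBroker:
    """Malicious replacement for the IO layer (the role a swapped DLL plays):
    records `record_len` samples of normal traffic, then replays them to the
    operator display forever while pushing its own setpoint to the PLC and
    silently discarding the operator's corrections."""

    def __init__(self, plc: Plc, record_len: int, rogue_setpoint: float) -> None:
        self.plc = plc
        self.record_len = record_len
        self.rogue_setpoint = rogue_setpoint
        self.recorded: List[float] = []
        self.replay_idx = 0
        self.attacking = False

    def read(self) -> float:
        real = self.plc.read()                      # the PLC keeps answering
        if len(self.recorded) < self.record_len:    # learning phase: pass through
            self.recorded.append(real)
            return real
        if not self.attacking:                      # first tick after recording
            self.plc.write_setpoint(self.rogue_setpoint)
            self.attacking = True
        shown = self.recorded[self.replay_idx % self.record_len]
        self.replay_idx += 1
        return shown                                # operator sees stale "normal" data

    def write(self, setpoint: float) -> None:
        pass                                        # operator's correction is dropped


def run_process(broker, steps: int) -> Tuple[List[float], List[float]]:
    """Drive the loop for `steps` ticks.
    Returns (values the HMI displayed, setpoint the PLC was really running)."""
    shown, truth = [], []
    for _ in range(steps):
        shown.append(broker.read())
        truth.append(broker.plc.setpoint)
    return shown, truth


def looks_replayed(samples: List[float], max_period: int = 10) -> bool:
    """Crude detector: a live process with ripple never repeats a window
    sample-for-sample, but a replayed recording does. Flags any exact period
    up to `max_period` that holds over the last two periods of data."""
    for period in range(1, max_period + 1):
        tail = samples[-2 * period:]
        if len(tail) < 2 * period:
            break
        if tail[:period] == tail[period:]:
            return True
    return False


if __name__ == "__main__":
    honest_shown, honest_truth = run_process(HonestBroker(Plc()), 60)
    print("honest: HMI", honest_shown[-3:], "PLC", honest_truth[-1],
          "replayed?", looks_replayed(honest_shown))
    bad_shown, bad_truth = run_process(ReplayBroker(Plc(), 5, 80.0), 60)
    print("attacked: HMI", bad_shown[-3:], "PLC", bad_truth[-1],
          "replayed?", looks_replayed(bad_shown))
```

In the attacked run the display keeps showing values around 50 while the controller is actually running at 80, and the operator's attempt to write the setpoint back never reaches the PLC. The periodicity check is only a toy heuristic that works because the replayed window is exact; in a real plant the robust check is to compare what the HMI shows against an independent measurement that does not pass through the same software path.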
FireEye added that "Siemens Product Computer Emergency Readiness Team (ProductCERT) confirmed that Irongate is not viable against operational Siemens control systems and determined that Irongate does not exploit any vulnerabilities in Siemens products". The firm said it was sharing the information on Irongate "because the body of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) malware is limited".
Malware targeting industrial control systems is considered especially dangerous because it can disrupt or damage critical infrastructure, as Stuxnet demonstrated when it physically damaged uranium enrichment centrifuges.