
Malware families in industry

Posted on 06/14/2016, by Daniel Fírvida (INCIBE)
malware in industry


From time to time, cybersecurity incidents in industry involving malware are made public, and the news is often quite worrying.

At the beginning of May 2016, a municipal water and electricity supplier in Michigan was affected by ransomware. A few days before, it was malware in a nuclear plant in Germany, where some of the equipment was affected by Conficker. In 2014, also in Germany, a steel plant had to shut down operations because of a spear-phishing attack. Going back a little further, in 2003 the Davis-Besse nuclear plant in the United States, affected by the Slammer worm, also had to stop operations.

These cases, and there are surely more, are all relevant; each differs from the others in some respects, but in none of them was the malware specifically designed for industrial control systems.

Clearly, these cases show industry's dependence on traditional IT systems. This is something we have addressed on previous occasions in this blog, but, as these incidents show, it is still not sufficiently taken into account in some situations.

Although it is scarce, we can confirm the existence of malware specifically designed for industrial control systems. There are several reasons that explain the scarcity of such specific malware, but we can group them under three main headings:

  1. Lack of visibility. There is little visibility of malware incidents in industrial control systems within the cybersecurity industry, anti-virus companies, etc. To an extent this is logical: industrial networks are often isolated, the security systems installed (IDS, anti-virus) are disconnected from their manufacturers, and nobody analyses their false negatives in search of new threats. Moreover, these security systems are often not well adapted to monitoring industrial control networks. In the end, this means that malware is rarely actively searched for in these systems and networks.
  2. Little interest in the target. Traditional malware and its usual creators have little interest in industry. Their aim is usually to monetise criminal activity quickly, which is not simple when the target is industrial infrastructure. Interest is therefore focused on data theft, mainly bank details, and on ransomware, botnets, etc. These threats are not designed to attack industry, just as they are designed to affect Windows rather than Linux/Unix systems: it is a matter of optimising effort. In addition, the consequences of being caught are of a different nature: bank fraud is not the same as sabotage that could cause casualties.
  3. Particularities of the industrial environment. Many industrial control systems are very specific, which makes it very difficult to create malware that is well adapted to them. Broad knowledge of engineering and of how the system works in the actual industry is needed.

As for the malware for industrial control systems that we know about and which has caused major incidents, we have mainly the following:

But this scenario could be changing, and not exactly for the better, with the appearance of new research and very specific threats that could represent a major step in the development of these threats.

At the beginning of May, at the Black Hat Asia 2016 conference, several researchers from the company OpenSource Security presented research on a worm developed entirely for PLC systems, in particular the Siemens S7-1200.

Siemens S7-1200

What is new in this research is that the worm is native to these systems: both the discovery process and the infection of victims are executed from the PLCs themselves, using structured text and programming functions native to these systems. It also incorporates communication mechanisms over a proprietary protocol on port 102/TCP. The initial "requirement" is to load the worm onto the first PLC through a dedicated PC, or to distribute a manipulated PC. Once the first PLC is infected, the infection of the rest is "automatic", since the worm infects other PLCs by issuing the same commands that the TIA Portal software would.

PLC infection process

The "bad" thing about this worm is that removing it requires a factory reset of the PLC, or rewriting the OB (Organization Block) instructions used by the malware. The "good" thing is that it is easily detectable by its network traffic on port 102/TCP and, luckily, it only exists as laboratory research, not as a worm found in a real-life incident.
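The detection point above can be turned into a simple monitoring rule: in a normal plant only the engineering workstation (TIA Portal) and perhaps an HMI should open port 102/TCP towards a PLC, so a PLC connecting to another PLC on that port, or any non-engineering host doing so, is worth an alert. The following script is an added example written for this post, not code from the original article or from the OpenSource Security researchers; the host inventory, addresses and flow records are constructed, and the log format is an assumed "timestamp src:port -> dst:port proto" layout that a firewall or NetFlow export would need to be mapped onto.

```python
"""Flag anomalous S7 (102/TCP) connections in constructed flow records.

Added example for the INCIBE post; not the project's own code. The inventory
and the sample log below are constructed for illustration.
"""
from dataclasses import dataclass

S7_PORT = 102  # port used by the PLC worm described in the post

# Constructed plant inventory (assumption: the defender knows which hosts are
# PLCs and which hosts are allowed to program them).
PLCS = {"10.10.1.11", "10.10.1.12", "10.10.1.13"}
ALLOWED_S7_CLIENTS = {"10.10.0.5"}  # engineering workstation running TIA Portal


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Parse one constructed record: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, _arrow, dst, proto = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, src_ip, dst_ip, int(dport), proto.lower())


def classify(flow):
    """Return a reason string if the flow is suspicious, otherwise None."""
    if flow.proto != "tcp" or flow.dport != S7_PORT:
        return None
    if flow.dst not in PLCS:
        return None  # 102/TCP to a non-PLC host is out of scope for this rule
    if flow.src in PLCS:
        # The worm spreads PLC-to-PLC; legitimate PLCs never program each other here.
        return "plc-to-plc S7 connection (lateral movement pattern)"
    if flow.src not in ALLOWED_S7_CLIENTS:
        return "S7 connection from a non-engineering host"
    return None


def find_alerts(lines):
    """Run the rule over log lines; returns (ts, src, dst, reason) tuples."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            alerts.append((flow.ts, flow.src, flow.dst, reason))
    return alerts


# Constructed sample: a normal TIA Portal download, a Modbus poll from an HMI,
# a PLC-to-PLC chain on 102/TCP, and an unknown host talking S7.
SAMPLE_LOG = """\
# constructed flow records
2016-05-02T08:00:01 10.10.0.5:51000 -> 10.10.1.11:102 TCP
2016-05-02T08:00:05 10.10.0.20:44211 -> 10.10.1.11:502 TCP
2016-05-02T08:03:12 10.10.1.11:49152 -> 10.10.1.12:102 TCP
2016-05-02T08:03:40 10.10.1.12:49153 -> 10.10.1.13:102 TCP
2016-05-02T08:05:00 10.10.0.77:40001 -> 10.10.1.13:102 TCP
2016-05-02T08:05:10 10.10.0.5:51001 -> 10.10.1.12:102 tcp
"""

if __name__ == "__main__":
    for ts, src, dst, reason in find_alerts(SAMPLE_LOG.splitlines()):
        print(f"{ts} {src} -> {dst}: {reason}")
```

Run against the sample, the rule reports the two PLC-to-PLC hops and the unknown host, while the two downloads from the engineering workstation and the Modbus poll pass silently. The inventory is the important part: the rule is only as good as the list of hosts that are genuinely allowed to program PLCs.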

Thanks to this and to the researchers' collaboration with Siemens, in April the manufacturer published a patch that fixes the bug this worm uses to bypass the write protection on the PLC. We also published the corresponding security alert on INCIBE-CERT.

A similar case, named IRONGATE, has just been published by FireEye researchers in June 2016 at the S4xEurope conference. In their published report, they state that they found a malware sample uploaded to VirusTotal in 2014 which had gone unnoticed by the AV companies that analyse these samples.

During their research, they found evidence showing that it is malware for industrial control systems and that it has elements in common with Stuxnet, but adapted to simulation environments.

The samples found allowed man-in-the-middle attacks on the data input and output processes used by industrial simulation software, by replacing a software library with a malicious one, specifically for Siemens PLCSIM. Another notable feature is that this malware incorporated sandbox-evasion techniques to detect whether it was running in a VMware environment or under Cuckoo.

However, the most striking feature of these samples is that the researchers did not detect any use of a vulnerability in any Siemens product, which led them to conclude that this malware could be a test, a proof of concept, or research into carrying out attacks on industrial control systems.
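The IRONGATE technique described above, swapping a legitimate library of the simulation software for a malicious one, leaves a trace that does not depend on any AV signature: the file on disk no longer matches what the vendor installed. The following script is an added example written for this post, not code from FireEye or from Siemens; it records SHA-256 hashes of the library files of an installation once and later compares the live directory against that baseline. The directory layout and file contents are constructed, and the assumption is that the baseline was taken from a known-clean install.

```python
"""Baseline integrity check for an application's library directory.

Added example for the INCIBE post; not the project's own code. The file tree
built in demo() is constructed to stand in for a simulation software install.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large libraries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, suffixes=(".dll", ".so")):
    """Map relative path -> sha256 for every library file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Classify differences: replaced libraries, removed ones, and new ones."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: snapshot a clean install, then simulate a swapped library."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name in ("io_driver.dll", "gui.dll"):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(b"vendor build 1.0")
        baseline = build_manifest(root)  # taken once, from the known-clean install

        # Simulate what a library-replacement attack leaves behind: the I/O
        # library now has different contents, and an extra library appeared.
        with open(os.path.join(root, "bin", "io_driver.dll"), "wb") as f:
            f.write(b"not the vendor build")
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as f:
            f.write(b"unexpected")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest should be stored off the monitored host (or signed), since malware that can replace a library can also rewrite a manifest kept beside it; comparing against vendor-published hashes, where available, avoids trusting the local snapshot at all.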

In the light of these latest cases, it is evident that ICS-specific malware is rather complex, requires a lot of dedication, knowledge and interest in affecting very particular targets and, finally, combines a large part of the characteristics of an APT.

However, it is not an APT of the kind used to steal information, whose main objective is to go unnoticed. This malware attempts to alter the normal functioning of very particular industrial targets. As one would expect, the cases detected until now have all had a state or nation behind them, looking to "test" its capabilities or to damage the critical infrastructure of another state it considers an "enemy".

What is clear from the latest research is that this, too, can change: some criminal network could start to consider the use of ICS-specific malware feasible in extortion operations in the style of ransomware, so that it becomes possible for them to simply monetise these attacks.