Archer

Investigators find a new breed of attack that tries to hide itself in plants, factories and industrial systems.

It was sitting there quietly, this new kind of malware, minding its own business and hiding from security companies around the world.

Now, IRONGATE, as it is called, is unmasked. And experts say it shows how attackers have honed their weapons—and how the rest of the world needs to catch up.   

Investigators at cybersecurity company FireEye found the IRONGATE malware while they were looking for something else.

It was not “in the wild,” in other words, on the system of a real power plant or factory. Instead, someone had loaded it onto VirusTotal—a website used to gather millions of samples of digital attacks so people can check to see if their systems are infected—back in 2014.

No one noticed it—until FireEye stumbled upon it and brought it to light.

“I think the strangest thing about IRONGATE is that it is like discovering a new animal species—in a zoo,” Reid Wightman, director of Digital Bond Labs, told Archer News.

Now experts wonder if there are more species like it outside of ‘zoo’ walls, and if so, how they might try to damage our critical infrastructure.

“How much other malware attacking an ICS [industrial control system] is sitting in repositories around the world, or even worse undetected on operational ICS?” asked Dale Peterson of Digital Bond.

How IRONGATE works

IRONGATE uses some strategies of Stuxnet, the infamous worm that infiltrated Iran’s nuclear facilities and may have changed the speed of and then destroyed a thousand centrifuges in 2009 and 2010, analysts at FireEye said.  

Both, for example, look for a Dynamic Link Library and replace it with their own malicious Dynamic Link Library, so they can manipulate the programmable logic controllers, or PLCs, that run important equipment, according to their report.

IRONGATE then records five seconds of ‘normal’ traffic in the system, and replays it back. If you were monitoring the system, you might think all was well, when in reality IRONGATE could be making the equipment run amok.

Stuxnet tried to avoid detection by sniffing out antivirus software. IRONGATE tries to avoid detection by looking out for “sandboxes,” places on a network where people can test suspicious software without worry of infecting the whole system, the investigators said.

You’re no Stuxnet

But IRONGATE “does not compare to Stuxnet in terms of complexity, ability to propagate, or geopolitical implications,” they wrote.

Where Stuxnet may have taken dozens of people months to create and caused large amounts of damage, some experts call IRONGATE “not technically advanced.”

Some suggested it could be simply a research project or a test for security tools.

And the company behind the equipment the malware targeted, Siemens, told FireEye that IRONGATE as-is is not a viable attack.

Why do we care?

If it’s a low-level, not-currently-viable attack, why are so many people focusing on IRONGATE? Not for what it is, but for what it means for the machines that we rely on each day for power, water and business.

“Many predicted that attackers would learn and mimic Stuxnet techniques. They have,” wrote Peterson in a post.

“This is the first post-Stuxnet ICS example of a Stuxnet-like man-in-the-middle attack with a record/replay feature so [equipment] operators do not see what is truly going on,” he said.

Malicious hackers are improving their skills, but the people trying to parry the attackers’ thrust may be a step behind.

“The attackers have learned and implemented Stuxnet techniques, but the defenders haven’t really improved the ability to detect malware targeting ICS,” he added. “We need significant improvement in detection capabilities for ICS integrity attacks.”

Too easy

The code for this new malware is “relatively simple,” said Michael Toecker with Context Industrial Security.

The malware author appears to have a specific goal in mind, but not the depth of experience about the equipment operations process needed to make it happen, he explained.

“IRONGATE shows that it’s not that difficult to create basic malware that can hide information about the process from operators,” Toecker told Archer News.

“This was a pretty rudimentary effort targeting a non-critical software, but against real ICS software the only thing that was missing was process knowledge to know what to fake and when,” he said.

What now?

Investigators don’t know who made this malware, nor why—was it a test, a project, or maybe recon for an attack?

“This malware, which targeted Siemens components by cleartext [not encrypted] file names, went completely unnoticed for years,” said Toecker. “What chance do we have to find greater secret evils if we can’t find the stuff that’s under our nose?”

Researchers like Wightman may be willing to try, launching searches for what may already be on critical systems right now, sitting quietly, or ready to roll out a secret attack.

“There may very well be more ICS malware waiting to be analyzed,” said Wightman. “So, I think that some of us in the research community will start digging through files to see what we can find!”

Next steps

The FireEye team lays out steps companies and organizations running industrial control systems can take to protect themselves from IRONGATE-style attacks.

They can implement things like integrity checks and code signing for certain processes so they can stop the IRONGATE man-in-the-middle attack, among other steps.

They may need to take note that malicious hackers have their eye on the industrial control systems that run smart cities, smart factories and smart power, gas and water plants—once thought too difficult for bad guys to penetrate.

You may not find out that animal in your zoo is a really wolf, not a sheep, until years after the fact.

“You cannot rest on the fact that ‘ICS is unique’ or ‘ICS can be hard to figure out’ as a defense mechanism,” wrote Robert M. Lee with the SANS Institute in a post. “ICS is a viable target and attackers are getting smarter on how to impact ICS with ICS specific knowledge sets.