Security researchers at FireEye have discovered a new type of malware that attacks the equipment powering critical infrastructure, one that draws inspiration from the famous Stuxnet worm that disrupted Iran’s nuclear enrichment program.
FireEye described the virus, which it dubbed IRONGATE, as “an [industrial control system]-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system environment.”
Stuxnet, widely reported to be the work of the United States and Israel, destroyed nearly 1,000 Iranian centrifuges located in a heavily secured enrichment facility in 2010 by infiltrating their Siemens control devices and directing them to spin at improper speeds.
The cyberattack on Iran’s nuclear program was the first known case of a digital intrusion causing substantial physical damage to critical infrastructure. Its sophistication and destructiveness served as a wake-up call to other powerful nations, sparking the modern cyber arms race and leading to the development of new viruses aimed at industrial control systems like the ones found in power plants, hospitals, and military facilities.
Cyberattacks targeting critical infrastructure are on the rise. Last December, someone knocked out power to a large portion of western Ukraine using malware linked to a Russian hacker group. It was the first known case of a cyberattack causing a blackout.
“IRONGATE is certainly an interesting development in malware targeting ICS systems, not because it’s as advanced but because these cases are rarely publicly reported,” Ryan Olson, intelligence director at Palo Alto Networks, said in an email.
Several aspects of IRONGATE suggest that its designers paid careful attention to how Stuxnet worked and sought to improve on its efficacy and stealthiness.
While Stuxnet merely detected antivirus programs running on the computers it infiltrated, IRONGATE took things a step further, searching for “malware detonation/observation environments,” which handle the digital equivalent of a bomb squad’s controlled detonations to isolate the effects of malware.
IRONGATE also covers its tracks in a more sophisticated way than Stuxnet did, according to FireEye.
But the similarities between the two are unmistakable. “Both pieces of malware look for a single, highly specific process,” FireEye’s research team wrote. And both manipulate hardware by replacing a specific type of file, known as a DLL, in the file system powering the computer.
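The shared mechanism described above, swapping a legitimate DLL for a look-alike that sits between the control software and the process, is exactly what a file-integrity baseline is meant to catch. The following is an added illustration written for this page, not code from the article or from FireEye’s report: it hashes every DLL in a directory, stores the result as a baseline, and later reports any file whose hash changed, any file that appeared, and any file that vanished. The file names and contents are constructed placeholders, not real Siemens or simulator files, and the `.dll` suffix filter is an assumption for the demo.

```python
"""Added example: a minimal file-integrity baseline for a directory of DLLs.
Replacing a DLL with a look-alike of the same name and size still changes
its SHA-256, which a baseline comparison detects. Not the article's code."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory: Path, suffix: str = ".dll") -> dict:
    """Map file name -> SHA-256 for every file with the given suffix (case-insensitive)."""
    return {
        p.name: sha256_of(p)
        for p in sorted(directory.iterdir())
        if p.is_file() and p.suffix.lower() == suffix
    }


def check_against_baseline(directory: Path, baseline: dict, suffix: str = ".dll") -> dict:
    """Compare the directory's current state to a stored baseline.

    Returns sorted lists of names that were modified (hash differs),
    added (not in baseline) and missing (in baseline but gone)."""
    current = build_baseline(directory, suffix)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def demo() -> dict:
    """Constructed scenario: three placeholder DLLs, then one is swapped for a
    same-name, same-size look-alike and an unexpected DLL appears."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed placeholder names and contents; not real product files.
        for name, body in [("comm_a.dll", b"A" * 100),
                           ("comm_b.dll", b"B" * 100),
                           ("ui.dll", b"C" * 50)]:
            (d / name).write_bytes(body)
        baseline = build_baseline(d)

        # Simulate the swap: identical name and length, different bytes.
        (d / "comm_a.dll").write_bytes(b"X" * 100)
        # A DLL that was never in the baseline shows up.
        (d / "extra.dll").write_bytes(b"E" * 10)

        return check_against_baseline(d, baseline)


if __name__ == "__main__":
    print(demo())  # expected: modified comm_a.dll, added extra.dll, nothing missing
```

The baseline only helps if an attacker who can write DLLs cannot also rewrite the baseline, so in practice it is stored off the engineering workstation (or signed) and compared from a separate host, and the check is scheduled rather than run once.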
Dr. Richard Forno, the assistant director of the cybersecurity program at the University of Maryland, Baltimore County, told the Daily Dot that IRONGATE’s improvements over Stuxnet, including its upgraded resistance to detection by anti-malware programs, were to be expected.
“Since virtual machines are used to analyze malware, it stands to reason that a malware author would include some self-awareness ‘defenses’ to try and hinder analysis by the ‘good guys,’” Forno said in an email. “I think such defensive measures have been included in desktop malware, so it’s logical to see it applied to more specialized malware like this one, too.”
FireEye researchers said they believed IRONGATE was a “test case, proof of concept, or research activity” because it did not work against any currently deployed Siemens systems.
“The DLLs that IRONGATE seeks and replaces are not part of the Siemens standard product set,” they wrote, “but communicate with [a simulation program]. Malware authors test concepts using commercial simulation software.”
In addition, the researchers didn’t see any trigger in IRONGATE’s code, suggesting that it was not designed to automatically begin sabotaging a system it found itself in; malware is nearly always written to automatically execute when it detects that it has arrived in a target system.
“The most advanced components of Stuxnet, including its exploitation of zero-day vulnerabilities and automated actions against a specific ICS system, are not present in IRONGATE,” Olson said, “but it certainly looks like an actor testing software for some type of attack.”
Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.