Move over, Stuxnet. IRONGATE may represent the next evolution of malware targeting critical infrastructure.
Security researchers at FireEye have discovered a new type of malware that attacks the equipment powering critical infrastructure, one that draws inspiration from the famous Stuxnet worm that disrupted Iran‘s nuclear enrichment program.
FireEye described the virus, which it dubbed IRONGATE, as “an [industrial control system]-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system environment.”
Stuxnet, widely reported to be the work of the United States and Israel, destroyed nearly 1,000 Iranian centrifuges located in a heavily secured enrichment facility in 2010 by infiltrating their Siemens control devices and directing them to spin at improper speeds.
The cyberattack on Iran’s nuclear program was the first known case of a digital intrusion causing substantial physical damage to critical infrastructure. Its sophistication and destructiveness served as a wake-up call to other powerful nations, sparking the modern cyber arms race and leading to the development of new viruses aimed at industrial control systems like the ones found in power plants, hospitals, and military facilities.
Cyberattacks targeting critical infrastructure are on the rise. Last December, someone knocked out power to a large portion of western Ukraine using malware linked to a Russian hacker group. It was the first known case of a cyberattack causing a blackout.
“IRONGATE is certainly an interesting development in malware targeting ICS systems, not because it’s as advanced but because these cases are rarely publicly reported,” Ryan Olson, intelligence director at Palo Alto Networks, said in an email.
Several aspects of IRONGATE suggest that its designers paid careful attention to how Stuxnet worked and sought to improve on its efficacy and stealthiness.
While Stuxnet merely detected antivirus programs running on the computers it infiltrated, IRONGATE took things a step further, searching for “malware detonation/observation environments,” which handle the digital equivalent of a bomb squad’s controlled detonations to isolate the effects of malware.
IRONGATE also covers its tracks in a more sophisticated way than Stuxnet did, according to FireEye.
But the similarities between the two are unmistakable. “Both pieces of malware look for a single, highly specific process,” FireEye’s research team wrote. And both manipulate hardware by replacing a specific type of file, known as a DLL, in the file system powering the computer.
Dr. Richard Forno, the assistant director of the cybersecurity program at the University of Maryland, Baltimore County, told the Daily Dot that IRONGATE’s improvements over Stuxnet, including its upgraded resistance to detection by anti-malware programs, were to be expected.
“Since virtual machines are used to analyze malware, it stands to reason that a malware author would include some self-awareness ‘defenses’ to try and hinder analysis by the ‘good guys,'” Forno said in an email. “I think such defensive measures have been included in desktop malware, so it’s logical to see it applied to more specialized malware like this one, too.”
FireEye researchers said they believed IRONGATE was a “test case, proof of concept, or research activity” because it did not work against any currently deployed Siemens systems.
“The DLLs that IRONGATE seeks and replaces are not part of the Siemens standard product set,” they wrote, “but communicate with [a simulation program]. Malware authors test concepts using commercial simulation software.”
In addition, the researchers didn’t see any trigger in IRONGATE’s code, suggesting that it was not designed to automatically begin sabotaging a system it found itself in; malware is nearly always written to automatically execute when it detects that it has arrived in a target system.
“The most advanced components of Stuxnet, including its exploitation of zero-day vulnerabilities and automated actions against a specific ICS system, are not present in IRONGATE,” Olson said, “but it certainly looks like an actor testing software for some type of attack.”