Newly found Irongate malware will put Stuxnet to shame, targets industrial control systems

Silicon Valley-based security researchers at FireEye have uncovered Stuxnet-like malware that targets industrial control systems (ICS), according to a new report released on June 2.

According to the researchers, the malware, named Irongate, was first submitted to VirusTotal in 2014 but seems to have gone unnoticed until it was identified in the course of FireEye’s research into droppers compiled with PyInstaller in late 2015. VirusTotal is a Google-owned website where users can submit suspicious files to be scanned by antivirus engines.

The researchers discovered two malware samples that included a suspicious extension labeled SCADA.exe, seemingly in reference to supervisory control and data acquisition (SCADA) systems used in ICS. ICS and SCADA systems are special kinds of computer equipment that control industrial plants.

The malware has not been used in actual attacks, and it appears designed to run in a simulation environment rather than on an actual ICS.

“We acknowledge that Irongate could be a test case, proof of concept, or research activity for ICS attack techniques,” the researchers write.

However, unlike Stuxnet, it seems that Irongate does not actively pose a threat as it was designed with the single purpose of running within Siemens simulated control system environments.

“Siemens Product Computer Emergency Readiness Team (ProductCERT) confirmed that Irongate is not viable against operational Siemens control systems and determined that Irongate does not exploit any vulnerabilities in Siemens products,” said the researchers in a blog post. “We are unable to associate Irongate with any campaign or threat actors. We acknowledge that Irongate could be a test case, proof of concept, or research activity for ICS attack techniques.”

Considering that Irongate is similar to Stuxnet, the fact that it is not an active threat is a little odd. What is even more surprising is the fact that Irongate supposedly goes to great lengths to keep itself hidden.

However, Irongate’s discovery should serve as a warning to organizations that operate SCADA systems.

“The attackers have learned and implemented Stuxnet techniques, but the defenders haven’t really improved the ability to detect malware targeting ICS,” Dale Peterson, the CEO of ICS security consultancy Digital Bond, said in a blog post. “We need significant improvement in detection capabilities for ICS integrity attacks.”