FireEye experts have released their findings on the Irongate ICS/SCADA malware, which targets a Siemens PLC simulation (SIM) environment via a man-in-the-middle attack on a particular component of custom PLCSIM code. SIM environments are where engineers test their PLC code, so Irongate poses no actual threat to ICS operations, FireEye says, and there has been no indication of any attacks or attempts to date.
Irongate, which the analysts believe is a proof-of-concept piece of malware, apparently stayed under the radar for quite a while. It dates back to 2012 but wasn't identified until late last year, after several of its samples were submitted to VirusTotal; even then, antivirus scanners overlooked it. FireEye reverse-engineered the samples after noticing SCADA references in the code.
This malware is nowhere near as advanced as Stuxnet, but like Stuxnet, Irongate targets a specific Siemens control system and uses its own DLLs to alter a specific task. Each malware family also does some reconnaissance of its own to avoid discovery: where Stuxnet looked for antivirus software to circumvent, Irongate checks for sandboxes and other virtual environments so that it won't be reverse-engineered.
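The DLL substitution described above is the kind of change a file-integrity baseline makes visible: hash every module in the PLCSIM installation once on a known-good system, then re-hash and diff on a schedule. The following is an added example, not FireEye's code or part of their analysis; the directory layout, file names and file contents are constructed for the demonstration and carry no relation to real PLCSIM modules.

```python
"""Baseline-and-compare integrity check for a directory of DLLs.

Added example (not FireEye's code): builds a SHA-256 baseline of every
*.dll under a root directory, re-scans later, and reports modules whose
contents changed, were added, or went missing. All paths and contents
below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffix: str = ".dll") -> dict[str, str]:
    """Map each module's POSIX-style path (relative to root) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob(f"*{suffix}"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two scans.

    modified: present in both, digest differs (a swapped-in module)
    added:    present now, absent from the baseline (a dropped module)
    missing:  present in the baseline, absent now
    """
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one module is replaced under its original name
    and a new one is dropped alongside it; the baseline diff flags both."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "comms.dll").write_bytes(b"vendor module v1")   # constructed
        (root / "bin" / "io.dll").write_bytes(b"vendor io module")      # constructed
        baseline = build_baseline(root)

        # Same filename, different contents: the swap a hash baseline catches
        # even when the file size and timestamp are made to look unchanged.
        (root / "bin" / "comms.dll").write_bytes(b"replacement module")
        (root / "bin" / "extra.dll").write_bytes(b"dropped module")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written to read-only storage off the engineering workstation and the comparison run from a trusted host, since a module that can be swapped on the box can also tamper with a baseline kept beside it.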
The analysts say it is uncertain whether Irongate is the work of a nation-state, a cybercriminal, or a researcher assessing threats to ICS. “The question for us is if it’s a simulated environment, then what is it? Is someone trying this in a simulated [environment] before taking it to a production environment? Or is it a researcher saying ‘look what I can do … a Stuxnet-type thing,’” says Dan Scali, senior supervisor for FireEye Mandiant ICS Consulting services.
For FireEye’s full analysis and findings, see their writeup here.