As Stuxnet Anniversary Approaches, New SCADA Attack Is Discovered

F-Secure has unearthed a new attack against industrial control systems that goes after European targets, using rare infection vectors.

Nearly four years since Stuxnet broke onto the scene, F-Secure has discovered another series of attacks against industrial control systems -- this time aiming at mostly European organizations. The attackers' ultimate motives are unclear. Researchers suspect they are simply gathering intelligence in preparation for a more serious attack.

The attackers are infecting SCADA and ICS systems with the HAVEX remote access tool (used mostly for information gathering), and they are doing so through an unusual infection vector. In addition to the usual phishing messages and exploit kits, the attackers compromised the websites of three industrial application vendors and swapped the vendors' legitimate installers for versions that also install HAVEX when downloaded and run. This "watering-hole" tactic, in effect a software supply-chain compromise -- compromising trusted intermediaries to reach the real targets -- is uncommon.
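The only defence against a swapped installer that does not depend on the vendor's website being trustworthy is to check the download against a hash (or signature) obtained through a different channel. The following is an added example, not code from F-Secure, from the article, or from any of the affected vendors: it verifies a download directory against a sha256sum-style manifest that is assumed to have arrived out of band, and treats "not in the manifest" the same way as "hash mismatch". The file names and file contents are constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so large installers need not fit in memory


def sha256_file(path: Path) -> str:
    """Return the lowercase hex SHA-256 of a file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}.

    Blank lines and '#' comments are ignored; a leading '*' on the filename
    (sha256sum binary mode) is stripped.
    """
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(maxsplit=1)
        manifest[name.lstrip("*")] = digest.lower()
    return manifest


def verify_downloads(download_dir: Path, manifest: Dict[str, str]) -> Dict[str, str]:
    """Classify every file in download_dir as OK, MISMATCH or UNKNOWN.

    UNKNOWN (not listed in the manifest) must be handled like MISMATCH by the
    caller: a file you cannot tie to an out-of-band hash does not get run.
    """
    results: Dict[str, str] = {}
    for path in sorted(download_dir.iterdir()):
        if not path.is_file():
            continue
        expected = manifest.get(path.name)
        if expected is None:
            results[path.name] = "UNKNOWN"
            continue
        actual = sha256_file(path)
        results[path.name] = "OK" if hmac.compare_digest(expected, actual) else "MISMATCH"
    return results


def demo() -> Dict[str, str]:
    """Build a constructed download directory and verify it.

    The three files stand in for the genuine vendor installer, the same
    product as served by the compromised site (simulated here by appending
    bytes; a real trojanized bundle looks nothing like this), and a stray
    file the manifest never mentioned.
    """
    legit = b"MZ" + b"\x90" * 512 + b"fake installer body, constructed for the demo"
    swapped = legit + b"\n-- extra dropper stage appended by the attacker (simulated) --"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "setup_good.exe").write_bytes(legit)
        (d / "setup_swapped.exe").write_bytes(swapped)
        (d / "stray.exe").write_bytes(b"not in the manifest at all")
        # The manifest must reach you by a channel the download site cannot
        # alter (signed e-mail, the support portal, a call to the vendor).
        # A hash hosted on the compromised site itself proves nothing.
        manifest = parse_manifest(
            "# vendor release hashes, obtained out of band (constructed)\n"
            f"{hashlib.sha256(legit).hexdigest()}  setup_good.exe\n"
            f"{hashlib.sha256(legit).hexdigest()}  setup_swapped.exe\n"
        )
        return verify_downloads(d, manifest)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9} {name}")
```

On Windows the native equivalent is checking the Authenticode signature (`signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature`) and confirming the signer is the vendor; a repackaged installer will either be unsigned or signed by someone else. Hash pinning is still worth doing where the vendor does not sign, or where the signing key is what you distrust.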

Once HAVEX is installed, it calls back to its command-and-control servers -- which are mostly unrelated third-party websites and blogs that the attackers have compromised -- and receives instructions to download and execute further components.

According to F-Secure, "one of these components appeared very interesting. While analyzing this component, we noticed that it enumerates the local area network and looks for connected resources and servers."

They found that the malware was going after OPC (originally OLE for Process Control), a Windows COM/DCOM-based interface standard that lets disparate industrial components and applications communicate with one another.

As F-Secure explains:

It's a standard way for Windows applications to interact with process control hardware. Using OPC, the malware component gathers any details about connected devices and sends them back to the C&C for the attackers to analyze. It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.

The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have direct interest in controlling such environments. This is a pattern that is not commonly observed today.

Dale Peterson, founder and CEO of Digital Bond, provided more insight:

What [HAVEX] is doing to OPC servers is still unclear. If this is an early phase of an attack it could simply be running OpcEnum to gather information about what OPC servers are on the network. Most do not deploy the available security controls in OPC because it is difficult... and it breaks necessary comms if not done right. Also, the lack of good coding practices leaves many OPC servers with vulnerabilities, some disclosed and many just waiting to be found or used.

The organizations that have been infected with HAVEX are mostly European: two French universities known for tech research, one French producer of industrial machine products, two German producers of industrial application and machine products, a Russian construction company, and one California company (about which no information has been provided). The "watering holes" are also European, located in Germany, Switzerland, and Belgium.

If the targets had been American, Chinese, or Middle Eastern, people might more readily conclude that the attacks were politically motivated and carried out by nation-state actors. That they are mostly in Western Europe may instead point to organized crime, probably motivated by financial gain.

"This does look like professional-class malware," says Andrew Ginter, vice president of industrial security at Waterfall Security, "which rules out some suspects. It rules out hacktivists, because they are not well funded enough. That leaves organized crime and nation-states."

Ginter says he is not surprised that this attack is possible, or that it exploits weaknesses in the supply chain of industrial control systems, because experts (himself included) have been warning of exactly this for years.

"It's nothing like Stuxnet," he says, explaining that this is a more generalized threat as opposed to one laser-focused on a single target, "but it's confirmation that all those things people have been telling you are true. It's disturbing."

Ginter says the potential for soft spots in the supply chain has been and will continue to be a problem, especially in safety systems, which have sometimes been counterfeited for profit.

"Control systems will always have a softer interior than IT systems," he says, but for legitimate reasons: the concern is not just the possibility of outages, but of explosions or other physical disasters. "It's because every change to the safety system is a threat to your life."

However, he points out that although the supply chain is being used as the infection vector, there are other stages of the attack that can be dealt with -- the compromised website, for example, or the communications between infected machines and the C&C servers.
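Two of the stages Ginter and Peterson mention are visible on the network even when the infected installer was never caught: the OPC reconnaissance component, and the callback to the compromised third-party sites used for command and control. The following is an added example, not code from the article, F-Secure, Digital Bond or Waterfall, that runs two detection rules over a constructed flow-log sample. Classic OPC servers are DCOM objects and OpcEnum is itself a DCOM service, so browsing for OPC servers begins with RPC endpoint-mapper connections to tcp/135 on each candidate host; the first rule flags an ICS-zone host that fans out to many peers on that port, excluding the one HMI that is expected to do so. The second rule flags any web traffic from the ICS zone to an external address not on an explicit egress allowlist, because the C&C servers were ordinary compromised blogs that no reputation feed would have listed. All addresses, the zone and allowlist definitions, the thresholds and the log lines are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple

# Site-specific assumptions (hypothetical values, not from the article).
ICS_ZONE = ip_network("10.10.5.0/24")                # cell network holding the OPC servers
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
KNOWN_OPC_CLIENTS = {"10.10.5.10"}                   # the HMI that legitimately browses OPC servers
EGRESS_ALLOWLIST = {"203.0.113.10"}                  # e.g. the vendor's update server
ENUM_WINDOW = timedelta(minutes=5)
ENUM_THRESHOLD = 5                                   # distinct hosts on tcp/135 inside the window

# Constructed flow-log sample: "timestamp src dst dport proto". Not real traffic.
SAMPLE_LOG = """\
2014-06-23T09:00:01 10.10.5.21 10.10.5.50 135 tcp
2014-06-23T09:00:02 10.10.5.21 10.10.5.51 135 tcp
2014-06-23T09:00:02 10.10.5.21 10.10.5.52 135 tcp
2014-06-23T09:00:03 10.10.5.21 10.10.5.53 135 tcp
2014-06-23T09:00:03 10.10.5.21 10.10.5.54 135 tcp
2014-06-23T09:00:04 10.10.5.21 10.10.5.55 135 tcp
2014-06-23T09:00:04 10.10.5.21 10.10.5.56 135 tcp
2014-06-23T09:01:10 10.10.5.21 198.51.100.7 80 tcp
2014-06-23T09:01:11 10.10.5.21 203.0.113.10 443 tcp
2014-06-23T09:05:00 10.10.5.10 10.10.5.50 135 tcp
2014-06-23T09:05:00 10.10.5.10 10.10.5.51 135 tcp
2014-06-23T09:05:01 10.10.5.10 10.10.5.52 135 tcp
2014-06-23T09:05:01 10.10.5.10 10.10.5.53 135 tcp
2014-06-23T09:05:02 10.10.5.10 10.10.5.54 135 tcp
2014-06-23T09:05:02 10.10.5.10 10.10.5.55 135 tcp
2014-06-23T09:10:00 10.10.5.30 10.10.5.50 135 tcp
2014-06-23T09:10:30 10.10.5.30 10.10.5.51 135 tcp
"""


class Event(NamedTuple):
    ts: datetime
    src: object   # ipaddress address object
    dst: object
    dport: int
    proto: str


class Finding(NamedTuple):
    rule: str
    src: str
    dst: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip_address(src),
                            ip_address(dst), int(dport), proto))
    return events


def detect_dcom_enumeration(events: List[Event]) -> List[Finding]:
    """Flag an ICS-zone host that contacts >= ENUM_THRESHOLD peers on tcp/135
    within ENUM_WINDOW, skipping the known OPC clients."""
    by_src = defaultdict(list)
    for ev in events:
        if (ev.proto == "tcp" and ev.dport == 135 and ev.src in ICS_ZONE
                and str(ev.src) not in KNOWN_OPC_CLIENTS):
            by_src[ev.src].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, ev in enumerate(evs):
            # distinct destinations seen in the window ending at this event
            recent = {e.dst for e in evs[: i + 1] if ev.ts - e.ts <= ENUM_WINDOW}
            if len(recent) >= ENUM_THRESHOLD:
                findings.append(Finding("dcom_enumeration", str(src), "",
                                        f"{len(recent)} hosts on tcp/135 within {ENUM_WINDOW}"))
                break  # one finding per source is enough
    return findings


def detect_unexpected_egress(events: List[Event]) -> List[Finding]:
    """Flag web traffic from the ICS zone to any external host not allowlisted."""
    findings, seen = [], set()
    for ev in events:
        internal = any(ev.dst in net for net in INTERNAL_NETS)
        if (ev.src in ICS_ZONE and not internal and ev.dport in (80, 443)
                and str(ev.dst) not in EGRESS_ALLOWLIST):
            key = (str(ev.src), str(ev.dst))
            if key not in seen:
                seen.add(key)
                findings.append(Finding("unexpected_egress", key[0], key[1],
                                        f"tcp/{ev.dport} at {ev.ts.isoformat()}"))
    return findings


def run_detections(events: List[Event]) -> List[Finding]:
    return detect_dcom_enumeration(events) + detect_unexpected_egress(events)


if __name__ == "__main__":
    for f in run_detections(parse_log(SAMPLE_LOG)):
        print(f.rule, f.src, f.dst, f.detail)
```

On the sample, the workstation 10.10.5.21 is reported twice (fan-out on tcp/135, then an HTTP connection to an unlisted external host), while the HMI and the host that only touched two OPC servers are not. The egress rule is deliberately an allowlist rather than a blocklist: once HAVEX moves its callback to another compromised blog, only the allowlist still fires.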

Digital Bond's Peterson takes it a step further:

F-Secure’s discovery of this ICS malware leads to a question... shouldn’t DHS / INL / ICS-CERT be scouring malware data and samples to identify ICS malware?

Developing a process and tools to identify potential ICS malware in large samples seems like an ideal project for DHS / INL / ICS-CERT. Then give it, don’t try to sell it a la Sophia, to those with large samples with some agreement to share the results. The ICS world would get some great threat data from the often touted, but rarely of value, public/private partnership. Big win.

ICS-CERT has also issued an alert on the campaign.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

6/27/2014 | 11:10:40 PM
Re: Stuxnet is another thing
I agree that the level of complexity is very different. Regardless, I think it underscores the importance of limiting the attack surface and locking those systems down as much as possible. No question that these attacks are going to continue to go up.

6/27/2014 | 3:23:24 AM
Stuxnet is another thing
Hi guys, I'm reading on the internet that some colleagues are comparing this attack to the Stuxnet case. Be aware that the only factor in common is that both targeted an ICS/SCADA system, but the level of complexity behind the operation is totally different.

Stuxnet is considered a cyber weapon used by governments to hit Iranian critical infrastructure; its development required a huge effort in terms of money, resources and skills. I don't want to go deep into the details of Stuxnet's architecture, but the malware used in the recent attacks is a game compared to Stuxnet. The dangerous aspect of the story is that the number of cyber attacks against critical infrastructures is increasing, and it is even easier to find, open on the internet, all that is necessary to hit vital components in critical processes.

I am afraid that we will see an explosion of similar attacks in the next months; in the majority of cases they will go undetected, and this is a real problem.

Take a look at a recent presentation I made with the popular hacker Raoul Chiesa at Security Summit in Rome.


6/26/2014 | 10:07:10 PM
Admin Accounts
Again, it's these "watering hole" events that make it crucial to have a standard account and an admin account with no internet capabilities. I know this isn't the main goal for this specific information gathering; however, if they wanted to, they could use the spoofed app to pull credentials and gain industry information, change configurations, and potentially do major future damage.

Just something to point out to help mitigate the risk of attacks that involve the watering hole event and potentially stunt major detrimental damage.
David Wagner
6/26/2014 | 5:35:20 PM
Wow, this isn't frightening at all. Just gathering intelligence for a future attack? Too well funded for anything but organized crime or a government?


So are Americans lucky here, or are we the next target?
