Nearly four years since Stuxnet broke onto the scene, F-Secure has discovered another series of attacks against industrial control systems -- this time aiming at mostly European organizations. The attackers' ultimate motives are unclear. Researchers suspect they are simply gathering intelligence in preparation for a more serious attack.
The attackers are infecting SCADA and ICS systems with the HAVEX remote access tool (mostly used for information gathering), using a unique infection vector. In addition to the usual phishing messages and exploit kits, the attackers compromised the websites of three industrial application vendors and swapped their legitimate installers with ones that would also install HAVEX when downloaded and run. This "watering-hole" attack -- compromising intermediaries to gain access to the real targets -- is uncommon.
Once HAVEX is installed, it calls back to its command-and-control servers -- which are mostly unrelated third-party websites and blogs that the attackers have compromised -- and receives instructions to download and execute further components.
According to F-Secure, "one of these components appeared very interesting. While analyzing this component, we noticed that it enumerates the local area network and looks for connected resources and servers."
They found that the malware was going after OPC, an open programming interface (still used mostly by Windows applications) that enables disparate industrial components to communicate with one another.
As F-Secure explains:
It's a standard way for Windows applications to interact with process control hardware. Using OPC, the malware component gathers any details about connected devices and sends them back to the C&C for the attackers to analyze. It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.
The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have direct interest in controlling such environments. This is a pattern that is not commonly observed today.
Dale Peterson, founder and CEO of Digital Bond, provided more insight:
What [HAVEX] is doing to OPC servers is still unclear. If this is an early phase of an attack it could simply be running OpcEnum to gather information about what OPC servers are on the network. Most do not deploy the available security controls in OPC because it is difficult... and it breaks necessary comms if not done right. Also, the lack of good coding practices leaves many OPC servers with vulnerabilities, some disclosed and many just waiting to be found or used.
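A defender-side detection sketch for the OPC-server enumeration that F-Secure and Peterson describe, added here as an illustration and not code from either of them. It assumes that classic OPC discovery via OpcEnum runs over DCOM and therefore starts with the RPC endpoint mapper on TCP 135, so a single host contacting many peers on that port in a short window is worth flagging; the log lines, threshold and window are constructed values.

```python
"""Flag hosts that sweep the LAN for OPC (DCOM) servers.

Added example, not F-Secure's or Digital Bond's code. Classic OPC servers are
located via OpcEnum over DCOM, which begins with the RPC endpoint mapper on
TCP 135, so one source touching many destinations on 135 within a short
window resembles the enumeration the HAVEX component performs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall/netflow-style records: time, src, dst, dport, proto
SAMPLE_LOG = """\
2014-06-24T10:00:01 10.1.5.20 10.1.5.50 135 tcp
2014-06-24T10:00:02 10.1.5.20 10.1.5.51 135 tcp
2014-06-24T10:00:02 10.1.5.20 10.1.5.52 135 tcp
2014-06-24T10:00:03 10.1.5.20 10.1.5.53 135 tcp
2014-06-24T10:00:03 10.1.5.20 10.1.5.54 135 tcp
2014-06-24T10:00:04 10.1.5.20 10.1.5.55 135 tcp
2014-06-24T10:00:09 10.1.5.20 10.1.5.56 135 tcp
2014-06-24T10:05:00 10.1.5.30 10.1.5.50 135 tcp
2014-06-24T10:05:01 10.1.5.30 10.1.5.50 443 tcp
"""


def parse(log_text):
    """Turn the whitespace-separated records into typed tuples."""
    records = []
    for line in log_text.splitlines():
        ts, src, dst, dport, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return records


def find_opc_sweeps(records, threshold=5, window=timedelta(seconds=60)):
    """Return {src: sorted distinct dsts} for sources that reach at least
    `threshold` distinct hosts on TCP 135 inside any `window`-long span.
    Threshold and window are assumed tuning values, not published ones."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in records:
        if proto == "tcp" and dport == 135:   # DCOM endpoint mapper only
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= threshold:
                hits[src] = sorted(peers)
                break
    return hits
```

Legitimate OPC clients and management tools also talk to port 135, so a hit is a lead for the analyst to correlate with the host's role, not a verdict on its own.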
The organizations that have been infected with HAVEX are mostly European: two French universities known for tech research, one French producer of industrial machine products, two German producers of industrial application and machine products, a Russian construction company, and one California company (about which no information has been provided). The "watering holes" are also European, located in Germany, Switzerland, and Belgium.
If the targets had been American, Chinese, or Middle-Eastern, people might more readily conclude that the attacks were politically motivated and carried out by nation-state actors. Since the targets are mostly in Western Europe, the evidence may instead point to organized crime, probably motivated by financial gain.
"This does look like professional-class malware," says Andrew Ginter, vice president of industrial security at Waterfall Security, "which rules out some suspects. It rules out hacktivists, because they are not well funded enough. That leaves organized crime and nation-states."
Ginter says that he is not surprised that this attack is possible and that it manipulates weaknesses in the supply chain of industrial security systems, because experts (himself included) have been warning of such things for years.
"It's nothing like Stuxnet," he says, explaining that this is a more generalized threat as opposed to one laser-focused on one target, "but it's confirmation that all those things people have been telling you is true. It's disturbing."
Ginter says the potential for soft spots in the supply chain has been and will continue to be a problem, especially in safety systems, which have sometimes been counterfeited for profit.
"Control systems will always have a softer interior than IT systems," Ginter says, but for legitimate reasons: the concern is not just the possibility of outages, but of explosions or other physical disasters. "It's because every change to the safety system is a threat to your life."
However, he points out that, although the supply chain is being used as the infection vector, there are other stages of attacks that can be dealt with -- the website or the communications between infected machines and C&C servers, for example.
Digital Bond's Peterson takes it a step further:
F-Secure’s discovery of this ICS malware leads to a question... shouldn’t DHS / INL / ICS-CERT be scouring malware data and samples to identify ICS malware?
Developing a process and tools to identify potential ICS malware in large samples seems like an ideal project for DHS / INL / ICS-CERT. Then give it, don’t try to sell it a la Sophia, to those with large samples with some agreement to share the results. The ICS world would get some great threat data from the often touted, but rarely of value, public/private partnership. Big win.
ICS-CERT has issued an alert on the campaign.