Improved, Stuxnet-Like PLC Malware Aims to Disrupt Critical Infrastructure

The proliferation of programmable logic controllers (PLCs) with embedded Web servers in them has given attackers a way to launch potentially catastrophic, remote attacks against operational technology (OT) for industrial control systems (ICS) in critical infrastructure sectors.

To highlight the threat, a team of researchers from the Georgia Institute of Technology has developed malware that an adversary could use to remotely access an embedded Web server within a PLC, and attack the underlying physical system. An attacker could use the malware to manipulate output signals to actuators, to falsify sensor readings, disable safety systems, and execute other actions that could trigger potentially devastating outcomes, including even loss of life, the researchers said.

PLCs are the components of ICS that control the operation of physical processes and machinery within various manufacturing, industrial, and critical infrastructure settings. A PLC receives input from various connected sensors and other input sources, and uses the data to send commands to physical systems based on pre-programmed controlled logic. The goal with PLC malware in general is to influence the output in such a way as to disrupt or to sabotage the physical process which a PLC might be controlling.

A Stuxnet-Like, Web-Based PLC Malware

Often, malware targeting PLCs and ICS systems have required attackers to have some kind of prior physical or network access to the target environment, and has often been platform specific and easily erasable via factory resets. In the paper, Georgia Tech researchers Ryan Pickren, Tohid Shekari, Saman Zonouz and Raheem Beyah described their Web-based PLC malware as fundamentally different.

Most PLC malware typically infects the firmware or control logic of the controllers, whereas the new Web-based malware attacks the front-end Web layer in PLCs with malicious JavaScript, eliminating some of the limitations such malicious code has faced in the past.

"This approach has significant advantages over existing PLC malware techniques (control logic and firmware), such as platform independence, ease-of-deployment, and higher levels of persistence," the researchers said.

But, the cyberattack outcomes for the new strain are the same as other successful PLC attacks. In the $1 billion Stuxnet campaign for instance — which some have attributed to the US and Israeli governments — the attackers targeted Siemens PLCs to cause high-speed centrifuges at Iran's Natanz uranium-enrichment facility to spin so fast they essentially tore themselves apart.

Since then, there have been several other attacks that have highlighted the damage that adversaries can unleash on systems that control physical processes. Notable examples include the BlackEnergy malware that Russian threat actors used to disrupt Ukraine's power grid in 2016; the Triton/Trisis attack on a Schneider safety system at a petrochemical plan in Saudi Arabia; and INCONTROLLER, a set of malware tools targeted at PLCs from Schneider and Omron.

PoC Cyberattack: Easier to Deploy & More Persistent

The Web-based attack that that the researchers developed basically involved a test scenario where a threat actor executes a Stuxnet-like attack on a widely used PLC that, in this case, controlled an industrial motor similar to one used to power centrifuges during uranium enrichment. Like many modern PLCs, the one that the researchers used for the researcher featured a Web-based interface for remote monitoring, programming, and configuration.

For the test scenario, the researchers assumed that the facility where the PLC is situated had engineering workstations that were connected both to the business network and the industrial network. The researchers also assumed that the attacker had some basic knowledge about the physical process that the test PLC controlled and a few other non-specific details of the environment.

In their paper, the researchers described how an attacker could gain initial access to the PLC by remotely injecting malicious code to the Web server in a variety of ways and then use its legitimate application programming interfaces (API) to disrupt the underlying machinery. One of test scenarios involved the attacker tricking an ICS operator into visiting a malicious Web page that automatically downloads the PLC malware into the PLCs Web application by chaining three separate zero-day vulnerabilities that the researchers discovered in the Web application.

Among other things, the Web-based PLC (WB PLC) malware that the researchers developed would have allowed an attacker to physically damage the industrial motor that it was controlling, abuse admin settings for further compromise, and to steal data for industrial espionage purposes.

"Our Web PLC malware resides in PLC memory, but ultimately gets executed client-side by various browser-equipped devices throughout the ICS environment," the researchers noted.  "From there, the malware uses ambient browser-based credentials to interact with the PLC's legitimate Web APIs to attack the underlying real-world machinery." This kind of malware is easier to deploy control and is mostly platform-agnostic, they said.