6 Malware Tools Designed to Disrupt Industrial Control Systems (ICS)
Stuxnet was the first known malware built to attack operational technology environments. Since then, there have been several others.
April 20, 2022
A recent attempt by Russia's infamous Sandworm threat group to disrupt operations at a Ukrainian power company has once again drawn attention to the — still somewhat limited — collection of publicly known tools designed specifically to disrupt industrial control systems.
For the attack, Sandworm used an updated version of a malware tool dubbed Industroyer/CrashOverride that gave the threat actors a way to manipulate equipment at substations to trigger power outages. Ukraine's computer emergency response team (CERT-UA) thwarted the attack before any damage was done. It determined the attackers had wanted to decommission high-voltage electric substations and other infrastructure elements at the targeted facility.
Industroyer is one of a handful of highly sophisticated tools that security researchers have discovered in recent years that are designed to give attackers access to systems controlling operational equipment at power facilities, oil and gas firms, and other critical infrastructure organizations.
Unlike other malware, which often share commonalities in features and functions, ICS-specific malware tools have tended to be highly customized for targeted environments. Stuxnet, one of the first publicly known instances of malware designed to cause physical damage to systems, was optimized to damage equipment at Iran's uranium enrichment facility in Natanz. The version of Industroyer used in the recently foiled attack in Ukraine was fine-tuned to disrupt the particular systems at the targeted facility.
Daniel Kapellmann Zafra, senior technical analysis manager at Mandiant, says ICS-specific malware has become more complex, sophisticated, and easier to use. While Stuxnet was sneaked into the Iranian facility via a USB drive, the newest malware tools in its class are designed for network break-in.
"Newer OT [operations technology] malware is developed in ways in which the actor can rely on intermediary systems across OT to deploy the malware remotely, making it more convenient for the actor to use it against a target," Kapellmann Zafra says. Newer tools are also more flexible, meaning they can be tweaked to a certain extent so they can be deployed against more than one target.
Deral Heiland, principal security researcher at Rapid7, says the ICS-specific tools often leverage normal functionality of the targeted ICS/SCADA environment and associated management and control protocols. Attackers have gained a better understanding of once relatively obscure ICS/SCADA communication protocols — such as Codesys and Profinet — and are using that knowledge to develop sophisticated tools.
Here is a look at six malware tools designed specifically to attack ICS environments.