6 Malware Tools Designed to Disrupt Industrial Control Systems (ICS)
Stuxnet was the first known malware built to attack an operational technology environment. Since then, there have been several others.
April 20, 2022
![Simulation of an electric transformer substation on a monitor](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltf9e4bccb849588be/64f175dfdf86f7091d579633/scada_SWKStock_shutterstock.jpg?width=700&auto=webp&quality=80&disable=upscale)
Source: Chunni4691 via Shutterstock
A recent attempt by Russia's infamous Sandworm threat group to disrupt operations at a Ukrainian power company has once again drawn attention to the — still somewhat limited — collection of publicly known tools designed specifically to disrupt industrial control systems.
For the attack, Sandworm used an updated version of a malware tool dubbed Industroyer/CrashOverride that gave the threat actors a way to manipulate equipment at substations to trigger power outages. Ukraine's computer emergency response team (CERT-UA) thwarted the attack before any damage was done. It determined the attackers had wanted to decommission high-voltage electric substations and other infrastructure elements at the targeted facility.
Industroyer is one of a handful of highly sophisticated tools that security researchers have discovered in recent years designed to give attackers access to systems controlling operational equipment at power facilities, oil and gas firms, and other critical infrastructure organizations.
Unlike other malware, which often share commonalities in features and functions, ICS-specific malware tools have tended to be highly customized for targeted environments. Stuxnet, one of the first publicly known instances of malware designed to cause physical damage to systems, was optimized to damage equipment at Iran's uranium enrichment facility in Natanz. The version of Industroyer used in the recently foiled attack in Ukraine was fine-tuned to disrupt the particular systems at the targeted facility.
Daniel Kapellmann Zafra, senior technical analysis manager at Mandiant, says ICS-specific malware has become more complex, sophisticated, and easier to use. While Stuxnet was snuck into the Iranian facility via a USB drive, the newest malware tools in its class are designed for network break-in.
"Newer OT [operations technology] malware is developed in ways in which the actor can rely on intermediary systems across OT to deploy the malware remotely, making it more convenient for the actor to use it against a target," Kapellmann Zafra says. Newer tools are also more flexible, meaning they can be tweaked to a certain extent so they can be deployed against more than one target.
Deral Heiland, principal security researcher at Rapid7, says the ICS-specific tools often leverage normal functionality of the targeted ICS/SCADA environment and associated management and control protocols. Attackers have gained a better understanding of once relatively obscure ICS/SCADA communication protocols — such as Codesys and Profinet — and are using that knowledge to develop sophisticated tools.
Here is a look at six malware tools designed specifically to attack ICS environments.
Stuxnet was the first — publicly known, at least — instance of malware narrowly designed to disrupt a specific industrial control system environment. The worm garnered widespread attention in 2010 when it was discovered that it was used in an attack that physically destroyed numerous centrifuges at an Iranian uranium enrichment facility in Natanz. The attacks are thought to have occurred several years prior to its 2010 discovery, and many believe it was part of a US-led effort to degrade Iran's developing nuclear capabilities at the time.
Unlike modern ICS threats, which can be deployed remotely, Stuxnet traveled on USB sticks and spread via Windows systems. The malware looked for Siemens programmable logic controllers that were being used to monitor electro-mechanical equipment at the Iranian uranium enrichment facility. When Stuxnet found them, the malware sent malicious instructions that essentially caused the equipment to spin out of control even as it kept sending false information about its status back to the PLCs.
McAfee, one of numerous vendors that pored over and analyzed the threat, has identified several malware tools that contain artifacts of Stuxnet code. The list includes the keystroke-logging Duqu, which was designed to steal data from ICS environments; Flame, a USB-borne spyware tool; and Havex, another ICS-specific tool for gathering information from critical infrastructure organizations.
Triton/Trisis is malware that was used in a targeted attack on a Saudi Arabian oil refinery in 2017. The malware targeted several models of Triconex, a safety instrumentation system (SIS) from Schneider Electric, that the oil refinery was using to monitor critical burn management and sulfur recovery systems at the plant. If the malware had worked as intended, it could have potentially triggered explosions and the release of dangerous gases at the facility. But as it turned out, safety controls on the Schneider Electric SIS devices spotted the threat actor's attempts to install the malware and triggered an automatic shutdown of the entire refinery on two separate occasions.
Triton/Trisis was designed solely to exploit Schneider safety instrumentation systems at the oil refinery. As such, Dragos at the time assessed the malware as posing no threat to other Schneider Electric customer environments. However, the security vendor assessed that the tactics, techniques, and procedures that the threat actor used in the attack would be replicated by others.
Mandiant described the malware as having multiple capabilities including reading and writing programs and individual functions and querying the state of Schneider SIS controllers; sending specific commands such as "halt" to controllers; and remotely reprogramming them with a malicious payload.
"Triton was particularly relevant because it targeted safety systems, which implies intentionality of possible physical destruction," says Mandiant's Kapellmann Zafra. The malware was developed to target a very specific asset that communicated via a mostly undocumented proprietary protocol, which meant the threat actor likely had to reverse-engineer the device to develop the malware, he says.
Incontroller/PipeDream is the most recently discovered ICS-specific malware threat. The US Cybersecurity and Infrastructure Security Agency (CISA) and others have identified the malware as posing a particularly big threat to organizations in the energy sector, such as liquefied natural gas and electric power providers.
Incontroller, the name by which Mandiant is tracking it, consists of three malware tools designed to target programmable logic controllers (PLCs) from Schneider Electric and Omron and any servers based on Open Platform Communications Unified Architecture (OPC UA). Attackers can use the malware to conduct reconnaissance on target industrial environments and to manipulate PLCs in ways that could result in plant disruptions, safety failures, and potentially catastrophic physical destruction.
Incontroller/PipeDream does not exploit any vulnerabilities to compromise target systems. Instead, it communicates and interacts with PLCs using Modbus and Codesys, two common industrial protocols. The malware's ability to leverage native functionality makes it hard to spot in industrial settings, according to Dragos, which is tracking the threat as PipeDream. Dragos has attributed the malware to a likely Russia-based threat group that it is calling Chernovite.
Incontroller/PipeDream's three main components are a tool for scanning for and collecting data from OPC environments; a framework that can identify and interact with Schneider and other Modbus-based PLCs via Modbus and Codesys; and a tool specifically designed to attack Omron devices over HTTP and Telnet. Mandiant is tracking the three threats as Tagrun, Codecall, and Omshell.
"Incontroller simply [utilizes] native functionalities from assets and known protocols to communicate without the need to develop complex exploits of vulnerabilities," says Kapellmann Zafra, senior technical analysis manager at Mandiant. "In essence, it shows that it is often possible to just use a device/network’s native functionalities to modify a physical process."
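Because Incontroller/PipeDream issues ordinary Modbus traffic rather than exploits, one practical detection is to watch for state-changing Modbus function codes coming from hosts that are not the known HMI or engineering workstations. The following monitor is an added example written for this article, not code from Mandiant, Dragos, or any vendor product; the IP addresses, allowlist, and captured frames are constructed sample values.

```python
import struct
from typing import Optional

# Modbus function codes that change controller state. Reads (1-4) are left alone.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed allowlist: the only hosts expected to write to PLCs (HMI, engineering workstation).
AUTHORIZED_WRITERS = {"10.0.5.10", "10.0.5.11"}


def parse_mbap(frame: bytes) -> Optional[dict]:
    """Parse a Modbus/TCP frame: 7-byte MBAP header followed by the PDU (function code + data)."""
    if len(frame) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; the length field counts unit id + PDU bytes.
    if pid != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "func": frame[7], "data": frame[8:]}


def check_frame(src_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert string for a write from an unauthorized host, otherwise None."""
    pdu = parse_mbap(frame)
    if pdu is None or pdu["func"] not in WRITE_FUNCTIONS or src_ip in AUTHORIZED_WRITERS:
        return None
    detail = ""
    if pdu["func"] in (5, 6) and len(pdu["data"]) >= 4:
        # Single-coil / single-register writes carry a 16-bit address and a 16-bit value.
        addr, value = struct.unpack(">HH", pdu["data"][:4])
        detail = f" addr={addr} value=0x{value:04x}"
    return (f"ALERT unauthorized {WRITE_FUNCTIONS[pdu['func']]} (fc={pdu['func']}) "
            f"from {src_ip} to unit {pdu['unit']}{detail}")


# Constructed sample traffic: (source IP, raw Modbus/TCP bytes).
SAMPLE_TRAFFIC = [
    # HMI reads 10 holding registers starting at address 0: benign
    ("10.0.5.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Unknown host forces coil 7 ON (0xFF00): the pattern worth alerting on
    ("10.0.9.77", bytes.fromhex("0002 0000 0006 01 05 0007 ff00")),
    # Engineering workstation writes one register: expected
    ("10.0.5.11", bytes.fromhex("0003 0000 0006 01 06 0010 1234")),
]


def scan(traffic=SAMPLE_TRAFFIC) -> list:
    """Run every frame through check_frame and collect the alerts."""
    return [a for a in (check_frame(ip, f) for ip, f in traffic) if a]


if __name__ == "__main__":
    for alert in scan():
        print(alert)
```

In a real deployment the allowlist would be built from an asset inventory, and the frames would come from a span port or packet capture rather than a hard-coded list.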
Industroyer — or CrashOverride, as it is also called — is believed to be the first known instance of malware solely targeted at the electric grid. Security researchers first observed the malware being deployed in a December 2016 attack on Ukraine's electric grid that resulted in an hour-long power outage in parts of Kyiv. Multiple vendors have attributed the malware to Sandworm, a Russia-based threat group.
One notable feature of the malware is the fact that it doesn't target any specific technology or exploit any vulnerability. Instead, it uses native ICS communications protocols to interact with industrial systems and issue malicious commands to them in a manner that would not trigger any alerts.
Analysis of the malware by firms such as ESET and Dragos has shown it comprises four payload components that work in stages to first map a target environment and then figure out what commands to use for gaining control of switches and circuit breakers in high-voltage substations. The security vendors have described the malware as giving attackers a way to manipulate those devices to "de-energize" substations or to trigger operating conditions that would cause the substation to "island" itself off from the rest of the grid as a precautionary measure.
Earlier this month, Ukraine's Computer Emergency Response Team (CERT-UA) thwarted another Sandworm attempt to disrupt the power grid, this time using a new and more customized version of Industroyer that features just one of the four payloads contained in the original version.
Industroyer, Industroyer2, and Incontroller were designed so that they remain viable across different attack scenarios. "They can be deployed against more than one victim as they have some capabilities to customize the attack within certain boundaries — such as the communication protocols they use," says Mandiant's Kapellmann Zafra.
BlackEnergy is malware that was originally used in distributed denial-of-service attacks and for downloading spam and malware. The malware is best known for its role in a December 2015 cyberattack on Ukrainian power company Prykarpattyaoblenergo that knocked 30 substations off the grid and triggered a six-hour blackout that hit some 100 cities. Researchers have attributed the attack to Russia's Sandworm advanced persistent threat group.
The attack involved the threat actors gaining access to a Windows-based human-machine interface (HMI) system at the power company and essentially using it to manipulate circuit breakers in a way that triggered a power outage. Researchers analyzing the attack found evidence of BlackEnergy and a wiper called KillDisk on the compromised power company's network. There are still some questions over the role that BlackEnergy played in triggering the outage — or even if it played any at all.
But the fact that it was part of Sandworm's attack chain — and the fact that BlackEnergy was used in subsequent attacks on a Ukrainian mining company and railway operator — made it a threat to industrial control system environments everywhere. The US Cybersecurity and Infrastructure Security Agency (CISA) said its analysis showed that attacks involving BlackEnergy on ICS environments in the US and elsewhere had been going on since at least 2011. CISA identified HMI products from several vendors that had been targeted by BlackEnergy including Siemens, GE, and Advantech/Broadwin.
Havex is a remote-access Trojan (RAT) that Russian advanced persistent threat group Dragonfly (aka Energetic Bear) was first observed using in 2014 against ICS/SCADA systems deployed at organizations in the energy sector. Initially, the malware was used to collect data from infected systems and the environments in which the systems were running.
A Trend Micro analysis showed the malware could download and execute additional code designed — among other things — to find and connect to servers based on Open Platform Communications (OPC) architecture and to gather information that could later be used to compromise the devices.
Many of Dragonfly's early attacks that used Havex were targeted at companies in the energy sector and appeared to be an attempt to understand the environment. The group distributed the malware via phishing emails and by compromising sites belonging to providers of ICS software and planting malicious code in their products, which target organizations later unwittingly downloaded on their networks.
In 2017, Symantec and others reported observing the threat actor deploying the malware in attacks designed to gain full control of operational systems at energy sector organizations in the US, Switzerland, and Turkey. The security vendor determined the attacks had been going on since at least December 2015, and had provided the threat actors full access to systems controlling critical equipment at power facilities.
An August 2021 US indictment — unsealed last month — that accused three officers of the Russian Federal Security Service of participating in the attacks shed more light on the success that Dragonfly achieved with its malware campaign. The indictment showed the attackers had targeted numerous companies with their backdoor, including power transmission companies, utilities, oil and gas suppliers, and nuclear power operators. In all, Dragonfly installed the Havex RAT on some 17,000 devices deployed at organizations in the US and elsewhere.