Stuxnet was the first known malware built to attack operational technology environment. Since then, there have been several others.

7 Slides

A recent attempt by Russia's infamous Sandworm threat group to disrupt operations at a Ukrainian power company has once again drawn attention to the — still somewhat limited — collection of publicly known tools designed specifically to disrupt industrial control systems.

For the attack, Sandworm used an updated version of a malware tool dubbed Industroyer/CrashOverride that gave the threat actors a way to manipulate equipment at substations to trigger power outages. Ukraine's computer emergency response team (CERT-UA) thwarted the attack before any damage was done. It determined the attackers had wanted to decommission high-voltage electric substations and other infrastructure elements at the targeted facility.

Industroyer is one of a handful of highly sophisticated tools that security researchers have discovered in recent years designed to give attackers access to systems controlling operational equipment at power facilities, oil and gas firms, and other critical infrastructure organizations.

Unlike other malware, which often share commonalities in features and functions, ICS-specific malware tools have tended to be highly customized for targeted environments. Stuxnet, one of the first publicly known instances of malware designed to cause physical damage to systems, was optimized to damage equipment at Iran's uranium enrichment facility in Natanz. The version of Industroyer used in the recently foiled attack in Ukraine was fine-tuned to disrupt the particular systems at the targeted facility.

Daniel Kapellmann Zafra, senior technical analysis manager at Mandiant, says ICS-specific malware has become more complex, sophisticated, and easier to use. While Stuxnet was snuck into the Iranian facility via a USB drive, the newest malware tools in its class are designed for network break-in.

"Newer OT [operations technology] malware is developed in ways in which the actor can rely on intermediary systems across OT to deploy the malware remotely, making it more convenient for the actor to use it against a target," Kapellmann Zafra says. Newer tools are also more flexible, meaning they can be tweaked to a certain extent so they can be deployed against more than one target.

Deral Heiland, principal security researcher at Rapid7, says the ICS-specific tools often leverage normal functionality of the targeted ICS/SCADA environment and associated management and control protocols. Attackers have gained a better understanding of once relatively obscure ICS/SCADA communication protocols — such as Codesys and Profinet — and are using that knowledge to develop sophisticated tools.

Here is a look at six malware tools designed specifically to attack ICS environments.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights