Hacking industrial processes with an undetectable PLC rootkit

Two security researchers have developed an undetectable PLC rootkit that they will present at the upcoming Black Hat Europe 2016.

The energy industry is under unceasing attack: cyber criminals and state-sponsored hackers continue to target the systems of companies in the sector.
The Stuxnet case demonstrated to the IT community the danger of cyber attacks: threat actors can spread malicious code to interfere with processes inside a critical infrastructure.
A new attack to be revealed at the Black Hat Europe conference silently takes over industrial network processes.

The security researcher Ali Abbasi, a Ph.D. candidate in the distributed and embedded system security group at the University of Twente, Netherlands, and Majid Hashemi, an independent security researcher, have developed an undetectable PLC rootkit. The duo will present the rootkit at the upcoming Black Hat Europe, which will be held in London in November.

The duo will also present a version of the PLC attack that leverages shellcode. The title of the presentation is Ghost In The PLC: Designing An Undetectable Programmable Logic Controller Rootkit.

The researchers believe that their PLC rootkit could be more dangerous than Stuxnet because it is stealthy and affects the PLC directly, unlike Stuxnet, which was designed to target SCADA systems running on Windows. It is much less likely to be discovered because it sits at a lower level of the system.

The PLC rootkit was developed to compromise the low-level components of a PLC system. It could be considered a cross-platform PLC threat because it is able to infect PLCs manufactured by almost any vendor.

“It’s a race to the bottom,” Abbasi told DarkReading. “Everybody has access to higher-level [SCADA operations]. Attackers in the future will go to lower level assaults” such as this to evade detection, he says.

Hacking a PLC directly could be simpler for malware writers (VXers) because such devices don’t implement many detection mechanisms, which means that a PLC running a real-time operating system could be more exposed to cyber attacks.

In August, a group of researchers presented at Black Hat USA a PLC worm that spreads among PLCs; its creators dubbed it PLC-Blaster.

Abbasi and Hashemi explained that, unlike other similar threats, their PLC rootkit does not target the PLC logic code, which makes it hard to detect.

Furthermore, the researchers explained that the activity of the PLC rootkit will go unnoticed even by systems that monitor the power consumption of the PLC.

“The overhead imposed by our attack outside of kernel is below one percent, which means even those approaches which monitor the power usage of PLC for attack detection will be useless,” explained Abbasi.

The malware interferes with the connection between the PLC runtime and logic and the I/O peripherals. It resides in the dynamic memory of the industrial component and manipulates the I/O and the PLC process while the PLC is communicating with the I/O block, which is composed of output pins that handle the physical control of the process.

The PLC receives signals from the field through its input pins (e.g. the level of the liquid in a pipe) and controls the process through actuators that receive instructions from the output pins of the PLC (e.g. control of a valve).

Clearly, by manipulating the I/O signals it is possible to interfere with the industrial process in a stealthy way, and this is what the PLC rootkit does.

“Our attack instead targets the relation between PLC runtime and logic with the I/O peripherals of it. In our attack, the PLC logic and PLC runtime remain intact,” said Abbasi. “In PLCs, the I/O operations are one of the most important tasks.”

As explained by the duo, the attack is feasible due to the lack of hardware interrupts on the PLC’s SoC, and it is intensified by the Pin Control subsystem’s inability to detect pin configuration changes at the hardware level.
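As an added illustration (not code from the researchers' work or from this article), the following constructed C model of a one-pin scan cycle shows why a defender cannot rely on verifying the logic or runtime when the I/O layer is what gets altered: the logic keeps commanding the valve correctly, so only a readback of the actual pin latch and pin configuration reveals a discrepancy. The pin-block layout, pin assignments and status codes are assumptions made for this example, and the "tampering" is a constructed fault injection used to exercise the check.

```c
#include <stdint.h>

/* Constructed pin-control block (not a real SoC layout): config byte
 * (bit set = output), output latch written by the runtime, field input. */
typedef struct { uint8_t cfg, out, in; } pin_block_t;

#define PIN_VALVE    0x01u      /* output bit 0: drain valve actuator */
#define PIN_LEVEL    0x01u      /* input bit 0: high-level sensor in the pipe */
#define EXPECTED_CFG PIN_VALVE  /* known-good config: only the valve pin is an output */

/* PLC logic, which the described attack leaves intact: open the valve while high. */
static uint8_t plc_logic(uint8_t inputs) {
    return (inputs & PIN_LEVEL) ? PIN_VALVE : 0u;
}

/* One scan cycle: sample inputs, run logic, drive the latch.
 * Returns the commanded value so a monitor can compare it afterwards. */
static uint8_t scan_cycle(pin_block_t *pins) {
    uint8_t commanded = plc_logic(pins->in);
    pins->out = commanded;
    return commanded;
}

enum io_status { IO_OK = 0, IO_OUTPUT_MISMATCH = 1, IO_CONFIG_MISMATCH = 2 };

/* Defensive readback: logic and runtime are untouched, so verifying their code
 * proves nothing; re-read the pin block and compare it with what the logic
 * commanded and with the known-good pin configuration (flags are ORed). */
static int io_integrity_check(const pin_block_t *pins, uint8_t commanded) {
    int status = IO_OK;
    if (pins->out != commanded)    status |= IO_OUTPUT_MISMATCH;
    if (pins->cfg != EXPECTED_CFG) status |= IO_CONFIG_MISMATCH;
    return status;
}

/* Clean cycle: level high, logic opens the valve, readback agrees (returns 0). */
int demo_clean(void) {
    pin_block_t pins = { EXPECTED_CFG, 0u, PIN_LEVEL };
    return io_integrity_check(&pins, scan_cycle(&pins));
}

/* Same cycle, then a constructed fault standing in for I/O tampering between
 * runtime and pins: latch flipped, valve pin reconfigured as input (returns 3). */
int demo_tampered(void) {
    pin_block_t pins = { EXPECTED_CFG, 0u, PIN_LEVEL };
    uint8_t commanded = scan_cycle(&pins);
    pins.out ^= PIN_VALVE;
    pins.cfg = 0u;
    return io_integrity_check(&pins, commanded);
}
```

On real hardware the readback would have to come from the pin-control registers themselves, since the article notes the subsystem raises no hardware interrupt on a configuration change, so a periodic software poll of that state is the minimum a monitor can do.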

Abbasi and Hashemi are currently studying defensive countermeasures to detect such threats and protect PLCs from them.


Pierluigi Paganini

(Security Affairs – PLC rootkit, hacking)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
