Pierluigi Paganini March 25, 2017

Findings of the MIMICS project conducted by Dragos Threat Operations Center show a malware posing as Siemens PLC application is targeting ICS worldwide.

After the disclosure of the Stuxnet case, the security industry started looking at ICS malware with increasing attention. A malware that infects an industrial control system could cause serious damages and put in danger human lives.

Ben Miller, Director of the Dragos Threat Operations Center, conducted an interesting research based on data regarding ICS incidents collected over the last 13+ years.

The project studied modern industrial control systems (MIMICS) from completely public datasets.

“In this project the Dragos, Inc. team looked at public data sources such as VirusTotal to identify malware and (in many cases) legitimate ICS files being uploaded to encourage a more nuanced discussion around security in the modern ICS.” explains Dragos CEO, Robert M. Lee. 

Miller discovered ~30k samples of infected ICS files and installers dating back to 2003. The most dangerous threats are malware that quickly spread like Sivis, Ramnit, and Virut.

The experts confirmed that the infections of ICSs are not rare, they highlighted that there are only three publicly showcased pieces of ICS tailored malware: Stuxnet, Havex, and BlackEnergy2. There have been rumors around another couple of ICS tailored malware exploited in active campaigns, some of them studied by researchers at IronGate.

One of the most interesting findings of the MIMICS research is that multiple variants of the same malware disguised as software for Siemens programmable logic controllers (PLCs) has been detected 10 times over the last 4 years. The last time this specific ICS malware was discovered was early March.

“Starting in 2013 there were submissions from an ICS environment in the US for Siemens programmable logic controller (PLC) control software. The various anti-virus vendors were flagging it as a false positive initially and then eventually a basic piece of malware.” continues Lee. “Upon our inspection, we found that variations of this file and Siemens theme 10 times over the last 4 years with the most recent flagging of this malicious software being this month in 2017. In short, there has been an active infection for the last 4 years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software. The malware is simply crimeware but has seemingly been effective.”

Researchers encurage asset owners and operators to implement simple best practices such as network security monitoring in order to protect their environments, for example software supply chain validation can be sufficient to drastically a concerning attack vector.

“The last finding we had was driven by the hypothesis that many of the IT security teams and security technologies that are not used to ICS environments may be flagging legitimate ICS software as malicious where it could be inappropriately placed in public databases.” concludes the report.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ICSs, malware)