SCADA malware caught infecting European energy company

'Nation-state' fingered

By John Leyden


Security researchers have identified a strain of malware that has already infected at least one European energy company.

The malware, dubbed SFG, is related to an earlier sample called Furtim, which created a backdoor on targeted industrial control systems. That backdoor might be used to deliver a payload which could “extract data or potentially shut down the energy grid,” security researchers at endpoint security firm SentinelOne Labs warn.

SentinelOne Labs researchers reckon the SFG malware bears all the hallmarks of a nation-state attack - probably of Eastern European origin. The Windows-based malware is designed to bypass traditional antivirus software and firewalls.

It is also primed to detect when it is being run in a sandbox environment - a technique used to detect advanced malware - or on systems using biometric access control. Where such defences are detected, the software re-encrypts itself and stops working until it is released from the sandbox. These techniques (anti-debug, anti-sandbox, anti-AV) are designed to help the malware fly under the radar and avoid detection by security analysts.

Udi Shamir, chief security officer at SentinelOne, commented: “The malware has all the hallmarks of a nation state attack due to its extremely high level of sophistication and the cost associated with creating software of this advanced nature.

"It appears to be the work of multiple developers who have reverse engineered more than a dozen antivirus solutions and gone to extreme lengths to evade detection, including causing the AV software to stop working without the user being alerted. Attacks of this nature require substantial funding and know-how to pull off and are likely to be the result of a state sponsored attack, rather than a cybercriminal group.”

Technical details about the SFG malware can be found in a blog post by SentinelOne Labs. ®
