SCADA malware caught infecting European energy company

'Nation-state' fingered

By John Leyden

Posted in Security, 12th July 2016 15:33 GMT

Security researchers have identified a strain of malware that has already infected at least one European energy company.

The malware, dubbed SFG, is related to an earlier sample called Furtim, which created a backdoor on targeted industrial control systems. That backdoor could be used to deliver a payload to “extract data or potentially shut down the energy grid,” security researchers at endpoint security firm SentinelOne Labs warn.

SentinelOne Labs researchers reckon the SFG malware bears all the hallmarks of a nation-state attack, probably of Eastern European origin. The Windows-based malware is designed to bypass traditional antivirus software and firewalls.

It is also primed to detect when it is being run in a sandbox environment (a technique used to detect and analyse advanced malware) or on systems using biometric access control. Where such defences are detected, the software re-encrypts itself and stops working until it is released from the sandbox environment. These techniques (anti-debug, anti-sandbox, anti-AV) are designed to help the malware fly under the radar and avoid detection by security analysts.
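To make the "stay encrypted until the host looks real" behaviour concrete, here is an added illustration of the environment-gating pattern. It is not SFG's code and the page does not say which checks SFG actually performs: the indicator names, thresholds, usernames and the XOR "cipher" are all constructed stand-ins chosen so the script runs offline.

```python
"""Environment-gated payload: an added illustration of the anti-sandbox /
anti-debug pattern described in the article. Not SFG's code; every indicator
and threshold below is a hypothetical stand-in, and the payload is a harmless
string. The only live check is the Python-level debugger test (sys.gettrace)."""
import os
import sys
from typing import Dict, List, Tuple

# Toy XOR keystream standing in for real encryption. A real sample would use a
# proper cipher with a key derived from the environment; this is just enough
# to show the payload never sits decrypted in memory while indicators fire.
_KEY = b"not-a-real-key"


def xor_cipher(data: bytes, key: bytes = _KEY) -> bytes:
    """Symmetric XOR: applying it twice yields the original bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# The "second stage" is stored encrypted and only decrypted on a clean host.
PLAINTEXT_PAYLOAD = b"benign stand-in for the second-stage payload"
ENCRYPTED_PAYLOAD = xor_cipher(PLAINTEXT_PAYLOAD)

# Hypothetical indicators (constructed for this example, not taken from SFG).
SANDBOX_USERNAMES = {"sandbox", "malware", "virus", "analyst"}
MIN_CPU_COUNT = 2            # single-vCPU guests are a classic sandbox tell
MIN_UPTIME_SECONDS = 10 * 60  # freshly booted snapshot


def sandbox_indicators(env: Dict[str, object]) -> List[str]:
    """Return every indicator suggesting an analysis environment.

    `env` describes the host, e.g. {"debugger": False, "cpu_count": 1,
    "uptime_s": 30, "username": "sandbox"}. Callers can pass a constructed
    dict (as the tests do) or the live one from host_env().
    """
    hits = []
    if bool(env.get("debugger", False)):
        hits.append("debugger attached")
    if int(env.get("cpu_count", 0)) < MIN_CPU_COUNT:
        hits.append("too few CPUs")
    if float(env.get("uptime_s", 0)) < MIN_UPTIME_SECONDS:
        hits.append("host uptime suspiciously short")
    if str(env.get("username", "")).lower() in SANDBOX_USERNAMES:
        hits.append("analysis-style username")
    return hits


def host_env() -> Dict[str, object]:
    """Collect live host facts. Uptime is read from /proc/uptime on Linux and
    treated as 'long' elsewhere so the example stays portable."""
    try:
        with open("/proc/uptime") as fh:
            uptime = float(fh.read().split()[0])
    except (OSError, ValueError, IndexError):
        uptime = float("inf")
    return {
        "debugger": sys.gettrace() is not None,
        "cpu_count": os.cpu_count() or 0,
        "uptime_s": uptime,
        "username": os.environ.get("USER") or os.environ.get("USERNAME", ""),
    }


def run_if_clean(env: Dict[str, object]) -> Tuple[bool, bytes]:
    """Decrypt and 'run' the payload only when no indicator fires.

    Returns (ran, payload). When indicators are present the payload is left
    encrypted; a real sample would go dormant rather than exit noisily, which
    is the 'stop working until released' behaviour the article describes.
    """
    if sandbox_indicators(env):
        return False, ENCRYPTED_PAYLOAD
    return True, xor_cipher(ENCRYPTED_PAYLOAD)


if __name__ == "__main__":
    ran, payload = run_if_clean(host_env())
    print("ran" if ran else "dormant", payload if ran else "<payload still encrypted>")
```

The defensive takeaway is the mirror image: a sandbox that presents several vCPUs, a plausible uptime and username, and keeps the sample running past its sleep loops sees the decrypted stage that a one-minute, single-core run never will.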

Udi Shamir, chief security officer at SentinelOne, commented: “The malware has all the hallmarks of a nation state attack due to its extremely high level of sophistication and the cost associated with creating software of this advanced nature.

"It appears to be the work of multiple developers who have reverse engineered more than a dozen antivirus solutions and gone to extreme lengths to evade detection, including causing the AV software to stop working without the user being alerted. Attacks of this nature require substantial funding and know-how to pull off and are likely to be the result of a state-sponsored attack, rather than a cybercriminal group.”

Technical details about the SFG malware can be found in a blog post by SentinelOne Labs. ®
