Security firm clarifies power-station 'SCADA' malware claim

It's not the next Stuxnet, says SentinelOne, it's just very naughty code

By Darren Pauli


Malware hyped as aimed at the heart of power plants is nothing of the sort according to security outfit Damballa, which has put its name to analysis claiming the "SFG" malware is run-of-the-mill code without sufficient smarts to target SCADA systems.

The so-called SFG malware is the spawn of Furtim, and hit headlines as targeting industrial control systems when all it does is create backdoors for regular data exfiltration and payload dropping.

Security outfit SentinelOne Labs found SFG and said it spotted the code infecting systems owned by a European energy company. SentinelOne said those attacks looked like the work of a nation-state.

But Damballa says the malware is a regular financially-driven menace that lacks SCADA (supervisory control and data acquisition) targeting.

"SFG is just another Furtim build," Damballa researchers say.

"There is no code specific to attacking industrial control systems or SCADA systems.

"[SFG] does not appear to be a nation-state operation, and there is no specific threat to any particular sector."

SentinelOne has since backtracked on its claims after copping criticism for its analysis, saying it does not have evidence that the malware was targeting SCADA systems.

"There has been a number of stories published since the posting of this blog that have suggested this attack is specifically targeting SCADA energy management systems," the company says in an update.

"We want to emphasise that we do not have any evidence that this is in fact the case. The focus of our analysis was on the characteristics of the malware, not the attribution or target."

Comparison of the original post found in Bing's cache against the updated version reveals that the claim that the targeted energy company was European has been deleted, along with a footer marketing call urging readers within the energy sector to reach out to the firm.

Researchers say it uses a "kitchen sink" approach to detecting the sandboxes, honeypots, and analysis efforts of white hats in a "cobbled together" mash taken from years-old malware code.

Yet it is the "most comprehensive" copy and paste effort to date.

Damballa finds the malware is also impressive in its use of the new 'fluxxy' fast flux infrastructure in which carding sites are built on a network of bot-bitten Russian and Ukrainian home computers that constantly shifts site IP addresses.

That fluxxy network powers malware campaigns including Carberp, Gozi ISFB, Pony, TeslaCrypt, GameOver ZeuS/Zbot, and Tinba.
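The fast-flux behaviour described above, in which a domain's resolved IP addresses keep shifting across a pool of infected home machines, is what defenders look for in passive DNS data. As an added illustration that is not part of the article or of Damballa's or SentinelOne's tooling, the following Python script scores domains from a set of resolution records: a domain whose answers churn across many unrelated /24 prefixes at low TTLs is flagged as a fast-flux candidate, while a domain that rotates through a couple of prefixes (typical of a content delivery network) or sits on one stable address is not. The observation records, domain names and thresholds are constructed for this example; production tooling would use autonomous-system data rather than /24 prefixes and far longer observation windows.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

# Constructed passive-DNS style records: (minute offset, domain, resolved IP, TTL seconds).
# The domains, addresses and TTLs are invented for this example; they describe no real infrastructure.
OBSERVATIONS = [
    # fast-flux candidate: eight answers in 35 minutes, spread across six unrelated /24s, short TTLs
    (0, "flux.example", "192.0.2.9", 120),
    (5, "flux.example", "198.51.100.17", 120),
    (10, "flux.example", "203.0.113.44", 60),
    (15, "flux.example", "100.64.3.5", 120),
    (20, "flux.example", "100.64.77.8", 60),
    (25, "flux.example", "192.0.2.200", 120),
    (30, "flux.example", "100.64.120.31", 120),
    (35, "flux.example", "203.0.113.120", 60),
    # CDN-like: many answers and short TTLs, but all inside two prefixes the operator controls
    (0, "cdn.example", "203.0.113.10", 60),
    (5, "cdn.example", "203.0.113.11", 60),
    (10, "cdn.example", "203.0.113.12", 60),
    (15, "cdn.example", "198.51.100.10", 60),
    (20, "cdn.example", "198.51.100.11", 60),
    (25, "cdn.example", "203.0.113.13", 60),
    # ordinary static host: one address, long TTL
    (0, "static.example", "192.0.2.50", 3600),
    (30, "static.example", "192.0.2.50", 3600),
    (60, "static.example", "192.0.2.50", 3600),
]


def summarise(observations):
    """Collect per-domain answer sets: distinct IPs, distinct /24 prefixes and the TTLs seen."""
    per_domain = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": []})
    for _minute, domain, ip, ttl in observations:
        record = per_domain[domain]
        record["ips"].add(ip)
        # /24 is a stand-in for "unrelated network"; real tooling would map each IP to its ASN.
        record["prefixes"].add(str(ip_network(f"{ip}/24", strict=False)))
        record["ttls"].append(ttl)
    return per_domain


def classify(observations, min_ips=5, min_prefixes=4, max_ttl=600):
    """Flag domains whose answers are numerous, spread over many prefixes and short-lived.

    Returns {domain: {"distinct_ips", "distinct_prefixes", "median_ttl", "flagged"}}.
    All three conditions must hold, so a CDN with many addresses in few prefixes is not flagged.
    """
    results = {}
    for domain, record in summarise(observations).items():
        distinct_ips = len(record["ips"])
        distinct_prefixes = len(record["prefixes"])
        median_ttl = median(record["ttls"])
        flagged = (
            distinct_ips >= min_ips
            and distinct_prefixes >= min_prefixes
            and median_ttl <= max_ttl
        )
        results[domain] = {
            "distinct_ips": distinct_ips,
            "distinct_prefixes": distinct_prefixes,
            "median_ttl": median_ttl,
            "flagged": flagged,
        }
    return results


if __name__ == "__main__":
    for domain, summary in sorted(classify(OBSERVATIONS).items()):
        verdict = "FAST-FLUX CANDIDATE" if summary["flagged"] else "ok"
        print(
            f"{domain:16} ips={summary['distinct_ips']:2} prefixes={summary['distinct_prefixes']:2} "
            f"median_ttl={summary['median_ttl']:6.0f}s  {verdict}"
        )
```

The three thresholds are deliberately conjunctive: low TTLs alone would flag every CDN, and many addresses alone would flag large load-balanced services, so the prefix-diversity test is what separates a botnet of home connections from a legitimately distributed service. On a real feed, tune the thresholds against known-good domains first and treat a hit as a lead for further enrichment, not as a verdict.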

"We should focus our intelligence efforts on mapping this fast-flux infrastructure and working with authorities to disrupt, degrade, and destroy it," Damballa says. ®
