Security firm clarifies power-station 'SCADA' malware claim

It's not the next Stuxnet, says SentinelOne, it's just very naughty code

By Darren Pauli


Malware hyped as aimed at the heart of power plants is nothing of the sort according to security outfit Damballa, which has put its name to analysis claiming the "SFG" malware is run-of-the-mill code without sufficient smarts to target SCADA systems.

The so-called SFG malware is a descendant of Furtim, and hit headlines as targeting industrial control systems when all it does is create backdoors for routine data exfiltration and payload dropping.

Security outfit SentinelOne Labs found SFG and said it spotted the code infecting systems owned by a European energy company. SentinelOne said those attacks looked like the work of a nation-state.

But Damballa says the malware is a regular financially-driven menace that lacks SCADA (supervisory control and data acquisition) targeting.

"SFG is just another Furtim build," Damballa researchers say.

"There is no code specific to attacking industrial control systems or SCADA systems.

"[SFG] does not appear to be a nation-state operation, and there is no specific threat to any particular sector."

SentinelOne has since backtracked on its claims after copping criticism for its analysis, saying it does not have evidence that the malware was targeting SCADA systems.

"There has been a number of stories published since the posting of this blog that have suggested this attack is specifically targeting SCADA energy management systems," the company says in an update.

"We want to emphasise that we do not have any evidence that this is in fact the case. The focus of our analysis was on the characteristics of the malware, not the attribution or target."

Comparing the original post, found in Bing's cache, with the updated version shows that the claim that the targeted energy company was European has been deleted, along with a footer marketing call asking readers in the energy sector to contact the firm.

Researchers say the malware uses a "kitchen sink" approach to detecting the sandboxes, honeypots, and analysis efforts of white hats, in a "cobbled together" mash taken from years-old malware code.

Yet it is the "most comprehensive" copy and paste effort to date.

Damballa finds the malware is also impressive in its use of the new 'fluxxy' fast-flux infrastructure, in which carding sites are built on a network of bot-infected Russian and Ukrainian home computers that constantly shifts site IP addresses.

That fluxxy network powers malware campaigns including Carberp, Gozi ISFB, Pony, TeslaCrypt, GameOver ZeuS/Zbot, and Tinba.

"We should focus our intelligence efforts on mapping this fast-flux infrastructure and working with authorities to disrupt, degrade, and destroy it," Damballa says. ®
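As an added example (not from the article, nor Damballa's or SentinelOne's code), the kind of check a defender would run to spot fast-flux domains in their own resolver logs: a Python script that flags names whose A records churn across many hosts and network prefixes with short TTLs, the pattern the "mapping" advice above relies on. The log format, the `.invalid` domain names, the RFC 5737 documentation addresses and the thresholds are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample resolver log (not real data); one line per A-record answer.
# Format: <timestamp> <queried name> <answer IP> <ttl seconds>
SAMPLE_LOG = """\
2016-07-15T10:00:01 shop.fluxy-example.invalid 192.0.2.14 120
2016-07-15T10:02:05 shop.fluxy-example.invalid 198.51.100.7 120
2016-07-15T10:04:09 shop.fluxy-example.invalid 203.0.113.88 90
2016-07-15T10:06:12 shop.fluxy-example.invalid 192.0.2.201 120
2016-07-15T10:08:20 shop.fluxy-example.invalid 198.51.100.133 60
2016-07-15T10:10:31 shop.fluxy-example.invalid 203.0.113.5 120
2016-07-15T10:12:44 shop.fluxy-example.invalid 192.0.2.77 120
2016-07-15T10:00:03 www.stable-example.invalid 192.0.2.10 3600
2016-07-15T10:30:03 www.stable-example.invalid 192.0.2.11 3600
2016-07-15T11:00:03 www.stable-example.invalid 192.0.2.10 3600
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    """Yield (name, ip, ttl) tuples; malformed lines and bad addresses are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, qname, ip, ttl = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        yield qname.lower().rstrip("."), addr, int(ttl)

def summarise(text):
    """Per name: the distinct answer IPs, the distinct /24 prefixes, and the lowest TTL seen."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None})
    for qname, addr, ttl in parse_log(text):
        s = stats[qname]
        s["ips"].add(addr)
        s["prefixes"].add(ipaddress.ip_network(f"{addr}/24", strict=False))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats

def fast_flux_candidates(text, min_ips=5, min_prefixes=3, max_ttl=300):
    """Names answered by many hosts spread over several networks with short TTLs (thresholds assumed)."""
    return sorted(
        name for name, s in summarise(text).items()
        if len(s["ips"]) >= min_ips and len(s["prefixes"]) >= min_prefixes and s["min_ttl"] <= max_ttl
    )

if __name__ == "__main__":
    print(fast_flux_candidates(SAMPLE_LOG))
```

A legitimate CDN can also answer with many IPs, so candidates still need the domain's age, registrar and the answering networks' nature (residential versus hosting) checked before being treated as fluxxy-style infrastructure.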
