Malware 'disguised as Siemens software drills into 10 industrial plants'

Four years of active infection, claims security biz Dragos

By John Leyden

Malware posing as legitimate software for Siemens control gear has apparently infected industrial equipment worldwide over the past four years.

The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we're told. At least 10 industrial plants – seven in the US – were found running the infected software, a study by industrial cybersecurity firm Dragos claims.

According to the Maryland-based biz, this particular malware was specifically thrown at industrial control equipment. Exactly what it does, or did, is not explained, although it is described as "crimeware". Dragos CEO Robert Lee writes:

Starting in 2013, there were submissions from an ICS environment in the US for Siemens programmable logic controller control software. The various anti-virus vendors were flagging it as a false positive initially, and then eventually a basic piece of malware. Upon our inspection, we found ... variations of this file and Siemens theme 10 times over the last four years, with the most recent flagging of this malicious software being this month in 2017.

In short, there has been an active infection for the last four years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software. The malware is simply crimeware but has seemingly been effective.

This malware is separate to common-or-garden adware and bank-raiding Trojans that find their way onto PCs. Dragos conservatively estimates that 3,000 industrial sites a year are infected by traditional cyber-pests. These infections were largely opportunistic Trojans – such as Sivis, Ramnit, and Virut – brought in by staff using infected USB sticks.

Dragos revealed its findings during a keynote at the SANS ICS Security Summit in Orlando, Florida.

Edgard Capdevielle, chief exec at industrial control security specialists Nozomi Networks, said: "That ICS themed malware exists is not surprising, but it is concerning. The reality is that ICS networks today face all the same security challenges as every other IT network, but lack similar security options.

"Historically ICS was designed to be completely segregated and confined by physical boundaries. However, each new IP address punches another hole in the metaphorical wall that separates Information Technology (IT) and Operational Technology (OT). Having established IT connectivity, it's difficult to put the genie back in the bottle and each of these avenues is a potential point of weakness that can be compromised – by hackers burrowing in or malware (such as ransomware) detonating internally and then radiating out."

Andrew Cooke, head of cyber consulting at Airbus Defence and Space CyberSecurity, added: "Malware is prevalent in a wide range of industrial systems, often spread by an infected USB stick or by unauthorized remote access. But while the majority of malware found in these systems is low level, it can still pose a serious risk for the organizations concerned. Sophisticated attackers often use these methods to gain valuable intelligence about the way that a system is operated, configured and run." ®
