FireEye recently discovered a new type of malware called Irongate, which has exhibited some of the same characteristics as Stuxnet in targeted attacks on industrial control systems. What are the Stuxnet traits exhibited by the Irongate malware, and what are the risks to enterprises?
Most malware shares some basic traits with Stuxnet. Stuxnet was designed and targeted at very specific supervisory control and data acquisition (SCADA) systems in Iran for very specific reasons. It was a sophisticated piece of malware when it came out, but it had much of the same functionality as other malware, including an initial infection method and a dropper. FireEye discovered the Irongate malware while searching VirusTotal, a free malware scanner, for files that use PyInstaller. The Irongate developers have made advancements in their malware's anti-analysis functionality, compared to Stuxnet, which just checks for antivirus software. Because Irongate was identified through secondary analysis of VirusTotal data rather than by investigating compromised systems, it is difficult to establish the full extent of the malware's functionality and of any attack that used it. It is, however, a good example of what a community data repository can be used for.
Like Stuxnet, Irongate attacks industrial control systems (ICSs), looks for a specific process to infect and replaces dynamic link libraries to manipulate that process. Enterprises with ICS or SCADA systems need to continue to maintain the security of their environments and to implement new security controls after risk assessments are performed. As FireEye stated, there is minimal risk to enterprises, because Irongate appears to be proof-of-concept malware that doesn't perform malicious actions. Enterprises with Siemens control systems should contact Siemens to find out whether their systems are vulnerable to Irongate, because neither FireEye nor Siemens has publicly listed which systems were vulnerable.
FireEye has two recommendations that are common in more mature software development environments: using code signing for the software in use, and including sanity checks on I/O data. FireEye released indicators of compromise that an enterprise could check on its ICS or SCADA systems to see if it had been compromised, but it might be more important to ensure that your enterprise has the capability to check its ICS or SCADA systems for such indicators at all, rather than to perform a one-off search for Irongate.
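The second recommendation, sanity checking I/O data, is easy to state and rarely shown. The following is an added example (not FireEye's code and not from the article) of the kind of plausibility checks a monitoring layer can apply to process values as they arrive from a controller: a hard range per tag, a maximum change between consecutive samples, and a limit on how many identical consecutive readings are plausible for a live sensor. The tag names, limits and sample stream are constructed for illustration and are not from any real system.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Limits:
    """Plausibility bounds for one I/O tag (values here are constructed)."""
    low: float          # lowest physically plausible reading
    high: float         # highest physically plausible reading
    max_delta: float    # largest plausible change between consecutive samples
    max_repeat: int     # identical consecutive readings before the tag looks frozen


class IOSanityChecker:
    """Stateful checker: remembers the last value and repeat count per tag."""

    def __init__(self, limits: dict[str, Limits]) -> None:
        self.limits = limits
        self.last: dict[str, float] = {}
        self.repeats: dict[str, int] = {}

    def check(self, tag: str, value: float) -> list[str]:
        """Return a list of findings (empty if the reading looks plausible)."""
        lim = self.limits[tag]
        findings: list[str] = []

        # 1. Hard range: a reading outside the physical envelope is never valid.
        if not (lim.low <= value <= lim.high):
            findings.append(f"{tag}: {value} outside [{lim.low}, {lim.high}]")

        prev = self.last.get(tag)
        if prev is None:
            self.repeats[tag] = 1
        else:
            # 2. Rate of change: real processes do not jump arbitrarily fast.
            if abs(value - prev) > lim.max_delta:
                findings.append(f"{tag}: jump {prev}->{value} exceeds {lim.max_delta}")
            # 3. Frozen value: a live sensor should show some variation.
            if value == prev:
                self.repeats[tag] += 1
                if self.repeats[tag] >= lim.max_repeat:
                    findings.append(
                        f"{tag}: value {value} unchanged for {self.repeats[tag]} samples"
                    )
            else:
                self.repeats[tag] = 1

        self.last[tag] = value
        return findings


def run_checks(samples: list[tuple[str, float]], limits: dict[str, Limits]) -> list[str]:
    """Feed a stream of (tag, value) samples through the checker; collect alerts."""
    checker = IOSanityChecker(limits)
    alerts: list[str] = []
    for tag, value in samples:
        alerts.extend(checker.check(tag, value))
    return alerts


# Constructed limits for two hypothetical tags (not from any real plant).
SAMPLE_LIMITS: dict[str, Limits] = {
    "tank_level_pct": Limits(low=0.0, high=100.0, max_delta=5.0, max_repeat=4),
    "pump_temp_c": Limits(low=10.0, high=90.0, max_delta=3.0, max_repeat=4),
}

# Constructed sample stream: a plausible start, then an implausible jump,
# a reading that stops changing, and finally an out-of-range value.
SAMPLE_STREAM: list[tuple[str, float]] = [
    ("tank_level_pct", 50.0), ("pump_temp_c", 40.0),
    ("tank_level_pct", 52.0), ("pump_temp_c", 41.0),
    ("tank_level_pct", 70.0),  # jump of 18 points in one sample
    ("pump_temp_c", 41.0),
    ("tank_level_pct", 70.0),
    ("pump_temp_c", 41.0),
    ("tank_level_pct", 70.0),
    ("pump_temp_c", 41.0),     # fourth identical reading in a row
    ("tank_level_pct", 105.0), # physically impossible percentage
]


if __name__ == "__main__":
    for alert in run_checks(SAMPLE_STREAM, SAMPLE_LIMITS):
        print("ALERT", alert)
```

The thresholds have to come from process engineers who know the plant, not from the security team; the value of the check is that manipulated or replayed data has to stay inside an envelope the defenders define, and anything that does not is logged for investigation rather than silently accepted by the HMI.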