No, SFG isn't Stuxnet 2.0

[Blog post] Overhyped and underdone.

A new strain of the previously discovered Furtim malware was recently found infecting the Microsoft Windows systems of at least one European energy company, if you believe endpoint protection company SentinelOne Labs.

The firm named its discovery SFG. It claimed the malware was most likely a "dropper tool being used to gain access to carefully targeted network users, which is then used either to introduce the payload, which could either work to extract data or insert the malware to potentially shut down an energy grid".

This sounds highly dramatic. The question is, could this be another Stuxnet scandal, or has SentinelOne Labs sensationalised its discovery as a marketing ploy?

The firm suggests SFG looks like the work of a nationstate actor, proffering that it likely originated from somewhere in Eastern Europe.

It claims SFG is a highly sophisticated threat that employs a variety of advanced techniques to bypass traditional endpoint protection systems and firewalls, and that it can even detect and evade analysis in a sandbox.

SFG incorporates two known exploits (CVE-2014-4113 and CVE-2015-1701) and can bypass Microsoft Windows’ User Account Control (UAC).

This is where the story gets interesting: the blog post led to the logical, yet unfounded, assumption that SFG is targeting SCADA systems, which in turn meant it was likened to Stuxnet.

However, just after the initial blog post was published, SentinelOne Labs released an update, stating it had no evidence that SFG specifically targeted SCADA systems.

"The focus of our analysis was on the characteristics of the malware, not the attribution or target," the firm wrote.

This clarification came as a result of heavy criticism. Robert M. Lee, CEO of critical infrastructure security company Dragos Security, was one such critic: he argued that a "single intrusion does not make a campaign, and espionage type activity with “advanced” capabilities does not guarantee the actors work for a nationstate".

Lee’s post is extremely critical not only of SentinelOne Labs’ overly sensationalist reporting, seemingly for the purposes of marketing its wares, but also of media organisations that take these analytical leaps to pull in readers.

APT detection firm Damballa also lent its voice to the chorus: SFG is "just another Furtim build", its researchers said.

"There is no code specific to attacking industrial control systems or SCADA systems. [SFG] does not appear to be a nationstate operation, and there is no specific threat to any particular sector."

As soon as critical infrastructure companies are afflicted by malware, Stuxnet gets a mention and everyone assumes the target was the power grid (or whatever other kind of critical infrastructure service is managed). The old discussions of nationstate actors, conspiracies and espionage will surely emerge, while the actual details relating to the incident will largely go ignored.

In this case, according to Motherboard, the SFG malware wasn’t even discovered on the European energy company’s network – it was found on the so-called dark web.

So, all of these assertions that SFG is directly linked to cyberespionage and that it was targeting the power grid are, unfortunately, nothing more than speculation.

And the overuse of words such as sophisticated and advanced to describe every single piece of new malware means that reporting has become trite, and malware researchers are falling into the trap of creating hackneyed clichés rather than reporting the basic facts.

The security industry needs to be able to trust the work of researchers. When vendors and researchers take huge analytical leaps, and the ensuing fiction serves no one’s interests (other than their own marketing team's), everyone loses out.

Tony Campbell
Tony Campbell has been a technology and security professional for over two decades, during which time he has worked on dozens of large-scale enterprise security projects, published technical books and worked as a technical editor for Apress Inc.

He was the co-founder of Digital Forensics Magazine prior to developing security training courses for infosec skills.

He now lives and works in Perth, where he maintains a security consulting role with Kinetic IT while continuing to develop training material and working on fiction in his limited spare time.

Read more from this blog: Unpatched
