A new piece of sophisticated malware has been discovered on the networks of an unnamed European energy company with what researchers believe is the potential to shut down an energy grid.
Endpoint protection firm Sentinel One Labs discovered the malware and dubbed it SFG, revealing that it not only collects information on the infected system but also opens a backdoor through which a destructive payload could be launched.
It affects all versions of Windows and has been built to evade next-generation firewalls and anti-virus software. The malware also shuts itself down when run in a sandboxed environment or a virtual machine, so that it escapes the notice of security teams.
This piece of malware, according to Sentinel One Labs, “exhibits traits seen in previous nation-state rootkits, and appears to have been designed by multiple developers with high-level skills and access to considerable resources”.
Jalal Bouhdada, founder and principal ICS security consultant at Applied Risk, said attackers were shifting their focus to industrial facilities given the lucrative opportunities for blackmail through things like ransomware.
"For nation-states, identifying weaknesses in critical infrastructures of adversaries can be used strategically in case of conflicts in which cyber-attacks can be launched to paralyse a nation's key sectors, such as power, water and transportation," Bouhdada said.
Due to its sophistication, this piece of malware likely points towards a nation-state, according to Tim Erlin, director of security and IT risk strategist at Tripwire.
"The motivations for nation-state attackers are very different from the financially motivated cyber-criminals we're used to dealing with. Nation-state attackers are often better resourced, more patient, and more interested in causing material harm to life and safety than their criminal counterparts," he said.
Not new, but still scary
This type of attack is nothing new: the Russian state is still widely believed to be behind the Black Energy group, which shut down power to 225,000 people in Ukraine last year by attacking a power company.
The most famous piece of critical infrastructure malware was Stuxnet. Believed to be developed by American and Israeli intelligence, Stuxnet was let loose on an Iranian nuclear refinery. It both collected intelligence and wreaked havoc, destroying thousands of centrifuges used to enrich uranium.
One of the principal problems with industrial control systems and critical infrastructure such as railways or power plants is that they tend to have been built before cyber-security was a consideration. When security is then retrofitted onto them, it is not always easy to tell where holes have been left.
Stephen Gates, chief research intelligence analyst at NSFOCUS, said most people don't realise that critical infrastructure is being controlled by "computers that are just as vulnerable as our phones, laptops, servers, etc".
In fact, many industrial control systems are replete with vulnerabilities. Gates pointed to the fact that a simple search on www.cve.mitre.org for SCADA systems will show 162 known vulnerabilities, many of which allow remote code execution. From there, attackers can get remote access and ultimately take over a compromised system.
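The CVE search Gates describes only becomes actionable for a defender once the hits are mapped onto the equipment actually deployed and the network-reachable remote-code-execution entries are pulled to the top of the list. The Python below, added here as an illustration and not code from the article or from any of the firms quoted, does that triage over a constructed asset inventory and constructed CVE records. The record shape, vendor names and CVE identifiers are placeholders invented for the example; real CVE/NVD feeds use different field names.

```python
"""Map CVE records onto an ICS asset inventory and rank the findings so that
network-reachable remote-code-execution bugs on deployed equipment come first.

Added example; all data below is constructed and the record layout is an
assumption made for this illustration, not the CVE or NVD feed format.
"""
import re
from dataclasses import dataclass

# Phrases that, in a CVE description, usually indicate code execution.
RCE_PATTERN = re.compile(
    r"remote code execution|execute arbitrary code|arbitrary command execution",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Asset:
    name: str      # operator's label for the device
    vendor: str    # matched against the CVE's affected vendor
    product: str   # matched against the CVE's affected product
    zone: str      # "control" (process network) or "enterprise"


@dataclass
class Finding:
    cve_id: str
    asset: str
    zone: str
    score: float
    network_rce: bool  # code execution reachable over the network

    @property
    def priority(self):
        # Sort key: network-reachable RCE first, then by CVSS base score.
        return (self.network_rce, self.score)


# Constructed inventory (placeholder vendor/product names).
SAMPLE_ASSETS = [
    Asset("substation-hmi-01", "examplevendor", "scada-hmi", "control"),
    Asset("historian-01", "examplevendor", "historian", "enterprise"),
    Asset("plc-line-3", "othervendor", "plc-firmware", "control"),
]

# Constructed CVE records in a simplified shape (not real advisories).
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "vendor": "examplevendor", "product": "scada-hmi",
     "description": "Stack-based buffer overflow allows remote code execution "
                    "via a crafted packet.",
     "score": 9.8, "vector": "NETWORK"},
    {"id": "CVE-0000-0002", "vendor": "examplevendor", "product": "historian",
     "description": "Improper authentication allows an unauthenticated user "
                    "to read configuration files.",
     "score": 7.5, "vector": "NETWORK"},
    {"id": "CVE-0000-0003", "vendor": "othervendor", "product": "plc-firmware",
     "description": "A local user can execute arbitrary code via a malformed "
                    "project file.",
     "score": 7.8, "vector": "LOCAL"},
    {"id": "CVE-0000-0004", "vendor": "unrelatedvendor", "product": "office-suite",
     "description": "Remote code execution via crafted document.",
     "score": 9.8, "vector": "NETWORK"},
]


def is_rce(description: str) -> bool:
    """True when the description reads like a code-execution bug."""
    return RCE_PATTERN.search(description) is not None


def match_findings(cves, assets):
    """Keep only CVEs that hit an inventoried asset, ranked by priority."""
    index = {(a.vendor.lower(), a.product.lower()): a for a in assets}
    findings = []
    for cve in cves:
        asset = index.get((cve["vendor"].lower(), cve["product"].lower()))
        if asset is None:
            continue  # not deployed here; noise for this operator
        network_rce = is_rce(cve["description"]) and cve["vector"] == "NETWORK"
        findings.append(Finding(cve["id"], asset.name, asset.zone,
                                cve["score"], network_rce))
    findings.sort(key=lambda f: f.priority, reverse=True)
    return findings


def control_zone_rce(findings):
    """IDs of network-reachable RCE findings on process-network assets."""
    return [f.cve_id for f in findings if f.network_rce and f.zone == "control"]


if __name__ == "__main__":
    for f in match_findings(SAMPLE_CVES, SAMPLE_ASSETS):
        print(f"{f.cve_id}  {f.asset:<18} {f.zone:<10} "
              f"{f.score:>4}  network_rce={f.network_rce}")
```

The unmatched office-suite record is dropped because the operator does not run that product; the PLC bug is real code execution but is ranked below the HMI bug because it needs local access. The control-zone list is the one to hand to the operations team first, since those are the devices whose compromise produces the loss of view and loss of control Gates describes.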
"Cyber attackers who have gained remote access and can remain persistent in a network can cause a loss of view, manipulation of view, loss of control and denial of control for operators running critical infrastructure. Exploiting these 'operational vulnerabilities' could result in a catastrophic event," Gates said.