Researchers at Silicon Valley-based cybersecurity giant FireEye have discovered malware aimed at industrial control systems — only the fourth of its kind.
In a new report, released Thursday, the company details the discovery of the malware, dubbed “Irongate,” last year — saying that it has not been used in actual attacks and that it appears designed to run in a simulation environment rather than on an actual ICS.
“We acknowledge that Irongate could be a test case, proof of concept, or research activity for ICS attack techniques,” the researchers write.
The revelation comes at a time when Congress and others are increasingly concerned about the prevalence of cyber threats against vital industries, like the electrical grid, that are controlled by ICSs.
ICS and SCADA systems are special kinds of computer equipment that control industrial plants.
Several of FireEye’s channel distribution partners — companies like Parsons and St. Louis-based Belden — specialize in protecting similar industrial technologies from hackers.
FireEye explains in their report that they do not know who created Irongate or why. There is no evidence to suggest the malware has been used in the real world, according to the report.
Nonetheless, Irongate could be dangerous because it is designed to manipulate data files to alter operations tied to temperature and pressure in the machine controlled by the ICS. In the case of an electrical power plant, this could translate into physical damage to actual hardware.
The Irongate discovery is significant, Mandiant senior manager and researcher Dan Scali said, because it highlights “the significant challenges the industry faces in discovering threats to ICS and effectively detecting attacks on ICS environments.”
FireEye researchers say that Irongate is only the fourth kind of malware to be found that’s designed to work on ICS — the most notable until now being Stuxnet, a computer worm reportedly developed by the United States in tandem with Israel to cripple Iran’s nascent nuclear program.
In an email interview, Scali went on to say that though Irongate is part of a “small sample size,” the growing prevalence of such malware is concerning.
Irongate was found on VirusTotal, a free online service owned by Google and used to scan suspicious computer files and detect malware. The malware had been sitting on the database unanalyzed for nearly 2 years, according to FireEye.
“We are witnessing an evolution in the industry’s understanding of ICS threats. Stuxnet proved that cyber attacks could cause physical consequences in the real world. For two or three years after that, we mainly saw researchers get interested in ICS and discovered hundreds of vulnerabilities in ICS technology,” Scali said.
He added, “we are starting to discover malware samples and hear about real incidents that show attackers (or others) are weaponizing those vulnerabilities. Asset owners must be able to monitor their ICS environments for these types of threats.”