Thousands of industrial facilities have their systems infected with common malware every year, and the number of attacks targeting ICS is higher than it appears, according to a study conducted by industrial cybersecurity firm Dragos.
There have been an increasing number of media reports on malware infections affecting critical infrastructure and other industrial facilities, and while attention from the press can have some benefits, most experts agree that overhyped media reporting is likely to have a negative impact on ICS security.
Existing public information on ICS attacks shows numbers that are either very high (e.g. over 500,000 attacks according to unspecified reports cited by Dragos), or very low (e.g. roughly 290 incidents per year reported by ICS-CERT). Dragos has set out to provide more realistic numbers on malware infections in ICS, based on information available from public sources such as VirusTotal, Google and DNS data.
As part of a project it calls MIMICS (malware in modern ICS), Dragos has identified roughly 30,000 samples of malicious ICS files and installers dating back to 2003. Non-targeted infections involving viruses such as Sivis, Ramnit and Virut are the most common, followed by Trojans that can provide threat actors access to Internet-facing environments.
The company’s analysis showed that approximately 3,000 unique industrial sites are hit by traditional, non-targeted malware every year. The actual number of affected organizations is likely higher, but Dragos believes this can be a useful base metric for the community.
These incidents may not be as severe as targeted attacks and they are unlikely to cause physical damage or pose a safety risk. However, they can cause liability issues and downtime to operations, which leads to increased financial costs, Robert M. Lee, CEO and founder of Dragos, told SecurityWeek.
One example provided by the expert is the incident involving a German nuclear energy plant in Gundremmingen, whose systems got infected with Conficker and Ramnit malware. The malware did not cause any damage and it was likely picked up by accident, but the incident did trigger a shutdown of the plant as a precaution.
Dragos’ research has also showed that targeted ICS intrusions are not as rare as they appear to be. While Stuxnet, Havex and BlackEnergy are the only pieces of malware known to specifically target ICS systems, the security firm has identified a dozen intrusions involving ICS-themed malware.
These types of threats, disguised as legitimate ICS software, target operators and engineers. Dragos believes ICS-themed malware can be highly efficient in evading security products as many vendors simply don’t know how to tell apart legitimate from rogue ICS software.
One ICS-themed malware that attracted the attention of researchers has been disguised as software for Siemens programmable logic controllers (PLCs). The threat, described by Dragos as crimeware, has been submitted to public malware databases ten times between 2013 and March 2017. The samples were initially detected by antiviruses as false positives and later as a basic piece of malware.
“In short, there has been an active infection for the last 4 years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software,” Lee said in a blog post.
Dragos has not linked the Siemens-themed malware to a specific threat actor, Lee told SecurityWeek.
Another noteworthy finding of the MIMICS project is related to operational security (OPSEC). Researchers discovered that public malware databases often contain legitimate ICS software components that have been erroneously flagged as malicious. Experts identified various such components, including human-machine interface (HMI) and data historian installers, and key generators.
“This means that adversaries can simply download these software files and leverage access to them for their own learning and practicing,” Lee explained. “Keeping our legitimate software out of the hands of the adversaries helps lengthen the time it takes them to target our environments.”
Dragos has identified more than 120 project files in the public databases it has analyzed, including maintenance reports, Nuclear Regulatory Commission (NRC) reports, and substation layouts.
“There are a few lessons here: have a discussion with the IT security teams (outsourced or on-site) on what is legitimate and what should not be submitted to the internet, validate what your security technologies are submitting to databases such as VirusTotal [...], and be proactive in looking at such databases for your own files and information,” Lee said.