Non-Targeted Malware Hits 3,000 Industrial Sites a Year: Study

Malware attacks on ICS


Thousands of industrial facilities have their systems infected with common malware every year, and the number of attacks targeting ICS is higher than it appears, according to a study conducted by industrial cybersecurity firm Dragos.

There have been an increasing number of media reports on malware infections affecting critical infrastructure and other industrial facilities, and while attention from the press can have some benefits, most experts agree that overhyped media reporting is likely to have a negative impact on ICS security.

Existing public information on ICS attacks shows numbers that are either very high (e.g. over 500,000 attacks according to unspecified reports cited by Dragos), or very low (e.g. roughly 290 incidents per year reported by ICS-CERT). Dragos has set out to provide more realistic numbers on malware infections in ICS, based on information available from public sources such as VirusTotal, Google and DNS data.

As part of a project it calls MIMICS (malware in modern ICS), Dragos has identified roughly 30,000 samples of malicious ICS files and installers dating back to 2003. Non-targeted infections involving viruses such as Sivis, Ramnit and Virut are the most common, followed by Trojans that can provide threat actors with access to Internet-facing environments.

The company’s analysis showed that approximately 3,000 unique industrial sites are hit by traditional, non-targeted malware every year. The actual number of affected organizations is likely higher, but Dragos believes this can be a useful base metric for the community.

These incidents may not be as severe as targeted attacks and they are unlikely to cause physical damage or pose a safety risk. However, they can cause liability issues and downtime to operations, which leads to increased financial costs, Robert M. Lee, CEO and founder of Dragos, told SecurityWeek.

One example provided by the expert is the incident involving a German nuclear energy plant in Gundremmingen, whose systems got infected with Conficker and Ramnit malware. The malware did not cause any damage and it was likely picked up by accident, but the incident did trigger a shutdown of the plant as a precaution.


Dragos’ research has also shown that targeted ICS intrusions are not as rare as they appear to be. While Stuxnet, Havex and BlackEnergy are the only pieces of malware known to specifically target ICS systems, the security firm has identified a dozen intrusions involving ICS-themed malware.

These types of threats, disguised as legitimate ICS software, target operators and engineers. Dragos believes ICS-themed malware can be highly effective at evading security products, as many vendors simply don’t know how to tell legitimate ICS software apart from rogue ICS software.

One piece of ICS-themed malware that attracted the attention of researchers was disguised as software for Siemens programmable logic controllers (PLCs). The threat, described by Dragos as crimeware, was submitted to public malware databases ten times between 2013 and March 2017. The samples were initially detected by antivirus products as false positives and later as a basic piece of malware.

“In short, there has been an active infection for the last 4 years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software,” Lee said in a blog post.

Dragos has not linked the Siemens-themed malware to a specific threat actor, Lee told SecurityWeek.

Another noteworthy finding of the MIMICS project is related to operational security (OPSEC). Researchers discovered that public malware databases often contain legitimate ICS software components that have been erroneously flagged as malicious. Experts identified various such components, including human-machine interface (HMI) and data historian installers, and key generators.

“This means that adversaries can simply download these software files and leverage access to them for their own learning and practicing,” Lee explained. “Keeping our legitimate software out of the hands of the adversaries helps lengthen the time it takes them to target our environments.”

Dragos has identified more than 120 project files in the public databases it has analyzed, including maintenance reports, Nuclear Regulatory Commission (NRC) reports, and substation layouts.

“There are a few lessons here: have a discussion with the IT security teams (outsourced or on-site) on what is legitimate and what should not be submitted to the internet, validate what your security technologies are submitting to databases such as VirusTotal […], and be proactive in looking at such databases for your own files and information,” Lee said.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
