SCADA malware caught infecting European energy company

Security researchers have identified a strain of malware that has already infected at least one European energy company. The malware, dubbed SFG, is related to an earlier sample called Furtim, which created a backdoor on targeted industrial control systems. This backdoor might be used to deliver a payload which could be used to …

  1. Paul Crawford Silver badge

    Impressive analysis, but infection vector not apparent

    Seems they do a lot to avoid VMs and sandboxes, so why are they not in more common use for security sensitive systems anyway? After all, the actual controllers are dedicated hardware boxes and the SCADA PCs just Windows machines to supervise them. Any reason why those PCs can't be run in a VM?

    But how were those machines infected in the first place?

    Why were they internet connected?

    When will we see serious personal fines and jail time for managers who fail to put sufficient security design, monitoring and management in to critical infrastructure?

    Trusting some AV or firewall vendor who said they would stop trouble is just not good enough. Unless, of course, they are offering to pay the fines and do the jail time if they fail.

    1. The Original Steve

      Re: Impressive analysis, but infection vector not apparent

      Good point, although just cat and mouse.

      A lot of SCADA kit needs special legacy hardware keys to run via parallel or RS232 ports, and often needs its own special 'NIC' to talk its own special protocol to the rest of the SCADA network.

      Tried to virtualize the control systems for a large crisp manufacturer a few years back. Got about 2/3rds done, the rest I couldn't for the reasons above.

      1. Anonymous Coward

        Re: Impressive analysis, but infection vector not apparent

        Tried to virtualize the control systems for a large crisp manufacturer a few years back.

        Now that's what I call critical infrastructure. Hoy! Ruskies! Walker's SCADA kit is only partly defended.

        Then again, maybe the Ruskies have been attacking, and disrupting the flavour-dosing controls. That creates a lot of over or under-flavoured crisps, which Walkers then have to sell to supermarkets for resale as their own brands.

        1. Anonymous Coward

          Re: Impressive analysis, but infection vector not apparent

          Now I know who to blame for the bags of air from Walkers, Ruskies!

    2. Sir Runcible Spoon

      Re: Impressive analysis, but infection vector not apparent

      "But how were those machines infected in the first place?"

      Considering the lengths this software went to avoid detection I'm interested in how it was discovered (unless I rushed past that bit to get to the detail).

      There is a ton of stuff in the analysis that could be used to foil this malware, so it's obviously relied on being obscure enough to not be detected, but even something as simple as using internal CNAMEs for AV sites would break one aspect of the functionality (i.e. routing all those common AV names to 0.0.0.0).

      Also just putting a few dummy files on the secured system to make it look like it's running AV to make it self-terminate - it would be a lot of faffing about, but it's something I would consider doing if I were managing these Windows boxes.
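The DNS sinkhole idea in the comment above, worked through as a defender-side example that is not from this thread: a resolver stub that answers watchlisted AV-vendor names with 0.0.0.0, plus detection logic that flags any host resolving several such names within a short window, which is what the malware's AV check would look like in DNS logs. The vendor hostnames, client addresses and log format are constructed placeholders, not real indicators.

```python
"""Added example (not from the thread): sinkhole AV-vendor names to 0.0.0.0
and flag clients that look up several of them in a short window.
All hostnames, addresses and log lines are constructed placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlist of AV-vendor hostnames (placeholders, not real domains).
AV_WATCHLIST = {
    "update.av-vendor-a.example",
    "liveupdate.av-vendor-b.example",
    "definitions.av-vendor-c.example",
    "cloud.av-vendor-d.example",
}

SINKHOLE = "0.0.0.0"


def sinkhole_answer(qname: str, upstream_answer: str) -> str:
    """Return 0.0.0.0 for watchlisted names; pass the upstream answer otherwise."""
    return SINKHOLE if qname.lower().rstrip(".") in AV_WATCHLIST else upstream_answer


def parse_line(line: str):
    # Constructed log format: "<ISO timestamp> client=<ip> query=<name> <type>"
    ts, client, query, _qtype = line.split()
    return (datetime.fromisoformat(ts),
            client.split("=", 1)[1],
            query.split("=", 1)[1].lower().rstrip("."))


def find_av_probers(lines, min_distinct=3, window_seconds=60):
    """Return {client: sorted distinct watchlisted names} for every client that
    resolved at least min_distinct watchlisted names inside one sliding window."""
    events = defaultdict(list)
    for line in lines:
        ts, client, name = parse_line(line)
        if name in AV_WATCHLIST:
            events[client].append((ts, name))
    hits = {}
    window = timedelta(seconds=window_seconds)
    for client, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            names = {n for t, n in evs[i:] if t - t0 <= window}
            if len(names) >= min_distinct:
                hits[client] = sorted(names)
                break
    return hits


# Constructed sample: 10.1.5.20 probes four vendor names in 20 s (suspicious);
# 10.1.5.21 makes a single vendor lookup, as a normal update check would.
SAMPLE_LOG = """\
2016-07-12T10:01:03 client=10.1.5.20 query=update.av-vendor-a.example A
2016-07-12T10:01:05 client=10.1.5.20 query=liveupdate.av-vendor-b.example A
2016-07-12T10:01:09 client=10.1.5.21 query=definitions.av-vendor-c.example A
2016-07-12T10:01:15 client=10.1.5.20 query=definitions.av-vendor-c.example A
2016-07-12T10:01:23 client=10.1.5.20 query=cloud.av-vendor-d.example A
2016-07-12T10:02:00 client=10.1.5.20 query=historian.plant.example A
""".splitlines()

if __name__ == "__main__":
    for client, names in find_av_probers(SAMPLE_LOG).items():
        print(f"{client} resolved {len(names)} AV hostnames: {names}")
```

On a real network the watchlist would hold the vendor update and licensing names actually observed in the estate, and the threshold tuned so that a legitimate single-product update check does not alert.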

    3. Rob pledge

      Re: Impressive analysis, but infection vector not apparent

      Well, if it's probably a state-sponsored attack, it's not beyond the realms of possibility that the infection vector was via a human agent in place or visiting a facility on the power network.

      1. Anonymous Coward

        Re: Impressive analysis, but infection vector not apparent

        NATO General Breedlove: Fluoridation is the most monstrously conceived and dangerous Russky plot we have ever had to face .... Crisps, Mandrake! Flavored Walker Crisps!!

    4. a_yank_lurker

      Re: Impressive analysis, but infection vector not apparent

      I suspect many SCADA systems are fairly old (> 10 years) and were never really designed to be connected to the Internet. Replacing these otherwise functional systems is not trivial, and they are likely to remain until the plant gets modernized. Many older SCADA systems use what are now obsolete protocols and hardware.

    5. phil 27

      Re: Impressive analysis, but infection vector not apparent

      How would virtualizing an out-of-date operating system with vulnerable ports protect it any better than installing it on bare metal?

      The fail is how the airgapped network got compromised, however I once was involved with writing scanning software that went hunting for interconnects amongst other things on a global "secure" airgapped network, and we found significant numbers when digging through our results. Some people breached with wifi modems to make laptops easier, some as it transited less -ahem- lawful areas etc. Most of the problem was people being lazy and processes not being rigid enough nor penalties severe enough for doing stupid things which compromised the network's security.

      Lock it down, secure it, get maintenance agreements including code fixes for the lifetime of the kit in the original contract when buying, take steps to establish an in-house policy and responsibilities and delegation to keep it patched and integral, but sticking it in a VM isn't going to help, especially as the next step would be to combine all of those Windows machines into a single host, giving yet another vector for a sophisticated attack to jump about sight unseen by any network probes.

      The reason the malware looks for the VM environment is that a large number of security researchers spin the vulnerable machine up in a VM because they're looking at x different device types a week, and to have each one as a physical box to be maintained for the audit record of testing would make life awkward. It's a lazy convenience thing, not a good practice one; you can't beat electrical separation done properly.

      1. Charles 9

        Re: Impressive analysis, but infection vector not apparent

        "Lock it down, secure it, get maintenance agreements including code fixes for the lifetime of the kit in the original contract when buying, take steps to establish an in-house policy and responsibilities and delegation to keep it patched and integral, but sticking it in a VM isn't going to help, especially as the next step would be to combine all of those Windows machines into a single host, giving yet another vector for a sophisticated attack to jump about sight unseen by any network probes."

        Um, who's got the budget for that who can get it past the accountants? Most higher-ups don't take a long view, especially if they have investors (also very short-sighted) to appease.

        1. phil 27

          Re: Impressive analysis, but infection vector not apparent

          Anyone who wants their control network to survive a determined attack. Someone with a SCADA network controlling assets isn't in the same category as your local webhost or SME with a single server in the corner, and they should realize the value of protecting it properly. I've worked on projects where an unprotected device put upstream of the boundary firewalls would last maybe a minute or two before getting compromised, such was their exposure to attack. They had rigid control, quality targets, correct processes and investment, and boy did they need it.

          High profile attacks like Talktalk and others have highlighted the need to do a thorough job of securing things to a wider audience given the beancounters saved them a small sum skimping on security only to find significant amounts of value wiped off shortly after the attacks.

          Talktalk have been recruiting security staff like mad since then, given the number of times I've been messaged on LinkedIn by recruiters about it, so there's a good chance at least their subset of investors and accountants are acutely aware of that lesson. If you're an influencer at the early adoption stage, it's part of your overall governance to instill the need for security best practices at the procurement stage too, not just slap them on as an afterthought, and there are some from that procurement involvement here I hope taking notes to improve things.

          The industry at large has massive amounts of work to do on this front, and the security industry has to sort its own house out also. If you give recommendations to secure things and the business decides to take the risk against your advice for financial reasons, that is their decision but you have done what you can and they must own the fall out if it happens. And you get to say "I told you so" in a very sombre and professional manner...

          1. Charles 9

            Re: Impressive analysis, but infection vector not apparent

            "Anyone who wants their control network to survive a determined attack. "

            Then they get overridden by the board, who have to answer to the investors.

            "High profile attacks like Talktalk and others have highlighted the need to do a thorough job of securing things to a wider audience given the beancounters saved them a small sum skimping on security only to find significant amounts of value wiped off shortly after the attacks."

            And then the public forgets them next week, guaranteed. Meanwhile, the other investors will simply go, "Glad it wasn't me." Unless we see a board overthrow BEFORE a breach hits, I don't think the investors really care.

  2. Anonymous Coward

    wow

    People don't realize that with this SCADA stuff war won't simply be something you watch on CNN. When they can't charge their iPhones then the anarchy will begin. Many people also don't realize they are also three days away from not being able to get food. Oh well, carry on, nothing to see.

    1. NomNomNom

      Re: wow

      I have many neighbours around me; I won't run out of food in an emergency for quite some time.

      1. Anonymous Coward

        Re: wow

        Lol, like my buddy said, when the crap hits the fan the single best item to have to guarantee food is a .45.

        1. lukewarmdog

          Re: wow

          Your buddy is going to listen to old vinyl records?

          Oh I see.. you can then use them as frisbees to kill zombies like in Shaun of the Dead.

          I was watching an in-game chat yesterday which started off all bravado, who had how many guns and whose farm was bigger. It finally descended into who would eat the worst foods. One guy would shoot deer to survive, someone else said good luck when you run out of deer, they'd shoot dogs. Dogs, scoffed another, when I was on wilderness camp we would survive on squirrels and frogs. Oh sure, said the next guy, I've heard humans fed on a diet of frogs taste the best.

          I'm kinda hoping we run out of power at some point so I just don't have to play with those guys any more.

          2. Anonymous Coward

            Re: wow

            >they'd shoot dogs. Dogs, scoffed another

            Scoff all you want but eating and using only dogs is why Amundsen conquered the South Pole instead of becoming a lime Popsicle on the Ross Ice Shelf.

        2. Anonymous Coward

          Re: wow

          "Lol, like my buddy said, when the crap hits the fan the single best item to have to guarantee food is a .45."

          Not if the food keeper raises you a .357 Magnum...

      2. Anonymous Coward

        Re: wow

        "I have many neighbours around me, I won't run out of food in an emergency for quite some time"

        Daaaad! Not long pig for tea again!

  3. amanfromMars 1 Silver badge

    Oh that things were so simple ...... in a world full of opportunities and vulnerabilities

    Udi Shamir, chief security officer at SentinelOne, commented: “The malware has all the hallmarks of a nation state attack due to its extremely high level of sophistication and the cost associated with creating software of this advanced nature.”

    Hi, Udi Shamir,

    There is practically zero cost in the free sharing of smarter sophisticated intellectual property between developers and/or across live open source platforms which creates software of advanced nature.

    Nation states might seek to purchase and use it though, thus leading one to jump to erroneous conclusions, just as easily as they could purchase protection and security against its use from its developers, who may very well be dedicated non-state actors/anonymous rogue freelancing agents.

    1. Charles 9

      Re: Oh that things were so simple ...... in a world full of opportunities and vulnerabilities

      "There is practically zero cost in the free sharing of smarter sophisticated intellectual property between developers and/or across live open source platforms which creates software of advanced nature."

      Two words: trade secrets.

  4. Lotaresco

    Never as easy as it seems from an armchair

    SCADA like "cloud" covers a multitude of sins. Many systems are supplied by vendors as modular units running on their own hardware. Virtualising the kit isn't easy or even possible in many cases. Many vendors won't license their code to run in a VM (not that running in a VM protects against anything).

    The vendors are also incredibly naïve. I've had meetings with companies tendering to supply SCADA systems and have been on the receiving end of presentations where someone explains that their controllers run on Windows CE (an out-of-support version) and their actuators and sensors are all proprietary and only work with that version of the controller. "But don't worry, because the system is air-gapped so it can't be infected." Then when you ask how it will be maintained they say an engineer will download patches and code via the internet onto his laptop (which he also uses for home banking, p0rN, children's games and submitting his timesheets) and connect his laptop to the controller to upload the patches. Simples!

    They can't see anything wrong with this or why I'm twitching like a tasered catfish.

    But all of the vendors are like this and SCADA systems are niche products so where do you go to buy a system that wasn't designed by idiots?

    1. Nunyabiznes

      Re: Never as easy as it seems from an armchair

      "They can't see anything wrong with this or why I'm twitching like a tasered catfish"

      Thanks for the laugh!

      Glad I'm not the only one.

    2. Paul Crawford Silver badge

      Re: Never as easy as it seems from an armchair

      "But all of the vendors are like this and SCADA systems are niche products so where do you go to buy a system that wasn't designed by idiots?"

      This is why we need the law to step in and for security folks to draw up regulations, including things like operating in a VM as an essential attribute, otherwise no sale (and no insurance or license for a business which fails to follow the rules).

      Sure there will be a lot of bitching at first, but niche market or not, we need a nice big stick to beat them with so all of the usual software good practice is followed. Things like forcing a declaration on matters like hard-coded passwords, support back-doors, operation with AV/VM tools, respect for proper multi-user practice (i.e. no need for interfaces to run as admin), 10 year or more support that will include replacing any protocol or SSL certificate found to be weak or compromised, etc, etc, etc.

      1. Charles 9

        Re: Never as easy as it seems from an armchair

        "This is why we need the law to step in and for security folks to draw up regulations, including things like operating in a VM as an essential attribute, otherwise no sale (and no insurance or license for a business which fails to follow the rules)."

        But the vendors have more bribing power than the citizens. They can just lie and bribe anyone they need to swear by it. Or they can make themselves "too big to fail" as in if they go, so does a good chunk of the country.

      2. Doctor Syntax Silver badge

        Re: Never as easy as it seems from an armchair

        "10 year or more support"

        Easy to promise but what good's your regulation or contract if the vendor's in liquidation? You'll need a source code escrow scheme, assuming the source isn't open anyway.

    3. a_yank_lurker

      Re: Never as easy as it seems from an armchair

      Tasered catfish? lol! Sounds more like fried catfish, extra crispy.

    4. PNGuinn

      Tasered catfish.

      Strikes me the problem can't be solved until all those kind of vendors are well tasered like catfish.

      Just internet connect the taser and we can all have some fun.

  5. Anonymous Coward

    "But don't worry because the system is air-gapped so it can't be infected." Then when you ask how it will be maintained they say an engineer will download patches and code via the internet onto his laptop (which he also uses for home banking, p0rN, childrens' games and submitting his timesheets) and connect his laptop to the controller to upload the patches. Simples!

    BINGO!!

  6. John Deeb

    What a conjecture

    "It appears to be the work of multiple developers who have reverse engineered more than a dozen antivirus solutions"

    What a conjecture! Reverse engineering antivirus solutions or reverse engineering recent state-sponsored malware caught in the wild which would contain already much of the basic know-how, what's the difference exactly?

  7. Anonymous Coward

    How were those machines infected in the first?

    None of that matters, all you need to concentrate on is that it has all the hallmarks of a nation-state attack by some no good commie atheist salo eaters.

    1. Sir Runcible Spoon

      Re: How were those machines infected in the first?

      Didn't I see this comment on /.?

      https://it.slashdot.org/comments.pl?sid=9375045&cid=52501057

      I also see that it was discovered on a dodgy site somewhere - not from an actual infection.

  8. Anonymous Coward

    A third tier AV company

    trying to become bigger by hinting that they have caught a nation state being naughty.

    This has the hallmarks of poor security design and lack of controls.

    1. Sir Runcible Spoon

      Re: A third tier AV company

      "This has the hallmarks of poor security design and lack of controls"

      I hate to break it to you, Mr/Mrs/Ms/Dr AC, but network security in the real world is a dog's mess no matter where you look.

      1. Charles 9

        Re: A third tier AV company

        When your basic infrastructure depends on a third party, who by default can never be completely trusted, you have a problem.

        Problem is, EVERYTHING relies on trusting a third party. So what happens to civilization?

        1. amanfromMars 1 Silver badge

          Re: A third tier AV company

          When your basic infrastructure depends on a third party, who by default can never be completely trusted, you have a problem.

          Problem is, EVERYTHING relies on trusting a third party. So what happens to civilisation? .... Charles 9

          Civilisation and IT move over to trusting Virtual Machines, Charles 9, with AI in Advanced IntelAIgent Command with Remote NEUKlearer HyperRadioProActive IT Control.

          Try to fight and deny it be so if you will, but you will not find a foe to defeat nor a friend to hinder such Future Progress.

          1. Anonymous Coward

            Re: A third tier AV company

            "Civilisation and IT move over to trusting Virtual Machines, Charles 9, with AI in Advanced IntelAIgent Command with Remote NEUKlearer HyperRadioProActive IT Control.

            Try to fight and deny it be so if you will, but you will not find a foe to defeat nor a friend to hinder such Future Progress."

            I suspect IT people are savvy enough to recognize Rise of the Machines...

            1. amanfromMars 1 Silver badge

              Re: Upper Top Tier Company Leaderships ..... Smarter Monitoring Mentorships

              ........ for All Seeing Eye Systems ‽ .

              I suspect IT people are savvy enough to recognize Rise of the Machines... .... Anonymous Coward

              The massive scale and vast depth of Man's stupidity has me thinking of leaving nothing to chance and always trying to ensure they be led simply by the nose to what they be missing and needing, AC. Recognising others more than just simply aware of the changed fields of power and energy in command and control of assets and liabilities, is most refreshing and encouraging.

  9. John Smith 19 Gold badge

    STUXNET.

    Now any nation can play "disrupt your (potential) enemies' infrastructure".

    Wonder if, when this happens to Merkins, they'll declare war on the source?

    The precedent is Iran, and they did not.

    Could America manage to behave as well?
