Industrial control systems are easy to compromise

Jan 9, 2015 23:59 GMT

Cybercriminals have started to focus on industrial machines: several banking Trojans have been seen delivered to industrial control systems (ICS) while posing as updates for software specific to those systems.

Recently, a security researcher from Trend Micro discovered a total of 13 different strains of such malware disguised as new versions of human machine interface (HMI) software for Siemens Simatic WinCC, GE Cimplicity, and Advantech device drivers, Dark Reading reports.

Malware poses as WinCC software

The researcher believes that these attacks are not targeted and are not carried out with the purpose of cyber espionage or sabotage. They rely on traditional crimeware designed specifically for financial gains, Kyle Wilhoit, senior threat researcher at Trend Micro, said.

ICS/SCADA systems are known to be weakly protected, since industrial computer equipment most of the time runs on old software that in some cases has even been discontinued and no longer receives security updates.

Moreover, upgrading their software has to be carried out at specific times in order to affect the production cycle as little as possible.

Cybercriminals know that these systems are an easy target and have adapted their malicious programs to fit this environment. Wilhoit said that he discovered a set of 32 samples that pretended to be WinCC software developed by Siemens. In all cases the malware authors used the same naming convention and file structure as the real product.
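Because the look-alike samples copy the vendor's file names and layout, a name check alone cannot tell a genuine WinCC update from a disguised Trojan; the defensive control is to verify the package contents against a hash recorded from a trusted source before anything is staged onto an HMI host. The following is an added example of such a pre-installation check, written for this article and not code from Trend Micro, Siemens or the malware analysis it reports. The manifest entries, file names and file contents are constructed placeholders, not real WinCC release data.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Constructed manifest: package file name -> SHA-256 of the installer as it was
# obtained through a trusted channel (vendor portal over TLS, signed release
# notes, or a copy hashed at the time of download). The values are made up.
KNOWN_GOOD = {
    "WinCC_V7.3_Upd2.exe": hashlib.sha256(b"constructed genuine installer").hexdigest(),
    "Cimplicity_SIM12.msi": hashlib.sha256(b"constructed genuine msi").hexdigest(),
}

# Constructed name patterns mirroring the vendor naming convention the samples
# imitate. A file that matches one of these but has no manifest entry deserves
# manual review before it reaches an engineering workstation or HMI.
VENDOR_NAME_PATTERNS = [
    re.compile(r"^WinCC_.*\.(exe|msi)$", re.IGNORECASE),
    re.compile(r"^Cimplicity_.*\.(exe|msi)$", re.IGNORECASE),
]


def classify_package(filename: str, data: bytes) -> str:
    """Return 'verified', 'tampered', 'unknown-lookalike' or 'unknown'.

    The decision is driven by the content hash, never by the file name,
    because the name is exactly what the disguised Trojans get right.
    """
    digest = hashlib.sha256(data).hexdigest()
    expected = KNOWN_GOOD.get(filename)
    if expected is not None:
        # Constant-time comparison; hex digests are fixed length.
        return "verified" if hmac.compare_digest(digest, expected) else "tampered"
    if any(p.match(filename) for p in VENDOR_NAME_PATTERNS):
        return "unknown-lookalike"
    return "unknown"


def scan_staging_dir(path: str) -> dict:
    """Classify every regular file in a staging directory (name -> verdict)."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                results[name] = classify_package(name, fh.read())
    return results


def release_allowed(results: dict) -> bool:
    """Only a staging set in which every file verified may be released."""
    return bool(results) and all(v == "verified" for v in results.values())


if __name__ == "__main__":
    # Constructed staging directory: one genuine package, one package with the
    # right name but the wrong content, and one unlisted vendor-style name.
    with tempfile.TemporaryDirectory() as staging:
        samples = {
            "WinCC_V7.3_Upd2.exe": b"constructed genuine installer",
            "Cimplicity_SIM12.msi": b"not what the vendor shipped",
            "WinCC_V7.3_Upd3.exe": b"no manifest entry for this name",
        }
        for name, content in samples.items():
            with open(os.path.join(staging, name), "wb") as fh:
                fh.write(content)
        verdicts = scan_staging_dir(staging)
        for name, verdict in verdicts.items():
            print(f"{verdict:18} {name}")
        print("release allowed:", release_allowed(verdicts))
```

The manifest must come from outside the host being protected; a hash list copied from the same USB stick or download folder as the package verifies nothing. On an isolated ICS network the practical way to populate it is to hash packages on a connected engineering station when they are obtained and carry the manifest across with the media.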

Even if they are not part of an industrial espionage or sabotage campaign, the risk associated with this type of malware on these systems is significant, since any new software added to them could cause malfunctions.

ICS/SCADA is very sensitive

In a presentation in late November at the DefCamp security conference in Bucharest, Codenomicon security expert Fadli Sidek said that during a vulnerability assessment on a SCADA network a simple ping sweep caused a robotic arm to behave erratically and swing 180 degrees; the controller for the arm had been in stand-by mode before the ping sweep.

In another incident, this time on an ICS network, the same operation was carried out in order to identify the hosts available on the network. The result was a disruption of the production cycle, leading to a $50,000 / €42,200 loss for the company.

This shows how sensitive some ICS and SCADA systems are to changes, and how unpredictable the outcome can be.

Banking Trojans are designed to steal sensitive information and exfiltrate it to a remote location. Moreover, some strains can receive updates in order to extend functionality, or even change the type of targeted information.

Although they should be isolated from the Internet, many ICS/SCADA systems are reachable online. Given this, it may be that the recent findings of the Trend Micro researcher are part of a larger, more sinister picture that could have espionage on the agenda.

At the S4 ICS/SCADA conference scheduled for next week in Miami, Wilhoit will demonstrate that unsophisticated malware for industrial machines can be crafted so that it goes undetected by antivirus products.