Irongate attacks ICS Siemens Step 7 PLCs—Similar to Stuxnet

A new family of ICS-focused malware, dubbed Irongate, interferes with industrial process running within a simulated Siemens control system environment.

Borrowing from Stuxnet, a new family of ICS-focused malware, dubbed Irongate, interferes with industrial process running within a simulated Siemens control system environment.

Back in 2010, researchers found a sophisticated piece of malware called Stuxnet which only attacked systems running Siemens Step 7 PLCs. Otherwise the malware sat dormant. Stuxnet primarily attacked centrifuges used in Iran’s nuclear development program.

Researchers from FireEye said they found something similar in pouring over old VirusTotal data. Irongate runs only within Siemens simulated control system environments and was designed specifically for a custom-compiled user application in a Siemens Step 7 PLC simulation environment.

“While Stuxnet is orders of magnitude technically more advanced, Irongate borrows some similar traits,” said Sean McBride, senior threat intelligence analyst with FireEye told Threatpost.

Irongate allows man-in-the-middle attacks by recording normal activity and then playing that activity back on the display while it alters industrial control systems.

FireEye notes that a sample of Irongate was submitted to VirusTotal in 2012, but that very few of the AV engines picked it up.

“Our ability as an industry to understand and detect threats is improving, but it’s not sufficient as evidenced by an example such as this,” said Rob Caldwell, manager of FireEye Labs Advanced Reverse Engineering told Threatpost. “We need to get better at understanding what the threats are to industrial control systems and how to detect them to better defend against them.”