A new piece of industrial control malware has been discovered. Dubbed SFG, it was found by Sentinel One Labs on the information networks of a yet-unnamed European energy company.
It appears quite sophisticated. It not only collects information on the infected system but opens a backdoor through which a destructive payload could be launched, “to potentially shut down an energy grid”.
Attacks on critical infrastructure can be deployed by a range of actors including cyber-criminals, hacktivists and most commonly, nation states.
Jalal Bouhdada, founder and principal ICS security consultant at Applied Risk, told SCMagazineUK.com, “Cyber-criminals are shifting their focus to industrial facilities as a lucrative target in which they can blackmail facilities through techniques such as ransomware. For nation states, identifying weaknesses in critical infrastructures of adversaries can be used strategically in case of conflicts in which cyber-attacks can be launched to paralyse a nation’s key sectors, such as power, water and transportation.”
This piece of malware, as is the case with so many attacks on industrial control and SCADA systems, points towards a nation-state, the kind of actor with the rare ability and resources to write malware of this sophistication.
Tim Erlin, director, security and IT risk strategist at Tripwire, told SC, “The motivations for nation state attackers are very different from the financially motivated cyber-criminals we’re used to dealing with. Nation state attackers are often better resourced, more patient, and more interested in causing material harm to life and safety than their criminal counterparts.”
It’s nothing new. The Russian state is still widely believed to be behind the Black Energy group which shut down power to 225,000 people in Ukraine last winter by attacking a power company.
In fact, our SCADA systems are replete with vulnerabilities. Gates pointed to the fact that a simple search on www.cve.mitre.org for SCADA systems will show 162 known vulnerabilities, many of which allow remote code execution. From there, attackers can gain remote access and ultimately take over a compromised system.
Gates added, “Cyber attackers who have gained remote access and can remain persistent in a network can cause a loss of view, manipulation of view, loss of control and denial of control for operators running critical infrastructure. Exploiting these ‘operational vulnerabilities’ could result in a catastrophic event.”
Full article: SCADA malware discovered in European energy company (SC Magazine UK)