Security researchers have discovered new malware designed to bypass traditional physical and cybersecurity which could be used in an attack to shut down an energy grid.
SentinelOne’s Joseph Landry and Udi Shamir explained in a lengthy analysis that, despite some media reports, the malware has not been crafted specifically to target SCADA systems, although it has been used to attack at least one energy company.
However, they did reveal that it’s likely to have been designed by an eastern European nation state, based on its sophistication, the “extreme measures it takes to evade detection,” and the fact it exhibits behavior seen in previous nation state rootkits.
They continued:
“The malware is most likely a dropper tool being used to gain access to carefully targeted network users, which is then used either to introduce the payload, which could either work to extract data or insert the malware to potentially shut down an energy grid. The exploit affects all versions of Microsoft Windows and has been developed to bypass traditional antivirus solutions, next-generation firewalls, and even more recent endpoint solutions that use sandboxing techniques to detect advanced malware. (Biometric readers are non-relevant to the bypass / detection techniques, the malware will stop executing if it detects the presence of specific biometric vendor software).”
That vendor is access control system manufacturer ZKTeco.
What makes this threat even more unusual is that it was found on an underground forum – an unexpected place for a piece of nation state malware.
Leo Taddeo, chief security officer at Cryptzone and former head of the FBI's cybercrime division in New York, claimed it’s not a case of ‘if’ but ‘when’ the malware is deployed by cyber-criminals.
“In order to counter this type of sophisticated malware, we need to harden the interior of networks with strong user authentication and microsegmentation,” he added.
“These measures make it harder for malware to gain a foothold and propagate from internet facing network segments to the inner core. They also make it more likely for detection and prevention tools to spot the malware and signal an alert to security teams.”