New malware, according to researchers at SentinelOne, is effective at bypassing the typical static and behavioral detection techniques used by anti-malware software, and performs numerous anti-sandboxing techniques. The malware is also designed to bypass certain types of authentication, such as facial recognition and fingerprint biometrics.
Researchers Joseph Landry and Udi Shamir suspect that the code was written by an Eastern European nation state because of its complexity and its ability to evade detection. Their analysis shows that the malware is not designed to hit only SCADA systems, as has been reported, but has hit at least one energy company.
The malware likely leverages a dropper to gain access. Once in, the malware will introduce its payload to either exfiltrate data or attack energy grid availability. The vulnerabilities it targets affect all versions of Microsoft Windows. It has been developed to bypass traditional antivirus solutions, next-generation firewalls and even more recent endpoint solutions that use sandboxing techniques to detect advanced malware.
According to the researchers, “The sample starts by rigorously checking its environment. If in a sandbox or under manual inspection by an analyst, the sample will prematurely terminate. If the sample finds specific antivirus software installed, it will carefully enable and disable specific functionality to evade behavioral detection.”
Ever since the Stuxnet worm — believed to have directly targeted an Iranian-based uranium enrichment infrastructure — attacks on industrial control systems have become more common. The range of bad actors covers extortionists to nation states.
In my talks with security analysts over the years, the prevalent line of thinking is that there is good reason to assume that these systems aren’t adequately secured, and that many in critical infrastructure aren’t properly prepared.
Most troubling, in light of this new malware analyzed by SentinelOne, is how “open” the internal networks of these critical infrastructure organizations are. Should a threat make it to the inside, it’s likely to have a devastating impact.
To mitigate threats from such attacks, those in the energy industry and in charge of critical infrastructure must segment their internal networks better, use multi-factor authentication, and monitor and be able to respond to internal breaches very quickly.
One last (scary) note: Because this malware was identified within an internal forum, it’s highly likely criminals will take this malware and begin using it against organizations in the energy industry. So be prepared.