SFG malware discovered in European energy company

Industrial control systems are a favourite target for nation-state actors
Industrial control systems are a favourite target for nation-state actors

A new piece of malware has been discovered on the information networks of an unnamed European energy company.

It appears quite sophisticated according to Sentinel One Labs who discovered it. SFG, as Sentinel One Labs call it, not only collects information on the infected system but opens a backdoor through which a destructive payload could be launched. Sentinel One speculates that it could deliver malware to   “potentially shut down an energy grid”.

It affects all versions of Windows and has been produced, by what the researchers believe to  be many developers, to overcome next generation firewalls and anti-virus software. Furthermore, the malware shuts down when put into a sandboxed environment or a virtual machine to escape the notice of security teams.

This piece of malware, according to the disclosing blogpost, “exhibits traits seen in previous nation-state Rootkits, and appears to have been designed by multiple developers with high-level skills and access to considerable resources”.

Attacks on critical infrastructure can be deployed by a range of actors including cyber-criminals, hacktivists and most commonly, nation states.

Jalal Bouhdada, founder and principal ICS security consultant at Applied Risk, told SCMagazineUK.com, “Cyber-criminals are shifting their focus to industrial facilities as a lucrative target in which they can blackmail facilities through techniques such as ransomware. For nation states, identifying weaknesses in critical infrastructures of adversaries can be used strategically in case of conflicts in which cyber-attacks can be launched to paralyse a nation's key sectors, such as power, water and transportation.”

Due to its sophistication this piece of malware likely points towards a nation-state. Tim Erlin, director, security and IT risk strategist at Tripwire, told SC, “the motivations for nation state attackers are very different from the financially motivated cyber-criminals we're used to dealing with. Nation state attackers are often better resourced, more patient, and more interested in causing material harm to life and safety than their criminal counterparts.”

It's nothing new. The Russian state is still widely believed to be behind the Black Energy group which shut down power to 225,000 people in Ukraine last winter by attacking a power company.

Perhaps the most famous piece of critical infrastructure malware was Stuxnet. Believed to be developed by American and Israeli intelligence, Stuxnet was let loose on an Iranian nuclear refinery. It both collected intelligence and wreaked havoc, destroying thousands of centrifuges used to enrich uranium.

In the UK, there have already been several attacks against national rail infrastructure. Erlin added that although these were not outright destructive attacks, “reconnaissance activities in critical infrastructure should be taken very seriously. We should expect that these attackers are doing their homework before executing any serious campaigns.”

Some of the principal problems with industrial control systems or critical infrastructure like railways or power plants is they tend to have been built before cyber-security was even a consideration. When they are then retrofitted with security systems, it's not always easy to tell where holes have been left.

Stephen Gates, chief research intelligence analyst at NSFOCUS, told SC,“Most people don't realise that the critical infrastructures in our countries are being controlled by computers that are just as vulnerable as our phones, laptops, servers, etc.”

In fact, many industrial control systems are replete with vulnerabilities. Gates pointed to the fact that a simple search on www.cve.mitre.org  for SCADA systems will show 162 known vulnerabilities, many of which allow remote code execution. From there, attackers can get remote access and ultimately take over a compromised system.

Gates added, “Cyber attackers who have gained remote access and can remain persistent in a network can cause a loss of view, manipulation of view, loss of control and denial of control for operators running critical infrastructure. Exploiting these ‘operational vulnerabilities' could result in a catastrophic event.”

The article was edited to clarify the nature of the malware found - it was not specifically SCADA malware but rather malware which could facilitate an attack on SCADA and industrial control systems. The story has now been corrected to reflect this. 

Sign up to our newsletters