There's a Stuxnet Copycat, and We Have No Idea Where It Came From

Although the malware might just be a research project, it still went undetected for some time.

After details emerged of Stuxnet, arguably the world's first digital weapon, there were concerns that other hackers would copy its techniques.

Now, researchers have disclosed a piece of industrial control systems (ICS) malware inspired heavily by Stuxnet. Although the copycat malware—dubbed IRONGATE by cybersecurity company FireEye—only works in a simulated environment, it, like Stuxnet, replaces certain types of files, and was seemingly written to target a specific control system configuration.

"In my mind, there is little room to say that these are the same actors" behind Stuxnet and IRONGATE, Sean McBride, manager at FireEye iSIGHT Intelligence, told Motherboard in a phone interview.

But clearly, and perhaps to be expected, other hackers have paid very close attention to, and copied, one of the most powerful pieces of malware ever, raising questions of who else might have decided to see how Stuxnet-style approaches to targeting critical infrastructure can be adapted.

Stuxnet was famously behind attacks on the Natanz uranium enrichment plant in Iran, and designed to slow down the country's effort at producing nuclear weapons. In sum, the malicious worm, which is widely believed to be the work of the US and Israeli governments, worked by burrowing into the plant and tampering with its centrifuges, and targeted systems made by Siemens.

IRONGATE, meanwhile, works within a simulated Siemens environment called PLCSIM, used for testing programs before they are pushed out into the field. Like Stuxnet, IRONGATE replaces a Dynamic Link Library (DLL), a small collection of code that can be used by different programs at the same time, with a malicious one of its own.

IRONGATE's DLL records five seconds of traffic from the Siemens system to the user interface and replays it over and over, potentially tricking whoever is monitoring the system into thinking everything is fine, while the malware might manipulate something else in the background.
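A defender-side check for the replay behaviour described above, added here as an example and not taken from FireEye's report or any Siemens tooling: it flags a run of process readings that recurs verbatim, which genuine noisy sensor data should never do. The 10 Hz polling rate and the constructed process signal are assumptions.

```python
"""Replay detection for an HMI telemetry feed.

IRONGATE's DLL records about five seconds of PLC-to-HMI traffic and
replays it, so the operator keeps seeing a plausible but stale picture.
Genuine analogue readings carry measurement noise, so an exact repeat
of a multi-second window is a strong replay indicator. This is an
added, constructed example, not FireEye's or Siemens' code; the polling
rate and the process signal are assumptions.
"""
import math
import random

SAMPLE_HZ = 10               # assumed HMI polling rate (10 samples/s)
REPLAY_SECONDS = 5           # IRONGATE replays roughly five seconds
WINDOW = SAMPLE_HZ * REPLAY_SECONDS


def find_replays(samples, window=WINDOW):
    """Return (original_index, replay_index) pairs: each marks a run of
    `window` readings that repeats verbatim later in the stream."""
    seen = {}          # window contents -> index where first observed
    hits = []
    i = 0
    while i <= len(samples) - window:
        key = tuple(round(v, 6) for v in samples[i:i + window])
        first = seen.get(key)
        if first is not None and first + window <= i:
            hits.append((first, i))
            i += window    # skip the replayed window, look for the next loop
            continue
        seen.setdefault(key, i)
        i += 1
    return hits


def build_feed(seed=1):
    """Constructed feed: 30 s of noisy genuine readings, then a 5 s slice
    (samples 100-149) replayed three times, then genuine data again."""
    rng = random.Random(seed)
    genuine = [60 + 5 * math.sin(t / 10) + rng.gauss(0, 0.2) for t in range(350)]
    replayed = genuine[100:150] * 3
    return genuine[:300] + replayed + genuine[300:350]


if __name__ == "__main__":
    for orig, rep in find_replays(build_feed()):
        print(f"samples {rep}-{rep + WINDOW - 1} repeat samples {orig}-{orig + WINDOW - 1}")
```

Exact-match detection only catches a byte-identical replay; a replay with injected jitter would need a statistical comparison (for example, variance collapsing to zero across loops) instead.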

The FireEye Labs Advanced Reverse Engineering (FLARE) team found several versions of IRONGATE on malware database VirusTotal in the latter half of 2015, and no anti-virus vendors on the site marked the files as malicious. Two samples of the malware were uploaded by different sources in 2014.

"Siemens Product Computer Emergency Readiness Team (ProductCERT) confirmed that IRONGATE is not viable against operational Siemens control systems and determined that IRONGATE does not exploit any vulnerabilities in Siemens products," FireEye's report reads.

One area where IRONGATE differs from Stuxnet is how it avoids detection. IRONGATE will sense if it's within a VMware virtual machine or a Cuckoo Sandbox environment, common tools that defenders use to catch malware so it can be analysed. Stuxnet only looked for various antivirus programs on the target system, FireEye notes.

"Now you're getting a blend of techniques, where somebody understands, perhaps from the lessons of Stuxnet, the control systems side of the house, and then they also have an understanding of the malware side," Robert Caldwell, a manager at FireEye, told Motherboard.

The FireEye team does not think that IRONGATE is the work of Stuxnet's authors. First of all, although Stuxnet went through various iterations over the years, it dates from as far back as 2007. IRONGATE, meanwhile, only stretches back to 2012, judging by the compile dates of the malware samples. By this time, Stuxnet's authors "had already developed the capabilities in real life," McBride said. IRONGATE also lacks the sophistication you would expect from a nation state, Caldwell added. (Some code in the malware "closely matched usage on a control engineering blog dealing with PLCSIM," the report adds.)

But, the question remains: Who did write it? FireEye says IRONGATE could be a research project, a proof-of-concept, or just someone seeing what is possible. And that's why FireEye is going public with these details—to find out more about IRONGATE.

"We know that we don't have the whole story with this," Caldwell said. "We're missing key components: what actually executes this malware, what's the process that kicks this off on the system."

This outreach to the ICS community is reminiscent of the early days of Stuxnet, when researchers pooled together resources and reached out to the wider community for more details. Even if IRONGATE does turn out to be a fairly innocuous research project, it's still worrying that a tool which so obviously pinches ideas from Stuxnet went unnoticed for so long.

"That thing sat up there on VirusTotal for years," Dan Scali, senior manager from Mandiant told Motherboard. "The fact that it can go undetected is really scary."

"We sort of stumbled across this," he added. "So what else is out there?"