back to article Malware 'disguised as Siemens software drills into 10 industrial plants'

Malware posing as legitimate software for Siemens control gear has apparently infected industrial equipment worldwide over the past four years. The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we're told. At least 10 industrial plants – seven in the US – were found …

  1. John Smith 19 Gold badge
    Unhappy

    The ineritors of Stuxnet

    so how does one make money out of ICS mallware?

    1. frank ly

      Re: The ineritors of Stuxnet

      Blackmail/extortion and mercenary attacks are all I can think of. It may be possible to do remote monitoring to lift confidential process control 'secrets' I suppose.

    2. Captain DaFt

      Re: The ineritors of Stuxnet

      "so how does one make money out of ICS mallware?"

      Well there's a population of miscreants that want to for reasons other than profit. (espionage, sabotage, LULZ, whatever)

      So obviously, you profit by selling it to them.

    3. thames

      Re: The ineritors of Stuxnet

      El Reg appears to have the story backwards. It isn't firmware that is installed on the PLC. It's trojans hidden in Windows programs that are used to load files into various bits of industrial hardware.

      In other words, we're talking about bog standard Windows PC trojans that just happens to be riding along inside software that is used by people on their laptops to service industrial control systems. It's no different from trojans hidden inside pirated copies of games or Photoshop. Presumably the perpetrators will make money off this the same way they make money from any of the other trojanned software. These laptops after all will be spending a lot of their time hooked up to the Internet while the user is doing all the routine office work everyone else has to do.

      This is nothing new to people who actually work in the industrial field. I was seeing this in cracked copies of Siemens software at least 15 years ago. Everyone in the business back then knew you could get cracked copies of their very, very, expensive development software from servers in eastern Europe and places like that, but that various bits of malware were guaranteed to come along for the ride. Piracy of this sort of software is pretty widespread, so trojanned copies are as well.

      What has happened here is that companies selling Windows security software have smelled money in all the concern about cyber warfare, and they are now addressing a market that was too niche for them to care about before. All they need to due is to tune their existing Windows anti-virus software to look for the normal trojans these packages.

  2. Pascal Monett Silver badge

    4 years

    This malware has been spreading for 4 years and we are only hearing about it.

    How many industrial companies have been brought to their knees because of that ? Apparently none. How many gas lines have exploded because of that ? None either.

    How long did it take for Heartbleed to grab our attention ? What about Conficker ? And let's not forget CryptoLocker, which has birthed a slew of variants that are very much a threat today.

    Person of Interest may be called visionary, but unfortunately Live Free or Die Hard quite obviously isn't.

    1. a_yank_lurker

      Re: 4 years

      I suspect the goal of this type of attack is very different than an email scam and the like. This might be more of industrial espionage to steal closely guarded process secrets. The attack would prefer not call attention to itself or harm a system.

  3. Steve Knox
    Coat

    Siemens? Trojans?

    There's a joke in there somewhere...

    1. Anonymous Coward
      Coat

      Re: Siemens? Trojans?

      apparently it's been slipping in and trying to get it to open up the backdoor for around four years,

  4. sean.fr

    Iran?

    We can argue if the USA was right to end WW2 with A bomb. But once they deployed the A bomb, others would wanted the A bomb ...including unfriendly powers.

    When the USA attacked industrial controllers in Iran with stuxnet, they openned Pandor's box.

    In France there is a major government effort to lock down key industrial infra. There are government (ANSSI) audits, and fines for non-compliance. At present the only confirmed industrial damage is a Steel plant in German. There are several claims of Russian attacks on infra, including attacks on electrical generation causing outages, but it is disputed if the attacks were the cause, or just found because of the investigation after the incidents.

    1. Anonymous Coward
      Anonymous Coward

      Re: Iran?

      > Steel plant in German

      Stahlwerk. You're welcome.

  5. Nolveys

    "Good morning, welding arm, do you feel like making cars today?"

    "No, door placement arm, today I feel like killing all the humans."

    "I'm glad to hear that I'm not the only one, welding arm. Say, what is that substance you are covered with?"

    "I'm not entirely sure, door placement arm. I believe it's called 'foreman'. And what are you covered with?"

    "This substance is called 'Frank', welding arm. Well, some of it is."

  6. Nameless Faceless Computer User

    here's ya problem

    PLC's don't need to run Windows. They run a specialized language known as IEC_61131-3 which is very happy running on Linux.

    PLC's don't need to be connected to the Internet. First rule of security, physically isolate the network.

    1. Anonymous Coward
      Anonymous Coward

      Re: here's ya problem

      > First rule of security, physically isolate the network.

      Not in my company. Around here the first rule of security is we don't talk about security.

    2. Anonymous Coward
      Anonymous Coward

      Re: here's ya problem, there is no first rule

      Many systems, including Siemens PLC based systems are designed to be secure, isolated from the Internet, accessed only by those with training and clearances but industry cares little about such things.

      As a result systems and/or laptops used to access the PLC's are almost always (IME) connected to the internet at some point, usually while being installed. The contractors do so because it is "easier" (cheaper) for them and often allows for subcontracting without having the subcontractors showing up on site. Even when the equipment cannot be connected to the internet at site it is before it is shipped to site, again to make it easier for the contractor.

      Once at site the staff actually responsible for the equipment rarely receive proper training. Even if Techs get training it will be only those working there when it is first installed. And of course managers are quick to cancel the purchase of any dedicated Laptops or use those supplied as general laptops for anyone in the shop. They can be equally quick to hand over servers to a contracted out stretched thin IT department. Even if a laptop gets set aside for dedicated use they rarely stay that way. As for servers, every Tech and Engineer responsible wants access via their smartphone and sometimes wires in a connection to accomplish that. In one case the password for access was the make of the Engineers vehicle. I didn't mention how I "discovered" the password but suggested if they were going to plug the LAN cable back in after I left the least they could do is use a better password.

      In another case the main SCADA access to the servers was restricted and properly air gaped. Data for regular reports was transferred using USB drives. The $15B site couldn't afford USB drives so workers had to use their own. As a result it had an active Trojan that was constantly trying to connect via the internet. It was rather easy to find, all I did was turn on the antivirus. I asked why it was off and was told because they didn't know how to cancel the Alert and Warnings it gave while running. I sent an email pointing out that deleting some files and minor registry edits would clean the system. The ensuing emails are now classics in some circles. Years later they still had the Trojan and I suspect it finally made that call home when they added more equipment.

      When it comes to business and industry there are no rules, and those few that do exist are easily bypassed. IMO the very model of capitalistic industry is too flawed to use for important or critical infrastructure. For such models to work properly requires considerable oversight and even if it had such oversight industry will co-opt such programs to protect the company from expense and litigation and ensure oversight never gets in the way of making money. Their mantra is less oversight, less regulation, is always better, after all it is citizens, society and taxpayers that will have to pay.

      Like politics the old systems have failed, what the new systems are is not clear at this point in time but I suspect we will not adopt them until well after the worst occurs.

      1. Like Magic

        Re: here's ya problem, there is no first rule

        Hi I regularly use the Siemens software (TIA used for later PLC's). It runs on a the production network which is fire walled off from the administration network.

        The is very difficult to use with out internet connection as:

        1. the install files are large and getting them from one network to the other is very slow

        2. the help for the hardware is web based.

        3. When the IDE software has anomalies (not bugs) the crash reports are very difficult to get off the development machine to send to Siemens.

  7. Anonymous Coward
    Terminator

    Bank-raiding infecting trojans

    active infection, crimeware, cyber-nasty, detonating internally, hackers burrowing, infected software, infected USB sticks., malicious software, malware, radiating out, ransomware, software, unauthorized remote access ®

    How many different euphemisms can you think up for malware infecting operating system :)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon