Improved, Stuxnet-Like PLC Malware Aims to Disrupt Critical Infrastructure

A newly developed PLC malware does not require physical access to target an ICS environment, is mostly platform neutral, and is more resilient than traditional malware aimed at critical infrastructure.
March 5, 2024
The proliferation of programmable logic controllers (PLCs) with embedded Web servers in them has given attackers a way to launch potentially catastrophic, remote attacks against operational technology (OT) for industrial control systems (ICS) in critical infrastructure sectors.
To highlight the threat, a team of researchers from the Georgia Institute of Technology has developed malware that an adversary could use to remotely access an embedded Web server within a PLC, and attack the underlying physical system. An attacker could use the malware to manipulate output signals to actuators, to falsify sensor readings, disable safety systems, and execute other actions that could trigger potentially devastating outcomes, including even loss of life, the researchers said.
PLCs are the components of ICS that control the operation of physical processes and machinery within various manufacturing, industrial, and critical infrastructure settings. A PLC receives input from connected sensors and other input sources, and uses that data to send commands to physical systems based on pre-programmed control logic. The goal of PLC malware in general is to influence the output in such a way as to disrupt or sabotage the physical process that the PLC controls.
Malware targeting PLCs and ICS has often required attackers to have some kind of prior physical or network access to the target environment, has typically been platform specific, and has been easily erasable via factory resets. In their paper, Georgia Tech researchers Ryan Pickren, Tohid Shekari, Saman Zonouz and Raheem Beyah describe their Web-based PLC malware as fundamentally different.
Most PLC malware infects the firmware or control logic of the controllers, whereas the new Web-based malware attacks the front-end Web layer in PLCs with malicious JavaScript, eliminating some of the limitations such malicious code has faced in the past.
"This approach has significant advantages over existing PLC malware techniques (control logic and firmware), such as platform independence, ease-of-deployment, and higher levels of persistence," the researchers said.
But the cyberattack outcomes for the new strain are the same as for other successful PLC attacks. In the $1 billion Stuxnet campaign for instance — which some have attributed to the US and Israeli governments — the attackers targeted Siemens PLCs to cause high-speed centrifuges at Iran's Natanz uranium-enrichment facility to spin so fast they essentially tore themselves apart.
Since then, there have been several other attacks that have highlighted the damage that adversaries can unleash on systems that control physical processes. Notable examples include the BlackEnergy malware that Russian threat actors used to disrupt Ukraine's power grid in 2016; the Triton/Trisis attack on a Schneider safety system at a petrochemical plant in Saudi Arabia; and INCONTROLLER, a set of malware tools targeted at PLCs from Schneider and Omron.
The Web-based attack that the researchers developed involved a test scenario in which a threat actor executes a Stuxnet-like attack on a widely used PLC that, in this case, controlled an industrial motor similar to one used to power centrifuges during uranium enrichment. Like many modern PLCs, the one the researchers used for the test featured a Web-based interface for remote monitoring, programming, and configuration.
For the test scenario, the researchers assumed that the facility where the PLC is situated had engineering workstations that were connected both to the business network and the industrial network. The researchers also assumed that the attacker had some basic knowledge about the physical process that the test PLC controlled and a few other non-specific details of the environment.
In their paper, the researchers described how an attacker could gain initial access to the PLC by remotely injecting malicious code into the Web server in a variety of ways and then use its legitimate application programming interfaces (APIs) to disrupt the underlying machinery. One of the test scenarios involved the attacker tricking an ICS operator into visiting a malicious Web page that automatically downloads the PLC malware into the PLC's Web application by chaining three separate zero-day vulnerabilities that the researchers discovered in the Web application.
Among other things, the Web-based PLC (WB PLC) malware that the researchers developed would have allowed an attacker to physically damage the industrial motor the PLC was controlling, abuse admin settings for further compromise, and steal data for industrial espionage purposes.
"Our Web PLC malware resides in PLC memory, but ultimately gets executed client-side by various browser-equipped devices throughout the ICS environment," the researchers noted. "From there, the malware uses ambient browser-based credentials to interact with the PLC's legitimate Web APIs to attack the underlying real-world machinery." This kind of malware is easier to deploy and control, and is mostly platform-agnostic, they said.
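One defender-side check that follows from that description, added here as an example that is not part of the article or the Georgia Tech paper: because a Web-layer implant lives in the pages the PLC serves and runs in operators' browsers, comparing the scripts in a served page against a known-good baseline surfaces foreign or modified script content. The page contents and the `/js/plc-ui.js` path below are constructed sample data, not taken from any real PLC.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample data: a known-good PLC status page and a copy with one
# foreign inline script added, standing in for a Web-layer implant.
GOOD_PAGE = ('<html><head><script src="/js/plc-ui.js"></script></head>'
             '<body><script>initDashboard();</script></body></html>')
TAMPERED_PAGE = GOOD_PAGE.replace(
    "</body>", '<script>injected();</script></body>')

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def build_baseline(page_html):
    """Record every script a known-good copy of the page contains."""
    c = ScriptCollector()
    c.feed(page_html)
    return {"external": set(c.external), "inline": {sha256(b) for b in c.inline}}

def check_page(page_html, baseline):
    """Return findings for scripts absent from the baseline; [] means clean."""
    c = ScriptCollector()
    c.feed(page_html)
    findings = [f"unexpected external script: {s}"
                for s in c.external if s not in baseline["external"]]
    findings += [f"unexpected inline script sha256={sha256(b)[:16]}"
                 for b in c.inline if sha256(b) not in baseline["inline"]]
    return findings
```

In practice the baseline is taken from a freshly reset or vendor-verified controller and the check is run against pages fetched over the network, so a hit points at content that changed on the PLC rather than in the browser.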
Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.