SentinelOne Discovers Nation State SCADA Attack Targeting Western European Energy Companies
July 2016 by SentinelOne
SentinelOne Labs has discovered a new form of sophisticated malware, which has already infected at least one European energy company. The malware, dubbed SFG: is the mother ship of an earlier malware sample called Furtim, which targets the industrial automation control systems with sophisticated malware and acts as dropper to deliver a payload which could be used to extract data or potentially shut down the energy grid.
The SentinelOne labs team behind the report has reverse-engineered the SFG malware to reveal a highly sophisticated binary code, which has all the hallmarks of a nation state attack - probably of Eastern European origin. According to the researchers, the software itself is likely to form part of a sophisticated multi-staged targeted attack, typically consisting of three phases: evasion of the existing security defenses; reconnaissance to report back the structure of the target network and feed back information to the command and control server and detonation of the payload.
The malware has been developed to work on devices running any version of Microsoft Windows software and has been carefully crafted to bypass traditional antivirus software and firewalls -including those using both static and heuristic techniques. It is also primed to detect when it is being run in a sandbox environment - a technique used to detect advanced malware - or in systems using biometric access control systems. Where such defenses are detected the software would re-encrypt itself and stop working until released from the sandbox environment in order to avoid detection by security analysts.
According to Udi Shamir, Chief Security Officer at SentinelOne, “The malware has all the hallmarks of a nation state attack due to its extremely high level of sophistication and the cost associated with creating software of this advanced nature. It appears to be the work of multiple developers who have reverse engineered more than a dozen antivirus solutions and gone to extreme lengths to evade detection, including causing the AV software to stop working without the user being alerted. Attacks of this nature require substantial funding and knowhow to pull off and are likely to be the result of a state sponsored attack, rather than a cybercriminal group.”
This new malware, which has hitherto been unknown and undetected, is the mother ship of Furtim, originally reported in May 2016, which was just a subset of the complete programme. The discovery of this new malware, sheds extra light on the nature of latter day targeted attacks on critical national infrastructure and the level of sophistication employed to evade detection. The malware sample which is extremely rare is likely to have infected other organisations which, as a result of this research, will now be able to be identify and remove it.