A team of security experts from Kaspersky ICS-CERT has unearthed a concerning issue in industrial control system (ICS) environments. They have discovered a new type of malware that is capable of bypassing air-gapped defenses, a common measure used to isolate sensitive systems from outside networks. The researchers have been investigating cyberattacks against ICS and critical infrastructure in Eastern Europe, and their findings have revealed a novel second-stage malware that allows threat actors to infiltrate air-gapped systems and establish a persistent presence for data exfiltration purposes.
To achieve their objectives, the attackers first employ known remote access and data collection tools to gain initial access to the ICS network. Once inside, they deploy a modular and sophisticated malware against the air-gapped ICS networks. This malware contaminates removable storage drives with a worm that then exfiltrates targeted data. By following this process, the attackers are just a step away from transmitting the stolen data out of the environment.
The malware responsible for exfiltrating data from air-gapped systems consists of at least three modules, each assigned different tasks such as profiling and handling removable drives, capturing screenshots, and planting second-stage malware on newly connected drives. This information has been shared in a report released by Kaspersky, shedding light on the increasingly advanced tactics employed by cyberattackers.
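One defensive angle on the module described above, the one that plants second-stage malware on newly connected drives: correlate removable-drive attach events with executable files written to that volume shortly afterwards. The code below is an added example for this article, not code from Kaspersky or from the report; the log format, event names, extension list and time window are all assumptions, and the sample log lines are constructed.

```python
from datetime import datetime

# Constructed sample log, not taken from the Kaspersky report. Each line is
# "<ISO time> <event> key=value ...", a simplified Sysmon-like shape (assumed).
# Paths here contain no spaces; real logs need a proper field parser.
SAMPLE_LOG = """\
2023-07-01T09:00:00 DriveAttach volume=E: removable=1
2023-07-01T09:00:07 FileCreate image=C:\\Vendor\\viewer.exe path=E:\\$RECYCLE.BIN\\svc.dll
2023-07-01T09:00:09 FileCreate image=C:\\Windows\\explorer.exe path=E:\\report.docx
2023-07-01T09:00:11 FileCreate image=C:\\Vendor\\viewer.exe path=E:\\report.docx.lnk
2023-07-01T13:00:00 FileCreate image=C:\\Windows\\explorer.exe path=E:\\notes.exe
"""

# Extensions worth flagging when dropped onto a freshly attached drive (assumed list).
STAGING_EXT = (".exe", ".dll", ".lnk", ".scr")
WINDOW_SECONDS = 120  # assumed: how soon after attach a drop is "suspicious"


def parse_line(line):
    """Split one log line into (timestamp, event name, field dict)."""
    ts, event, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return datetime.fromisoformat(ts), event, fields


def find_drive_staging(log_text, window=WINDOW_SECONDS):
    """Return alerts for executable content written to a removable volume
    within `window` seconds of that volume being attached."""
    attached = {}  # volume letter -> attach time, removable drives only
    alerts = []
    for line in log_text.splitlines():
        ts, event, f = parse_line(line)
        if event == "DriveAttach" and f.get("removable") == "1":
            attached[f["volume"].upper()] = ts
        elif event == "FileCreate":
            path = f["path"]
            attach_time = attached.get(path[:2].upper())
            if attach_time is None:
                continue  # not a drive we saw attached
            age = (ts - attach_time).total_seconds()
            if age <= window and path.lower().endswith(STAGING_EXT):
                alerts.append({"time": ts.isoformat(), "volume": path[:2].upper(),
                               "image": f["image"], "path": path,
                               "seconds_after_attach": int(age)})
    return alerts


if __name__ == "__main__":
    for alert in find_drive_staging(SAMPLE_LOG):
        print(alert)
```

Against the sample log this flags the DLL and the LNK dropped seconds after the drive appeared, and ignores the document write and the executable written hours later; in practice the image name (a non-shell process writing to removable media) is the field worth triaging first.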
The researchers also discovered another second-stage implant used in the attacks. This implant sends stolen data from a local computer to Dropbox, a popular file hosting service. This means that even if the initial stages of the attack were detected and thwarted, the attackers still had a means of getting the stolen data out of the network.
One of the key challenges faced by security teams is the attackers’ ability to evade detection. The cybercriminals hide encrypted payloads inside their own binary files and use DLL hijacking to load the malware into the memory of legitimate applications. These deliberate efforts to obfuscate their actions highlight the sophistication of the attackers’ tactics, according to Kirill Kruglov, a senior security researcher at Kaspersky ICS-CERT.
To complete the cyberattack chain and successfully exfiltrate data, a third set of tools is required to upload the stolen data to a command and control server (C2). Kruglov stated that their team will continue to investigate this aspect of the attack in order to determine the full extent of the threat.
The discovery of this novel malware capable of infiltrating air-gapped systems is a significant concern for the security community. Air-gapping has long been considered an effective defense mechanism to protect sensitive data and critical infrastructure. However, as cybercriminals become more sophisticated, their ability to breach these defenses signals a need for heightened security measures and continuous monitoring of network activity.
The implications of such a breach extend far beyond individual organizations. The potential compromise of critical infrastructure, such as power grids and industrial facilities, poses a significant risk to society as a whole. As cyberattacks increasingly target these essential systems, governments and organizations must work together to strengthen defenses and protect against emerging threats.
In conclusion, the discovery of a worm that can bypass air-gapped defenses in industrial control systems is a concerning development for the cybersecurity community. The sophisticated and modular malware employed by attackers highlights the need for continual vigilance and the adoption of advanced security measures. With cyberattacks becoming more prevalent and sophisticated, it is essential to invest in robust defense systems to safeguard critical infrastructure and protect sensitive data from falling into the wrong hands.
