A group of researchers discovered a rare instance of malicious computer software cleverly designed to mask the disruption of an industrial machine that's being used, for instance, at an energy or chemical plant.
The team from FireEye, a cybersecurity firm, stumbled across the malware last year while researching viruses that attack industrial control systems. They dubbed it Irongate.
The researchers say it's only the fourth such class of malware ever found. The most well-known example of this kind of malware is Stuxnet, which damaged nearly 1,000 centrifuges at an Iranian nuclear facility and was discovered in 2010. Stuxnet was jointly created by the United States and Israel, though neither country has officially acknowledged its involvement.
The FireEye team does not know who created Irongate or why, and the researchers say the malware is designed to work only on software that simulates a real machine.
But, the team said, its characteristics are still noteworthy.
For instance, researchers said the malware records five seconds of normal control activity and then plays it back over and over to deceive a control room operator into thinking everything is fine.
At the same time, as the operator sees only normal activity on his screen, the malware is able to substitute computer files that alter the temperature and pressure on a specific type of Siemens control system.
"You're talking about physical equipment that needs to be monitored to be stable," said Stephen Ward, FireEye communications director. "So if you can make them think everything’s fine here, don’t worry, they have no ability to respond. That’s alarming."
The firm could find no clues to authorship.
"It could be research activity or it could be some sort of testing of concepts for a future attack," said Dan Scali, a team member.
Whatever it is, he said, "it highlights challenges we have in the industry in detecting these types of threats."
Team member Rob Caldwell said there have been no signs that the malware has been used in the real world.
The researchers found the malware on VirusTotal, a free online service and Google subsidiary that analyzes suspicious computer files and facilitates the detection of worms and other malware.
They marveled that it had sat on the database, unanalyzed, for two years before they spotted it.
Irongate also has an ability to detect and evade "sandboxes," or software programs that try to protect systems by test-running suspicious computer code before it is allowed to enter a network to see what the code does. When Irongate detects a sandbox, it shuts itself down.
They found a couple of similarities to Stuxnet.
Both Stuxnet and Irongate were designed to work on a single, highly specific process. With Stuxnet, it was control systems running uranium-enrichment centrifuges at Natanz. With Irongate, it is a specific simulated industrial process relying on Siemens software.
Both pieces of malware replace data files to manipulate a machine's operation. Stuxnet accelerated the spinning of the centrifuges. Irongate appears to alter temperature and pressure.
But unlike Stuxnet, which was much more powerful, Irongate works only in a simulated environment. And Stuxnet was launched by two countries seeking to alter the behavior of a third — Iran. With Irongate, the creator's motive is unknown.
"Our hope," Scali said, "is we will get more information from the community" of researchers.