Targeted malware aimed at European power plant


Targeted, sophisticated malware was recently found aimed at specific European power plants and is likely the result of a nation-state attack, a security company reported Tuesday.

In a blog post, SentinelOne said it had reverse-engineered a piece of malware known as a dropper, a delivery mechanism whose job is to get a payload carrying more specific instructions onto the machine.


The dropper was built to evade specific antivirus products, including expensive industrial ones, and a bevy of secure testing environments known as sandboxes. It targeted specific systems in an Eastern European power company, terminating if it found itself on highly protected systems that ran plant security, such as biometric or RFID access control. It was also designed not to install on two specific computers, identified by the hardware (MAC) addresses of their network cards.
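The environment gating described above, modelled as an added example (this is not the dropper's code, nor SentinelOne's; the MAC addresses, process names, uptime and CPU thresholds are constructed assumptions). The point for a defender is that a sample like this will not detonate in a generic sandbox: the first failing check tells the analyst which condition the detonation environment must present before the payload will ever run.

```python
# Added, hypothetical model of the environment gating described in the article.
# It is NOT the dropper's code; every list and threshold below is an assumption.
import re
from dataclasses import dataclass
from typing import List, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC written as 00-11-22-AA-BB-CC, 0011.22aa.bbcc or
    001122aabbcc into lower-case colon form, so comparisons ignore notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


@dataclass
class HostProfile:
    macs: List[str]            # addresses of all network interfaces
    processes: List[str]       # image names as seen in the process list
    uptime_seconds: int
    cpu_count: int


# Constructed lists for the example (not lifted from the report). In a real case
# the analyst recovers these from the binary and feeds them to the sandbox.
EXCLUDED_MACS: Set[str] = {normalize_mac("00-11-22-AA-BB-CC"),
                           normalize_mac("0011.22dd.eeff")}
PLANT_SECURITY_PROCESSES = {"biometric_svc.exe", "rfid_gate.exe"}   # hypothetical names
AV_PROCESSES = {"avguard.exe", "ekrn.exe", "ccsvchst.exe"}          # Avira, ESET, Norton/Symantec
VM_PROCESSES = {"vboxservice.exe", "vmtoolsd.exe", "procmon.exe"}   # common sandbox tell-tales
MIN_UPTIME_SECONDS = 600   # assumption: a freshly booted box is likely a sandbox
MIN_CPUS = 2               # assumption: a single vCPU is likely a sandbox


def gate(host: HostProfile) -> Tuple[bool, str]:
    """Return (should_run, reason). The first failing check wins, which is also
    the order in which an analyst has to satisfy the gate when detonating."""
    # 1. Hard exclusion of two specific machines by network-card address.
    for mac in host.macs:
        canonical = normalize_mac(mac)
        if canonical in EXCLUDED_MACS:
            return False, f"excluded host (MAC {canonical})"
    procs = {p.lower() for p in host.processes}
    # 2. Abort on plant security systems rather than risk tripping them.
    hit = procs & PLANT_SECURITY_PROCESSES
    if hit:
        return False, f"plant security system ({sorted(hit)[0]})"
    # 3. Abort when one of the avoided antivirus products is present.
    hit = procs & AV_PROCESSES
    if hit:
        return False, f"avoided antivirus ({sorted(hit)[0]})"
    # 4. Several independent sandbox checks; any one of them is enough to abort.
    indicators = []
    if procs & VM_PROCESSES:
        indicators.append("vm process")
    if host.uptime_seconds < MIN_UPTIME_SECONDS:
        indicators.append("short uptime")
    if host.cpu_count < MIN_CPUS:
        indicators.append("single cpu")
    if indicators:
        return False, "sandbox indicators: " + ", ".join(indicators)
    return True, "all checks passed"


if __name__ == "__main__":
    # Constructed host profiles: a stock sandbox VM and a plausible target workstation.
    sandbox = HostProfile(["08:00:27:12:34:56"], ["explorer.exe", "VBoxService.exe"], 120, 1)
    target = HostProfile(["3c:97:0e:11:22:33"], ["explorer.exe", "svchost.exe"], 90000, 4)
    for name, host in (("sandbox", sandbox), ("target", target)):
        print(name, gate(host))
```

Running the block shows the sandbox profile rejected on three counts at once while the target profile passes; only after the analyst fixes the MAC, the process list, the uptime and the CPU count does the gate let the payload stage proceed.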

“We think it was a state actor because of the amount of resources it would have taken to build. Normally, in malware, we only see one or two checks for sandboxes,” said Joseph Landry, the main author of the report. “And also because of the Windows expertise involved in designing the malware.”

Landry said the malware used obscure Windows functions that would have required intimate knowledge of the specific versions it was targeting. 

Landry did not offer definitive evidence of which nation was behind the attack beyond its target, which SentinelOne is not revealing. He did, however, say that the malware was more "professionally" written than most nation-state tooling.

Even among major actors in international cyberattacks, many nations produce less efficiently programmed tools, and others, such as Iran, often have young coders who leave Easter eggs such as a team name in the source code.

With the exception of Norton, the antivirus vendors the malware sidesteps are mostly European, and as discovered it would not have worked against systems in the United States.

“But you can work around any antivirus,” said Landry, who emphasized that good industrial security required a multi-tiered approach.