Sandworm malware targets GE Cimplicity HMI

Industrial CyberSecurity

Oct 29, 2014 – After the discovery of Stuxnet in 2010, there seemed to be a lull in the rate of discovery of malware that specifically targeted industrial systems. If you recollect, Stuxnet was the first really widespread, sophisticated and highly targeted malware directed at Siemens control systems, including the SIMATIC range of PLCs. If you have not read about it, you can do so here. Hence industrial safety professionals, cybersecurity professionals, industrial control system professionals and others started saying that Stuxnet was more of a one-off event, that it couldn't happen again, that the possibility was far-fetched, and so on.

However, this was not to be. In the past year there have been as many as three more widespread malware attacks, sophisticated, clever and designed to make the most of vulnerabilities found in many standard control systems used around the world. The latest is the Sandworm attack, and it appears targeted at GE's CIMPLICITY HMI (Human Machine Interface), used in several hundred or more SCADA (Supervisory Control and Data Acquisition) systems worldwide. Though Sandworm has been making news since as far back as June and seems to belong to the family of HAVEX RAT malware, this new finding about it must worry all present users of GE CIMPLICITY systems.

Kyle Wilhoit and Jim Gogolinski of Trend Micro first broke the news on the Trend Micro website, where they say: "As further proof of the malware targeting CIMPLICITY, it drops files into the CIMPLICITY installation directory using the %CIMPATH% environment variable on the victim machines." These directories are likely excluded from scanning in anti-virus deployments, so files dropped there may go unnoticed.
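A defender-side check for the point above, added here as an example and not code from the original post or from Trend Micro: run on the HMI host, it resolves %CIMPATH%, lists recently created or modified executable content in that tree with its SHA-256 and Authenticode status, and reports whether the path falls under a Windows Defender exclusion. The use of the Defender cmdlets, the 30-day window and the extension list are assumptions; adapt them to the AV product actually deployed.

```powershell
# Added example (not from the original post or Trend Micro). Inventory the
# CIMPLICITY install directory named by %CIMPATH% and check its AV exclusion
# status. Run as an administrator on the HMI host.
param(
    [int]$DaysBack = 30   # assumed look-back window for new/changed files
)

# CIMPATH is normally a machine-wide variable; fall back to the process copy.
$cimPath = [Environment]::GetEnvironmentVariable('CIMPATH', 'Machine')
if (-not $cimPath) { $cimPath = $env:CIMPATH }
if (-not $cimPath -or -not (Test-Path -LiteralPath $cimPath)) {
    Write-Warning 'CIMPATH is not set or does not point to an existing directory.'
    return
}
Write-Host "CIMPATH resolves to: $cimPath"

# 1. Recently created or modified files of the kinds a dropper would leave.
$cutoff     = (Get-Date).AddDays(-$DaysBack)
$suspectExt = '.exe', '.dll', '.bat', '.cmd', '.vbs', '.ps1'   # assumed list
Get-ChildItem -LiteralPath $cimPath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $suspectExt -contains $_.Extension.ToLower() -and
                   ($_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Path      = $_.FullName
            Created   = $_.CreationTime
            Modified  = $_.LastWriteTime
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Signature = $sig.Status   # 'Valid' is expected for vendor-signed binaries
        }
    } | Format-Table -AutoSize

# 2. Is the directory excluded from Windows Defender scanning?
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    $excluded = @($pref.ExclusionPath | Where-Object {
        $cimPath.TrimEnd('\').StartsWith($_.TrimEnd('\'), [StringComparison]::OrdinalIgnoreCase)
    })
    if ($excluded.Count -gt 0) {
        Write-Warning "CIMPATH is covered by Defender exclusion(s): $($excluded -join ', ')"
    } else {
        Write-Host 'CIMPATH is not in the Defender exclusion list.'
    }
} else {
    Write-Host 'Get-MpPreference unavailable; check the installed AV product''s exclusions manually.'
}
```

Compare the listed hashes against a known-good baseline taken from a clean install; anything unsigned or absent from the baseline merits a closer look.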

The development shows that users of industrial control systems, including DCS, PLC, SCADA, SIS and similar systems, have to start building defenses against cyber attacks now, as by the time a system is compromised it may be too late. Unlike attacks on banking systems or the recent iCloud hack, attacks on industrial control systems can result in direct physical, undesired consequences such as valves opening or closing that lead to potential explosions or toxic releases, machines getting damaged, power blackouts and other mind-blowing, disastrous events.