Skip to Content

FireEye Caught Sneaky Malware Targeting Siemens Industrial Systems

Sewage treatment plant in JordanSewage treatment plant in Jordan
An employee of a sewage treatment plant points on a blueprint of a SCADA system.Thomas Imo—Photothek via Getty Images

Here’s a worrisome observation: Hackers are learning to design malicious software that goes after critical infrastructure and evades capture.

Computer security researchers at the cybersecurity firm FireEye (FEYE) said on Thursday that they discovered malware that targets industrial control systems, machines that undergird the operations of utilities and manufacturing plants. The malware, dubbed “irongate,” affects simulated Siemens (SIEMENS-AG) computing environments, the team said.

Get Data Sheet, Fortune’s technology newsletter.

FireEye’s researchers stumbled upon the code on the site VirusTotal, a Google-owned (GOOG) search engine that checks malware samples against antivirus scans, in late 2015. Two unidentified sources uploaded two separate versions of the malware a year earlier; neither of the samples triggered an alarm at the time, the team said.

According to FireEye’s blog post, Siemens said the malware is not yet advanced enough to impact real-world systems. Irongate “is not viable against operational Siemens control systems,” the company said, and it “does not exploit any vulnerabilities in Siemens products.” (Fortune has reached out to Siemens for further clarification and will update this post if we hear back.)

For less sophisticated cyberattacks, watch:

The newly uncovered malware seems to take its cue from Stuxnet, a shadowy cyberattack allegedly designed by the United States and Israeli intelligence agencies to knock out the centrifuges used in Iran’s nuclear program. The researchers note that while the malware “does not compare to Stuxnet in terms of complexity, ability to propagate, or geopolitical implications,” it does incorporate “some of the same features and techniques”—for example, in the way they both manipulate certain digital processes in SCADA systems, check for defenses before detonating, and mask their tracks.

Some defining characteristics of the code: It can cause a man-in-the-middle attack—intercepting and meddling with data traffic—and can evade digital sandboxes, defensive tools that security managers use to analyze and block potential malware programs. You can learn more about the inner workings of the malware as well as its indicators of compromise in the FireEye post.

“We have generally not seen a lot of progress since Stuxnet to address the issues that Irongate brings up,” Dan Scali, a senior manager at FireEye, told Threatpost, a security blog sponsored by the Russian cybersecurity firm Kaspersky. “The concern is as the capability to do these types of attacks gets easier over time we need to bolster our defenses as a counterweight.”

The researchers said they have determined very little about the malware’s provenance. They speculated that it could be a “test case, proof of concept, or research activity for ICS [industrial control systems] attack techniques.”