Auth Lab Community

“Hackers Could Launch Remote Stuxnet-Style Attacks Using Malware Targeting PLCs”

### New Remote Stuxnet-Style Attack Threat Unveiled by Security Researchers


Do you remember the Stuxnet attack, uncovered in 2010? The Stuxnet worm, widely attributed to a joint US-Israeli operation that neither government has acknowledged, infiltrated Iran’s Natanz uranium enrichment facility and damaged its centrifuges, setting back the country’s enrichment program. Stuxnet was the first known malware built specifically for industrial control systems: it exploited Windows vulnerabilities and Siemens’ SIMATIC WinCC/Step7 software to reach the supervisory control and data acquisition (SCADA) layer, injected hidden code into the programmable logic controllers (PLCs) driving the centrifuges, and pushed them outside their safe operating range while the operators’ displays reported normal readings.

Recently, security researchers from the Georgia Institute of Technology (GT) published a paper describing a new class of PLC malware that lets attackers mount Stuxnet-style attacks on industrial control systems (ICS). On traditional PLCs, an attacker had two layers to target: the control logic or the firmware. Firmware implants give deep control of the device and are hard to detect, but are difficult to deploy; control-logic implants are easier to deploy but easier to spot. Either way, the attacker first needs privileged access to the target organization’s industrial network.

Modern PLCs, by contrast, ship with embedded web servers that expose remote configuration, control, and monitoring through dedicated web APIs and browser-based human-machine interfaces (HMIs). This greatly expands the attack surface of the ICS, and the GT researchers warn that, for all their convenience, these web features carry significant risk.

To demonstrate that risk, the researchers built web-based PLC malware: front-end JavaScript that resides in the controller’s memory and is served to any browser-equipped device that connects to it. Because it executes client-side, inside operators’ browsers, the malware can abuse the PLC’s legitimate web API to disrupt the industrial process or damage the machinery it controls.

This new PLC malware is easy to deploy and hard to detect. Initial infection can happen through physical or network access to the target’s HMI, but it can also happen remotely over the internet by hijacking the HMI through cross-origin vulnerabilities. For persistence, the malware registers its JavaScript as a browser service worker: code the browser keeps in its cache and runs independently of the web page that installed it. Even after the files are deleted from the server, the cached worker keeps running for up to 24 hours. Through this persistence, the malware can survive firmware updates, new HMIs, and hardware replacements.
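
The cross-origin entry point and the service-worker persistence described above both pass through the PLC’s embedded web server, so that server is where a defender can refuse them. The following is an added example, not code from the Georgia Tech paper or from any PLC vendor’s firmware: a request gate in Node.js for a hypothetical PLC web server, showing a permissive policy that honours cross-origin writes to the control API and serves any uploaded script as a service worker, beside a hardened policy that allowlists origins, requires a per-session CSRF token, and serves only the HMI’s own worker script. The API paths, the `X-CSRF-Token` header, the session token, the origins, and the sample requests are all constructed for illustration; `Origin`, `Sec-Fetch-Site`, and `Service-Worker: script` are standard headers that browsers set and page script cannot forge.

```javascript
// Added example: a request gate for a hypothetical PLC embedded web server.
// Not from the Georgia Tech paper or any vendor firmware. Paths, the
// X-CSRF-Token header, the session token and the sample requests are constructed.

// Permissive policy: the pattern that lets cross-origin front-end code reach
// the control API and lets any uploaded script register as a service worker.
const PERMISSIVE_POLICY = {
  allowedOrigins: null,     // null: accept any Origin on control-API writes
  requireCsrfToken: false,  // writes honoured on the session cookie alone
  serviceWorkerPaths: null, // null: serve any script the browser asks to install as a worker
};

// Hardened policy: only the HMI's own origin may write, every write needs the
// session's CSRF token, and only the HMI's known worker script may be installed.
const HARDENED_POLICY = {
  allowedOrigins: new Set(["https://plc-01.plant.example"]),
  requireCsrfToken: true,
  serviceWorkerPaths: new Set(["/hmi/sw.js"]),
};

// API routes that change controller state: setpoints, forced I/O, admin settings.
const STATE_CHANGING_PREFIXES = ["/api/setpoint", "/api/io/force", "/api/admin"];

function isStateChanging(req) {
  return req.method !== "GET" &&
    STATE_CHANGING_PREFIXES.some((p) => req.path.startsWith(p));
}

// Constant-time comparison so token checking does not leak through timing.
function tokensMatch(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether the server should honour `req` under `policy` for `session`.
// Header names are lower-cased, as Node's http module delivers them.
function gate(req, policy, session) {
  const h = req.headers;

  // A browser fetches a script it is about to install as a service worker with
  // the request header `Service-Worker: script`. Refusing to serve any script
  // other than the allowlisted worker path stops an uploaded file from becoming
  // a worker that outlives the page and keeps running after deletion.
  if (h["service-worker"] === "script" && policy.serviceWorkerPaths &&
      !policy.serviceWorkerPaths.has(req.path)) {
    return { status: 403, reason: "script is not an allowlisted service worker" };
  }

  if (!isStateChanging(req)) return { status: 200, reason: "read-only request" };

  // Origin is attached by the browser; page script cannot set it.
  if (policy.allowedOrigins && h.origin !== undefined &&
      !policy.allowedOrigins.has(h.origin)) {
    return { status: 403, reason: `origin ${h.origin} may not write to the control API` };
  }
  // Sec-Fetch-Site is likewise browser-set; anything but same-origin (or "none"
  // for a direct navigation) means another site triggered this write.
  const site = h["sec-fetch-site"];
  if (policy.allowedOrigins && site !== undefined &&
      site !== "same-origin" && site !== "none") {
    return { status: 403, reason: `cross-site write (Sec-Fetch-Site: ${site})` };
  }
  // Only the HMI's own page can read the session's CSRF token, so the token
  // also covers clients and old browsers that send neither header above.
  if (policy.requireCsrfToken &&
      !(session && tokensMatch(h["x-csrf-token"] || "", session.csrfToken))) {
    return { status: 403, reason: "missing or wrong CSRF token" };
  }
  return { status: 200, reason: "ok" };
}

// Constructed samples: the operator's session, a write made by the HMI page,
// the same write triggered from an attacker's page open in the same browser,
// a fetch that would install an uploaded file as a service worker, and the
// HMI's own worker script.
const SESSION = { csrfToken: "tok-0123456789abcdef" };

const SAMPLE_REQUESTS = {
  hmiWrite: { method: "POST", path: "/api/setpoint/tank1/level",
    headers: { origin: "https://plc-01.plant.example", "sec-fetch-site": "same-origin",
               "x-csrf-token": "tok-0123456789abcdef", cookie: "sid=abc" } },
  crossOriginWrite: { method: "POST", path: "/api/setpoint/tank1/level",
    headers: { origin: "https://attacker.example", "sec-fetch-site": "cross-site",
               cookie: "sid=abc" } },
  uploadedWorker: { method: "GET", path: "/upload/hmi-theme.js",
    headers: { "service-worker": "script", cookie: "sid=abc" } },
  hmiWorker: { method: "GET", path: "/hmi/sw.js",
    headers: { "service-worker": "script", cookie: "sid=abc" } },
};

// Run every sample through a policy; returns { sampleName: httpStatus }.
function evaluate(policy) {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = gate(req, policy, SESSION).status;
  }
  return out;
}

console.log("permissive:", evaluate(PERMISSIVE_POLICY));
console.log("hardened:  ", evaluate(HARDENED_POLICY));
```

Under the permissive policy every sample gets 200, including the attacker page’s setpoint write and the worker install from the upload directory; under the hardened policy those two get 403 while the HMI’s own write and its own worker script still pass. The gate is the server-side half of the defence: the browser-side half is issuing the session cookie with `SameSite=Strict` (or at least `Lax`) so that a page on another origin never sends it in the first place, and keeping anything that does not need to be served off the PLC’s web root.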

Once deployed, what the malware can do depends on the API functions the PLC exposes. The researchers list overriding input/output values, abusing HMI inputs, changing setpoints and safety settings, falsifying HMI displays, updating administrative settings, and exfiltrating real-time process data.

Crucially, the researchers found that the malware can establish command and control (C&C) connections even when the target PLC sits on an isolated network. After an attack it can cover its tracks by self-destructing, overwriting itself with a benign payload, logging out user accounts, or even resetting the controller to factory settings.

The researchers showed that this kind of malware can target controllers from Siemens, Emerson, Schneider Electric, Mitsubishi Electric, and Allen-Bradley. Getting it onto these controllers involves exploiting new or known vulnerabilities, and in some cases abusing insecure protocols, using a known FTP password, or relying on an insider.

The researchers also developed a vendor-agnostic framework for building and analyzing web-based PLC malware, noting that “this framework explores each phase of widely applicable strategies that can be used for most modern PLC models, systematically demonstrating how malicious front-end code disrupts the network properties of PLCs and undermines the integrity of industrial control system environments.” The framework is intended as a reference for future research involving any PLC vendor or model.

(Source: [SecurityWeek](https://www.securityweek.com/remote-stuxnet-style-attack-possible-with-web-based-plc-malware-researchers))