SFG malware was not designed to target SCADA systems in the energy industry

Pierluigi Paganini July 19, 2016

Security experts from Damballa that analyzed the SFG malware confirmed that it was not designed to target SCADA systems in the energy industry

Recently, experts from the SentinelOne security firm spotted a sophisticated malware dubbedSFG, a spawn of Furtim malicious code, targeting at least one European energy company.

Media speculated the existence of a powerful SFG malware, a sort of new Stuxnet, that was spread by an unknown government to target companies in the energy industry.

Now experts from Damballa that have analyzed the SFG threat confirmed that is not so complex as initially speculates.

Researchers from Damballa clarified that the SFG malware is a financial malware that doesn’t include the code to compromise SCADA systems in the energy industry.

“This month, reports surfaced of a sophisticated malware threat found on computers of a European power generation and distribution company.  The malware was dubbed “SFG” and the reports linked it to a malware strain named “Furtim” by the security researchers who first recognized and analyzed it in May 2016.  Soon, the press was calling this “SCADA malware” and reports implied that a “nation-state” was using it to target the electric grid.” reads the analysis published by Damballa.

Key findings of the Damballa analysis are:

  • The SFG malware is just another Furtim build
  • It doesn’t include specific code to targeting ICS or SCADA systems
  • It uses known financially-incentivized cybercriminal infrastructure

SFG malware energy industry

Damballa believes that the SFG malware is the result of a cyber criminal organization, instead of a nation-state actor.

“[SFG] does not appear to be a nation-state operation, and there is no specific threat to any particular sector.”

SentinelOne agreed on the above affirmation, confirming that it does not have evidence that the malware was targeting SCADA systems.

“There has been a number of stories published since the posting of this blog that have suggested this attack is specifically targeting SCADA energy management systems,” reads the update issued by the SentinelOnethe firm.

“We want to emphasise that we do not have any evidence that this is in fact the case. The focus of our analysis was on the characteristics of the malware, not the attribution or target.”

Even if electric grids are no more at risk, researchers fromDamballa highlighted that the SFG malware is also sophisticated. The experts focused on the use of the new ‘fluxxy (aka “Dark Cloud”)’ botnet that was used by threat actors behind recent Pony and Gozi ISFB campaigns.

The popular investigator Brian Krebs mentioned the botnet in a recent post on Carding Sites.

This same botnet was used to spread populat threats, including Carberp, Gozi ISFB, Pony, TeslaCrypt, Rock Loader, Qakbot/Quakbot, GameOver ZeuS/Zbot, KINS, ICE IX, Zemot/Rerdom, Necurs, Tinba, and Rovnix campaigns.

Now that we know this threat, we must prevent it will be improved to target SCADA systems.

“Considering the total compromise this malware effects on systems, and how well it can operate below the radar, we should do our best to keep Furtim/SFG off the electric grid… and every other system.” closed the post published by Damballa.

“We should focus our intelligence efforts on mapping this fast-flux infrastructure and working with authorities to disrupt, degrade, and destroy it.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – SFG malwre, energy)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment