Control Corruption without Firmware Infection: Stealthy Supply Chain Attacks via PLC Hardware Implants (MalTag)


Research area: Analysis



Conference: 2024 ACM/IEEE 15th International Conference on Cyber-Physical Systems (ICCPS)


Abstract

Critical infrastructures, e.g., power grids, are vital to national security, and their failure would have a significant impact on people's daily lives on a large scale. They are often automated and computer-controlled, and are under emerging advanced persistent threat (APT) attacks. The programmable logic controllers (PLCs) are the neurons that control the physical system. In most APT attacks, a stealthy backdoor is usually the core that allows the attacker to hide in the dark without being detected and launch remote malicious operations at a particular moment. However, to achieve further stealthiness and bypass existing software mitigations, it needs to evolve from high-level software into low-level hardware. This paper presents MALTAG, a small parasitical hardware implant that attaches to the PLC's circuit board. Using MALTAG, the attacker can control the PLC remotely by hijacking the various buses on the boards and modifying the digital signal. This attack can be deployed either during the supply chain or stealthily installed in remote plants. The hardware implant contains a cellular chip that provides a remote control channel to allow the attacker to organize a multi-point distributed attack by controlling several PLCs simultaneously on an interconnected physical plant. We have implemented and evaluated MALTAG on popular and widely deployed Allen Bradley PLCs. The results show that such a hardware backdoor does not change the firmware, so there is no integrity violation. MALTAG also induces almost no overhead to the system, thus not affecting the runtime of the PLC. It can secretly change the PLC's outputs to actuators and/or inputs from sensors without leaving any trace. Furthermore, the attacker can even penetrate air-gapped networks by communicating with MALTAG and conduct a simultaneous attack with multiple controlled nodes.


Author Profile
Mingbo Zhang

Department of ECE Rutgers University

No information
Author Profile
Saman Zonouz

Schools of SCP and ECE Georgia Tech

Andorra

Paper information

Publication year: 2024
Citations: 2
Publication country: Andorra
Site: IEEE
