Critical ICS Malware Discovered: Engineering Workstations Under Attack


A concerning new malware threat targeting industrial control systems (ICS) has emerged with the ability to terminate critical engineering processes, according to recent findings by cybersecurity firm Forescout.

The research identified two distinct malware types attacking engineering workstations from major industrial automation vendors Mitsubishi and Siemens between August and November 2024.

One of the discovered threats is a variant of the Ramnit worm specifically targeting Mitsubishi systems. The other is a new experimental malware dubbed Chaya_003, which focuses on Siemens workstations and can actively terminate engineering processes.

The attackers behind Chaya_003 employed legitimate services like Discord webhooks for command and control operations, making detection particularly challenging for security teams. The malware demonstrates sophisticated capabilities including system reconnaissance and selective process disruption based on predefined criteria.

Engineering workstations represent a critical component in industrial environments, as they run specialized software needed to program and manage field devices like programmable logic controllers (PLCs). According to SANS Institute data, compromised engineering workstations account for over 20% of incidents in OT/ICS systems.

The Ramnit infections can spread through USB drives or across poorly segmented networks. While the exact infection vector remains unconfirmed, researchers believe the malware may have modified legitimate Windows executables, a pattern observed in other OT software attacks since 2021.

Analysis of Chaya_003 revealed three distinct versions, with some samples masquerading as legitimate system processes to evade detection. The researchers noted clear signs of ongoing development, suggesting the malware is being refined for wider deployment.

To protect against these emerging threats, industrial organizations are advised to:

  • Map all workstations on OT networks
  • Keep software and security solutions updated
  • Avoid direct internet exposure
  • Implement proper network segmentation
  • Restrict connections to authorized systems
  • Deploy solutions capable of detecting malicious activity
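Two of the behaviours described above lend themselves to simple host- and proxy-log detection: outbound requests to Discord webhook URLs from engineering workstations, and termination of engineering software by some other process. The following Python script is an added example written for this summary; it is not code from Forescout's report. The log format, hostnames, and process names are constructed placeholders, since the article does not publish them, and a real deployment would take them from the site's own asset inventory and telemetry.

```python
"""Detect Discord-webhook C2 traffic and engineering-process termination
on OT engineering workstations from constructed log lines.

Added example, not from the Forescout report. Log format, hostnames and
process names below are assumptions for illustration only.
"""
import re
from urllib.parse import urlparse

# Assumed inventory of engineering workstations (constructed hostnames).
ENGINEERING_WORKSTATIONS = {"ews-siemens-01", "ews-mitsubishi-02"}

# Placeholder process names for engineering software; the article does not
# name them, so fill this from the site's own asset inventory.
ENGINEERING_PROCESSES = {"engineering_tool.exe", "plc_programmer.exe"}

# Discord webhook URLs have the shape /api/webhooks/<id>/<token>.
WEBHOOK_PATH_RE = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_-]+$")
DISCORD_HOSTS = {"discord.com", "discordapp.com"}


def is_discord_webhook(url):
    """True if url points at a Discord webhook endpoint."""
    p = urlparse(url)
    return (p.scheme in {"http", "https"}
            and p.hostname in DISCORD_HOSTS
            and bool(WEBHOOK_PATH_RE.match(p.path)))


def parse_line(line):
    """Parse the constructed format '<ts> <host> <event> key=value ...'."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return None
    ts, host, event, rest = parts
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": ts, "host": host, "event": event, **fields}


def detect(lines):
    """Return (alert_type, host, timestamp) tuples for suspicious events.

    Only engineering workstations are examined; terminations are flagged when
    the target is an engineering process and the killer is a different
    process (a self-exit is treated as normal).
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in ENGINEERING_WORKSTATIONS:
            continue
        if rec["event"] == "http_request" and is_discord_webhook(rec.get("url", "")):
            alerts.append(("discord_webhook_c2", rec["host"], rec["ts"]))
        elif rec["event"] == "process_terminated":
            target = rec.get("target", "").lower()
            killer = rec.get("by", "").lower()
            if target in ENGINEERING_PROCESSES and killer != target:
                alerts.append(("engineering_process_killed", rec["host"], rec["ts"]))
    return alerts


# Constructed sample telemetry; none of these values come from the report.
SAMPLE_LOG = [
    "2024-10-02T08:14:03Z ews-siemens-01 http_request url=https://discord.com/api/webhooks/123456789012345678/AbCdEf-123_xyz",
    "2024-10-02T08:14:09Z ews-siemens-01 process_terminated target=engineering_tool.exe by=svchost.exe",
    "2024-10-02T08:15:00Z office-pc-07 http_request url=https://discord.com/api/webhooks/1/aaa",
    "2024-10-02T08:16:12Z ews-mitsubishi-02 http_request url=https://updates.example.com/patch",
    "2024-10-02T08:17:30Z ews-mitsubishi-02 process_terminated target=engineering_tool.exe by=engineering_tool.exe",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The detector deliberately scopes to the engineering-workstation inventory, which is why the office host's webhook request is ignored here; in practice that request would also merit review, and maintaining the inventory is exactly the "map all workstations" step in the list above. Because the article notes that some Chaya_003 samples masquerade as system processes, the termination check does not trust the killer's name and flags any foreign process that stops engineering software.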

The discovery highlights growing risks to industrial control systems as attackers develop more sophisticated tools targeting critical infrastructure components.