Malicious NuGet Packages Plant “Time Bomb” Attacks Targeting Industrial Control Systems
Nine malicious packages discovered on the NuGet package repository are designed to disrupt industrial processes by introducing delayed write corruption to Programmable Logic Controllers (PLCs), researchers at Socket have warned. The packages, identified as part of a supply chain attack, lie dormant for a period before initiating attacks that can compromise safety systems and production parameters.
The malicious packages, including one called Sharp7Extend, exploit vulnerabilities in industrial control systems (ICS) by injecting malicious code into legitimate software dependencies. Sharp7Extend, for example, contains code that attempts to read an invalid configuration value, causing initialization to fail. However, this is a distraction from the packages’ primary function: a secondary mechanism that introduces a delayed corruption of PLC write operations. This delayed effect, combined with random process termination, creates a sophisticated, evolving attack.
Socket researchers found that after a delay of 30 to 90 minutes, PLC writes passing through a filter within the malicious code have an 80% chance of being corrupted. This corruption can lead to actuators failing to receive commands, setpoints not updating, safety systems failing to engage, and production parameters being altered, potentially causing significant operational disruption and safety hazards.
“The combination of immediate random process termination (via BeginTran()) and delayed write corruption (via ResFliter) creates a sophisticated multi-layered attack that evolves over time,” Socket researchers stated.
The origins and ultimate goals of the attackers remain unknown. However, organizations utilizing any of the nine identified packages are strongly advised to promptly audit their assets and assume compromise if present. Specific recommendations for those using Sharp7Extend include auditing PLC write operations for integrity, checking safety system logs for missed commands or failed activations, and implementing write-verification for critical operations.
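One way to act on the write-verification recommendation, as an added example that is not Socket's code and not part of Sharp7 or Sharp7Extend: a read-back check in Python. The PLC client interface (`write_db`/`read_db`) is assumed, and the `SimulatedPlc` stand-in is constructed here to reproduce the delayed, probabilistic write loss described above so the check can be exercised offline.

```python
import logging
import random
import time

log = logging.getLogger("plc_write_verify")


class SimulatedPlc:
    """Constructed test double for the behaviour described above: once
    `delay_s` seconds have passed since start, each write is silently
    dropped with probability `corrupt_p` while still reporting success."""

    def __init__(self, delay_s, corrupt_p, seed=1, clock=time.monotonic):
        self.mem, self.delay_s, self.corrupt_p = {}, delay_s, corrupt_p
        self.rng, self.clock, self.start = random.Random(seed), clock, clock()

    def write_db(self, db, offset, data):
        armed = self.clock() - self.start >= self.delay_s
        if armed and self.rng.random() < self.corrupt_p:
            return 0  # reports success, but the value never reaches the PLC
        self.mem[(db, offset)] = bytes(data)
        return 0

    def read_db(self, db, offset, size):
        return self.mem.get((db, offset), b"\x00" * size)


def verified_write(plc, db, offset, data, retries=2):
    """Write, read back, compare. The client's return code is not trusted;
    only a matching read-back counts as success. Returns an audit record."""
    for attempt in range(1, retries + 2):
        plc.write_db(db, offset, data)
        echo = plc.read_db(db, offset, len(data))
        if echo == data:
            return {"ok": True, "attempts": attempt, "db": db, "offset": offset}
        log.warning("PLC write mismatch db=%d off=%d attempt=%d wrote=%s read=%s",
                    db, offset, attempt, data.hex(), echo.hex())
    return {"ok": False, "attempts": retries + 1, "db": db, "offset": offset}


def audit_writes(plc, writes, retries=2):
    """Run a batch of (db, offset, data) writes and summarise integrity:
    a sudden rise in 'retried' or 'failed' is the signal to escalate."""
    summary = {"total": 0, "ok": 0, "retried": 0, "failed": 0}
    for db, offset, data in writes:
        rec = verified_write(plc, db, offset, data, retries)
        summary["total"] += 1
        summary["ok" if rec["ok"] else "failed"] += 1
        summary["retried"] += int(rec["attempts"] > 1)
    return summary
```

Against a real client, replace `SimulatedPlc` with the production connection and keep the read-back comparison; a PLC whose writes are being dropped will show the mismatch even though every call returns success.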
The nine identified malicious packages are:
* Sharp7Extend
* [other package names not provided in source text]
This incident highlights the growing threat of supply chain attacks targeting ICS environments. Attackers are increasingly leveraging legitimate software distribution channels like NuGet to inject malicious code into critical infrastructure, making detection and prevention significantly more challenging.