- Socket found nine NuGet packages with delayed sabotage targeting industrial control systems
- Sharp7Extend can destroy Siemens S7 PLCs and randomly crash host processes
- Malicious code is activated in 2027-2028; users are encouraged to review and remove affected packages
Thousands of critical infrastructure organizations, as well as those working in other, equally important verticals, were hit by a treacherous attack designed to sabotage their industrial control units (ICD) two years down the line, experts have discovered.
Cybersecurity researchers at Socket recently found nine packages on NuGet that contained sabotage payloads set to activate in 2027 and 2028 if certain conditions were met.
NuGet is the package manager for .NET that provides open source .NET libraries that software developers can easily integrate into their projects.
Thousands of victims
According to Socket, the packages targeted all three major database providers used in .NET applications (SQL Server, PostgreSQL and SQLite), and the most dangerous of them is Sharp7Extend, which is aimed at users of the Sharp7 library.
“By appending ‘Extend’ to the trusted Sharp7 name, the threat actor exploits developers searching for Sharp7 extensions or enhancements,” Socket explained.
The account that hosted them is shanhai666, and according to Bleeping Computer, all of the packages have been delisted in the meantime. Before that happened, they managed to collect almost 10,000 downloads.
While almost all the code in the packages (99%) was clean, that 1% could prove fatal. It was written to run when the app talks to databases or Siemens S7 PLCs.
Siemens S7 industrial control units can usually be found in manufacturing plants, energy and utilities, oil, gas and chemical industries, building automation and transportation.
The payload only fires between August 8, 2027 and November 29, 2028 and does two destructive things: it randomly kills the host process 20% of the time (causing instant stops) and, in the Sharp7Extend package, aborts initialization and/or, after a 90-minute delay, destroys PLC writes with an 8% chance.
Who uploaded these packages and for what purpose remains a mystery. Users are advised to audit their assets for the packages and remove them immediately.
Here is the full list of malicious packages detected so far:
SqlUnicorn.Core
qlDbRepository
SqlLiteRepository
SqlUnicornCoreTest
SqlUnicornCore
SQLRepository
MyDbRepository
MCDbRepository
Sharp7Extend
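One way to run the audit advised above is to scan a source tree for references to the listed package IDs. This is an added example, not code from Socket or from the article; it assumes dependencies are declared in project or props files, `packages.config` or `packages.lock.json`, the function names are its own, and the IDs are copied exactly as printed in the list above.

```python
import json
import xml.etree.ElementTree as ET
from pathlib import Path

# IDs copied as printed in the list above; NuGet IDs are case-insensitive.
WATCHLIST = {n.lower() for n in (
    "SqlUnicorn.Core", "qlDbRepository", "SqlLiteRepository",
    "SqlUnicornCoreTest", "SqlUnicornCore", "SQLRepository",
    "MyDbRepository", "MCDbRepository", "Sharp7Extend")}
XML_SUFFIXES = {".csproj", ".fsproj", ".vbproj", ".props"}
ID_ATTR = {"PackageReference": "Include", "PackageVersion": "Include", "package": "id"}

def ids_in_xml(text):
    """Package IDs from project/props files or a legacy packages.config."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return []
    ids = []
    for el in root.iter():
        attr = ID_ATTR.get(el.tag.rsplit("}", 1)[-1])  # strip XML namespace
        if attr and el.get(attr):
            ids.append(el.get(attr))
    return ids

def ids_in_lockfile(text):
    """Package IDs from packages.lock.json, which also lists transitive ones."""
    try:
        deps = json.loads(text).get("dependencies", {})
        return [pid for framework in deps.values() for pid in framework]
    except (ValueError, AttributeError, TypeError):
        return []

def scan(root):
    """Sorted (path, id) hits; exact ID match, so Sharp7 itself is not flagged."""
    hits = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        name = path.name.lower()
        if name == "packages.lock.json":
            parse = ids_in_lockfile
        elif name == "packages.config" or path.suffix.lower() in XML_SUFFIXES:
            parse = ids_in_xml
        else:
            continue
        text = path.read_text(encoding="utf-8-sig", errors="replace")
        hits += [(str(path), i) for i in parse(text) if i.lower() in WATCHLIST]
    return sorted(hits)

if __name__ == "__main__":
    print(*scan("."), sep="\n")
```

A hit in `packages.lock.json` with no matching project reference means the package arrived as a transitive dependency, so the package that pulls it in needs review as well.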
Via Bleeping Computer



