Complex Attack, But Focused Target
Wednesday, September 22, 2010 @ 05:09 PM gHale
By Gregory Hale
Hackers will attack, but they always need a reason, and in most cases it boils down to money: How much can you get, and how quickly can you get it?
The catch with the Stuxnet virus is that it doesn’t truly seem to be about money. Instead, industry experts say the attackers are using the highly sophisticated worm as a weapon against a specific target.
“Security experts agree that the purpose of the worm is sabotage of an industrial process,” said Andrew Ginter, chief security officer at Industrial Defender. “The details that have been released regarding the design of the worm no longer support the theory that the purpose was information theft.”
“Whoever designed this knew what they were doing,” said Eric Byres, chief technology officer at Byres Security. “It is pretty clear now it was developed to disable a process and destroy equipment.”
More than a few industry experts say the worm focused on a specific circumstance, a particular PLC program and a particular site.
That is where the speculation begins, with experts saying various facilities, including a nuclear reactor in Iran or a nuclear enrichment facility also in Iran, were among the targets. No one has confirmed those were the actual targets, officials said. While people will support these theories as much as they possibly can, investigations will be ongoing to find the intended victim, or victims, of the attack.
Siemens learned about the malware program (Trojan) targeting the Siemens software Simatic WinCC and PCS 7 on July 14. The company immediately formed a team to evaluate the situation and worked with Microsoft and the distributors of virus scan programs to analyze the consequences and the exact mode of operation of the virus.
The Trojan, which spreads via USB sticks and exploits a Microsoft security vulnerability, can affect Windows computers from XP upward.
According to analysis of the worm from Siemens, the virus can theoretically influence specific processes and operations in a very specific automation environment or plant configuration in addition to passing on data. This means the malware is able, under certain boundary conditions, to influence the processing of operations in the control system. However, this behavior has not yet been verified in tests or in practice.
Also, the behavioral pattern of Stuxnet suggests the virus is apparently only activated in plants with a specific configuration, Siemens said. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. This pattern can, for example, be localized by one specific data block and two code blocks.
To date, Siemens said 15 systems were infected worldwide. In none of these cases did the infection cause an adverse impact to the automation system, Siemens said.
But those are just the reported cases.
“I do know of a large installation in the U.S. that was using Siemens product and while it didn’t suffer a major problem, it had to clean up a huge mess,” Byres said. “As nice as the worm tried to be to its non-victims, it still created a mess.”
“The consensus out there is this was a weapon,” Ginter said. “There is a lot of technology in Stuxnet. It has a lot of stuff in it. Now it looks like somebody’s infrastructure has been targeted. It has been proven it can be done; who else will pick up on it? We will see other attacks like this.”
Ginter and Byres said this is not the end, but rather a stark introduction to the type of sophisticated attacks that can hit the industry.
“Whoever designed this knew what they were looking for,” Byres said. “To find one zero day is rare, but to come up with four zero days and to steal certificates and to find and exploit flaws in Siemens code is amazing. It is an amazing professional project. Absolutely no one person could do this.”
“This is a crash lesson for everybody on how to recognize malware,” he said.
“There is no financial interest in this,” Ginter said. “Nobody has figured out how to make money destroying infrastructure.”
“We are going to see more advanced code coming out from criminals and there will be more focused attacks from political or governmental (entities),” Byres said.
Eventually, Ginter said, Stuxnet will go away, but its memory will linger for decades.
“Stuxnet as a threat will die rather quickly,” he said. But, he added, it will stay alive in security professionals’ minds. “We will be talking about this for 10 to 20 years.”
“We are in a weapons race here,” Byres said. “Weapons races never get smaller.”