Stuxnet Still On ICSes

Friday, June 12, 2015 @ 04:06 PM gHale

It may have been discovered five years ago, but Stuxnet continues to live on as there are still systems infected with the virus, said a Czech security firm.

In 2013 and 2014 there were at least 153 distinct infected machines with Stuxnet, according to a report entitled, “Internet Attacks Against Nuclear Power Plants” from Kleissner & Associates.


ISSSource reported Stuxnet was a comprehensive U.S.-Israeli program designed to disrupt Iran’s nuclear technology. This joint program first surfaced in 2009 and worked in concert with an earlier U.S. effort that consistently sabotaged Iran’s purchasing network abroad. The virus was detected in 2010, but had been on the Iranian systems for at least a year prior.

While just over 47 percent of these computers were in Iran, infections were also found in India, Indonesia, Saudi Arabia, Kazakhstan and China. At least six of the machines ran SCADA development software, which is used to control industrial equipment, especially in power plants.

Kleissner & Associates has been monitoring the infections via its Virus Tracker sinkhole servers. The security firm gained control of two of the command and control servers and pointed them to Virus Tracker in efforts to keep track of the malware.

Kleissner pointed out that while the malware is still running, it can no longer be controlled by the original attackers, as his company now owns the command and control domains. But because infections are ongoing, the firm said, companies clearly weren’t doing a good job of cleaning up after an outbreak.
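The counts in this article (distinct infected machines, the share located in Iran, the handful running SCADA software) are the kind of figures a sinkhole operator derives from beacon logs once a command and control domain has been pointed at a server they control. The script below is an added illustration of that bookkeeping, not Kleissner & Associates’ Virus Tracker code: the log format, the `.example` sinkhole domains, the bot identifiers and the software tags are all constructed assumptions. The one design point worth noting is that it counts machines by the malware’s own identifier rather than by source IP, because DHCP gives one machine several addresses over time and NAT hides several machines behind one.

```python
"""Aggregate sinkhole beacon logs into distinct-infection figures.

Added example, not the Virus Tracker sinkhole's real code. The log format
below (timestamp, source IP, sinkholed domain, bot id, country, software
tag) is an assumed layout; every value is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample log. Assumed field order:
#   <ISO timestamp> <source ip> <sinkholed domain> <bot id> <country> <software tag>
# Note BOT-0001 beaconing from two IPs (DHCP churn), BOT-0002/BOT-0003 and
# BOT-0006/BOT-0007 sharing one IP (NAT), and one malformed line.
SAMPLE_LOG = """\
2014-03-02T10:15:01Z 203.0.113.7 sinkhole-a.example BOT-0001 IR SCADA-DEV
2014-03-02T10:20:44Z 203.0.113.7 sinkhole-a.example BOT-0001 IR SCADA-DEV
2014-03-02T11:02:13Z 203.0.113.42 sinkhole-a.example BOT-0001 IR SCADA-DEV
2014-03-03T08:00:00Z 198.51.100.9 sinkhole-b.example BOT-0002 IN OFFICE
2014-03-03T08:05:12Z 198.51.100.9 sinkhole-b.example BOT-0003 IN OFFICE
2014-03-04T12:30:00Z 192.0.2.55 sinkhole-a.example BOT-0004 ID SCADA-DEV
2014-03-05T09:10:10Z 192.0.2.77 sinkhole-b.example BOT-0005 IR OFFICE
this line is deliberately malformed
2014-03-06T14:00:00Z 203.0.113.200 sinkhole-a.example BOT-0006 CN OFFICE
2014-03-06T14:00:09Z 203.0.113.200 sinkhole-a.example BOT-0007 IR OFFICE
"""


@dataclass(frozen=True)
class Beacon:
    ts: str
    src_ip: str
    domain: str
    bot_id: str
    country: str
    software: str


def parse_sinkhole_log(text: str):
    """Return (list of Beacon, number of lines that did not parse)."""
    beacons, malformed = [], 0
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            malformed += 1  # keep going; one bad line must not drop the dataset
            continue
        beacons.append(Beacon(*fields))
    return beacons, malformed


def distinct_machines(beacons):
    """Map bot id -> its most recent beacon.

    Keyed on the malware's own machine identifier, not the source IP: DHCP
    gives one machine several addresses and NAT hides several machines
    behind one, so IP-based counts are wrong in both directions.
    """
    latest = {}
    for b in sorted(beacons, key=lambda b: b.ts):  # ISO timestamps sort as text
        latest[b.bot_id] = b
    return latest


def country_share(machines):
    """Per-country (count, percent of distinct machines), largest first."""
    counts = Counter(b.country for b in machines.values())
    total = sum(counts.values())
    return {c: (n, round(100 * n / total, 1)) for c, n in counts.most_common()}


def ics_relevant(machines, tag="SCADA-DEV"):
    """Bot ids whose software tag marks them as ICS engineering hosts."""
    return sorted(bid for bid, b in machines.items() if b.software == tag)


def summarize(text: str):
    beacons, malformed = parse_sinkhole_log(text)
    machines = distinct_machines(beacons)
    return {
        "beacons": len(beacons),
        "malformed": malformed,
        "distinct_ips": len({b.src_ip for b in beacons}),
        "distinct_machines": len(machines),
        "by_country": country_share(machines),
        "ics_hosts": ics_relevant(machines),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the IP count and the machine count disagree (6 addresses, 7 machines), which is exactly why a report like this one quotes "distinct infected machines" rather than unique source addresses.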

“Regardless of original intent, backdoor access is not exclusive to a designated team or attacker,” the paper said. “Everyone has access. Researching other malware families reveals this to be the case for most, if not all of backdoor enabled malware. As soon as someone reverse engineers the protocol and extracts the keys, they can control any similarly infected devices. Securing the command & control protocol with proper state of the art public – private key encryption would certainly hinder 3rd parties from taking over infected systems. But our research shows that many infections remain active for years (perhaps decades). In which case, evolving technologies could easily compromise antiquated encryption standards (if any) and circumvent an infection’s safeguards.”

Kleissner said there are nuclear facilities out there today that have administrative systems infected with common malware and in turn these systems could end up attacking industrial control systems.

When discussing intrusions into nuclear power plants by means of malware, the paper said, a distinction has to be drawn between infecting administrative machines and infecting industrial machines.

“Our Virus Tracker sinkhole data reveals many nuclear facilities have administrative systems infected with common viruses. This is not surprising,” the paper said.

Infected administrative computers could be used to mount deeper attacks on machine control systems. Best practice dictates isolating industrial machine control systems from other internal networks, with no direct line to the Internet, the paper said.

To overcome the “air gap,” USB thumb drives, for example, can intentionally or unintentionally infect machine control systems by exploiting “0-day” vulnerabilities, as Stuxnet did. Other attack vectors involve installing backdoors in industrial (or networking) devices before they arrive for installation at a targeted facility, or using social engineering techniques to install backdoors through vectors such as fraudulent updates.

Click here to download the “Internet Attacks Against Nuclear Power Plants” report.