Talk to Me: Stuxnet, Flame a Global Alert

Wednesday, June 6, 2012 @ 05:06 PM gHale


By Gregory Hale
Critical infrastructure organizations should be on alert because they will be the target of a cyber attack before long.

Over exaggerated hyperbole from folks watching the cyber security environment? Hardly. Just cold hard facts.

If Flame taught the industry anything, it is professional hackers can get in and find out details and nuances of any system they want to. It seems Flame did just that, as Duqu did before that. What they are looking for and what they have in store for potential victims remains to be seen. But for now, operators of critical infrastructure should be on alert. Not only because of the possibility of being collateral damage in a cyber war incident, but also because, as Night Dragon showed, there are organizations, companies, and countries trying to get in and steal vital information.

RELATED STORIES
Stuxnet Warfare: The Gloves are Off
Flame: ‘20 Times Larger than Stuxnet’
New Stuxnet Waiting for Green Light
Stuxnet Loaded by Iran Double Agents
Cyber Warning: Duqu’s Back

In the Night Dragon case, the attackers compromised perimeter security through SQL injection attacks on extranet web servers; targeted spear-phishing attacks aimed at mobile workers’ laptops, and took control of corporate VPN accounts. They were able to get in and find out financial documents related to oil and gas field exploration and bid negotiations, as well as operational details on oil and gas field production supervisory control and data acquisition (SCADA) systems.

Companies today need to protect against any possible attack vector from any source globally. Just take a look at Stuxnet.

As ISSSource reported last September, we know Stuxnet was the creation of a joint U.S., Israel project. What continues to astound is the thought other operators of critical energy sources, like electric, water, oil, coal, and nuclear among others are not moving faster to create a solid defense in depth posture to keep out the bad code that can lead to the destruction of a facility.

The idea originally espoused once we learned about the originators of the Stuxnet worm and the targeted victims was: “It was the good guys against the bad so we are not a target.” That mindset seems to be winning out throughout the manufacturing automation industry. Unfortunately, that is a very misguided thought process. Protection is paramount.

Stuxnet is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems. The code, which is currently out on the Internet, used known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-art security technologies and procedures.

The worm used at least four zero-day exploits and had Microsoft Windows driver modules signed using genuine cryptographic certificates stolen from respectable companies, contained about 4,000 functions, and utilized advanced anti-analysis techniques to render reverse engineering difficult.

As ISSSource’s Richard Sale reported back in October, Stuxnet had its true origin in the waning moments of George W. Bush’s presidency in 2009, said former senior intelligence officials, one of whom worked for the National Intelligence office.

At the time, President Bush wanted to sabotage the electrical and computer systems at Natanz, which is a fuel enrichment plant in Iran. After Bush left office, President Barack Obama accelerated the program, these sources said.

The groundwork for the plan began much earlier though. In 2007, Idaho National Laboratory (INL) inked a development contract with Siemens the purpose of which was to help Siemens study its own computer weaknesses, the sources said. Quite a few suppliers have these types of pacts with INL to test platforms to find and resolve weaknesses.

In 2008, shortly after Siemens brought in the system for analysis, the Department of Homeland Security got wind of it and teamed with INL to study Siemens PCS 7 or Step 7 platform which runs all sorts of sensors and machines in the process control system, the sources said.

As it turned out the system they were testing was also the same system running the nuclear enrichment plant in Natanz.

While the technical plan of creating the Stuxnet virus was ongoing, Israel was training operatives, or as it turned out double agents, to plant the worm using a corrupt “memory stick.32,” said former and serving U.S. intelligence officials.

These sources, who requested anonymity because of their close proximity to investigations, said a saboteur at the Natanz nuclear facility, probably a member of an Iranian dissident group, used a memory stick to infect the machines there. They said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility.

“Iranian double agents would have helped to target the most vulnerable spots in the system,” one source said. In October 2010, Iran’s intelligence minister, Heydar Moslehi said an unspecified number of “nuclear spies” were arrested in connection with Stuxnet.33 virus.

These acts against Iran will not go unpunished. It only makes sense Iran will find a way to fight back in this new era of cyber warfare. But put that thought aside for a moment, code is out there that has proven it can get into systems and take them over. Stuxnet code is on the Net and there for the picking. A modified version or just a copy cat can end up sitting on a system of choice just lurking and waiting for a moment to pounce.

Stuxnet is scary code. The cold hard fact is more manufacturers need to focus on creating a defense in depth plan.
Gregory Hale is the founder and editor of ISSSource.com.



Leave a Reply

You must be logged in to post a comment.