Stuxnet Advanced Attack

Stuxnet appears to be one of the most sophisticated cyber attacks ever detected. The size and scope of the effort required to launch the attack leads analysts to suspect it came from a national security cyber team with tremendous resources. And the target may have been the SCADA control systems inside the Bushehr nuclear plant in Iran.

‘Stuxnet’ Worm Far More Sophisticated Than Previously Thought – [krebsonsecurity.com]

The Kaspersky analyst said that whoever is responsible for writing the Stuxnet worm appears to be quite familiar with the way that SCADA systems are configured. Stuxnet, which targeted specific SCADA systems manufactured by Siemens, also disguised two critical files by signing them with the legitimate digital signatures belonging to industrial giants Realtek Semiconductor Corp. and JMicron.

“If you look at the way they must have organized the entire attack, it’s very impressive,” Schouwenberg said. “These guys are absolutely top of the line in terms of sophistication.”

News of just how successful this stealthy malware family has been in compromising SCADA systems is still trickling out. Earlier today, IDG News’s Robert McMillan quoted Siemens as saying the worm had infected SCADA systems in at least 14 plants in operation, although Siemens said the infections did not impair production at those plants or cause any malfunction. Stuxnet has infected systems in the U.K., North America and Korea, however the largest number of infections, by far, have been in Iran, IDG reports.

Stuxnet is a directed attack — ‘hack of the century’ – [langner.com]

Ralph’s analysis

Now that everybody is getting the picture let’s try to make sense out of the findings. What do they tell us about the attack, the attackers, and the target?

1. This is sabotage. What we see is the manipulation of one specific process. The manipulations are hidden from the operators and maintenance engineers (we have the intercepts identified).

2. The attack involves heavy insider knowledge.

3. The attack combines an awful lot of skills — just think about the multiple 0day vulnerabilities, the stolen certificates etc. This was assembled by a highly qualified team of experts, involving some with specific control system expertise. This is not some hacker sitting in the basement of his parents house. To me, it seems that the resources needed to stage this attack point to a nation state.

4. The target must be of extremely high value to the attacker.

5. The forensics that we are getting will ultimately point clearly to the attacked process — and to the attackers. The attackers must know this. My conclusion is, they don’t care. They don’t fear going to jail.

6. Getting the forensics done is only a matter of time. Stuxnet is going to be the best studied piece of malware in history. We will even be able to do process forensics in the lab. Again, the attacker must know this. Therefore, the whole attack only makes sense within a very limited timeframe. After Stuxnet is analzyed, the attack won’t work any more. It’s a one-shot weapon. So we can conclude that the planned time of attack isn’t somewhen next year. I must assume that the attack did already take place. I am also assuming that it was successful. So let’s check where something blew up recently.

Is Stuxnet the ‘best’ malware ever? – [networkworld.com]

The malware, which weighed in a nearly half a megabyte — an astounding size, said Schouwenberg — was written in multiple languages, including C, C++ and other object-oriented languages, O Murchu added.

“And from the SCADA side of things, which is a very specialized area, they would have needed the actual physical hardware for testing, and know how the specific factory floor works,” said O Murchu.

“Someone had to sit down and say, “I want to be able to control something on the factory floor, I want it to spread quietly, I need to have several zero-days,'” O Murchu continued. “And then pull together all these resources. It was a big, big project.”

One way that the attackers minimized the risk of discovery was to put a counter in the infected USB that allowed it to spread to no more than three PCs. “They wanted to try to limit the spread of this threat so that it would stay within the targeted facility.” O Murchu said.

And they were clever, said Schouwenberg.

Once inside a company, Stuxnet used the MS08-067 exploit only if it knew that the target was part of a SCADA network. “There’s no logging in most SCADA networks, and they have limited security and very, very slow patch cycles,” Schouwenberg explained, making the long-patched MS08-067 exploit perfect for the job.

Put all that together, and the picture is “scary,” said O Murchu.

So scary, so thorough was the reconnaissance, so complex the job, so sneaky the attack, that both O Murchu or Schouwenberg believe it couldn’t be the work of even an advanced cybercrime gang.

SEE ALSO:
…other “News” articles

Comments are closed.