Stuxnet

Official confirmation of a hacking attack on US electrical power infrastructure from the CIA, following a BBC report that attacks involing a bug in Windows shortcuts had been used in Mid-July and that
Early attacks using the bug were aimed at the software control systems for critical infrastructure such as power stations..

According to the Darkgovernment story, “Most of the activities we have seen over the past several months has involved intrusions into enterprise or corporate networks that’s the
front office area of a control plant or power plant — those intrusions aren’t coming in,” Sean McGurk, director of control system security at the National Cyber Security Division, told ABC News. “The activity we have seen most recently that is most interesting, has to do with actually accessing control networks… Now the control networks are those networks that actually perform the physical functions, whether its building automobiles, generating power or purify water.”

McGurk said the attack was unique mostly because it was “very targeted, very sophisticated.”

Citing the US National Infrastrcuture Plan, McGurk said: “Up to 85 percent of the nation’s critical infrastructure is operated by private companies”. According to the AP. Vulnerabilities often appear to hackers due to out-dated security measures….”

The BBC say “The bug allowed attackers to craft booby-trapped shortcuts that allow them to take over a target computer. Many users set up shortcuts to get to programs and places in Windows that they use regularly. Microsoft said it released the patch because it had seen an increase in the number of attacks on the vulnerability. The fix will be sent out to those that automatically update their machines. It will also be available via the Windows Update site. The flaw was found in mid-July and allows malicious hackers to embed commands in shortcuts that are executed when that quick link is used or viewed. Every version of Windows is vulnerable to the flaw. The first exploits of the flaw were seeded via infected USB drives and network connections. While exploitation of the flaw was limited initially, the tempo of attacks via the bug has escalated since it was discovered and publicised.”

IT World says: “The malicious code, called Stuxnet, is designed to exploit a Windows Zero Day flaw to find and steal industrial data from SCADA systems running Siemens Simatic WinCC or PCS 7 software. So far the malware is thought to have infected more than 15,000 computers worldwide, mostly in Iran, Indonesia and India.Though the code is ostensibly designed to steal industry secrets, its ability to cause far worse harm raised considerable alarm among security experts.Until fairly recently, most SCADA systems ran on segmented networks which made them relatively safe from external attacks. However, many utility companies , including the largest ones, have more recently started to connect SCADA systems to broader businesses networks with direct Internet connections, making them easier to attack.”

Computerworld confirms that “Late Friday, Microsoft issued a security advisory warning of the issue, saying it affects all versions of Windows, including its latest Windows 7 operating system. The company has seen the bug exploited only in limited, targeted attacks, Microsoft said. The systems that run the Siemens software, called SCADA (supervisory control and data acquisition) systems, are typically not connected to the Internet for security reasons, but this virus spreads when an infected USB stick is inserted into a computer. Once the USB device is plugged into the PC, the virus scans for a Siemens WinCC system
or another USB device… It copies itself to any USB device it finds, but if it detects the Siemens software, it immediately tries to log in using a default password. Otherwise it does nothing….To get around Windows systems that require digital signatures — a common practice in SCADA environments — the virus uses a digital signature assigned to semiconductor maker Realtek. The virus is triggered anytime a victim tries to view the contents of the USB stick….Its unclear how the authors of the virus were able to sign their code with Realteks digital signature, but it may indicate that Realteks encryption key has been compromised. The Taiwanese semiconductor maker could not be reached for comment Friday. ”

According to a security researcher, “That technique may work, because SCADA systems are often badly configured, with default passwords unchanged”. Siemens have issued security advice about Stuxnet. As of 3 August, Siemens said: “Currently we are aware of in total five customer cases worldwide. A production plant has so far not been affected.”

The virus was discovered in July 2010 by VirusBlokAda, based in Belarus. Their description of it is here.

Interesting to note
1. the focus on SCADA systems particularly.
2. Apparently the virus payload is designed to gather information than to cause harm. Only a specialist attacker would want this sort of data.
3. The advanced level of knowledge: targetting a particular SCADA system, and using a genuine, plausible encryption key.

Leave a Reply

Your email address will not be published. Required fields are marked *