STUXNet


phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: STUXNet

Post by phongn »

For those interested in the details (and please ignore the Fox News hyperbole above!), Symantec has a very good dossier on Stuxnet.
Stark
Emperor's Hand
Posts: 36169
Joined: 2002-07-03 09:56pm
Location: Brisbane, Australia

Re: STUXNet

Post by Stark »

What's hyperbolic about 'cyber cruise missile'? :v

It's amusing how vested interests blow it out of proportion; that dossier is a bit more interesting than these terrible articles.
Pelranius
Sith Marauder
Posts: 3539
Joined: 2006-10-24 11:35am
Location: Around and about the Beltway

Re: STUXNet

Post by Pelranius »

The myrtle and the execution date could very well be red herrings.
Turns out that a five way cross over between It's Always Sunny in Philadelphia, the Ali G Show, Fargo, Idiocracy and Veep is a lot less funny when you're actually living in it.
Skgoa
Jedi Master
Posts: 1389
Joined: 2007-08-02 01:39pm
Location: Dresden, valley of the clueless

Re: STUXNet

Post by Skgoa »

STUXnet is featured in several talks at this year's Chaos Communication Congress, which is happening in Berlin right now. Yesterday a Microsoft security specialist talked about how they analyzed it and found the vulnerabilities it used. 5 in total, 4 zero-days, and it took them 3 days to find everything. The talk about disassembling it that is being held this moment has much info on what it does to the Siemens controllers once it got onto the system. ("they have been sitting on this since 2007.")
Recordings will be available soon; here is a streamdump of the Microsoft talk: http://terrania.net/27C3/c3.ex23.de/saa ... -31-43.wmv
http://www.politicalcompass.org/test
Economic Left/Right: -7.12
Social Libertarian/Authoritarian: -7.74

This is pre-WWII. You can sort of tell from the sketch style, from the way it refers to Japan (Japan in the 1950s was still rebuilding from WWII), the spelling of Tokyo, lots of details. Nothing obvious... except that the upper right hand corner of the page reads "November 1931." --- Simon_Jester
Thanas
Magister
Posts: 30779
Joined: 2004-06-26 07:49pm

Re: STUXNet

Post by Thanas »

As soon as they are available, could you post a link to them? :)
Whoever says "education does not matter" can try ignorance
------------
A decision must be made in the life of every nation at the very moment when the grasp of the enemy is at its throat. Then, it seems that the only way to survive is to use the means of the enemy, to rest survival upon what is expedient, to look the other way. Well, the answer to that is 'survival as what'? A country isn't a rock. It's not an extension of one's self. It's what it stands for. It's what it stands for when standing for something is the most difficult! - Chief Judge Haywood
------------
My LPs
Skgoa
Jedi Master
Posts: 1389
Joined: 2007-08-02 01:39pm
Location: Dresden, valley of the clueless

Re: STUXNet

Post by Skgoa »

The Microsoft talk has been released. On the mirror I am using, the link is:
http://ramses.wh2.tu-dresden.de/CCC/27C ... tuxnet.mp4
It's 448 MB; can't say anything about the quality, as I watched it live.
Be aware: the speaker talks very fast and is assuming a bit of computer/hacking knowledge. Even I didn't get every detail, but the important bits should be understandable for everyone.
Skgoa
Jedi Master
Posts: 1389
Joined: 2007-08-02 01:39pm
Location: Dresden, valley of the clueless

Re: STUXNet

Post by Skgoa »

ghetto edit: Of particular interest to me is that these attacks aren't the usual memory/code injection voodoo, but 100% effective and efficient - some of these vulnerabilities blow a huge hole into the OS's security. Reacting to this talk, a German security expert has revised his cost estimate of this worm to €2-3 million. It makes you wonder what else the attackers have that they did not need to use this time.
(And it's nice to see Microsoft send someone to a hacker conference to admit these very embarrassing vulnerabilities.)
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: STUXNet

Post by phongn »

Looks like the main mirror is here
Thanas
Magister
Posts: 30779
Joined: 2004-06-26 07:49pm

Re: STUXNet

Post by Thanas »

Thanks Phong, very much appreciated. Downloading now.
Thanas
Magister
Posts: 30779
Joined: 2004-06-26 07:49pm

Re: STUXNet

Post by Thanas »

Sadly, the audio seems to be malfunctioning on at least one talk - the one about copyright enforcement: Direct MP4 link.

Anybody else have this problem? I use VLC player.
Darth Holbytlan
Padawan Learner
Posts: 405
Joined: 2007-01-18 12:20am
Location: Portland, Oregon

Re: STUXNet

Post by Darth Holbytlan »

My Mac wouldn't play the audio on the STUXnet talk. I ended up listening to it on YouTube.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: STUXNet

Post by phongn »

Darth Holbytlan wrote: My Mac wouldn't play the audio on the STUXnet talk. I ended up listening to it on YouTube.
QuickTime doesn't appear to support MP3 audio in MP4 containers; you can try using VLC.
Thanas wrote: Anybody else have this problem? I use VLC player.
VLC on OSX plays it fine.
slebetman
Padawan Learner
Posts: 261
Joined: 2006-02-17 04:17am
Location: Malaysia

Re: STUXNet

Post by slebetman »

Ars has a more historical perspective on STUXNet. Most of it is circumstantial but interesting nonetheless. Full article: http://arstechnica.com/tech-policy/news ... tuxnet.ars

The interesting bits (bolding mine):
The INL began setting up a test lab to research industrial control systems in 2002 after US officials became concerned that al Qaeda might be investigating methods to conduct cyber attacks against critical infrastructure systems in the US.
...
The research paid off. In 2004, INL presented the first demonstration of a remote SCADA hack at the KEMA Control Systems Cyber Security Conference in Idaho Falls. The purpose of the demonstration was to show that recently identified vulnerabilities in Apache software could be used to compromise a control system remotely. The attack was conducted from Sandia National Laboratory against a system at INL in Idaho Falls. The attack was designed to show how firewalls and other traditional security systems would fail to guard against a remote intrusion. But it also demonstrated a man-in-the-middle maneuver that would hide the attacker’s malicious activity from employees monitoring display screens at the targeted facility—something that Stuxnet later accomplished remarkably well.

A second remote SCADA hack was demonstrated at the KEMA Control System Cyber Security Conference in 2006 in Portland, Oregon. This one was conducted by a different DoE lab, the Pacific Northwest National Laboratory. The attack involved compromising a secure VPN to change voltages on a simulated Olympic Peninsula electric system while, again, altering operator displays to conceal the attack.

Then in February 2007 DHS got word of a potential vulnerability in industrial control systems. If the vulnerability—dubbed “Aurora”—were exploited, DHS learned, it could result in physical damage to equipment. It was something that Weiss and a handful of other security experts had long worried about, but no one had ever actually seen it done.

A month later, INL conducted a private test—dubbed the Aurora Generator Test—that successfully demonstrated the vulnerability. The test involved a remote attack via dial-up modem on an industrial control system generator, which left the generator a spinning mess of metal and smoke. The proof-of-concept demonstration showed that a remote digital attack could result in actual physical destruction of a system or components. The vulnerability, and measures to mitigate it, were discussed in closed sessions with the NERC Critical Infrastructure Protection Committee. Word about the test leaked out and in September that year, the Associated Press published a video of the demonstration showing a generator emitting smoke after being hacked.

All of these demonstrations served to establish that a remote stealth attack on an industrial control system was entirely feasible.

The timing is important, because by early 2008, Iran was busy installing centrifuge cascades in module A26 at the Natanz enrichment plant—the module that experts believe was later targeted by Stuxnet.
...
In March 2008, Siemens and INL researchers met to map out a vulnerability test plan for the Siemens PCS7 system, the system that was targeted by Stuxnet. INL had tested Siemens SCADA systems previously but, according to Weiss, this is believed to be the first time INL was examining the Siemens PLC.

In May, Siemens shipped a test system from Germany to the Idaho Falls lab.

That same month, the DHS became aware of a vulnerability in the firmware upgrade process used in industrial control systems. Firmware is the resident software, such as an operating system, that comes installed on a piece of hardware. In order to ease maintenance and troubleshooting of systems, vendors like to install patches or upgrades to software remotely, but this can expose the system to attack if the upgrade process has a vulnerability. A vulnerability was found, which DHS dubbed “Boreas.”

DHS issued a private alert—which was later inadvertently made public—saying that the vulnerability, if exploited, “could cause components within the control system to malfunction or shut down, potentially damaging the equipment and/or process.”

Stuxnet, it turns out, involved a type of remote firmware upgrade to the Siemens PLC, since it involved injecting malicious code into the ladder logic of a PLC. Boreas in retrospect, says Weiss, who is currently an independent consultant with Applied Control Systems and the author of Protecting Industrial Control Systems, showed that the concept of injecting code into the ladder logic was feasible.

“The Boreas alert never specifically discussed ladder logic or PLCs,” says Weiss. “But it showed that if you can remotely change firmware, you can cause real problems.”

Two months later, Siemens and INL began conducting research and tests on the Siemens PCS7 system to uncover and attack vulnerabilities in it. By November, the researchers had completed their work and delivered their final report to Siemens in Germany. They also created a PowerPoint presentation to deliver at a conference, which the Times mentions. What the Times doesn’t say is that German researcher Ralph Langner discovered the PowerPoint presentation on Siemens’ website last year. And after blogging about it in December, Siemens removed it from the Web, but not before Langner downloaded it.

In June 2009, seven months after INL and Siemens completed their report, the first sample of Stuxnet was found in the wild. The code was found by the Russia-based computer security firm Kaspersky, although no one at Kaspersky knew at the time what they possessed. That sample, now known as “Stuxnet Version A,” was less sophisticated than Version B of Stuxnet, which was later discovered in June 2010 and made headlines. Version A was picked up through Kaspersky’s global filtering system and sat in obscurity in the company’s malware archive until Version B made headlines and Kaspersky decided to sift through its archive to see if any samples of Stuxnet had been vacuumed up earlier than 2010. Kaspersky researcher Roel Schouwenberg told Threat Level the company was never able to pinpoint geographically where the 2009 sample originated.
The damage:
At the time Version A was discovered in June 2009, there were 12 centrifuge cascades in module A26 at Natanz that were enriching uranium. Six others were under vacuum. By August, the number of A26 cascades that were being fed uranium had dropped to 10, and 8 were now under vacuum but not enriching.

Was this the first indication that Stuxnet had reached its target and was beginning to sabotage centrifuges? No one knows for certain, but in July of that year, the BBC reported that Gholam Reza Aghazadeh, the long-time head of Iran’s Atomic Energy Organization, had resigned after 12 years on the job. The reason for his resignation was unknown. But around the same time that he resigned, the secret-spilling site WikiLeaks received an anonymous tip that a “serious” nuclear incident had recently occurred at Natanz.

Over the next months, while the world was still ignorant of Stuxnet’s existence, the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900. The decline began around the time Version A of Stuxnet was captured by Kaspersky’s filter. By November 2009, the number of A26 enriching cascades had dropped to 6, with 12 cascades under vacuum, according to the International Atomic Energy Agency, which issues quarterly reports on Iran’s nuclear programs.

Between November 2009 and January 2010, module A26 suffered a major problem, with at least 11 cascades directly affected. During this period, Iran decommissioned or replaced 1,000 IR-1 centrifuges of the total 8,692 it had installed.

Nonetheless, the rate of low enriched uranium (LEU) production increased significantly during this same period, and remained high for months afterward, though the rate was still far below what the IR-1 centrifuges are designed to produce, according to the Institute for Science and International Security.

In June 2010, an obscure security firm in Belarus discovered Stuxnet Version B on a system belonging to an unnamed client in Iran. Within a couple of months, Stuxnet had spread to more than 100,000 computers, most of them in Iran. It took weeks of research for experts to reverse engineer the code and determine that it was targeting a very specific facility and that its primary aim was to subtly sabotage that facility by altering the frequency of something at the facility.

Last month, ISIS revealed that the frequencies programmed into Stuxnet’s code were the precise frequencies that would have been needed to sabotage the IR-1 centrifuges at Natanz.