Stuxnet Worm

Status
Not open for further replies.
I make a joke about linux and people get their drawers in a knot. It was a good natured joke. Sorry it took things off topic. No offense intended.

There are some serious hackers out there whose skills will be used as weapons. They are always one step ahead of the security companies. This was big news 10 years ago. I don't think we have to worry about skynet coming online until at least Q4 2012.
 
Nuclear facilities shouldn't have their networks bridged to the Internet in the first place.

And from what I've read, the infection came from a memory key initially and that is how it is/was (first) spread.

Big article on it in the sec area of DSL Reports. Good read and discussion going on there as well.

The general consensus is that it has already found its target.
 
Originally Posted By: OVERK1LL
Nuclear facilities shouldn't have their networks bridged to the Internet in the first place.


My thoughts exactly. The ONLY way to achieve C2-level security is to remove the network cable from the computer and disallow any disk drive/USB connections for storage at all.
 
I'm no expert on this, but I believe they are connected to the internet so they can be monitored remotely to watch for impending problems, or in the event of a disaster and the plant itself is inaccessible, the rods can be lowered, pumps switched, etc. remotely, without possibly sending workers into a high-radiation zone.

And the internet is the most reliable, in-place method of doing so. But they should have much better security protocols. I could probably ask my dad what OS they run (if any) for Naval Reactors, but he may or may not be allowed to tell me.
 
Originally Posted By: ToyotaNSaturn
Originally Posted By: Drew99GT
I read that Avira (German company) was the first company to detect this worm.


Avira. Wasn't that a song from the Oak Ridge Boys?


Mistress of the Dark?
 
Originally Posted By: Nick R
I'm no expert on this, but I believe they are connected to the internet so they can be monitored remotely to watch for impending problems, or in the event of a disaster and the plant itself is inaccessible, the rods can be lowered, pumps switched, etc. remotely, without possibly sending workers into a high-radiation zone.


You may be onto something there, but that doesn't change the fact that there should be no internet connectivity. There are federal government networks in Canada that are completely disconnected from the internet. The networks have their own dedicated, high security lines. Yes, it's expensive, but it's also secure. The policy on those networks absolutely forbids any connection to the internet via cable, DSL, or even phone line. If there's a break in the line and digging has to happen, it's kind of interesting to watch. A big tent goes up to house the techs, and armed police stand guard.

That doesn't prevent someone from doing something stupid or intentionally dangerous, like something with a USB stick. However, such security should be a no brainer when it comes to a nuclear facility. It would seem to me that they're all worried about an air strike or an invasion and make all kinds of promises about wiping nations off the map, yet they leave the computer network open to attack.
 
According to what I was able to find out at the Kaspersky, Symantec, and ESET websites there are different ways Stuxnet can be spread. One way is with a USB stick, and also through the internet. Where I work we have specialized equipment that is hooked up to the internet. Occasionally we will get messages that updates are available, but we never allow an update without permission from the IT department. There is some incredibly detailed information available on Stuxnet from the ESET website in the form of a PDF.

Some people believe that the Stuxnet worm already achieved whatever it was supposed to achieve. Although it spread widely it apparently had particular targets and would do whatever it was supposed to do only if those targets were identified.

There was an 'accident' at the Iranian facility where they are apparently trying to produce Uranium 235. A high ranking Iranian official resigned after that. And the Iranian reactor was delayed. It is unknown if these incidents are in some way related to Stuxnet. But the Iranians have admitted that at least 30,000 IP addresses in Iran were infected with Stuxnet. It is unknown how many computers that represents.

Personally I hope the Iranians are not able to develop nuclear weapons. But I worry what will happen if people who write malware are able to copy the Stuxnet worm. Perhaps the worm would be too complex for the typical malware team to copy anyway.

The worm is so complex it is believed that professional programmers working for a nation-state would have been required to write the code. It is believed that at least 5-10 programmers would have been required.
 
I saw on the news that this worm is so powerful, it can actually cause physical damage to the computer system! It can do things like up voltages and such and burn out computer and system hardware!
 
Well, it is clear now that cyber warfare on various kinds of industrial facilities is now possible. Others will no doubt try the same thing, if they have a high enough skill level and enough funding to do the same. People could try to do things like shutting down power plants, halting production at industrial plants, blackmail, etc.

I think that critical processes taking place in industrial, power, and other kinds of facilities need to be isolated somehow from the outside world. There might be a need to be able to access the outside world through the internet, but there has to be much higher levels of security. Just one major incident at a nuclear energy plant would totally justify the funding for the extra security.

Like I said, where I work we sometimes receive information about available updates for software in specialized equipment from the internet. Our equipment is actually hooked up to the internet. We never permit the updates without approval. But I can only speak for myself. Somebody else sitting in the same chair when I am not there might make a different decision. And certain high ranking officials still want and need to be able to access information through the internet. It is a complex situation.
 
Originally Posted By: Mystic
According to what I was able to find out at the Kaspersky, Symantec, and ESET websites there are different ways Stuxnet can be spread. One way is with a USB stick, and also through the internet. Where I work we have specialized equipment that is hooked up to the internet. Occasionally we will get messages that updates are available, but we never allow an update without permission from the IT department. There is some incredibly detailed information available on Stuxnet from the ESET website in the form of a PDF.

Some people believe that the Stuxnet worm already achieved whatever it was supposed to achieve. Although it spread widely it apparently had particular targets and would do whatever it was supposed to do only if those targets were identified.

There was an 'accident' at the Iranian facility where they are apparently trying to produce Uranium 235. A high ranking Iranian official resigned after that. And the Iranian reactor was delayed. It is unknown if these incidents are in some way related to Stuxnet. But the Iranians have admitted that at least 30,000 IP addresses in Iran were infected with Stuxnet. It is unknown how many computers that represents.

Personally I hope the Iranians are not able to develop nuclear weapons. But I worry what will happen if people who write malware are able to copy the Stuxnet worm. Perhaps the worm would be too complex for the typical malware team to copy anyway.

The worm is so complex it is believed that professional programmers working for a nation-state would have been required to write the code. It is believed that at least 5-10 programmers would have been required.


Yes, the ESET article was fantastic. I read it this afternoon.

This is really a failing of systems. None of these computers should have had Internet Access directly in the first place. For the Windows boxes a WSUS box with multiple interfaces that sees the outside world for downloading of updates, then another interface that speaks to the physical LAN to provide those updates to clients is a pretty "basic" method to provide updates while preventing the clients access to the resources outside their LAN. For remote monitoring, the connections should all be dedicated links as Garak touched on.

Essential infrastructure should not be connected to a global WAN. The very premise is so flawed in nature I don't even know where to begin.
 
Originally Posted By: OVERK1LL
This is really a failing of systems. None of these computers should have had Internet Access directly in the first place. For the Windows boxes a WSUS box with multiple interfaces that sees the outside world for downloading of updates, then another interface that speaks to the physical LAN to provide those updates to clients is a pretty "basic" method to provide updates while preventing the clients access to the resources outside their LAN. For remote monitoring, the connections should all be dedicated links as Garak touched on.


Quite right. I speak from former professional experience. For certain federal government computers, only certain people were allowed to do upgrades (as Mystic mentioned for his organization). I was one of the two people in this province authorized to perform upgrades. I dealt extensively with Network Associates at the time to customize installations, upgrades, and security on the dedicated link network.

Basically, upgrades of whatever software had to come from the clear net somewhere, or shipped on CD or DVD. They were then checked by other security people and myself. Then I posted the update on the dedicated network. Prior to that, I had to go to each computer and point them in the right direction to grab the updates.

That's where part of my hatred for commercial software and Windows stems. Many people in the field have no comprehension as to how dedicated networks work, their topography, what speed limitations might be encountered, and so forth. The people at Network Associates had no concept and I had to devise an update protocol from the ground up. Then, there are always other pieces of software that try to update themselves, find no internet connection, and then puke all over themselves.

It does make a much more secure system. Even if software is infected, the only thing it can actually do is damage data. It can't send data to the wrong hands, since there is no connection to the outside internet world, and no modem connection for phantom dialers.

For any country trying to protect secrets, allowing highly classified information on any computer connected to the internet or having mission critical computers connected to the internet is the peak of bungling.

Even encryption doesn't cut it in such a case, if it's still connected to the internet. The weak link is someone decrypting things and sending them where they don't belong. If there is no connection to the internet, the data security can be protected by physical searches for USB drives and other media upon entry to and exit from the facility.
 
It's my understanding that the Bushehr nuclear facility in Iran is and has always been completely isolated and never hooked up to the internet. This worm ended up on the laptops of Russian officials who are helping the Iranians, upon which it got into the facility computer system.

I read it most likely was initially spread through social engineering - ie, members of a conference for power plant or industrial software were given demo CDs and such, which were infected with Stuxnet.
 
Yes, from what I have been able to find out it looks like there was some kind of conference or whatever and Stuxnet was able to get into the Iranian facilities through USB sticks or CDs. By the way, it is possible that reactor was actually Japanese and not Russian. Not sure about that. Some security people are really putting down the Siemens equipment.

It is interesting in that ESET material that there is an implication that hackers or crackers or whatever you want to call them actually have a tool that can defeat the Kaspersky anti-virus ('anti-Kaspersky').

The first time I saw that equipment at my own facility was hooked up to the internet and could be updated through the internet I was surprised. I think updating should be done by only certain personnel through means of carefully checked CDs or USB sticks. I don't think anybody should be allowed to bring in their own USB sticks or CDs to a secure facility. I see no reason why some equipment needs to have an internet connection whatsoever. Although I guess in the case of a nuclear reactor that might be necessary. But any internet connections need to be very secure.

According to what I have heard the federal government secures important data through the 'red computer-black computer' concept. Any computer with internet access is automatically considered insecure. Really important information is on computers never hooked up to the internet and protected by major physical security. Updates for those secure computers is done offline.
 
I have looked over the information in that PDF from the ESET website and I have to say that is some of the most interesting and extensive information on malware I have ever seen! Some other antivirus companies talked about Stuxnet like it was just another piece of malware and not something different. Kaspersky and Symantec had pretty good information but nothing like ESET.

But there seems to be an implication that malware writers actually have a tool that enables them to do things such as defeating a sandbox, shutting off the Windows XP firewall, and even defeating the Kaspersky antivirus. Do they really possess such a tool?
 
Interesting how this attack was pretty much geared toward Siemens PLC (Programmable Logic Controllers) and the method of injection was USB memory sticks.

The worm looks like it doesn't do its damage until it sniffs out certain registers on those Siemens controllers.

Legitimate certificates from Realtek and one other name-brand vendor were used in this attack.

Sure looks like modern warfare of the nuclear kind.
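The post above notes that Stuxnet's drivers carried legitimate vendor certificates, so "the file is signed" is not by itself a safe answer. As an added example (not code from this thread or any vendor), the following PowerShell audit lists kernel drivers whose Authenticode status is anything other than Valid, and also flags validly signed drivers whose signer is not on a site-specific allow-list; the `$ExpectedSigners` names are assumed placeholders to be replaced with the vendors actually expected on the workstation.

```powershell
# Added example: audit kernel drivers for Authenticode signature problems and
# for valid signatures from unexpected signers. A genuine certificate in the
# wrong hands still yields Status = Valid, so the signer is reported as well.
# $ExpectedSigners is an assumed, site-specific allow-list placeholder.
param(
    [string]$DriverPath = "$env:SystemRoot\System32\drivers",
    [string[]]$ExpectedSigners = @(
        'Microsoft Windows',
        'Microsoft Windows Hardware Compatibility Publisher'
    )
)

function Get-DriverSignatureReport {
    param([string]$Path, [string[]]$Allowed)

    Get-ChildItem -Path $Path -Filter *.sys -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        $subject = if ($cert) { $cert.Subject } else { '' }
        # Pull the CN out of the subject DN so it can be matched against the allow-list.
        $cn = if ($subject -match 'CN=([^,]+)') { $Matches[1] } else { '(unsigned)' }

        [pscustomobject]@{
            File       = $_.Name
            Status     = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer     = $cn
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            # Suspect if the signature is not Valid, or Valid but from an unexpected vendor.
            Suspect    = ($sig.Status -ne 'Valid') -or ($Allowed -notcontains $cn)
        }
    }
}

# Catalog-signed drivers can report NotSigned on older hosts; treat those as
# review items rather than automatic verdicts.
$report = Get-DriverSignatureReport -Path $DriverPath -Allowed $ExpectedSigners
$report | Where-Object Suspect | Sort-Object Status, Signer |
    Format-Table File, Status, Signer, Thumbprint, NotAfter -AutoSize
```

Run from an elevated prompt so every driver file is readable; the output is a review list, and a row with Status Valid but an unfamiliar signer is exactly the case the thread describes.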
 
Originally Posted By: Drew99GT
It's my understanding that the Bushehr nuclear facility in Iran is and has always been completely isolated and never hooked up to the internet. This worm ended up on the laptops of Russian officials who are helping the Iranians, upon which it got into the facility computer system.

I read it most likely was initially spread through social engineering - ie, members of a conference for power plant or industrial software were given demo CDs and such, which were infected with Stuxnet.


Yep, social engineering. So, if that's true, we have a failure in physical security. No outside media should be used, nor outside laptops connected. Like geeze, this isn't a scenario where their biggest loss would be destruction of a customer mailing list.
 
Microsoft, Kaspersky and Symantec are releasing results of their studies of the Stuxnet worm. There is information available at the Threatpost website. There are explanations about how Stuxnet works and also demonstrations of how Stuxnet can cause industrial and power plant equipment to malfunction.

It appears that Stuxnet was developed by a nation-state and there is some indication now which nation-state may have been involved.
 
A strange kind of message was found in the Stuxnet worm. And also researchers have found a date. I am not going to go into details but some people believe that these messages may indicate what country was involved. Unless of course somebody is trying to mislead as to what country was involved.
 