What's new

Cyber Missile to destroy Iran's nuclear plant?

Zeluvaa

FULL MEMBER
Jul 12, 2010
196
0
176
It's a long read, but very interesting. :tup:

Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant?


Cyber security experts say they have identified the world's first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.

The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose have grown. Some top cyber security experts now say Stuxnet's arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.

At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran's Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat.

The appearance of Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected memory stick. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems.
Unlike most malware, Stuxnet is not intended to help someone make money or steal proprietary data. Industrial control systems experts now have concluded, after nearly four months spent reverse engineering Stuxnet, that the world faces a new breed of malware that could become a template for attackers wishing to launch digital strikes at physical targets worldwide. Internet link not required.
"Until a few days ago, people did not believe a directed attack like this was possible," Ralph Langner, a German cyber-security researcher, told the Monitor in an interview. He was slated to present his findings at a conference of industrial control system security experts Tuesday in Rockville, Md. "What Stuxnet represents is a future in which people with the funds will be able to buy an attack like this on the black market. This is now a valid concern."

A gradual dawning of Stuxnet's purpose
It is a realization that has emerged only gradually.

Stuxnet surfaced in June and, by July, was identified as a hypersophisticated piece of malware probably created by a team working for a nation state, say cyber security experts. Its name is derived from some of the filenames in the malware. It is the first malware known to target and infiltrate industrial supervisory control and data acquisition (SCADA) software used to run chemical plants and factories as well as electric power plants and transmission systems worldwide. That much the experts discovered right away.
But what was the motive of the people who created it? Was Stuxnet intended to steal industrial secrets – pressure, temperature, valve, or other settings –and communicate that proprietary data over the Internet to cyber thieves?

By August, researchers had found something more disturbing: Stuxnet appeared to be able to take control of the automated factory control systems it had infected – and do whatever it was programmed to do with them. That was mischievous and dangerous.
But it gets worse. Since reverse engineering chunks of Stuxnet's massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.
"Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world," says Langner, who last week became the first to publicly detail Stuxnet's destructive purpose and its authors' malicious intent. "This is not about espionage, as some have said. This is a 100 percent sabotage attack."
A guided cyber missile

On his website, Langner lays out the Stuxnet code he has dissected. He shows step by step how Stuxnet operates as a guided cyber missile. Three top US industrial control system security experts, each of whom has also independently reverse-engineered portions of Stuxnet, confirmed his findings to the Monitor.
"His technical analysis is good," says a senior US researcher who has analyzed Stuxnet, who asked for anonymity because he is not allowed to speak to the press. "We're also tearing [Stuxnet] apart and are seeing some of the same things."
Other experts who have not themselves reverse-engineered Stuxnet but are familiar with the findings of those who have concur with Langner's analysis.
"What we're seeing with Stuxnet is the first view of something new that doesn't need outside guidance by a human – but can still take control of your infrastructure," says Michael Assante, former chief of industrial control systems cyber security research at the US Department of Energy's Idaho National Laboratory. "This is the first direct example of weaponized software, highly customized and designed to find a particular target."
"I'd agree with the classification of this as a weapon," Jonathan Pollet, CEO of Red Tiger Security and an industrial control system security expert, says in an e-mail.
One researcher's findingsLangner's research, outlined on his website Monday, reveals a key step in the Stuxnet attack that other researchers agree illustrates its destructive purpose. That step, which Langner calls "fingerprinting," qualifies Stuxnet as a targeted weapon, he says.

Langner zeroes in on Stuxnet's ability to "fingerprint" the computer system it infiltrates to determine whether it is the precise machine the attack-ware is looking to destroy. If not, it leaves the industrial computer alone. It is this digital fingerprinting of the control systems that shows Stuxnet to be not spyware, but rather attackware meant to destroy, Langner says.

Stuxnet's ability to autonomously and without human assistance discriminate among industrial computer systems is telling. It means, says Langner, that it is looking for one specific place and time to attack one specific factory or power plant in the entire world.
"Stuxnet is the key for a very specific lock – in fact, there is only one lock in the world that it will open," Langner says in an interview. "The whole attack is not at all about stealing data but about manipulation of a specific industrial process at a specific moment in time. This is not generic. It is about destroying that process."

So far, Stuxnet has infected at least 45,000 industrial control systems around the world, without blowing them up – although some victims in North America have experienced some serious computer problems, Eric Byres, a Canadian expert, told the Monitor. Most of the victim computers, however, are in Iran, Pakistan, India, and Indonesia. Some systems have been hit in Germany, Canada, and the US, too. Once a system is infected, Stuxnet simply sits and waits – checking every five seconds to see if its exact parameters are met on the system. When they are, Stuxnet is programmed to activate a sequence that will cause the industrial process to self-destruct, Langner says.

Langner's analysis also shows, step by step, what happens after Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner’s analysis shows.
"After the original code [on the PLC] is no longer executed, we can expect that something will blow up soon," Langner writes in his analysis. "Something big."

For those worried about a future cyber attack that takes control of critical computerized infrastructure – in a nuclear power plant, for instance – Stuxnet is a big, loud warning shot across the bow, especially for the utility industry and government overseers of the US power grid.
"The implications of Stuxnet are very large, a lot larger than some thought at first," says Mr. Assante, who until recently was security chief for the North American Electric Reliability Corp. "Stuxnet is a directed attack. It's the type of threat we've been worried about for a long time. It means we have to move more quickly with our defenses – much more quickly."
Has Stuxnet already hit its target?It might be too late for Stuxnet's target, Langner says. He suggests it has already been hit – and destroyed or heavily damaged. But Stuxnet reveals no overt clues within its code to what it is after.

A geographical distribution of computers hit by Stuxnet, which Microsoft produced in July, found Iran to be the apparent epicenter of the Stuxnet infections. That suggests that any enemy of Iran with advanced cyber war capability might be involved, Langner says. The US is acknowledged to have that ability, and Israel is also reported to have a formidable offensive cyber-war-fighting capability.

Could Stuxnet's target be Iran's Bushehr nuclear power plant, a facility much of the world condemns as a nuclear weapons threat?
Langner is quick to note that his views on Stuxnet's target is speculation based on suggestive threads he has seen in the media. Still, he suspects that the Bushehr plant may already have been wrecked by Stuxnet. Bushehr's expected startup in late August has been delayed, he notes, for unknown reasons. (One Iranian official blamed the delay on hot weather.)

But if Stuxnet is so targeted, why did it spread to all those countries? Stuxnet might have been spread by the USB memory sticks used by a Russian contractor while building the Bushehr nuclear plant, Langner offers. The same contractor has jobs in several countries where the attackware has been uncovered.
"This will all eventually come out and Stuxnet's target will be known," Langner says. "If Bushehr wasn't the target and it starts up in a few months, well, I was wrong. But somewhere out there, Stuxnet has found its target. We can be fairly certain of that."

Israel, USA or Russia seems to be the most likely point of origin for this Malware.

This is just like Skynet from Terminator, a proto-version ;)


PS: Can mods move it to appropriate section if its, not already there.
 

somebozo

ELITE MEMBER
Jul 11, 2010
18,874
-4
18,587
Country
Pakistan
Location
Saudi Arabia
Alright a question for idiotcy 101..

If busher is completely disconnected from the outside world and doesnt even have its own tcp / ip network how the hell is this malware going to affect them??
Also they are russing a russian flavor of linux termed as one of the most secure linux distor's in the world.
 

Pakistani_Athiest

FULL MEMBER
Apr 6, 2010
414
0
248
Alright a question for idiotcy 101..

If busher is completely disconnected from the outside world and doesnt even have its own tcp / ip network how the hell is this malware going to affect them??
Also they are russing a russian flavor of linux termed as one of the most secure linux distor's in the world.

Leave it be, my friend. They wouldn't understand.
 

Zeluvaa

FULL MEMBER
Jul 12, 2010
196
0
176
The malware can be transmitted using infected memory stick as well ;)

Besides it only speculates that it MAY have attacked the nuclear power plant. I don't know how it can do it as the article does not mention how!
 

Vassnti

SENIOR MEMBER
May 29, 2009
3,168
1
2,399
Country
New Zealand
Location
Australia
stuxnet-saturation-2010-07-16.png


Hacker exchange

In addition to these attack attempts, about 13% of the detections we’ve witnessed appear to be email exchange or downloads of sample files from hacker sites. Some of these detections have been picked up in packages that supposedly contain game cheats (judging by the name of the file).

Threat details

What is unique about Stuxnet is that it utilizes a new method of propagation. Specifically, it takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system. In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction. We anticipate other malware authors taking advantage of this technique. Stuxnet will infect any usb drive that is attached to the system, and for this reason we’ve classified the malware as a worm. This classification for the malware should not be confused with another vector used by this worm, the newly disclosed vulnerability (CVE-2010-2568) covered in today’s advisory. The vulnerability itself is not wormable.

The Stuxnet Sting - Microsoft Malware Protection Center - Site Home - TechNet Blogs
 

Vassnti

SENIOR MEMBER
May 29, 2009
3,168
1
2,399
Country
New Zealand
Location
Australia
Israel, USA or Russia seems to be the most likely point of origin for this Malware.

This is just like Skynet from Terminator, a proto-version ;)

.

Or perhaps the Australians,

Tracking down the culprit won't be easy.

"A lot more work needs to be done before any kind of credible attribution regarding Stuxnet can be performed," Securicon's Parker pointed out.

A possible clue is that one of the Stuxnet rootkit device drivers includes a debug string that contains the words "myrtus" and "guava." Both plants belong to the Myrtaceae family, which also includes the eucalyptus plant.

Welcome to TechNewsWorld

"It's possible that the Stuxnet worm was created or funded by a nation-state," Tom Parker, director of security consulting services at Securicon, told TechNewsWorld. "Due to the range of technologies utilized in Stuxnet, and diverse programming styles between the root kit, the dropper and the exploit, it's unlikely to be the work of one individual."

The worm was spread through the use of infected USB sticks. Wouldn't that method be too sloppy for any self-respecting intelligence agency? It couldn't ensure which targets were hit or even whether the worm was properly distributed.

"We don't know how Patient Zero got infected," Schouwenberg explained. "I'd argue that it's very likely that the initial targets were carefully selected. However, because Stuxnet operates as a worm, it may well have ended up in unintended places," he added.
 

fallstuff

ELITE MEMBER
Nov 20, 2009
8,726
0
6,362
Country
Bangladesh
Location
United States
Stuxnet-A View From an Energy Perspective

The Stuxnet malware that recently surfaced is one key example of why McAfee is involved in protecting critical infrastructure such as the energy sector from attacks.

Stuxnet is the first piece of malware that exploits a zero-day vulnerability in Windows to target control systems and utility companies. It is apparent that the Stuxnet creator used a combination of vulnerability knowledge, hacking pragmatism and possible physical security breaches to execute an attack targeted at critical infrastructure systems.

The advanced knowledge that the Stuxnet attack displays is intriguing for two main reasons. First, the malware executes and propagates by exploiting a previously unknown Windows vulnerability. Second, the malware components include two drivers with rootkit behavior that are digitally signed, which is unusual for malware.

These two points have been covered broadly in the media. I’d like to focus on the potential impact on compromised systems, the complexity of the coordination of different vectors of attack, as well as what this means for the energy sector.

Here’s what we know so far about how Stuxnet operates:

1. A user connects a USB drive (or any removable media) to a system
2. The infected drive exploits the zero-day Windows Shell Code vulnerability to run the malware
3. The malware searches the compromised system in an attempt to access the Siemens Windows SIMATIC WinCC SCADA systems database. (Fortunately one of the certificates used to sign the malware has been revoked, with another one pending.)
4. The malware uses a hard-coded password in the WinCC Siemens system to access operational data of the control systems stored in WinCC software’s SQL database

What is the potential impact of this event? The target is the Siemens SIMATIC WinCC Supervisory Control and Data Acquisition (SCADA) system. This software acts as the HMI (Human Machine Interface) for a utility’s industrial control systems. An HMI hosts and displays graphical information of control systems that operate key generation and transmission facilities for electricity in a power plant.

HMIs consistently monitor health, uptime and the overall operational status of control systems in a plant. In many cases HMIs are set up to have control over the process flows between control systems. The graphical information in a HMI provides is like a map, just like a diagram of a computer network. The malware potentially hands the map of a piece of critical infrastructure to a malicious entity.

Control Systems Security vs. IT Security
There are many differences between control systems and IT systems. IT has a mantra of delivering confidentiality in tandem with availability, whereas control systems were designed for the elusive seven 9s of availability. Typically control systems are on a separate network from IT systems and are managed by a completely separate team.

The traditional change management processes can be lengthy in a control systems environment due to the constant need for 24/7/365 availability. As a result, patch updates, security updates and remedial hot fixes or workarounds might not always be the first priority.

In this example, Siemens used hardcoded passwords in its application to provide access to its SQL databases. The company has warned that changing these passwords could compromise the availability of the systems. Many security researchers have taken the proverbial hammer to Siemens for this apparent security violation. However, given the need for availability in this environment, it is very common.

The U.S. Department of Energy (DOE), National Institute of Standards and Technology and many private entities have made a call to bridge the gaps between the disciplines of IT and control systems. This could be done through establishment of traditional IT process and compliance frameworks like the National Energy Regulatory Council (NERC).

The need for control systems protection has been discussed for a while, however the threats are nascent. The events that have occurred in the control systems space have been either proof-of-concept attacks, accidental instances, disgruntled employees, or targeted attacks at a specific instance with forensics too limited to assess the intended effect.

This started to change in 2009, when on April 7 NERC released a public warning that targeted instances of malware from foreign entities were left behind in the electrical grid. We’re seeing another example of this with the Stuxnet attack that is making headlines today.

Let’s look at the sophistication of Stuxnet, assuming that the intent is to compromise our power grid and deliver critical details to rogue elements.

Finding a zero day vulnerability that allows code execution in Microsoft Windows requires expertise, certainly, but we have seen examples of that many times before. Understanding how to attack control systems demonstrates an unusual amount of sophistication.

The attacker would know that typical SCADA systems have limited network access and limited physical access through Ethernet ports and USB devices. Now we add in the attacker’s knowledge of the Siemens control systems, what role it plays in the control systems space and finding the default hard-coded password to access the database. That shows another level of sophistication.

Finally, how did the attacker forge the certificate credentials? Alltogether, this is an unusually sophisticated attack.

How to Defend Against Stuxnet


How could one protect against this attack? McAfee has several different tools that deal with this particular threat. We will need to break this attack down into three components and address the solution for each.

First the malware, McAfee provides detection for the Stuxnet worm with DAT version 6046. We not only detect, but also remove components associated with this threat. In addition, our McAfee Application Control (formerly Solidcore) product will prevent infection, execution and payload associated with this threat without the need for signature updates.

Second, the vulnerability, McAfee has detection for the Windows vulnerability with our July 16th, 2010, Vulnerability Manager checks. Vulnerability Manager can be used to find systems that are vulnerable to this threat.

And third, the vehicle. USB drives is one of the primary infection mechanisms and such device are pervasive in the control systems world. This attack vector would allow the exploit to circumvent perimeter security measures. The use of tools such as McAfee Device Control would allow customers to lock down computers to only accept approved USB devices with embedded antimalware technology. This would reduce the overall exposure.

What does this mean for the energy industry? Energy and utility companies should be frightened by the sophistication of this attack and fearful of coordinated advanced persistent threats. At McAfee, the Stuxnet attack underscores the importance of what we are doing to secure our digital world.

Furthermore, Stuxnet underscores our recent initiatives to work closely with the DOE, Department of Homeland Security, public and private sector organizations to help bridge the gaps between IT security and control systems security.

A special thanks to Mark Zanotti- CTO from Lofty Perch for his contributions to my thought process on this blog as well as an executive from a major U.S. utility for their insight.



Link:
McAfee Security Insights Blog Blog Archive Stuxnet-A View From an Energy Perspective
 

Markus

SENIOR MEMBER
May 27, 2010
4,426
-1
3,262
It seems that Stuxnet infects only Siemens control systems. If this a true and its a big limitation.

Honeywell, Emerson and others are popular control systems manufacturers too, what about them?
 

Markus

SENIOR MEMBER
May 27, 2010
4,426
-1
3,262
I did some research on this on the net.

Prima facie, it very much looks like an attack to disable Iran's nuke plant. This is really interesting news.

Some interesting news that many experts have put forth is the laxity with which the Iranian officials handled the initial work at the nuke plant. Unlicensed Siemens software (Win CC) was used. Also, the system integrator, a Russian company has a website which is currently compromised.

It seems that Stuxnet has already made its move.
 

Chogy

PROFESSIONAL
Jun 17, 2010
2,228
0
3,906
Fascinating and a bit creepy.

Industrial controls are very different from the average guy's PC, but there is often a basic PC integrated into these systems to monitor.

An industrial process can be thought of as a series of controls that are serially networked via RS485 or similar. For example, you might have a temperature controller than maintains a furnace at 600 Celsius, and this controller is networked with the rest of the system, so the "control room" can verify that yes, the temperature controller is doing its job. Then this worm hits, and if it knows exactly the type of industrial process it is dealing with, it can take over, and tell the furnace to jack right on up to 1200 C. Boom.
 

Safriz

BANNED
Aug 30, 2010
20,856
-1
11,315
Country
Pakistan
Location
United Kingdom
Thats why windows is a securty threat itself....Iranians should have used Linyx,Solaris or some other non microsoft operating system...way safer than windows.
 

Markus

SENIOR MEMBER
May 27, 2010
4,426
-1
3,262
Fascinating and a bit creepy.

Industrial controls are very different from the average guy's PC, but there is often a basic PC integrated into these systems to monitor.

An industrial process can be thought of as a series of controls that are serially networked via RS485 or similar. For example, you might have a temperature controller than maintains a furnace at 600 Celsius, and this controller is networked with the rest of the system, so the "control room" can verify that yes, the temperature controller is doing its job. Then this worm hits, and if it knows exactly the type of industrial process it is dealing with, it can take over, and tell the furnace to jack right on up to 1200 C. Boom.

Exactly....and thats why its so dangerous.

The article above and several more on the internet mention that StuxNet can replace ladder programming in the PLC and many of us know what that means.

Just imagine a boiler or a heater or a reactor's control parameters getting manipulated, its gonna be fireworks. :lol:

This malware takes industrial espionage to an altogether new generation. It should be called "industrial assassination"
 

Markus

SENIOR MEMBER
May 27, 2010
4,426
-1
3,262
Thats why windows is a securty threat itself....Iranians should have used Linyx,Solaris or some other non microsoft operating system...way safer than windows.

Not possible.

The SCADA software Win CC (incase of Siemens) runs only on windows, and to make things worse, the Iranians were using unlicensed copies of Windows OS.

Stuxnet exploited all the known and even the then unknown vulnerabilities in WIndows OS to make this brilliant attack.
 

Vassnti

SENIOR MEMBER
May 29, 2009
3,168
1
2,399
Country
New Zealand
Location
Australia
Not possible.

The SCADA software Win CC (incase of Siemens) runs only on windows, and to make things worse, the Iranians were using unlicensed copies of Windows OS.

Stuxnet exploited all the known and even the then unknown vulnerabilities in WIndows OS to make this brilliant attack.

I hope your kidding, who with half a brain would run a nuclear power station on pirated software?
 

Users Who Are Viewing This Thread (Total: 1, Members: 0, Guests: 1)


Top Bottom