The Stuxnet Mystery Continues

I have just come back from three very interesting presentations by Symantec, Microsoft and Kaspersky Labs at the Virus Bulletin 2010 conference. For two hours they discussed their latest findings on Stuxnet, the PLC/SCADA-targeting worm of the decade.

If you are hoping for a clear answer on who wrote this nasty piece of malware and why, you are not going to find it here. And from what I have seen so far, you might not ever find that answer. But I will try to lay out what is known and what is pure speculation.

First some facts that are pretty hard to dispute:

  • Stuxnet was designed to target a very specific industrial process that used Siemens S7-300 and S7-400 PLCs. Research from Symantec and Ralph Langner shows that Stuxnet looks for a very specific PLC configuration to attack.
  • It was designed to be a long-term and stealthy threat – Microsoft reported it was likely first released in July 2009 and was active (and undetected) for about a year, during which time its designers made several modifications, some as late as July 2010.
  • It has multiple methods of infection, not just via USB keys as originally thought. For example, once the USB key method has gained the worm a foothold on one computer, it moves to other computers on the same network using a previously unknown flaw in the way computers share printers. If that doesn’t work, it has three other ways to spread, including infecting the actual Step7 PLC project files (I’ll write more about this in another blog).
  • Despite what Siemens has written, Stuxnet is not only a threat to “operating systems from XP and higher” - Symantec’s analysis shows it is capable of infecting machines running older systems such as Windows 2000.
  • It is very well written – it is 1.5 MBytes of complex logic and yet (according to Kaspersky) only one potential bug has been noted, and they have not been able to actually see this bug take effect. This error rate is far better than industry standards for commercial software.
  • Iran is the country with the largest number of infected computers. The Symantec report indicates that 58% of the infected machines are in Iran*. Furthermore, they show that the percentage of infected computers with the Siemens software installed is far higher in Iran.

Now, looking at the Kaspersky data, one might assume that India has more infected computers; however, at the conference the Kaspersky speaker stated that this skew is almost certainly due to the fact that they have very few customers in Iran. Thus they also believe that Iran is the main country of infection.

Now for some speculation… considering that Stuxnet uses a physical propagation method (i.e. USB keys) and not the Internet, you can interpret the large number of Iranian infections (over 60,000, according to Symantec) as you see fit. For me, it says that Iran was the country targeted by the worm’s developers.

This still leaves a lot of open questions, the first of which is “Who wrote this worm?”

I don’t think anyone who has studied the code thinks it was an individual. Symantec is very clear about this:

“Analyzing the different types of samples Symantec has observed to date has shed some light on how long this threat has been under development and/or in use. The development of the threat dates back to at least June of 2009. The threat has been under continued development as the authors added additional components, encryption, and exploits. The amount of components and code used is very large. In addition to this the authors’ ability to adapt the threat to use an unpatched vulnerability to spread through removable drives shows that the creators of this threat have huge resources available to them and have the time needed to spend on such a big task; this is not a teenage hacker coding in his bedroom type operation.”

I will discuss what this means to the ICS world in a future blog.

For now, the key message is that there is no silver bullet to protect a system against the current Stuxnet or the next Stuxnet-like attack. Fully patched systems at Kaspersky Labs were infected, anti-virus systems were deliberately subverted to run the malware, and shared print servers were used as infection paths. No single solution will block an attack like Stuxnet.

The only answer is a true Defence in Depth strategy. I’ll also discuss how companies might do this in a future blog. In the meantime, I would love to hear your ideas.

*Symantec reports that on August 22 they observed that Iran was no longer reporting new infections. They go on to state “This was most likely due to Iran blocking outward connections to the command and control servers, rather than a drop-off in infections.”

Comments


Eric, I am the editor of Control Engineering Europe and we've met several times. Wanted to ask this question: since Stuxnet is apparently targeted at very specific S7-300 and S7-400 systems, does this mean that it's little or no threat to the thousands of other computers it has infected? If we're not connected to, or are running these PLCs, do we have anything to worry about? Thanks

Unfortunately, Stuxnet is a problem for the systems it infected that were not at its target site.

There are two reasons for this. First, Stuxnet makes changes to systems it infects, even if it doesn’t want to attack that system. For example, at one large site it didn’t hurt the PLCs, but it modified the offline programming files for all the PLCs, requiring a very expensive cleanup effort.

Second, having a worm running in a system is a very high risk move as it leaves open all sorts of secondary communications paths that you don’t know about and don’t want. Many “hackers” take advantage of these open paths to steal control of the computers infected by a rival worm. Since the internal details of Stuxnet have been so well analyzed and published, it is very likely that someone else will create a new worm that takes advantage of all the infected systems out there and then use them for another purpose, one that might not be as targeted as Stuxnet was.

Would a Tofino firewall device placed between the SCADA system(s) and PLC(s) have stopped the PLC code manipulation?

Good question. Actually, any answer could be broken into two parts:
1) Would a Tofino firewall device placed between the SCADA system(s) and Siemens PLC(s) have stopped the PLC code manipulation by the actual Stuxnet worm?

2) Would a Tofino firewall device placed between SCADA systems and a "yet to be determined" PLC stop code manipulation by the next Stuxnet copy cat worm?

It turns out the answer to both is yes, with some conditions on how the network is designed and what procedures are in place. I am working on a detailed answer as part of my next blog and hope to post that in the next week.
