Free Republic
News/Activism

Stuxnet: Fact vs. theory
CNET News ^ | Elinor Mills

Posted on 10/09/2010 6:12:24 AM PDT by Pride_of_the_Bluegrass

The Stuxnet worm has taken the computer security world by storm, inspiring talk of a top secret, government-sponsored cyberwar, and of a software program laden with obscure biblical references that call to mind not computer code, but "The Da Vinci Code."

Stuxnet, which first made headlines in July (CNET FAQ here), is believed to be the first known malware that targets the controls at industrial facilities such as power plants. At the time of its discovery, the assumption was that espionage lay behind the effort, but subsequent analysis by Symantec uncovered the ability of the malware to control plant operations outright, as CNET first reported back in mid-August.

What's the real story on Stuxnet? A German security researcher specializing in industrial-control systems suggested in mid-September that Stuxnet may have been created to sabotage a nuclear power plant in Iran. The hype and speculation have only grown from there.

(Excerpt) Read more at news.cnet.com ...


TOPICS: Foreign Affairs; Front Page News; Government; War on Terror
KEYWORDS: cssp; cyberwar; iran; israel; sabotage; scada; stuxnet; tech; uscert; waronterror; worm; wot

1 posted on 10/09/2010 6:12:30 AM PDT by Pride_of_the_Bluegrass
[ Post Reply | Private Reply | View Replies]

To: Pride_of_the_Bluegrass

http://www.us-cert.gov/control_systems/ics-cert/

Control Systems Security Program (CSSP)
Industrial Control Systems Cyber Emergency Response Team
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides a control system security focus in collaboration with US-CERT to:

• Respond to and analyze control systems related incidents
• Conduct vulnerability and malware analysis
• Provide onsite support for incident response and forensic analysis
• Provide situational awareness in the form of actionable intelligence
• Coordinate the responsible disclosure of vulnerabilities/mitigations
• Share and coordinate vulnerability information and threat analysis through information products and alerts

The ICS-CERT serves as a key component of the Strategy for Securing Control Systems, which outlines a long-term, common vision where effective risk management of control systems security can be realized through successful coordination efforts.


2 posted on 10/09/2010 6:13:39 AM PDT by Pride_of_the_Bluegrass
[ Post Reply | Private Reply | To 1 | View Replies]

To: Pride_of_the_Bluegrass

http://www.us-cert.gov/control_systems/pdf/ICSA-10-272-01.pdf

ICS-CERT has been actively investigating and reporting on the Stuxnet vulnerability. To date, ICS-CERT has released ICSA-10-201-01 - Malware Targeting Siemens Control Software (including Updates B & C) and ICSA-10-238-01 - Stuxnet Mitigations (including Update B).
Stuxnet uses four zero-day exploits (two of which have been patched) and takes advantage of a vulnerability also exploited by Conficker, which has been documented in Microsoft Security Bulletin MS-08-067. The known methods of propagation include infected USB devices, network shares, STEP 7 Project files, WinCC database files, and the print spooler vulnerability addressed by MS-10-061.
The malware also interacts with Siemens SIMATIC WinCC or SIMATIC STEP 7 software. Exact software versions and configurations that may be affected are still being analyzed jointly by ICS-CERT and Siemens. We have listed the following indicators for use in detecting this malware. The malware can be updated through a command and control infrastructure as well as peer-to-peer communication using the Remote Procedure Call (RPC) protocol.


3 posted on 10/09/2010 6:15:35 AM PDT by Pride_of_the_Bluegrass
[ Post Reply | Private Reply | To 2 | View Replies]

To: Pride_of_the_Bluegrass

bttt


4 posted on 10/09/2010 6:19:23 AM PDT by TEXOKIE (Anarchy IS the strategy of the forces of darkness!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: TEXOKIE

http://www.youtube.com/watch?v=z5rRZdiu1UE&ob=av2n

I have to add this as well, it’s a bad habit but I have a messed up sense of humor


5 posted on 10/09/2010 6:22:42 AM PDT by Pride_of_the_Bluegrass
[ Post Reply | Private Reply | To 4 | View Replies]

To: Pride_of_the_Bluegrass

Did she discuss the Russian engineers being detained or fleeing Iran?


6 posted on 10/09/2010 6:22:47 AM PDT by gusopol3
[ Post Reply | Private Reply | To 1 | View Replies]

To: Pride_of_the_Bluegrass
Nice round up of the facts. Thanks for posting. Sucks if you run Siemens PLC’s.
7 posted on 10/09/2010 6:30:28 AM PDT by mad_as_he$$ (Playing by the rules only works if both sides do it!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: mad_as_he$$

>>Sucks if you run Siemens PLC’s.

I’m an AE for a utility company and I program WinCC and Step7 control systems and keep getting phone calls about Stuxnet. Read the white papers on this and it becomes fairly obvious that this is a targeted attack on several Muslim nations. This is the most well-written virus ever seen and 60% of the infected systems have been in Iran. Most of the other infected systems are in Muslim countries as well. The people that examine these things are amazed at its complexity and bug-free code, which just screams “NSA” or that new USAF cyber-command at me.

I can’t afford to panic and shut down my control systems, or spend the $500M replacing Siemens with Allen-Bradley (we have a very large SCADA system), so I’ll just watch this thing develop—but at this point it looks like someone is just trying to convince someone else (who has bombs loaded on planes ready to go to Iran) that there is no threat because we can take them out any time we want without a single bomb.


8 posted on 10/09/2010 6:50:07 AM PDT by Bryanw92 (Obama is like a rocket scientist....who's trying to do brain surgery with a hammer.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Pride_of_the_Bluegrass
dejavu all over again...

In January 1982, President Ronald Reagan approved a CIA plan to sabotage the economy of the Soviet Union through covert transfers of technology that contained hidden malfunctions, including software that later triggered a huge explosion in a Siberian natural gas pipeline, according to a new memoir by a Reagan White House official.

Thomas C. Reed, a former Air Force secretary who was serving in the National Security Council at the time, describes the episode in "At the Abyss: An Insider's History of the Cold War," to be published next month by Ballantine Books. Reed writes that the pipeline explosion was just one example of "cold-eyed economic warfare" against the Soviet Union that the CIA carried out under Director William J. Casey during the final years of the Cold War.

At the time, the United States was attempting to block Western Europe from importing Soviet natural gas. There were also signs that the Soviets were trying to steal a wide variety of Western technology.

Then, a KGB insider revealed the specific shopping list and the CIA slipped the flawed software to the Soviets in a way they would not

'Programmed to go haywire'

"In order to disrupt the Soviet gas supply, its hard currency earnings from the West, and the internal Russian economy, the pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds," Reed writes.

"The result was the most monumental nonnuclear explosion and fire ever seen from space," he recalls, adding that U.S. satellites picked up the explosion. Reed said in an interview that the blast occurred in the summer of 1982.

"While there were no physical casualties from the pipeline explosion, there was significant damage to the Soviet economy," he writes. "Its ultimate bankruptcy, not a bloody battle or nuclear exchange, is what brought the Cold War to an end. In time the Soviets came to understand that they had been stealing bogus technology, but now what were they to do? By implication, every cell of the Soviet leviathan might be infected. They had no way of knowing which equipment was sound, which was bogus. All was suspect, which was the intended endgame for the entire operation."

Reed said he obtained CIA approval to publish details about the operation. The CIA learned of the full extent of the KGB's pursuit of Western technology in an intelligence operation known as the Farewell

read the rest here... http://www.industrialdefender.com/general_downloads/incidents/1982.06_trans_siberian_gas_pipeline_explosion.pdf

9 posted on 10/09/2010 7:13:42 AM PDT by Chode (American Hedonist *DTOM* -ww- NO Pity for the LAZY)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bryanw92

I got lucky in one way. Most of my very large SCADA system is GE. Only one Siemens unit in the place and it is not on the factory enet. One of my previous employers has literally hundreds of Siemens PLC’s in all families and configurations. They are in complete freakout mode. Funny thing is we parted ways because of my ongoing and vocal concerns about security practices. I agree this was not a bunch of hackers in a basement. This thing was well written and contains extensive knowledge of Siemens systems - something the average Windows virus writer would not have. I have been working with PLC’s for 15 years and have never been around a discussion about any unit at the microcode level in the detail that Stux has.


10 posted on 10/09/2010 7:18:59 AM PDT by mad_as_he$$ (Playing by the rules only works if both sides do it!)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Pride_of_the_Bluegrass

excellent report

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf


11 posted on 10/09/2010 8:12:00 AM PDT by Chode (American Hedonist *DTOM* -ww- NO Pity for the LAZY)
[ Post Reply | Private Reply | To 1 | View Replies]

To: mad_as_he$$

I agree. This is not the work of a Windows hacker or a PLC guy. This was a collaborative effort with a lot of resources behind it. My upper management is in freak-out mode too, so I just told them yesterday (during their latest panic attack) that I recommend switching our 2100 PLCs out for Allen-Bradley. That actually calmed them down because then they started looking at it in its proper perspective. My SCADA system covers three counties and we always have to balance security vs operability. I’ve been working with PLCs since 1988 and have seen them evolve from simple replacements for relays to the wonderful things they are today. Stuxnet is just another Y2K scare.


12 posted on 10/09/2010 8:20:16 AM PDT by Bryanw92 (Obama is like a rocket scientist....who's trying to do brain surgery with a hammer.)
[ Post Reply | Private Reply | To 10 | View Replies]

To: gusopol3

I already posted that story

http://www.freerepublic.com/focus/f-news/2601020/posts


13 posted on 10/09/2010 9:05:46 AM PDT by Pride_of_the_Bluegrass
[ Post Reply | Private Reply | To 6 | View Replies]

To: Pride_of_the_Bluegrass
Has anyone seen even any speculation about what the virus actually did to Iran?
14 posted on 10/09/2010 9:18:45 AM PDT by aegiscg47
[ Post Reply | Private Reply | To 1 | View Replies]

To: Pride_of_the_Bluegrass

I read “One Second After”, a story about what would happen if an enemy country set off a nuclear warhead in the atmosphere many miles above the US. It would cause an EMP (Electromagnetic Pulse), shutting down all the electronics in much of the US, crippling the country.

It could be more targeted though, perhaps in the sky over Iran, turning that country into a powerless Third World community in an instant. No direct deaths from the EMP, just mayhem and a lot of refugees to nearby countries.

Do you think the Pentagon or Israel may be looking into this?


15 posted on 10/09/2010 9:53:11 AM PDT by bigred44
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bryanw92

Well put.


16 posted on 10/09/2010 9:58:09 AM PDT by mad_as_he$$ (Playing by the rules only works if both sides do it!)
[ Post Reply | Private Reply | To 12 | View Replies]

To: bigred44

I would think we would rather do another “Operation Ajax” and just take over before we would destroy the entire country’s infrastructure.


17 posted on 10/09/2010 10:17:33 AM PDT by Pride_of_the_Bluegrass
[ Post Reply | Private Reply | To 15 | View Replies]

To: Pride_of_the_Bluegrass

That sounds great. But do we have the Intelligence and the time to do this before Iran gets its first usable nuclear weapon? An Operation Ajax takes years, and a wide internal network of Iranians to pull off.

I’ve got to believe that the CIA and Pentagon are working on different scenarios (military and other) that will snuff this out.


18 posted on 10/09/2010 10:29:26 AM PDT by bigred44
[ Post Reply | Private Reply | To 17 | View Replies]

To: mad_as_he$$

Why not update your registries with 19790509? You could do that with a simple PowerShell script.


19 posted on 10/09/2010 10:43:56 AM PDT by gitmo ( The democRats drew first blood. It's our turn now.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Chode

WOW


20 posted on 10/09/2010 10:48:38 AM PDT by TEXOKIE (Anarchy IS the strategy of the forces of darkness!)
[ Post Reply | Private Reply | To 9 | View Replies]

