
Stuxnet – Getting to the target

Presentation by Liam O Murchu, Operations Manager, Symantec Security Response, Feb 2011. Agenda: 1. Stuxnet Capabilities; 2. Network Distribution Tactics; 3. Intel & Targets; 4. Sophistication & Success; 5. Solutions & Lessons Learned. Opens with an overview of Stuxnet's features.



Presentation Transcript


  1. Stuxnet – Getting to the target
     Liam O Murchu, Feb 2011
     Operations Manager, Symantec Security Response

  2. Agenda
     1. Stuxnet Capabilities
     2. Network Distribution Tactics
     3. Intel & Targets
     4. Sophistication & Success
     5. Solutions & Lessons Learned

  3. Stuxnet Features
     • Discovery disclosed in July 2010
     • Attacks industrial control systems, likely an Iranian uranium enrichment facility
     • Modifies and hides code on Siemens PLCs connected to frequency converters
     • Contains 7 methods to propagate, 4 zero-day exploits, 1 known exploit, 3 rootkits, 2 unauthorized certificates, 2 Siemens security issues, 1 target
     • 3 versions: June 2009, March 2010, April 2010
     [slide footer: Stuxnet - Sabotaging Industrial Control Systems]

  4. Stuxnet is targeted
     [Diagram: Iranian Target]

  5. PLCs: Programmable Logic Controller (Stuxnet & PLCs)
     • Monitors input and output lines
       • Sensors on inputs
       • Switches/equipment on outputs
     • Many different vendors
     • Stuxnet seeks specific models
       • S7-300, S7-400
     • Stuxnet is targeted
       • Targeting a specific type of PLC
       • Searches for a specific configuration

  6. Programming a PLC: Step7, STL and MC7 (Stuxnet Infecting PLCs)
     • Simatic or Step 7 software
     • Used to write code in STL or other languages
     • STL code is compiled to MC7 byte code
     • MC7 byte code is transferred to the PLC
     • Control PC can now be disconnected

  7. Attack Preparation
     [Diagram: Stuxnet Creator → Control PC → Uranium Enrichment Facility → PLC]

  8. Attack Considerations
     [Diagram: Internet etc. → Corporate LAN → Air Gap]

  9. How Stuxnet Attacks Corporations
     Stuxnet uses 7 different methods to propagate!
     • USB drives – zero day
     • Print Spooler vuln – zero day
     • MS08-067 vuln
     • Network shares
     • P2P sharing
     • WinCC hard-coded password
     • Step7 projects
     [Diagram: Control PC]

  10. Self-Replication: Step 7 Project Files
     [Diagram: layout of an infected project tree, MyProject.s7p …]
     • Project subdirectories shown: ApiLog, S7HK40AX, S7HK41AX, hOmSave7, xutils (links, listen, types)
     • Files added by Stuxnet: s7p00001.dbf (Stuxnet datafile), xr000000.mdx (encrypted Stuxnet), s7000001.mdx (Stuxnet config data file), s7hkimdb.dll (dropped in several locations)
     • Record layout shown for the DB file: header bytes 14 14 00 00 00 00 00 00 00 00 00, then repeated records of +00 WORD count, +02 BYTE[] records
     • Locations for s7hkimdb.dll: %Step7%\S7BIN, %SYSTEM32%, %SYSTEM%, %WINDIR%, project's hOmSave7/* subdirectories
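Slides 9 and 10 name the Step7-project propagation method and the file names Stuxnet drops into a project tree. As an added example (not from the deck or from Symantec's tooling), the script below walks a project directory and flags those names; the sample tree it builds is constructed, the file contents are dummies, and the rule for s7hkimdb.dll (legitimate in %Step7%\S7BIN, suspicious inside a project's hOmSave7 subdirectories) is an assumption drawn only from the drop locations the slide lists, not a full signature.

```python
"""Added example: scan a Step 7 project directory for the file names the
"Self-Replication: Step 7 Project Files" slide lists as Stuxnet artifacts."""
import tempfile
from pathlib import Path

# File names quoted on the slide, mapped to the slide's own description.
INFECTION_ARTIFACTS = {
    "xr000000.mdx": "encrypted Stuxnet",
    "s7000001.mdx": "Stuxnet config data file",
    "s7p00001.dbf": "Stuxnet datafile",
}
# The slide lists %Step7%\S7BIN as a normal location for this DLL and the
# project's hOmSave7/* subdirectories as a drop location; only the latter
# is flagged here (assumption for this example).
SUSPECT_DLL = "s7hkimdb.dll"


def scan_project(project_dir):
    """Return sorted (relative_path, reason) pairs for suspicious files under project_dir."""
    root = Path(project_dir)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name in INFECTION_ARTIFACTS:
            hits.append((rel, INFECTION_ARTIFACTS[name]))
        elif name == SUSPECT_DLL and "homsave7" in rel.lower():
            hits.append((rel, "s7hkimdb.dll inside project hOmSave7 subdirectory"))
    return sorted(hits)


def build_sample_project(base, infected=True):
    """Constructed sample tree (dummy contents) mirroring the directory names on the slide."""
    proj = Path(base) / "MyProject"
    clean = ["ApiLog/ApiLog.txt", "S7HK40AX/data.bin", "S7HK41AX/data.bin",
             "xutils/types/types", "xutils/links/links"]
    dropped = ["xutils/links/s7p00001.dbf", "xutils/listen/xr000000.mdx",
               "xutils/listen/s7000001.mdx", "hOmSave7/sub1/s7hkimdb.dll"]
    for rel in clean + (dropped if infected else []):
        target = proj / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"dummy")  # constructed placeholder content
    return proj


def demo(infected=True):
    """Build a sample project in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_project(build_sample_project(tmp, infected=infected))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

On a real Step7 host the scan would be run over each project directory (the path beside the .s7p file); name matching alone gives a fast red-flag check of the kind slide 21 asks for, while a clean project tree produces no hits.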

  11. Stuxnet Windows Rootkit
     [Diagram only]

  12. Attack Execution
     [Diagram: Internet etc. → Corporate LAN → Air Gap]
     1. Initial Delivery
     2. Network Exploits
     3. Reporting / Updates
     4. Bridge Air Gap
     5. Deliver Payload

  13. Delivering the threat
     • Stuxnet targeted specific companies in Iran
     • Only 10 initial targets
     • Resulting in over 14k infections
     • Research was needed to identify valuable targets
       • Companies connected to uranium enrichment
       • Hope to infect someone who would visit a uranium enrichment facility
       • Someone who worked on uranium enrichment projects
     • Actual delivery method is unknown

  14. Limited Spread
     • Attackers wanted limited spread
     • No Internet-capable exploits used
     • USB exploit only infects 3 machines
     • USB exploit has deadline of 21 days
     • All exploits have a deadline
     • Large configuration file
       • ~430 different settings
     • Why did it spread so far?

  15. Why did it spread so far?
     • Zero-day .lnk vulnerability wildly successful
     • Step7 project infection very successful
     • Misunderstanding of how contractors interact
     • Misunderstanding of how connected companies are
     • Intended?
     • Needed to be more aggressive to succeed?

  16. Was Stuxnet Successful?
     • We don't know.
     • 1 year in the wild undiscovered
     • Over 100k infections
       • Majority in Iran
     • Natanz shut down
     • Industrial companies infected
     • Reports of infections at Natanz and Bushehr
     • IAEA report states 1000 centrifuges offline in Nov 2009

  17. Was Stuxnet Successful?
     • We don't know.
     • Discovered 3 months after USB zero day added
     • No report of centrifuges out of action since March
     • Gained high media attention
     • Analysis performed
     • Iranian authorities aware

  18. Sophistication
     • First threat to target hardware
     • Targets uranium enrichment
     • Large amount of code
     • Very configurable
     • 4 zero days
     • Long reconnaissance phase
     • Needed hardware for testing
     • Targets Win95/98, Win2k, WinXP, Vista, Win7…
     • 3 rootkits
     • PLC programming knowledge

  19. Sophistication
     • It was discovered
     • No advanced encryption
     • C&C infrastructure easily taken down
     • Infection information stored
     • Blue screens?? (unconfirmed)
     • P2P not protected
     • Escaped outside of Iran

  20. New Version
     • Not simple to create new version
     • Cannot just drop in new zero days
     • Target-specific information required
     • PLC programming knowledge
     • Exploit knowledge
     • Real danger is the idea
       • Now people know it can be done
       • People can start their own projects knowing it is possible

  21. Solutions & lessons learned
     • Insider threat is significant – employees are a major risk
     • IP is extremely valuable, protect it at all costs
     • Monitor systems and networks
       • Watch for red flags
     • Implement real air gaps
       • Or accept this is not possible and protect computers inside the air gap more vigorously
     • Whitelisting, behavior blocking and reputation-based solutions can mitigate the threat
     • Device blocking – USBs, contractor laptops, etc.
     • Vigilance is key

  22. Response
     • Need dedicated resources in place in advance that can switch focus to a new threat quickly
     • Need engineers who are familiar with the latest developments in the threat landscape
     • Need to respond quickly – critical infrastructure may be at risk
     • Private-public partnership will be important
     • Growing market
     • We will see more of these types of threats in the future; need to prepare for that

  23. Summary
     • Stuxnet is the first publicly known malware to intend real-world damage
     • Required resources at the level of a nation-state
     • While as a whole extremely sophisticated, the technique to inject code into PLCs is not
     • Enterprises should assume attackers know how these systems work
     • Has changed our job at Symantec
     • We expect to see more of these threats

  24. White Paper Available: W32.Stuxnet Dossier
     • Stuxnet technical details available here:
     • http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

  25. Liam O Murchu – liam_omurchu@symantec.com
