Stuxnet getting to the target

Stuxnet – Getting to the target

Liam O Murchu

Feb 2011

Operations Manager, Symantec Security Response


Agenda

  1. Stuxnet Capabilities
  2. Network Distribution Tactics
  3. Intel & Targets
  4. Sophistication & Success
  5. Solutions & Lessons Learned



Stuxnet Features

  • Discovery disclosed in July 2010

  • Attacks industrial control systems, most likely at an Iranian uranium enrichment facility

  • Modifies and hides code on Siemens PLCs connected to frequency converters

  • Contains 7 methods to propagate, 4 zero-day exploits, 1 known exploit, 3 rootkits, 2 unauthorized certificates, 2 Siemens security issues, 1 target

  • 3 versions: June 2009, March 2010, April 2010

Stuxnet - Sabotaging Industrial Control Systems


Stuxnet is targeted

Iranian Target



PLCs

Programmable Logic Controller

  • Monitors input and output lines

    • Sensors on inputs

    • Switches/equipment on outputs

    • Many different vendors

  • Stuxnet seeks specific models

    • S7-300, S7-400

  • Stuxnet is targeted

    • Targets a specific type of PLC

    • Searches for a specific configuration

Stuxnet & PLCs


Programming a PLC

Step7, STL and MC7

  • SIMATIC Step 7 software

    • Used to write code in STL or other languages

  • STL code is compiled to MC7 byte code

  • MC7 byte code is transferred to the PLC

  • Control PC can now be disconnected

Stuxnet Infecting PLCs


Attack Preparation

(Diagram labels: Stuxnet creator, control PC, uranium enrichment facility, PLC)



Attack Considerations

(Diagram zones: Internet etc., corporate LAN, air gap)



How Stuxnet Attacks Corporations

Stuxnet uses 7 different methods to propagate!

  • USB drives – zero-day (.lnk shortcut handling)

  • Print spooler vulnerability – zero-day

  • MS08-067 vulnerability

  • Network shares

  • P2P sharing between infected machines

  • WinCC hard-coded password

  • Step 7 projects

(Diagram label: Control PC)



Self-Replication: Step 7 Project Files

Record layout in the project's types directory (as shown on the slide):

    DB 14 14 00 00 00 00 00 00 00 00 00
    +00 WORD   count
    +02 BYTE[] records
    +00 WORD   count
    +02 BYTE[] records

Infected project tree (MyProject.s7p):

    ApiLog
    S7HK40AX
    S7HK41AX
    hOmSave7
        */s7hkimdb.dll (Stuxnet, copied into the hOmSave7 subdirectories)
    xutils
        links
            s7p00001.dbf (Stuxnet datafile)
        listen
            xr000000.mdx (encrypted Stuxnet)
            s7000001.mdx (Stuxnet config data file)
        types

Locations searched for s7hkimdb.dll, in order:

  • %Step7%\S7BIN

  • %SYSTEM32%

  • %SYSTEM%

  • %WINDIR%

  • project's hOmSave7/* subdirectories
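To make the layout above concrete, here is an added scanner, written for this page and not code from the presentation, Symantec or Siemens. It walks Step 7 project directories and reports the files named on the slide, and includes a small resolver for the s7hkimdb.dll search order listed above. The file names are from the slide; their placement under xutils/links and xutils/listen, and the rule that any s7hkimdb.dll inside a project's hOmSave7 subdirectories is suspect, are assumptions taken from the W32.Stuxnet Dossier the deck links to. The two sample project trees (and the hOmSave7 subdirectory name 00000001) are constructed inside the example so it runs offline.

```python
"""Scan Siemens Step 7 project directories for the Stuxnet files on the slide.

Added example for this page; not code from the presentation, Symantec or
Siemens. File placement under xutils/links, xutils/listen and hOmSave7 is
assumed from the W32.Stuxnet Dossier. Sample projects are constructed below.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Project-relative paths (compared lower-cased: Windows is case-insensitive)
# of the files Stuxnet writes into an infected project.
PROJECT_INDICATORS = {
    "xutils/links/s7p00001.dbf": "Stuxnet data file",
    "xutils/listen/xr000000.mdx": "encrypted Stuxnet",
    "xutils/listen/s7000001.mdx": "Stuxnet configuration data file",
}
# The genuine s7hkimdb.dll ships with Step 7 itself; a copy inside a
# project's hOmSave7 subdirectories is the staged Stuxnet DLL (assumption).
PROJECT_DLL = "s7hkimdb.dll"

# Lookup order for s7hkimdb.dll as listed on the slide. Only the last
# location lives inside the (attacker-writable) project being opened.
DLL_SEARCH_ORDER = ["%Step7%/S7BIN", "%SYSTEM32%", "%SYSTEM%", "%WINDIR%",
                    "<project>/hOmSave7/*"]


@dataclass(frozen=True)
class Finding:
    path: str     # relative to the project root, forward slashes
    reason: str
    sha256: str   # file hash, so indicators can be compared and shared


def _sha256(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_step7_project(root: str | os.PathLike) -> list[Finding]:
    """Return every indicator found under one project directory, sorted by path."""
    root = Path(root)
    found: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            low = rel.lower()
            if low in PROJECT_INDICATORS:
                found.append(Finding(rel, PROJECT_INDICATORS[low], _sha256(full)))
            elif name.lower() == PROJECT_DLL and low.startswith("homsave7/"):
                found.append(Finding(rel, "Stuxnet DLL staged in hOmSave7", _sha256(full)))
    return sorted(found, key=lambda f: f.path)


def scan_projects(base: str | os.PathLike) -> dict[str, list[Finding]]:
    """Walk a tree of projects: a directory holding a *.s7p file is a project
    root. Only projects with findings are returned, keyed by relative path."""
    base = Path(base)
    hits: dict[str, list[Finding]] = {}
    for dirpath, dirs, files in os.walk(base):
        if any(f.lower().endswith(".s7p") for f in files):
            proj = Path(dirpath)
            findings = scan_step7_project(proj)
            if findings:
                hits[proj.relative_to(base).as_posix()] = findings
            dirs[:] = []  # a project's subfolders are not further projects
    return hits


def resolve_dll(present: set[str], order: list[str] = DLL_SEARCH_ORDER) -> str | None:
    """Which copy of s7hkimdb.dll wins: first location in search order that
    actually holds a copy, or None if the DLL is nowhere."""
    return next((loc for loc in order if loc in present), None)


def build_sample_projects(base: str | os.PathLike) -> None:
    """Write one infected and one clean project layout (constructed sample data)."""
    layout = {
        "MyProject": ["MyProject.s7p", "ApiLog/.keep", "S7HK40AX/.keep",
                      "S7HK41AX/.keep", "hOmSave7/00000001/s7hkimdb.dll",
                      "xutils/links/s7p00001.dbf", "xutils/listen/xr000000.mdx",
                      "xutils/listen/s7000001.mdx", "xutils/types/.keep"],
        "CleanProject": ["CleanProject.s7p", "ApiLog/.keep", "hOmSave7/00000001/.keep",
                         "xutils/links/.keep", "xutils/listen/.keep", "xutils/types/.keep"],
    }
    for proj, files in layout.items():
        for rel in files:
            p = Path(base) / proj / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed sample content: " + rel.encode())


def demo() -> dict[str, list[Finding]]:
    """Build the sample projects in a temp dir, scan them and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_projects(tmp)
        return scan_projects(tmp)
```

To use it on an engineering workstation, call scan_projects on the directory where Step 7 keeps its projects (the S7Proj folder) and on any folder where projects arrive from contractor laptops or USB drives, since those imports are exactly the path the slide describes. resolve_dll shows why the search order matters: the project copy is only reached when none of the earlier locations holds the DLL, so the hOmSave7 finding is worth checking against the S7BIN copy on the same machine.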



Stuxnet Windows Rootkit



Attack Execution

(Diagram zones: Internet etc., corporate LAN, air gap)

  1. Initial delivery
  2. Network exploits
  3. Reporting and updates
  4. Bridge the air gap
  5. Deliver payload



Delivering the threat

  • Stuxnet targeted specific companies in Iran

  • Only 10 initial targets, resulting in over 14k infections

  • Research was needed to identify valuable targets: companies connected to uranium enrichment

  • Hope to infect someone who would visit a uranium enrichment facility, or who worked on uranium enrichment projects

  • Actual delivery method is unknown



Limited Spread

  • Attackers wanted limited spread

  • No Internet-capable exploits used

  • USB exploit only infects 3 machines per drive

  • USB exploit has a deadline of 21 days

  • All exploits have a deadline

  • Large configuration file, ~430 different settings

  • Why did it spread so far?



Why did it spread so far?

  • Zero-day .lnk vulnerability wildly successful

  • Step 7 project infection very successful

  • Misunderstanding of how contractors interact

  • Misunderstanding of how connected companies are

  • Intended?

  • Needed to be more aggressive to succeed?



Was Stuxnet Successful

  • We don’t know.

  • 1 year in the wild undiscovered

  • Over 100k infections

  • Majority in Iran

  • Natanz shut down

  • Industrial Companies Infected

  • Reports of infections at Natanz and Bushehr

  • IAEA report states 1000 centrifuges offline in Nov 2009



Was Stuxnet Successful

  • We don’t know.

  • Discovered 3 months after USB zero day added

  • No report of centrifuges out of action since March

  • Gained high media attention

  • Analysis performed

  • Iranian authorities aware



Sophistication

  • First threat to target hardware

  • Targets Uranium Enrichment

  • Large amount of code

  • Very configurable

  • 4 zero days

  • Long Reconnaissance phase

  • Needed Hardware for testing

  • Targets Windows 95/98, 2000, XP, Vista, 7 …

  • 3 Rootkits

  • PLC programming knowledge



Sophistication

  • It was discovered

  • No advanced encryption

  • C&C infrastructure easily taken down

  • Infection information stored

  • Blue screens?? (unconfirmed)

  • P2P not protected

  • Escaped outside of Iran



New Version

  • Not simple to create new version

  • Cannot just drop in new zero days

  • Target specific information required

  • PLC programming knowledge

  • Exploit knowledge

  • Real danger is the idea

  • Now people know it can be done

  • People can start their own projects knowing it is possible



Solutions & lessons learned

  • Insider threat is significant – employees are a major risk

  • IP is extremely valuable, protect it at all costs

  • Monitor systems and networks, watch for red flags

  • Implement real air gaps, or accept this is not possible and protect computers inside the air gap more vigorously

  • Whitelisting, behavior blocking and reputation-based solutions can mitigate the threat

  • Device blocking – USB drives, contractor laptops, etc.

  • Vigilance is key



Response

  • Need dedicated resources in place in advance that can switch focus to a new threat quickly

  • Need engineers who are familiar with the latest developments in the threat landscape

  • Need to respond quickly – critical infrastructure may be at risk

  • Public-private partnership will be important

  • Growing market

  • We will see more of these types of threats in the future, need to prepare for that.



Summary

  • Stuxnet is the first publicly known malware to intend real-world damage

  • Required resources at the level of a nation-state

  • While as a whole extremely sophisticated, the technique to inject code into PLCs is not

  • Enterprises should assume attackers know how these systems work

  • Has changed our job at Symantec

  • We expect to see more of these threats



White Paper Available

W32.Stuxnet Dossier

  • Stuxnet Technical Details Available here:

  • http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf




Liam O Murchu - liam_omurchu@symantec.com
