Bodi 1

Kathleen R. Bodi
Computer Forensics CS 346
05/25/2014

Stuxnet

“If the radiance of a thousand suns were to burst at once into the sky, that would be like the splendor of the Mighty One… I am become Death (Shiva), the shatterer of Worlds.”
- Bhagavad-Gita, cited by J. Robert Oppenheimer on the Trinity Project[1]

STUXNET SUMMARY:

In June 2010, a new computer virus appeared quietly on the world stage. By the time the CBS 60 Minutes report[2] aired on March 4, 2012, the Trojan known as Stuxnet had been carefully analyzed by leading independent and industrial security experts around the world. Correspondent Steve Kroft opens the report by informing the American public that “The Nation’s top military, intelligence, and law enforcement officials have been warning Congress and the country about a coming cyber-attack against critical infrastructure in the United States.” He then explains that our energy and financial industries could be targeted, which would have a devastating impact on our daily lives, and that cyber-warfare has already begun with the chain of events set in motion by the introduction of the Stuxnet virus.

After such foreshadowing, viewers might well wonder how a computer virus most of us have never encountered could possibly equate to cyber-warfare against the United States. Stuxnet was actually the first targeted attack by at least one sophisticated actor against a nation-state using malware to damage its critical infrastructure. The target of the attack has been identified by researchers Falliere, O Murchu and Chien (2011) as a nuclear facility in Natanz, Iran. Like many others around the world, this plant is maintained by a computer-controlled system known as an ICS. An ICS is an industrial control system that uses supervisory control and data acquisition (SCADA)[3] technology.

[1] http://en.wikipedia.org/wiki/Robert_Oppenheimer#Trinity
[2] http://www.cbsnews.com/videos/stuxnet-computer-worm-opens-new-era-of-warfare/
SCADA technology combines automated monitoring processes with human interfaces to supervise programmable logic controllers[4]. In turn, these programmable logic controllers manage the speed of motorized devices such as a large constellation of centrifuges. According to Albright and Shire (2009) at the Institute for Science and International Security, the centrifuges at the Natanz Fuel Enrichment Plant were believed to be in use, or being readied for use, for increased production of low-enriched uranium.

Stuxnet primarily infected computer systems by self-extraction, which occurred when infected thumb drives were plugged into the USB ports of computers on both wide-area and peer-to-peer networks. The virus spread across networks when it identified other computers as having two files used only by the Siemens S7-300 industrial control system. It also forwarded information about the computers it had infected to two websites. The data sent to the websites included the date of infection, the type of operating system on the computer, its place on the network including its level of privileges, the IP addresses infected, the country of location, and whether or not it possessed the two files in question. The only data received back from the websites instructed the virus to initiate a checklist sequence. If the sequence executed correctly, a payload was activated that overwrote data on the host computer. The overwritten data then produced two separate actions: it changed the speed at which the centrifuges operated, thereby sabotaging them, and at the same time it instructed the human-interface controls to continue to display normal settings so that no control alarms would be raised.

[3] http://www.automation.siemens.com/mcms/human-machine-interface/en/visualizationsoftware/scada/Pages/Default.aspx
[4] http://www.automation.siemens.com/mcms/industrial-automation-systems-simatic/en/plc-controlsystem/Pages/Default.aspx
PANDORA’S BOX:

It is difficult to know with certainty whether the creators of Stuxnet anticipated the virus being discovered. It seems unlikely to me that they had not calculated a substantial risk of detection at some point after the attack was launched. Further research by McDonald, O Murchu, Doherty and Chien (2013) reveals that Stuxnet was crafted with the following attributes:

- The employment of two valid digital security certificates.
- A stealth rootkit injection technique designed to avoid detection by anti-virus scanning.
- A complicated checklist-style guidance system.
- A set of encrypted files to help shield its primary payload, which was capable of updating itself.
- A zero-day exploit to allow it to escalate privileges whenever necessary.
- Two-way communication capability with web servers in Malaysia and Denmark.
- Five methods for spreading across networks, including P2P, network shares, zero-day exploits and SQL injection on WinCC machines.
- Primary means of infection via USB ports.
- Several waves of attack that contain code modifications[5].
- The integration of assembly code and data blocks into the malware.

The discovery of such a robust virus necessarily prompts concern among security analysts, forensic experts, hackers, industry leaders, and intelligence communities around the globe. Now that the knowledge of how to leverage such capabilities into a single cyber-weapon has been widely disseminated, we must assume that all parties now have, or can easily acquire, a similar weapon. According to the National Cybersecurity and Communications Integration Center’s most recent ICS-CERT report (2014), an unnamed public utility in the United States was breached when a sophisticated actor gained unauthorized access to its control system network.

[5] http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf
ICS-CERT investigated the incident and found that the control systems were accessible from internet hosts, were remote-access enabled, and were inadequately protected by a simple password scheme that could be brute-forced. Further analysis of network logs revealed that the system had been breached before this incident. While a great deal of attention has been focused on widely publicized financial and retail sector security breaches, much less has been directed toward industrial control systems. SCADA systems are used extensively in manufacturing plants, power generation facilities, oil and gas pipelines, and electrical power plants[6]. Because of reduced federal, state and local government funding, many public utilities, including nuclear power plants, are relying on aging “legacy” control systems. Stuxnet has revealed how vulnerable high-value infrastructure targets are to sabotage by determined attackers. Since these public utilities are also susceptible to threats from natural disasters, predicted by the Intergovernmental Panel on Climate Change (2014) to increase in frequency and severity going forward, strengthening our security protections for industrial control systems should be a very high priority.

[6] http://en.wikipedia.org/wiki/SCADA

COUNTER MEASURES:

The ICS-CERT recommendations for securing industrial control systems included in this latest report emphasize an immediate need to strengthen security for ICSs. They strongly recommend implementation of defense-in-depth strategies. These strategies were initially issued by the Department of Homeland Security as recommended practice for improving ICS cybersecurity in October 2009.[7] Successful adoption of these strategies in industrial control system environments requires a thorough evaluation of existing architecture and vulnerabilities as well as an understanding of problem zones.
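The incident above turned on a brute-forceable password and on an earlier breach that surfaced only in logs. A defender can catch both patterns cheaply by scanning authentication and account-management events for two things: bursts of failed logons against one account (especially a burst followed by a success, which is what a missing lockout policy allows), and account creations or additions to the Administrators group by anyone outside the approved list of ICS administrators. Both checks correspond to measures in the ICS-CERT list discussed later in this paper. The script below is an added example written for this review, not code from the paper, ICS-CERT or DHS; the event lines are constructed in a simplified key=value form rather than the native Windows EVTX/XML export, and the account names and addresses are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log events in a simplified key=value rendering
# (not the native EVTX/XML export). Event IDs are the standard Windows values:
# 4624 = successful logon, 4625 = failed logon, 4720 = user account created,
# 4732 = member added to a security-enabled local group. Names and addresses
# are placeholders.
SAMPLE_EVENTS = """\
2014-05-20T01:58:01 EventID=4625 Subject=- Target=operator Source=10.1.1.9
2014-05-20T01:58:03 EventID=4625 Subject=- Target=operator Source=10.1.1.9
2014-05-20T01:58:04 EventID=4625 Subject=- Target=operator Source=10.1.1.9
2014-05-20T01:58:06 EventID=4625 Subject=- Target=operator Source=10.1.1.9
2014-05-20T01:58:07 EventID=4625 Subject=- Target=operator Source=10.1.1.9
2014-05-20T01:58:09 EventID=4625 Subject=- Target=operator Source=10.1.1.9
2014-05-20T01:59:30 EventID=4624 Subject=- Target=operator Source=10.1.1.9
2014-05-20T02:13:07 EventID=4720 Subject=vendor_svc Target=svc_backup2
2014-05-20T02:13:09 EventID=4732 Subject=vendor_svc Target=svc_backup2 Group=Administrators
2014-05-20T03:00:00 EventID=4732 Subject=ics_admin Target=jdoe Group=Administrators
2014-05-20T03:05:00 EventID=4732 Subject=vendor_svc Target=jdoe Group=Users
2014-05-20T09:10:00 EventID=4625 Subject=- Target=jdoe Source=10.1.1.22
2014-05-20T14:10:00 EventID=4625 Subject=- Target=jdoe Source=10.1.1.22
"""


def parse_events(text):
    """Turn each sample line into a dict of its fields plus a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["time"] = datetime.fromisoformat(stamp)
        events.append(event)
    return events


def find_admin_changes(events, approved_admins):
    """Flag account creations and Administrators-group additions performed by
    any subject outside the approved set (e.g. a vendor or third-party account).
    Returns (timestamp, kind, target account, acting account) tuples."""
    findings = []
    for ev in events:
        if ev.get("Subject") in approved_admins:
            continue
        when = f"{ev['time']:%Y-%m-%d %H:%M:%S}"
        if ev["EventID"] == "4720":
            findings.append((when, "account_created", ev["Target"], ev["Subject"]))
        elif ev["EventID"] == "4732" and ev.get("Group") == "Administrators":
            findings.append((when, "added_to_administrators", ev["Target"], ev["Subject"]))
    return findings


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {account: succeeded} for accounts with at least `threshold` failed
    logons inside a sliding `window`. `succeeded` is True when a successful
    logon for the same account follows the burst within one window: the
    signature of a password guessed without a lockout policy in the way."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["EventID"] == "4625":
            failures[ev["Target"]].append(ev["time"])
        elif ev["EventID"] == "4624":
            successes[ev["Target"]].append(ev["time"])
    flagged = {}
    for account, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                flagged[account] = any(
                    burst_end <= t <= burst_end + window for t in successes[account])
                break
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for finding in find_admin_changes(evs, approved_admins={"ics_admin"}):
        print("privilege change:", *finding)
    for account, got_in in find_bruteforce(evs).items():
        print(f"brute force against {account}; followed by success: {got_in}")
```

On the constructed sample this reports the two privilege changes made by `vendor_svc` and a burst of six failures against `operator` that ended in a successful logon; the `ics_admin` addition and the non-Administrators group change are left alone. Tuning `threshold` and `window` to match the lockout policy actually configured on the domain makes the second check a direct test of whether that policy is doing its job.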
According to their report, “Security problems arise because of:

- Increasing dependency of automation and industrial control systems.
- Insecure connectivity to external networks.
- Usages of technologies with known vulnerabilities, creating previously unseen cyber risk in the control domain.
- Lack of a qualified cybersecurity business case for industrial control system environments.
- Some control system technologies have limited security and are often only enabled if the administrator is aware of the capability (if the security does not impede the process).
- Many popular control system communications protocols are absent of basic security functionality (i.e., authentication, authorization).
- Considerable amount of open source information that is available regarding industrial control systems, their operations, and security vulnerabilities.”

[7] http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf

Another significant challenge arises because the security objectives of modern information networks are the inverse of those required by industrial control system environments. A typical IT hierarchy assigns the highest importance to Confidentiality, high importance to Integrity and lower importance to Availability. An ICS, however, typically requires very high Availability, medium Integrity and low Confidentiality. Furthermore, Homeland Security identifies the most critical weaknesses that need to be remedied when identified as:

- “Backdoors and ‘holes’ (either intentional or not) in the network perimeter.
- Devices with little or no security features (modems, legacy control devices, etc.)
- Vulnerabilities in common protocols.
- Attacks on field devices.
- Database attacks.
- Communications hijacking and Man-in-the-Middle (MitM) attacks.
- Improper or nonexistent patching of software and firmware.
- Improper coding techniques.
- Improper cybersecurity procedures for internal and external personnel.
- Lack of control systems specific mitigation technologies.”

Further updated ICS-CERT recommendations for defensive measures include:

- Minimizing network exposure for all ICS devices. Control system networks and devices should be situated behind firewalls and isolated from enterprise networks.
- When remote access is required, extra security measures, including the use of Virtual Private Networks, taking into account their known vulnerabilities.
- Removal, disabling or renaming of default system accounts.
- Account lockout policies as a counter-measure to brute-force attacks.
- Strong password policies, routinely enforced.
- Routine monitoring for escalation of privileges, especially the creation of Administrator accounts by third parties.
- Applying all patches in ICS environments.

Not addressed in either of these reports, but strongly recommended by security experts, is the ramping up of security training for both current and newly hired employees. Encouraging and incentivizing IT staff to acquire additional security training and certification would be a long-term security measure well worth the investment in time, money and staffing.

POST SCRIPT:

Computer forensic experts and security analysts were instrumental in identifying and dissecting Stuxnet. A number of great videos have been posted online. Chester Wisniewski, Senior Security Advisor for Sophos, appears in “Stuxnet/Windows shortcut zero-day explained [Anatomy of an Attack online].”[8][9] He explains how Windows shortcut links were exploited by the malware and shows us exactly how it appears to the user, both in a hex-editor environment and in a Windows environment.

[Figure: Code specific to a USB stick for infecting other devices. Cannot now be copied to another USB stick.]
[8] http://www.youtube.com/watch?v=eFLNG5zHaVA
[9] http://www.youtube.com/watch?v=1UxN7WJFTVg

[Figure: View in Windows in the first seconds after clicking “Open” files on the removable device.]
[Figure: View in Windows seconds later, after the virus self-extracts. The computer is now infected.]

Symantec produced another very informative video, “Stuxnet: How It Infects PLCs”.[10] In it, we are given an overview of how the virus was brought into the target environment and how it spread across the network looking for computers running the Step 7 software processes.

[Figure: Stuxnet introduction and network propagation.]
[Figure: Two-way communication between the infected PLC computer and the attacker’s web server.]

[10] http://www.youtube.com/watch?v=cf0jlzVCyOI

Additionally, Liam O Murchu provides a wonderful live demonstration of the actual performance of motorized devices under normal PLC conditions and under Stuxnet-altered conditions. We also see how the human-interface control display appears unaltered.

[Figure: PLC screen before infection.]
[Figure: PLC screen after infection.]

On June 17, 2010, an anti-virus company in Belarus, VirusBlokAda, was the first to detect and report the discovery of a new Trojan that used USB storage devices as a vector of transmission.[11] The report was picked up by Brian Krebs on July 10, 2010.[12] A Krebs on Security blog update on July 16, 2010 adds that Frank Boldewin,[13] an independent security expert, had dissected samples of Stuxnet and discovered that it was targeting Siemens WinCC SCADA systems. I learned a tremendous amount from reading Symantec’s “W32.Stuxnet Dossier” and “Stuxnet 0.5: The Missing Link.” For instance, the version of Stuxnet most widely analyzed did not seem to need to do reconnaissance.
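The computer description block that the Dossier documents (quoted in the next paragraph) is compact enough that an analyst who has recovered a decoded beacon from a proxy log or packet capture can parse it mechanically, which is useful for building a timeline of which engineering workstations reported in, with which operating system and which Step 7 project. The parser below is an added example written for this review, not code from the paper or from Symantec. It assumes the record has already been decoded to the plaintext layout the Dossier quotes (the network transport encoding is outside this example); the first sample record is the Dossier's own example as the paper reproduces it, while the second record, its host and domain names, and the NT-version-to-product-name table are constructed by me for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Record layout as the paper quotes it from the Symantec W32.Stuxnet Dossier.
# DOSSIER_EXAMPLE is the Dossier's own example; CONSTRUCTED_EXAMPLE is made up
# here to show a record with two addresses and no trailing comma. Host and
# domain names are placeholders.
DOSSIER_EXAMPLE = (
    "5.1 - 1/1/0 - 2 - 2010/09/22-15:15:47 127.0.0.1, "
    "[COMPUTER NAME] [DOMAIN NAME] [c:\\a\\1.zip:\\proj.s7p]"
)
CONSTRUCTED_EXAMPLE = (
    "6.1 - 1/0/0 - 1 - 2010/10/03-08:02:11 192.0.2.10, 10.10.5.7 "
    "[ENG-WS-07] [PLANTNET] [d:\\projects\\line3.s7p]"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RECORD_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+) - "                # OS major.minor version
    r"(?P<flags>\d+/\d+/\d+) - "                         # flags used by Stuxnet
    r"(?P<membership>\d+) - "                            # workgroup/domain flag
    r"(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}) "      # time of infection
    rf"(?P<ips>{IPV4}(?:,\s*{IPV4})*),?\s*"              # one or more IP addresses
    r"\[(?P<host>[^\]]*)\] \[(?P<domain>[^\]]*)\] \[(?P<project>[^\]]*)\]$"
)

# Windows NT version numbers to marketing names (commonly known mapping,
# constructed here as a convenience for the summary line).
WINDOWS_NAMES = {
    (5, 0): "Windows 2000",
    (5, 1): "Windows XP",
    (5, 2): "Windows Server 2003 / XP x64",
    (6, 0): "Windows Vista / Server 2008",
    (6, 1): "Windows 7 / Server 2008 R2",
}


@dataclass(frozen=True)
class InfectionReport:
    os_version: tuple
    flags: tuple
    membership_flag: int          # the paper does not say which value means which
    infected_at: datetime
    ip_addresses: tuple
    computer_name: str
    domain_name: str
    project_file: str

    @property
    def os_name(self):
        major, minor = self.os_version
        return WINDOWS_NAMES.get(self.os_version, f"Windows NT {major}.{minor}")

    @property
    def has_step7_project(self):
        # .s7p is the Siemens Step 7 project extension; Step 7 is one of the two
        # Siemens products the paper says the beacon reports on.
        return self.project_file.lower().endswith(".s7p")


def is_report(record):
    """True if the line matches the computer description block layout."""
    return RECORD_RE.match(record.strip()) is not None


def parse_report(record):
    """Parse one decoded computer description block into an InfectionReport."""
    m = RECORD_RE.match(record.strip())
    if m is None:
        raise ValueError("not a Stuxnet computer description block")
    return InfectionReport(
        os_version=(int(m["major"]), int(m["minor"])),
        flags=tuple(int(f) for f in m["flags"].split("/")),
        membership_flag=int(m["membership"]),
        infected_at=datetime.strptime(m["ts"], "%Y/%m/%d-%H:%M:%S"),
        ip_addresses=tuple(re.split(r",\s*", m["ips"])),
        computer_name=m["host"],
        domain_name=m["domain"],
        project_file=m["project"],
    )


def summarize(record):
    """One timeline line per beacon, suitable for sorting and grepping."""
    r = parse_report(record)
    return (f"{r.infected_at:%Y-%m-%d %H:%M:%S} {r.computer_name}@{r.domain_name} "
            f"({r.os_name}; {', '.join(r.ip_addresses)}) project={r.project_file} "
            f"step7={'yes' if r.has_step7_project else 'no'}")


if __name__ == "__main__":
    for rec in (DOSSIER_EXAMPLE, CONSTRUCTED_EXAMPLE):
        print(summarize(rec))
```

Because the record carries the infection time, the host identity and the project path, sorting the summary lines by time gives an infection order across the plant network, and filtering on `step7=yes` isolates the engineering workstations that mattered to the attackers.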
By 2010, the only reporting the infected computer needed to perform was as follows (extracted from “W32.Stuxnet Dossier”). The following is an example of the computer description block:

    5.1 - 1/1/0 - 2 - 2010/09/22-15:15:47 127.0.0.1, [COMPUTER NAME] [DOMAIN NAME] [c:\a\1.zip:\proj.s7p]

The following describes each field:

- 5.1 – Major OS version and minor OS version
- 1/1/0 – Flags used by Stuxnet
- 2 – Flag specifying whether the computer is part of a workgroup or a domain
- 2010/09/22-15:15:47 – The time of infection
- 127.0.0.1 – Up to IP addresses of the compromised computer (not in the June 2009 version)
- [COMPUTER NAME] – The computer name
- [DOMAIN NAME] – The domain or workgroup name
- [c:\a\1.zip:\proj.s7p] – The file name of the infected project file

Third wave….

It also notifies the attackers if either of the two targeted Siemens files (Step 7 or WinCC) is found; see pg. 21.

[11] http://www.anti-virus.by/en/tempo.shtml
[12] http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/
[13] http://www.reconstructer.org/

However, “Stuxnet 0.5: The Missing Link” reports that the oldest known version of Stuxnet has been identified, dating back to an in-the-wild debut of approximately November 2007, and was spread only via Step 7 project files. It also contained additional code that targeted the closing of valves at Natanz, Iran, and could potentially have crippled Iran’s uranium enrichment system much more extensively than the later version, which targeted only the centrifuges.

Works Cited

Albright, D., & Shire, J. (2009). ISIS Report: IAEA Report on Iran. Centrifuge and LEU increases; access to Arak reactor denied; no progress on outstanding issues. Retrieved from http://www.isisnucleariran.org/assets/pdf/Iran_IAEA_Report_Analysis_5June2009.pdf

Falliere, N., O Murchu, L., & Chien, E. (2011). Symantec Security Response. W32.Stuxnet Dossier.
(Version 1.4). Retrieved from http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

Intergovernmental Panel on Climate Change (2014). Climate Change 2014: Impacts, Adaptation, and Vulnerability. (IPCC WGII AR5, Chapter 26). Retrieved from http://ipcc-wg2.gov/AR5/images/uploads/WGIIAR5-Chap26_FGDall.pdf

McDonald, G., O Murchu, L., Doherty, S., & Chien, E. (2013). Symantec Security Response. Stuxnet 0.5: The Missing Link. (Version 1.0). Retrieved from http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf

U.S. Department of Homeland Security (2014). ICS-CERT Monitor: Incident Response Activity. (January–April 2014). Retrieved from http://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_%20Jan-April2014.pdf