The most common vector for targeted attacks is the exploitation of vulnerabilities present within the client environment. Stuxnet followed this standard pattern and was designed to target specific vulnerabilities. Stuxnet checks whether WinCC is running; if it is, it tries to log in and install a clandestine “back door” to the internet. Stuxnet was designed to target the centrifuges used in the enrichment process. The process of concentrating U-235 is called enrichment, and centrifuges are a central part of it. After monitoring the centrifuge motor frequency, Stuxnet was designed to attack systems spinning between 807Hz and 1,210Hz. Stuxnet is understood to change the speed of the centrifuge motor by intermittently speeding the machines up to 1,410Hz, then slowing them down to 2Hz, and finally restoring them to 1,064Hz, the normal operating frequency. This inflicts severe stress on the machinery and causes higher crash rates.
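As an added example (not from the original post), a small monitor that reads constructed variable-frequency-drive telemetry and flags the frequency profile described above: readings outside the 807Hz to 1,210Hz band, and drives that show the full over-speed, near-stop, back-to-normal cycle. The log format, drive ids and sample readings are my own assumptions.

```python
import re
from collections import defaultdict

BAND_LOW, BAND_HIGH = 807.0, 1210.0  # operating band the post attributes to the targeted drives (Hz)
# Constructed sample telemetry (not real plant data). Drive 07 shows the cycle
# described above (1064 -> 1410 -> 2 -> 1064); drive 08 stays inside the band.
SAMPLE_LOG = """\
2010-06-01T10:00:00 drive=07 freq=1064.0
2010-06-01T10:00:00 drive=08 freq=1064.0
2010-06-01T10:15:00 drive=07 freq=1410.0
2010-06-01T10:15:00 drive=08 freq=1063.5
2010-06-01T10:30:00 drive=07 freq=2.0
2010-06-01T10:30:00 drive=08 freq=1064.2
2010-06-01T10:45:00 drive=07 freq=1064.0
2010-06-01T10:45:00 drive=08 freq=1064.0
"""
LINE_RE = re.compile(r"^(\S+) drive=(\S+) freq=([0-9.]+)$")

def parse_log(text):
    """Return {drive: [(timestamp, freq), ...]}, skipping malformed lines."""
    readings = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            readings[m.group(2)].append((m.group(1), float(m.group(3))))
    return readings

def classify(freq):
    """Label one reading relative to the expected operating band."""
    if freq > BAND_HIGH:
        return "over"
    if freq < BAND_LOW:
        return "under"
    return "normal"

def find_excursions(readings):
    """Return (alerts, cycled): every out-of-band reading per drive, and the
    set of drives whose readings show the full over -> under -> normal cycle."""
    alerts, cycled = {}, set()
    for drive, series in readings.items():
        labels = [classify(f) for _, f in series]
        out = [(ts, f, lab) for (ts, f), lab in zip(series, labels) if lab != "normal"]
        if out:
            alerts[drive] = out
        # Collapse consecutive repeats so the pattern match ignores run length.
        runs = [l for i, l in enumerate(labels) if i == 0 or l != labels[i - 1]]
        if any(runs[i:i + 3] == ["over", "under", "normal"] for i in range(len(runs) - 2)):
            cycled.add(drive)
    return alerts, cycled
```

Against the sample log the monitor reports two out-of-band readings for drive 07 and lists it as the only drive showing the complete cycle.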
International Atomic Energy Agency (IAEA) inspectors detected that 984 centrifuges had been taken offline, a number corresponding to one section of the worm’s code, which targets 984 linked machines. This is a reality, and it is corroborated by other agencies as well. Whoever designed Stuxnet knew the centrifuges in great detail, right down to which companies supplied the speed control systems and how they worked. All that was needed was a good understanding of how a specific centrifuge cascade was organized and operated, along with some basic information on the instrumentation.
Experts say that the malware was skilfully designed and stands out as a prime example of clandestine digital warfare. What is clear is that this virus was extraordinarily precise in attacking a specific target while inflicting virtually no damage on any other computer systems. Stuxnet was designed to explore and establish its way through thousands of computers over the internet, looking for the programmable logic controllers used to regulate machinery in factories, power plants, and construction and engineering projects. These PLCs perform tasks such as opening and shutting valves in water pipes, speeding up and slowing down the spinning of uranium centrifuges, and perhaps changing traffic lights from red to green, just as witnessed in the movie Die Hard. Stuxnet was made to capitalize on a Microsoft zero-day vulnerability. A zero-day vulnerability is one that is yet to be detected, and of which the originator of the program is not aware. Identifying such vulnerabilities calls for special skills. "Stuxnet was the first malware program to simultaneously exploit as many as four vulnerabilities," according to Alexander Gostev, Chief Security Expert at Kaspersky Lab.
There are rumors that the emergence of Stuxnet could be a tipping point, or a field test to evaluate a new software platform designed as part of a cyberweapon system. Kaspersky researchers Alexander Gostev and Igor Soumenkov came upon additional driver files while investigating Duqu. A detailed analysis of the drivers Mrxcls.sys, Mrxnet.sys and Jmidebs.sys is presented by Securelist, tracing their dates and sizes.
So the world has entered an era of advanced digital warfare. To understand a little more, it helps to look at what others say. For example, Symantec says that Stuxnet carries a DLL file that contains about 109 exports. The modified DLL forwards these exports to the real DLL for regular operations. Symantec comments that the real trick lies with a limited set of 16 exports that are controlled by the DLL: these requests are not forwarded but are intercepted by the custom DLL. The routines intercepted are those that read, write and locate code blocks on the programmable logic controller (PLC). By intercepting these requests, Stuxnet modifies data sent to or returned from the PLC without the knowledge of the PLC operator. It is essential to understand that the worm's delivery was the usual social engineering trick. The worm exploited unpatched Windows vulnerabilities to hook into plants operated with SCADA-specific systems. Symantec has published a comprehensive paper on Stuxnet. This also tells us that vulnerability analysis is an essential activity that organizations need to carry out religiously.
Questions left unanswered include the possibility of switching payloads on demand using the other zero-day threats. For example, a modified virus with a different payload could be used to:
- control IP cameras, retransmitting specific images to other locations;
- freeze a camera on certain frames;
- open digital locks within a bank;
- control interconnected super-fast trains;
- and a lot more.
Who Knows? Time is the answer.
---- It is essential to understand our digital systems.
A wake-up call. Some more information from a technical process angle. The worm was introduced in 2009 through the USBs of Russian contractors working in Iran.
The worm was designed primarily to affect Siemens motors, and more particularly to target the variable frequency drives between 800-1200 Hz. This is the frequency at which most gas centrifuges and pumps work.
The complex architecture of the worm, which is to target a specific system and is designed to disable specific processes, could be done only by an organisation which has the capability, resources and access to: 01. the design of Siemens systems, 02. infiltrate the virus into the targeted system, 03. a driving desire to scuttle a process covertly, and 04. the chutzpah to do it.
Iran has reported that 60% of its computers have been affected, with a drop in its uranium centrifuging process in the early months of 2009. After the news of the attack, Indian and Indonesian systems were also targeted.
My feeling is that the worm was captured, reverse engineered and tested here by our neighbours.
CERT-In has put out a warning on its website after it was alerted by Symantec.
I do not think that our neighbours will have to strain much to disable our processes, since we are quite capable of doing it ourselves. With power being supplied for about 4 to 6 hours per day, water once a week, and industries being crippled by a lack of materials, one will not know if the system is down due to a malware attack or any of the above reasons!!!