Of course, now we know who was behind #Stuxnet -- #Israel and the #CIA -- thanks!

Why the #StuxnetWorm is like nothing seen before

By Paul Marks
27 September 2010

"Stuxnet is the first worm of its type capable of attacking #CriticalInfrastructure like #PowerStations and #ElectricityGrids: those in the know have been expecting it for years. On 26 September, #Iran’s state news agency reported that computers at its #Bushehr #NuclearPowerPlant had been infected.

Why the fuss over Stuxnet?

"#ComputerViruses, worms and #trojans have until now mainly infected PCs or the servers that keep e-businesses running. They may delete key system files or documents, or perhaps prevent website access, but they do not threaten life and limb.

"The Stuxnet worm is different. It is the first piece of #malware so far able to break into the types of computer that control machinery at the heart of industry, allowing an attacker to assume control of critical systems like #pumps, #motors, #alarms and #valves in an industrial plant.

"In the worst case scenarios, safety systems could be switched off at a nuclear power plant; fresh water #contaminated with effluent at a #SewageTreatmentPlant, or the valves in an #OilPipeline opened, contaminating the land or sea.

“'Giving an attacker control of industrial systems like a #dam, a sewage plant or a power station is extremely unusual and makes this a serious threat with huge real world implications,' says Patrick Fitzgerald, senior threat intelligence officer with Symantec. 'It has changed everything.'

Why is a different type of worm needed to attack an industrial plant?

"Industrial machinery is not controlled directly by the kind of computers we all use. Instead, the equipment used in an industrial process is controlled by a separate, dedicated system called a programmable logic controller (#PLC) which runs supervisory control and data acquisition software (#SCADA).

"Running the SCADA software, the PLC controls the process at hand within strict safety limits, switching motors on and off, say, and emptying vessels, and feeding back data which may safely modify the process without the need for human intervention – the whole point of industrial automation.

So how does a worm get into the system?

"It is not easy because they do not run regular PC, Mac or Linux software. Instead, the firms who sell PLCs each have their own programming language – and that has made it tricky for hackers to break it.

"However there is a way in via the Windows PC that oversees the PLC’s operations. Stuxnet exploited four vulnerabilities in Microsoft Windows to give a remote hacker the ability to inject malicious code into a market-leading PLC made by German electronics conglomerate Siemens.

"That’s possible because PLCs are not well-defended devices. They operate for many years in situ and electronic access to them is granted via well-known passwords that are rarely changed. Even when Stuxnet was identified, Siemens opposed password changes on the grounds that it could cause chaos as older systems tried to communicate using old passwords.

Where did the initial Stuxnet infection come from?

"It appears to have first arrived in Iran on a simple #USBMemoryStick, says Fitzgerald. His team in Dublin, Ireland has been analysing Stuxnet since it was first identified by a security team in Belarus in June.

"The first of the four Windows vulnerabilities allowed executable code on a USB stick to spread to a PC. The USB may have been given to an Iranian plant operative – or simply left somewhere for an inquisitive person to insert into their terminal.

"Says Fitzgerald: 'It then spreads from machine to machine on the network, exploiting a second vulnerability to do so, and reports back to the attacker on the internet when it finds a PC that’s running Siemens SCADA software. The attacker can then download a diagram of the industrial system set-up the SCADA controls.'

"The next two Windows vulnerabilities lets the worm escalate its privilege levels to allow the attacker to inject Siemens PLC format computer code – written in a language called STL – into the PLC. It’s that code which is capable of performing the skulduggery: perhaps turning off alarms, or resetting safe temperature levels.

How do we know where Stuxnet is active?

"Symantec monitored communications with the two internet domains that the worm swaps data with. By geotagging the IP addresses of Stuxnet-infected computers in communication with the attacker, Fitzgerald’s team found that 58.8 per cent of infections were in Iran, 18.2 per cent in #Indonesia, 8.3 per cent in #India, 2.6 per cent in #Azerbaijan and 1.6 per cent in the US.

Who is behind the worm?

"No one knows. It is however very professionally written, requiring what Fitzgerald calls 'a broad spectrum of skills' to exploit four new vulnerabilities and develop their own SCADA/PLC set-up to test it on.

"This has some commentators suggesting that a #NationState with plenty of technical resources may have been behind Stuxnet. But computer crime is a billion dollar business so such an effort is not beyond extortionists.

"Stuxnet comprises a 600-kilobyte file and it has not yet been fully analysed."

Read more:
https://www.newscientist.com/article/dn19504-why-the-stuxnet-worm-is-like-nothing-seen-before/