• Detailed Technical Exploration

Attack Entry Point: It is widely believed that Stuxnet entered the nuclear facility via an infected USB flash drive, exploiting the vulnerability that lets programs on removable media auto-execute through the autorun.inf file. Stuxnet also used the LNK vulnerability to execute the loaders needed to target different versions of Windows. The infected flash drives are believed to have been introduced into the devices by an external contractor or an undercover spy working for the attackers. So at the entry point we see the malware dropper in action on the Windows OS, i.e., Ground Zero.

Propagation Mechanisms: Stuxnet spreads over the network very stealthily, using seven different mechanisms:

a) Using USB flash drives, infecting three computers in this manner before self-destructing and thereby removing all traces of itself from the drives.

b) Via the network shared folders of the local network on the Windows PCs.

c) Through the MS10-016 print spooler vulnerability, copying itself onto remote computers and then executing itself from the system directory with escalated privileges.

d) By sending a path over SMB, the protocol used for sharing files and other resources among computers, and then executing itself on those remote computers.

e) By actively looking for computers running Siemens WinCC, connecting using the default hardcoded credentials, and attacking the database to upload and copy itself onto the device.

f) By infecting SIMATIC Step7 projects opened on the computer, infecting DLLs and .exe files to enable its execution.

Using these mechanisms Stuxnet gets onto the air-gapped machines, which are kept off the internet as a protection mechanism, and then propagates throughout the network looking for its target devices.

Target Discovery and Attack: Once Stuxnet has reached its target, it performs a series of fingerprinting checks, confirming that it attacks only the correctly specified target.
It checks the type and configuration of the equipment (PLCs). It confirms that the frequency converters and variable-speed motors are the ones that can only be used to regulate the spinning centrifuges for nuclear enrichment (i.e., their spinning speed is between 800 and 1200 Hertz). Only then does it compromise the SCADA driver DLLs: it renames the current DLLs, puts rogue DLLs in their place under the original names, and runs them in parallel with the real code, recording their activity (operating speed and other information) and then activating at the chosen time, all the while feeding the expected (pre-recorded) readings to the monitoring devices (just like the pre-recorded security-feed video loop played out in literally every heist movie Hollywood has made, another example of fiction being the perfect inspiration for real-life innovations, even undesirable ones), thereby performing a perfectly executed man-in-the-middle attack.

Evading Detection: The Stuxnet virus was able to slip through undetected on the Windows OS by using stolen digital certificates from two very reputable companies, making it impossible for any anti-virus running on the devices to detect it. Then, when Stuxnet reached its target devices, it showed doctored data to the controllers, giving them false feedback and fake readings of the operating speed of the centrifuges, fooling them into believing that everything was working exactly as it should while it wreaked havoc on the centrifuges, slowly and steadily making them literally fall apart. Stuxnet was even capable of disabling the customary big red button (the one that can also usually be seen in the movies), so that there was no stopping it mid-operation, even after potential detection.
P2P Update Mechanism: Another extraordinary ability of Stuxnet is that it can reach the internet and update itself to the latest version using a built-in peer-to-peer network within the LAN, by starting a Remote Procedure Call (RPC) server and listening for responses. Using HTTP, it sends information to websites in Denmark and Malaysia that were registered using, of course, stolen credit cards. Monitoring these communications was a crucial part of ascertaining that the target was indeed Iran, as 70% of the infections were concentrated in that region.

Damaging Operations Performed (Impact): After traversing the Windows OS, the malicious payload finally got dropped onto the Siemens PLCs using the default credentials. It reprograms the PLCs' operations and behaviour, making the centrifuges spin at an increased speed of 1410 Hz and then at a lowered speed of a few hundred Hz, sleeping and reactivating at fixed, predetermined intervals of time, literally making them fall apart and self-destruct. In short, by making changes to the logic of the software it was able to damage the hardware in a very significant, covert and unstoppable manner. The damage, as previously stated, was close to 1000 centrifuges broken down in one year, a delay of two years to the overall program, and the collateral damage of several highly skilled and baffled nuclear scientists and engineers being fired over mysterious and unexplained complications.

The Downfall: As we can see, Stuxnet was perfectly designed to run silently in the background for many years, evading detection, so what went wrong? The Windows computers in Iran started rebooting arbitrarily and showing random Blue Screens of Death (BSOD), which was initially thought to be due to some Windows misconfiguration or conflicting installed applications, but on further research Stuxnet was finally discovered by numerous collaborating research scientists all over the world.
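The man-in-the-middle replay described under Target Discovery and the 1410 Hz / few-hundred-Hz cycle described under Impact point to the defensive check below: an added example (not code from the original post or from any Stuxnet analysis) that cross-checks the speeds the HMI displays against an independent sensor feed. The 800-1200 Hz band is the post's own figure; the independent sensor, the divergence tolerance and the telemetry values are assumptions constructed for the example.

```python
"""Out-of-band centrifuge telemetry cross-check (added example, not from the post).
The HMI can only show what the driver DLL reports, so an independent sensor feed is
compared against it; the legitimate 800-1200 Hz band is the figure the post gives."""
from dataclasses import dataclass

LEGIT_HZ = (800.0, 1200.0)   # operating band of the targeted drives, per the post
MAX_DIVERGENCE_HZ = 25.0     # assumed tolerance between HMI value and sensor value


@dataclass
class Sample:
    t: int            # sample index (constructed, one per second)
    hmi_hz: float     # speed the monitoring station displays
    sensor_hz: float  # speed from an independent sensor (assumed: vibration or power draw)


def find_replay_period(values, min_repeats=3):
    """Return the shortest period p at which the series repeats itself at least
    min_repeats times over its full length, or 0 when no loop is present."""
    n = len(values)
    for p in range(1, n // min_repeats + 1):
        if all(values[i] == values[i - p] for i in range(p, n)):
            return p
    return 0


def analyse(samples):
    """Return (t, message) alerts; an empty list means the telemetry looks genuine."""
    alerts, (lo, hi) = [], LEGIT_HZ
    for s in samples:
        if not lo <= s.sensor_hz <= hi:
            alerts.append((s.t, f"sensor reads {s.sensor_hz:.0f} Hz, outside {lo:.0f}-{hi:.0f} Hz"))
        if abs(s.hmi_hz - s.sensor_hz) > MAX_DIVERGENCE_HZ:
            alerts.append((s.t, f"HMI shows {s.hmi_hz:.0f} Hz but sensor reads {s.sensor_hz:.0f} Hz"))
    period = find_replay_period([s.hmi_hz for s in samples])
    if period:
        alerts.append((samples[0].t, f"HMI values loop with period {period}: replayed telemetry?"))
    return alerts


# Constructed telemetry. NORMAL: HMI tracks the sensor. ATTACK: the HMI replays a
# four-sample loop of healthy readings while the drives are pushed to 1410 Hz and
# then dropped to a few hundred Hz, the pattern the post describes.
NORMAL = [Sample(t, hz, hz + 0.5) for t, hz in enumerate(
    [1060.0, 1062.0, 1061.5, 1063.0, 1062.2, 1060.8, 1061.9, 1062.4])]
LOOP = [1064.0, 1065.0, 1063.0, 1064.5]
ATTACK = [Sample(t, LOOP[t % 4], hz) for t, hz in enumerate(
    LOOP + [1410.0] * 4 + [300.0] * 4)]
```

Running `analyse(ATTACK)` yields an out-of-band and a divergence alert for each of the eight manipulated seconds plus one replay alert, while `analyse(NORMAL)` returns nothing.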
Since then Stuxnet has been reverse engineered and pulled apart by numerous security experts and curious souls worldwide. Its source code is freely available on the internet and has acted as an inspiration for the development of numerous other viruses, like Duqu and Flame.

Lessons Learnt: Despite all the sophisticated code that prevented Stuxnet from being detected, helped it spread over the network and even gave it the enhanced capability of destroying centrifuges in the nuclear reactor, Stuxnet used a very basic entry point: a small, inconspicuous USB flash drive. The whole attack could have been prevented if they had disabled the USB ports through the BIOS setup, edited the Windows Registry, or even simply disconnected the USB ports from the motherboard. All these steps require little to no resources, can be done in a very short span of time, and could have prevented the whole attack from ever occurring. So the basic flaw I see here is incomplete and improper threat modelling of the whole system. They were not able to correctly identify the vulnerabilities that they needed to protect the system against. Even after the widespread exposure of the Stuxnet attack, Flame used the same vulnerability two years later to propagate itself over the network. So we need to learn important lessons from our mistakes, try to think like an attacker, defend by trying to attack the system ourselves, and obviously learn and follow secure coding practices. This will take us a long way in protecting against the majority of cyber-attacks.
Another important factor to consider is that software manufacturers must swiftly and diligently ship patches for bugs and vulnerabilities that have been discovered and reported, in order to prevent those vulnerabilities from being repeatedly exploited by attackers, which the attackers were able to do in Stuxnet (integrating them with the four zero-day exploits to create a fast-spreading, sophisticated piece of malicious software) and in many other viruses and worms that steal private user data. In this scenario, the system administrators also need to ensure that the system is regularly updated and receives patches as soon as they are released. The default practice of Siemens hardcoding a single access account and password on all its devices also played a huge role in the success of Stuxnet, as it allowed the virus to gain access to the back-end database and get privileged access to the running system. This might have been avoided by simply changing the default credentials. Stuxnet also showed us the potential vulnerabilities in industrial machines, which are mostly privately owned, and exposed the security holes in our critical infrastructure. It showed us that most industrial control systems are connected to the internet, and that this comes with its own fair share of risks that need to be carefully considered. Stuxnet also revealed how PLCs, inconspicuous small grey boxes that stand alone, run autonomously and have absolutely no IT security, can also be hacked. So we need to focus on the security of every machine and component of the system, no matter how small it might be.
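As an added example of the cheap mitigations the Lessons Learnt section names (not part of the original post), the audit below parses a Windows registry export and checks the two settings an administrator would set to close the USB and autorun.inf entry point: the USBSTOR service start value and the Explorer NoDriveTypeAutoRun policy. The key paths and value names are the standard Windows ones; the .reg text is constructed for the example.

```python
"""Audit a Windows registry export (.reg) for the two cheap mitigations named above:
disabling the USB mass-storage driver and disabling autorun for every drive type.
Added example, not from the post; the .reg text is constructed."""
import re

REQUIRED = {  # (key path, value name) -> data required on a hardened host
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR",
     "Start"): 4,                    # 4 = service disabled, USB storage cannot mount
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoDriveTypeAutoRun"): 0xFF,    # every drive-type bit set = autorun.inf ignored
}
_KEY = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"(.+?)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {(key, value_name): int} for every dword value in the export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := _KEY.match(line):
            key = m.group(1)
        elif (m := _DWORD.match(line)) and key:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def audit(text):
    """Return findings for every required setting that is absent or wrong."""
    values, findings = parse_reg(text), []
    for (key, name), want in REQUIRED.items():
        got = values.get((key, name))
        if got is None:
            findings.append(f"{name} not set under {key} (Windows default applies)")
        elif got != want:
            findings.append(f"{name} under {key} is {got:#x}, expected {want:#x}")
    return findings


# Constructed export from a host that still mounts USB storage (Start=3) and keeps
# the default autorun policy (0x91); the hardened variant flips both values.
WEAK_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\USBSTOR]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""
HARDENED_EXPORT = WEAK_EXPORT.replace("dword:00000003", "dword:00000004") \
                             .replace("dword:00000091", "dword:000000ff")
```

On a real host the input would come from `reg export` of the two keys; a missing value is reported as a finding because the Windows default leaves both features enabled.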
• Analysis and Conclusion

The nuclear power plant facility in Natanz, Iran is built deep in the desert, seventy feet below the ground, surrounded by thick concrete walls, guarded by anti-aircraft guns, and additionally has air-gapped computers to provide protection against the internet. We can clearly see that Iran left no stone unturned to ensure the secrecy and safety of its operations. Everything sounds perfect in theory: it is all isolated and flawlessly protected, and no unauthorized personnel can enter or leave unnoticed. Still, a thumb-sized flash drive, carrying a hidden file smaller than a regular photograph someone uploads to Facebook, was able to wreak havoc in the entire nuclear facility. Attacks like these are occurring with increasing frequency these days. After Stuxnet, it is as if a Pandora's box has been opened, bridging the gap between the physical and cyber realms. Stuxnet has acted as a huge game changer in the realm of warfare, as it has provided countries and terrorist organizations with the means of doing significant damage to their adversaries without fear of detection and consequent retaliation, at a fraction of the cost that traditional warfare originally required, and all that with the added benefit of zero casualties. Cyber weapons have negligible replication cost compared to traditional weapons and can be sent anywhere in the world in a matter of seconds. So, with such immense returns, the likelihood of similar attacks happening in the future is very high. In fact, a malware named Flame has already been found on the Windows OS. It is closely related to Stuxnet, is 40 times bigger, and has been used for cyber espionage in the Middle East, spreading over USB drives and local networks. Flame also has the additional functionality of being able to cease operation and wipe all trace of its presence once the self-destruct command is sent.
So we can clearly see that after Stuxnet it is open season for cyber weapons, and they keep getting better and more advanced. This has totally transformed the landscape of warfare. Cyber weapons are now in high demand, and are also cheaply and readily available. They can be outsourced to third parties like any other programming and development job, making them extremely convenient and inexpensive. All of this has reduced the cost of warfare from billions to a couple of million dollars. No country wants to be left behind: some want to be able to protect themselves and counter-attack their enemies, and others just want to attack and create trouble. In response to Stuxnet, Iran expanded its own cyberwarfare army under the Iranian Revolutionary Guard to combat cyber-attacks and maybe even to develop attacks of its own; after all, nobody wants to be left behind. So we can see that cyber warfare is on the rise and shows no signs of slowing down. The best that we can do is educate ourselves and be prepared for the worst, because it might happen sooner than we expect, and in a form that we have never seen before!
September 21, 2019