
Hackers infiltrated the systems of a nuclear power plant in Iran. Who could be behind it?

In the summer of this year, Symantec analysts recorded about 14,000 unique IP addresses infected with the Stuxnet worm within 72 hours. At the time the general public paid little attention to this. But even then researchers were struck by the fact that 60 percent of the infected systems were located not just anywhere, but in Iran.

The threat began to be actively discussed when the Iranian authorities confirmed that Stuxnet had penetrated the systems of the nuclear power plant in Bushehr. This incident is an almost textbook example of a successful computer attack and a model of how such attacks will be used in the future.
The successful attack allowed the attackers to steal confidential documents describing the architecture and operational data of the SCADA system (supervisory control and data acquisition, the software that supervises industrial processes).

To begin with, we do not know who is behind this attack, and history shows that the organizers of such attacks can be identified only in rare cases. If someone had proposed this type of attack a month ago, most experts would have agreed that it was theoretically possible but dismissed the prospect of actually carrying it out as something better suited to a movie script. Moreover, such attacks are rarely made public.
We know that the people behind this attack are not amateurs, but their ultimate motivation is unclear.
The main facts of the case are as follows:
a zero-day vulnerability, a rootkit to hide its presence in the system, compiled binary components, stolen digital certificates, and in-depth knowledge of SCADA software were all used to launch the attack. The combination of these factors makes this type of attack extremely rare, if not unprecedented.

"Lone wolf"
Consider the possibility that this attack was organized by the stereotypical hacker sitting in his mother's basement. His motive might be a thirst for fame. By stealing intellectual property, a lone wolf might seek to demonstrate his skill at breaking into systems, or work for a monetary reward. Although such a scenario is possible, the attacker stole two digital certificates, used a zero-day vulnerability, and possesses incredibly deep knowledge of the SCADA system. To accumulate such resources for an attack, a hacker would need to be very patient and well motivated. Organizing an attack like this over a weekend is impossible. The possibility that a lone wolf organized it is unlikely.
"Disgruntled employee"
The deep knowledge of the SCADA system has led some observers to suggest that the attack could have been carried out by an insider, for example a disgruntled employee of a company that uses this software. However, the likelihood that the average disgruntled employee was able to discover a zero-day vulnerability and also steal two digital certificates is small.

"Actions of commercial competitors"
Another version is that the attack was organized by a competitor trying, at any price, to gain an advantage over the companies that became the targets. Competitors could use documentation of the production system architecture to recreate secret production processes or even to sabotage a rival's systems. Historically, such attacks have been carried out by hired hackers. However, they are usually quite narrowly targeted. In this case the threat spreads blindly to every computer running Windows, regardless of whether the computer belongs to the target company and whether SCADA software is installed on it. If this attack is an instance of commercial espionage, the attackers may have expected to get close to the target systems and, through successive infection of USB drives, eventually reach the target SCADA system. The fact that the worm would over time infect many other computers around the world was probably regarded by the attackers as collateral damage, and they hoped to reach their goal before the worm came to the attention of anti-virus companies.

"State espionage"
Recently there have been cases in which governments have been accused of sanctioning hacker attacks beyond their borders. A government may try to steal state or military secrets. If this attack was organized by a government, its motivation may be similar to that of a commercial competitor, with the goal of obtaining military secrets. The complexity and quality of the tools used in this attack lead some observers to argue that only a state has sufficient resources to carry it out. However, the use of the second digital certificate seems somewhat strange. It would seem logical that after a successful attack a state would go quiet and not burn the second certificate for nothing. Instead, by signing a very similar binary with it, the attackers let security companies instantly identify the second stolen certificate, which made it impossible to reuse it in future intrusions.

"Nationalist, political, religious and other similar motives"
Attacks attributed to states are often in fact carried out by citizens driven by nationalist, political, religious or similar motives. Hackers united by a single goal can direct their efforts against a country, organization or company they consider an enemy. Such groups often have enough patience and knowledge to assemble a toolkit like this. Moreover, in pursuing a long-running attack, the attackers can refine their tools after the previous toolkit has been neutralized or discovered: files on disk are re-signed with newly stolen digital certificates, binaries are modified so that security products no longer recognize them, and command-and-control servers are moved to new hosting after the old ones are taken down.
"Terrorism"
One of the darkest possible motivations for this attack is terrorism. If an attacker succeeds in taking control of a power plant or other critical facility, they can provoke chaos, shut the facility down, or cause damage by disrupting its normal processes. This scenario sounds even more like a film plot, and although for most attacks we immediately discard terrorism as a possible motivation, given the quantity and quality of the tools used in this attack, in this case terrorism can be considered one of the possible motivations.

Conclusions
Most security professionals, watching action films in which a skilled hacker extorts ransom from organizations or even countries by threatening to harm them, simply dismiss such a possibility as fantasy. However, the Stuxnet case looks very much like the latest Hollywood blockbuster. It is the first documented case in which it was shown that control over production processes can be seized and handed to intruders. The case also demonstrates that in our interconnected world IT security is more important than ever, and that even scenarios previously considered incredible must now be taken into account.

Although we do not yet know the identity of the attackers, they did leave one piece of evidence. One of the worm's drivers contains a string with the name of the project: "b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb". The guava is a tree of the myrtle family. Why guava and myrtle specifically? Let that question be the starting point for further research.
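A PDB path like the one above is a build artifact: the linker stores it in the binary's CodeView debug record (signature "RSDS", then a 16-byte GUID, a 4-byte age, and the NUL-terminated path) so that a debugger can find the symbol file. The following is an added example, not code from the article or from any Stuxnet analysis, showing how an analyst pulls such a record out of a raw driver image and extracts the developer-chosen names from it. The byte buffer it scans is constructed here for the test; the GUID and age are made up, and only the path string itself is the one quoted in the text.

```python
"""Find RSDS CodeView debug records in a raw binary and extract the PDB path.

Added example for illustration; the sample buffer is constructed, not a real
driver, and the GUID/age values in it are invented.
"""
import re
import struct
import uuid

RSDS_MAGIC = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4  # magic + GUID + age


def find_rsds_records(blob: bytes):
    """Return a list of (offset, guid, age, pdb_path) for every well-formed
    RSDS record in blob. Stray "RSDS" byte runs that are not followed by a
    printable NUL-terminated path are skipped."""
    records = []
    pos = 0
    while True:
        idx = blob.find(RSDS_MAGIC, pos)
        if idx < 0:
            break
        pos = idx + 1
        hdr_end = idx + RSDS_HEADER_LEN
        if hdr_end > len(blob):
            break
        guid_raw = blob[idx + 4: idx + 20]
        (age,) = struct.unpack_from("<I", blob, idx + 20)
        end = blob.find(b"\x00", hdr_end)
        if end < 0:
            continue
        path_bytes = blob[hdr_end:end]
        # A genuine path is non-empty printable ASCII; anything else is noise.
        if not path_bytes or any(b < 0x20 or b > 0x7E for b in path_bytes):
            continue
        guid = str(uuid.UUID(bytes_le=guid_raw))  # stored little-endian on disk
        records.append((idx, guid, age, path_bytes.decode("ascii")))
    return records


def project_hints(pdb_path: str):
    """Extract the two names a developer chose: the top-level project directory
    and the PDB file stem. Returns (project_dir, pdb_stem)."""
    parts = [p for p in pdb_path.replace("/", "\\").split("\\") if p]
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]  # drop the drive letter
    project_dir = parts[0] if parts else ""
    stem = parts[-1].rsplit(".", 1)[0] if parts else ""
    return project_dir, stem


def build_sample_blob() -> bytes:
    """Constructed test buffer: padding, a decoy "RSDS" with a non-printable
    tail (must be rejected), more padding, then a fake record carrying the
    path quoted in the article. GUID and age are invented."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    path = b"b:\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb\x00"
    record = RSDS_MAGIC + guid.bytes_le + struct.pack("<I", 1) + path
    decoy = RSDS_MAGIC + b"\x00" * 20 + b"\x01\x02\x00"
    return b"\x90" * 32 + decoy + b"MZ\x00" * 10 + record + b"\xcc" * 16


if __name__ == "__main__":
    for offset, guid, age, path in find_rsds_records(build_sample_blob()):
        project_dir, stem = project_hints(path)
        print(f"offset={offset:#x} guid={guid} age={age}")
        print(f"  pdb={path}")
        print(f"  project dir={project_dir!r} pdb stem={stem!r}")
```

On a real sample the same scan is run over the whole file rather than a constructed buffer; matching the GUID and age against a symbol server is then the usual next step, and the directory and file names are what give the "myrtus" and "guava" clues discussed above.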

Source: https://habr.com/ru/post/111650/
