Description
On July 9, 2010, specialists of the Belarusian antivirus company VirusBlokAda discovered malicious software in Iran, which was named Stuxnet. Antivirus companies have no consensus on when exactly Stuxnet appeared; according to some data, distribution was already taking place in January 2009. Distinctive features:
- Stuxnet contains several modules written using several development environments and programming languages;
- To bypass the anti-virus protection mechanisms, some of the modules (drivers) of the malware had a digital signature made using the certificates of the Realtek and JMicron companies (allegedly stolen);
- several methods of distribution: via USB flash drives and over the network. The 2009 version used the widely known launch method via autorun.inf (which is usually disabled for security reasons); in the 2010 version it was replaced with a more effective one, the shortcut (LNK) file processing vulnerability MS10-046 (a zero-day at the time). Vulnerabilities MS08-067 (previously used in 2009 by Kido, which led to mass infections) and MS10-061 (a zero-day at the time) were used for propagation over the network;
- to ensure it can operate, privileges are raised to the system level using two local vulnerabilities (zero-days at the time), MS10-073 (Windows 2000 and XP) and MS10-092 (Windows Vista, including x64), so the malware launches normally even under restricted accounts;
- Stuxnet organizes its own peer-to-peer (P2P) network to synchronize and update its copies;
- there is a functionality that allows sending information found on a computer to remote management servers;
- an unusual payload: disruption of the normal operation of the SIMATIC automation system manufactured by Siemens, which is widely used in industrial process control systems.
Impact on Siemens SIMATIC system
In September 2010, German information security specialist Ralph Langner published an analysis of Stuxnet's actions against SIMATIC on his own website.
SIMATIC WinCC (Windows Control Center) is software for creating a human-machine interface and an integral part of the SIMATIC automation system family. It runs under operating systems of the Microsoft Windows NT family and (starting with version 6.0) uses the Microsoft SQL Server 2000 database. WinCC interacts with the STEP 7 package.
SIMATIC STEP 7 is software for developing automation systems based on the programmable logic controllers (PLC) SIMATIC S7-300 / S7-400 / M7 / C7 and WinAC.
If Stuxnet determines that it is running on an engineering station, it replaces the part of STEP 7 responsible for loading code into the PLC. At the moment the engineer connects to the controller, if Stuxnet recognizes the appropriate hardware configuration, it modifies the code transmitted to the PLC. The researchers found that the intruders were interested in 6ES7-417 and 6ES7-315-2 controllers, as well as industrial networks of the Profibus-DP standard. When the modified STEP 7 is asked to read the modified blocks of the PLC program, it displays them in their original form (a rootkit component that hides the fact of modification).
Stuxnet identifies the target system by checking data block DB 890; in the WinCC environment this check is repeated every five seconds.
If the condition is met, Stuxnet modifies the OB 35 block while it is being transmitted from the Simatic Manager to the PLC. OB 35 is invoked on the PLC by a timer every 100 ms; inside it, the Stuxnet interceptor checks the return code of function FC 1874. If the return code of FC 1874 is DEADF007, the original contents of OB 35 are not executed.
The Stuxnet code in the PLC makes it possible to:
- listen on the Profibus-DP network (over which the PLCs communicate) and generate its own packets, the data for which can be updated from the engineering station;
- read the PLC inputs and control its outputs, which are connected to sensors and actuators respectively; for a targeted action one needs to know specifically which sensors and actuators are connected to which inputs and outputs;
- synchronize its copies among infected PLCs via the Profibus-DP network (PLCs cannot infect one another: a limitation of Siemens controllers is that executable controller code cannot be copied "on the fly", only data).
Stuxnet also tries to connect to the WinCC database using the default password.
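As an added defender-side example that is not part of the original article: since the hooked STEP 7 shows modified blocks in their original form, an integrity check that relies only on the engineering station sees nothing. The script below compares a block listing seen through the engineering station with one obtained by an independent read of the PLC and with a commissioning-time baseline, and flags blocks that carry the DEADF007 marker. The block names OB 35, FC 1874 and DB 890 and the marker value come from the text; the block bodies, the hashing scheme and the idea of a separately captured "independent read" are constructed assumptions for illustration.

```python
"""Added example (not from the original article): an offline PLC block
integrity check against a hidden STEP 7 modification.

Block names OB 35, FC 1874, DB 890 and the DEADF007 marker are taken
from the text; every block body below is constructed sample data, not a
real S7 block image.
"""
import hashlib


def block_digest(body: bytes) -> str:
    """SHA-256 of a block body; stands in for a hash of the compiled block."""
    return hashlib.sha256(body).hexdigest()


# Constructed commissioning-time program image (block name -> body).
BASELINE_BLOCKS = {
    "OB 1": b"original cyclic program",
    "OB 35": b"original 100 ms timer routine",
    "DB 890": b"process data block",
}
BASELINE = {name: block_digest(body) for name, body in BASELINE_BLOCKS.items()}

# Return code the article says the injected OB 35 logic looks for from FC 1874.
STUXNET_MARKER = 0xDEADF007

# Constructed view through the hooked engineering station: identical to the
# baseline because the rootkit component hides the modification.
ENGINEERING_VIEW = dict(BASELINE_BLOCKS)

# Constructed view from an independent read of the same PLC: OB 35 has been
# wrapped so the original routine is skipped when FC 1874 returns the
# marker, and FC 1874 itself is a new block.
INDEPENDENT_VIEW = {
    "OB 1": b"original cyclic program",
    "OB 35": b"call FC 1874; skip original if result == "
             + STUXNET_MARKER.to_bytes(4, "big")
             + b"; original 100 ms timer routine",
    "FC 1874": b"injected helper block",
    "DB 890": b"process data block",
}


def compare_inventory(baseline: dict, observed: dict) -> dict:
    """Diff an observed block listing against a baseline of block digests."""
    added = sorted(set(observed) - set(baseline))
    removed = sorted(set(baseline) - set(observed))
    modified = sorted(
        name for name in baseline
        if name in observed and block_digest(observed[name]) != baseline[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def contains_marker(body: bytes, marker: int = STUXNET_MARKER) -> bool:
    """True if the 32-bit marker appears in the body in either byte order."""
    return marker.to_bytes(4, "big") in body or marker.to_bytes(4, "little") in body


def assess(baseline: dict, engineering_view: dict, independent_view: dict) -> dict:
    """Compare both views against the baseline and flag discrepancies.

    A difference between the two views is itself a strong signal: the
    engineering station is reporting something other than what the PLC holds.
    """
    eng = compare_inventory(baseline, engineering_view)
    ind = compare_inventory(baseline, independent_view)
    return {
        "engineering_station": eng,
        "independent_read": ind,
        "hidden_from_engineer": eng != ind,
        "marker_blocks": sorted(
            name for name, body in independent_view.items() if contains_marker(body)
        ),
    }


if __name__ == "__main__":
    for key, value in assess(BASELINE, ENGINEERING_VIEW, INDEPENDENT_VIEW).items():
        print(f"{key}: {value}")
```

The point of keeping two views is that a single read through a possibly compromised engineering station can only ever confirm what the rootkit wants it to confirm; the baseline digests and the independent read are what make the added FC 1874 and the changed OB 35 visible.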
Siemens confirms that the target of the virus is a specific technological configuration. The company reported a total of 15 cases of infection at industrial sites, mainly in Germany. In none of these cases did Stuxnet infect the PLC, since the parameters did not match. Accordingly, equipment operation was not affected, and in all cases Stuxnet was neutralized.
Findings
These facts allow the following conclusions to be drawn:
- Stuxnet is carefully designed malware, developed by a group of specialists of various specialisations;
- no evidence of distribution via the Internet was found, only via USB flash drives and over the local network; these signs are characteristic of deployment into a closed system that has no direct connection to public networks;
- the function of disrupting the normal operation of the Siemens WinCC production process control system (a computer sabotage tool) implies that the Stuxnet developers had, for testing, a hardware and software system identical to the one targeted by the attack. In addition, they focused on a specific target (using data from recruited personnel inside the organization);
- development on this scale requires significant funding: payment of a group of programmers, organization of the theft of digital certificates, purchase or development of 4 zero-day vulnerabilities, and access to a deployed Siemens WinCC system.
All these indirect signs may indicate that law enforcement agencies or special services of some state were involved in developing Stuxnet. The main function of the malware, distribution and autonomous operation in a closed system followed by sabotage of the production process control system, is not characteristic of "traditional" cybercriminals, who usually pursue "monetization" (the ultimate goal is money) and, as a rule, use malware developed by lone programmers. It is for these reasons that Stuxnet is called a cyberweapon.
Versions
Experts believe that Stuxnet could have been developed for use against the Bushehr nuclear power plant (Iran). Israel and the USA are named as probable developers. This version is based on the following facts:
- Iran is one of the regions most affected by Stuxnet. Judging by the dynamics of infection data, in about May-June 2010 Iran led in the number of infections;
- the Bushehr Nuclear Power Plant (NPP) is one of the most important military targets in Iran;
- construction of the plant began in the 1970s, with Siemens participating. In 1979 Siemens ceased operations in the country (because of the revolution). Subsequently Siemens returned to Iran, which became one of its largest markets. In January 2010 Siemens once again announced the termination of cooperation with Iran; however, in the summer it was found to have supplied parts to Bushehr. Whether Siemens process control software is used at the plant is not officially known. On one screenshot posted on the Internet, allegedly taken inside the plant, the WinCC control system from Siemens can be seen;
- the Russian company Atomstroyexport, which also has projects in India, took part in the construction of the plant; together with the traditional neglect of information security issues by Russian companies, this could explain the spread of Stuxnet in India;
- Israel is one of the countries most interested in disrupting the operation of the Bushehr NPP. Iran is suspected of intending to use the plant, under the guise of producing nuclear fuel, to produce material for its own nuclear weapons, which most likely could be used against Israel;
- Israel is among the countries with highly qualified specialists in the field of information technology, able to use them both for attacks and for espionage.
Another version of the target of the attack is uranium enrichment production in the city of Natanz (Iran). The following facts indirectly confirm this version:
- according to experts, the uranium enrichment facility at Natanz, a heavily fortified site buried deep underground, poses a much greater risk in terms of producing nuclear weapons than the Bushehr NPP;
- in July 2009, one of the sources associated with Iran's nuclear program confidentially reported a serious nuclear accident that had occurred at Natanz shortly before. Later, according to Iranian media and the British BBC, Gholam Reza Aghazadeh, head of the Atomic Energy Organization of Iran (AEOI), resigned. At the same time, according to official data provided by the AEOI to oversight bodies, the number of operating centrifuges at Natanz dropped significantly (by several thousand), which could be a consequence of Stuxnet's effects.
Afterword
In June 2012, a book entitled "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power" was published in the United States, according to which Stuxnet was developed in the United States together with Israeli specialists, precisely to neutralize Iran's nuclear program. The author, New York Times journalist David Sanger, claims that Stuxnet was developed during the presidency of George W. Bush. The project was called "Olympic Games". Initially it was a program for distributing spyware, which made it possible to learn about the equipment of Iran's uranium enrichment center at Natanz. After that, functionality was developed that acted on the software controlling the uranium enrichment centrifuges.
Last year, David Sanger and two of his colleagues published an article in the New York Times stating that Stuxnet was indeed the work of American and Israeli intelligence services and that it was tested at the secret Israeli center Dimona in the Negev desert. Officially, Israel refuses to acknowledge the existence of its own nuclear program, but the authors of the article cite knowledgeable experts in the intelligence and military fields who confirm that there are centrifuges at Dimona almost identical to those at Natanz. Stuxnet's ability to disable them was tested on these centrifuges, among others.
According to The Wall Street Journal, the FBI is investigating the information leak through which the involvement of the country's government in cyber attacks on Iranian nuclear facilities became known.
Many experts are skeptical of this information, considering it another planted story on the eve of the US presidential elections.
Detailed sources of information about Stuxnet:
- Symantec research report "W32.Stuxnet Dossier", version 1.4, February 2011 (pdf);
- ESET analytical report "Stuxnet Under the Microscope", revision 1.31 (pdf);
- Material from the Nautsilus Scientific Center "Stuxnet Code Analysis" (pdf), an abridged Russian translation of the Symantec report.