The 1-hour Guide to Stuxnet
Carey Nachenberg, Vice President, Symantec Fellow
Symantec Corporation

This is Natanz, Iran

And these are Natanz’s Centrifuges
And this is how they’re controlled

Windows PC (STEP7) -> Programmable Logic Controller -> Communications Processors (Routers) -> Frequency Converters -> Centrifuges

Industrial control systems are typically controlled by a standard PC running industrial control software like STEP7 from Siemens.
The PLC is a specialized piece of hardware that orchestrates control of multiple connected mechanical devices.
Communications Processors route commands from the PLC to groups of mechanical devices.
Frequency Converters are responsible for converting AC frequencies to either higher or lower frequencies to operate motors.
Centrifuges enrich Uranium so it can be used to power nuclear plants or weapons.

And this is how they’re isolated

(Diagram: the same control chain, Windows PC (STEP7) -> Programmable Logic Controller -> Communications Processors (Routers) -> Frequency Converters -> Centrifuges, sitting on an isolated Research Network.)
And this is (probably) an Israeli Mossad programmer, who wants to introduce Stuxnet onto this computer right here.

So how exactly does this (Stuxnet) get onto an “air-gapped” network to disrupt these (the centrifuges)?

It’s got to spread on its own…
Until it discovers the proper computers…
Where it can disrupt the centrifuges…
All while evading detection.
It’s got to spread on its own…

Stuxnet uses seven distinct mechanisms to spread to new computers:
- It copies itself to open file-shares.
- It attacks a hole in Windows’ print spooler.
- It attacks a hole in Windows RPC.
- It password-cracks SIEMENS DB software.
- It infects SIEMENS PLC data files.
- Peers update other peers directly.
- USB drives!

Usually we’re surprised when we see a threat targeting one flaw... Six of these attacks targeted flaws (back doors) that were unknown to the security industry and software vendors!

But if the centrifuges are air-gapped from the ’net, how can Stuxnet jump to the enrichment network? Stuxnet uses thumb drives to bridge the gap!
Spreading – A Sidebar

Windows has a built-in task scheduler system. Each user can add new tasks to be run at a certain time and with a certain permission level. (Regular users can’t add “root” level jobs.) The tasks themselves are stored as globally readable/writable XML files. To prevent tampering, Windows computes a CRC32 hash for each task record and stores this in a protected area of the computer.

Windows Tasks:
  Task #1: Job: Delete temp files   Run as: Root user        Run at: 10pm   (Task1 hash: 9B7CC653)
  Task #2: Job: Clean registry      Run as: Jim (non-root)   Run at: 6pm    (Task2 hash: 11090343)
  Task #3: Job: Print receipts      Run as: Ted (non-root)   Run at: 2am    (Task3 hash: 40910276)

When it arrives on a machine, Stuxnet starts running with non-administrator privileges. But to do its mischief, Stuxnet needs to run with “root” privileges. So first, Stuxnet creates a new task, using the permissions of the current user. And of course, once Windows verifies that the job is legitimate (the user hasn’t tried to create a root-level job), it calculates the job’s hash and adds it to the security store.

  Task #4: Job: Run stuxnet.dll     Run as: Ted (non-root)   Run at: 2pm    (Task4 hash: DE9DBA76)

Next Stuxnet modifies the XML job file it just added, changing its permission to “root”! (Remember, the XML files are writable.)

  Task #4: Job: Run stuxnet.dll     Run as: Root user        Run at: 2pm    (new hash: 66C35150; protected hash still DE9DBA76)

But wait! The updated job file hash no longer matches the protected hash stored by Windows! If Windows were to process the updated job file, it would detect this and reject it!

Ah, but Stuxnet is more clever than that. Stuxnet knows how to forge a CRC: it computes a set of values which, if appended to the file, will result in its CRC matching the original! And then it appends these bytes to the file! ZERO-DAY!

  Task #4: Job: Run stuxnet.dll     Run as: Root user        Run at: 2pm    + appended bytes (shown as “XQ”)   (new hash: DE9DBA76)

And Windows will happily run the updated job, giving Stuxnet root-level privileges!
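The sidebar’s lesson is that CRC32 is a checksum, not an authenticator: it is linear, so a writable record can always be padded back to its old CRC. The following is an added example (not code from the talk, and not Symantec’s or Microsoft’s implementation) that reproduces the trick on a constructed stand-in for a task record and then shows the control that does catch the tamper, a keyed MAC (HMAC-SHA256) stored alongside the record. The record contents, the key and the 4-byte-suffix approach are all constructed for the demo; the real scheduler file format is not reproduced.

```python
"""CRC32 is a checksum, not an authenticator (added example, not the talk's code)."""
import hashlib
import hmac
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib/PKZIP
MASK = 0xFFFFFFFF

# Byte-at-a-time lookup table, built the same way zlib builds its own.
TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ POLY if _c & 1 else _c >> 1
    TABLE.append(_c)

# Each table entry has a distinct top byte; that property lets us walk the
# CRC state machine backwards one byte at a time.
TOP_BYTE_TO_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(TOP_BYTE_TO_INDEX) == 256


def crc32_of(data: bytes) -> int:
    """Plain CRC32 as a 32-bit unsigned value (wrapper around zlib)."""
    return zlib.crc32(data) & MASK


def crc32_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that crc32_of(data + s) == target_crc."""
    # zlib reports register XOR 0xFFFFFFFF, so undo that to get raw states.
    state = zlib.crc32(data) ^ MASK
    want = target_crc ^ MASK

    # Backwards: recover the four table indices the forward update must use
    # (last byte first). Only the top byte of `pos` is trusted at each step,
    # and that byte is always correct because lower garbage never shifts up
    # far enough within four steps.
    indices = []
    pos = want
    for _ in range(4):
        idx = TOP_BYTE_TO_INDEX[pos >> 24]
        indices.append(idx)
        pos = ((pos ^ TABLE[idx]) << 8) & MASK
    indices.reverse()

    # Forwards: the byte that selects index idx from register `state` is
    # idx XOR (low byte of state); then advance exactly as zlib does.
    out = bytearray()
    for idx in indices:
        out.append((state ^ idx) & 0xFF)
        state = TABLE[idx] ^ (state >> 8)
    return bytes(out)


# Constructed stand-in for a scheduled-task record (not the real XML layout).
ORIGINAL_TASK = b"<task><job>run.dll</job><runas>Ted</runas><at>14:00</at></task>"
TAMPERED_TASK = ORIGINAL_TASK.replace(b"<runas>Ted</runas>", b"<runas>Root</runas>")


def forge_record(original: bytes, tampered: bytes) -> bytes:
    """Pad `tampered` so its CRC32 equals the CRC32 stored for `original`."""
    return tampered + crc32_suffix(tampered, crc32_of(original))


# The control the sidebar's scheduler lacks: a keyed MAC over the record.
# The key is constructed for the demo; in practice it lives with the
# protected hash store, not next to the writable file.
DEMO_KEY = b"demo-key-not-a-real-secret"


def mac(record: bytes, key: bytes = DEMO_KEY) -> bytes:
    return hmac.new(key, record, hashlib.sha256).digest()


def mac_verifies(record: bytes, stored_mac: bytes, key: bytes = DEMO_KEY) -> bool:
    return hmac.compare_digest(mac(record, key), stored_mac)


if __name__ == "__main__":
    forged = forge_record(ORIGINAL_TASK, TAMPERED_TASK)
    print(f"CRC32 original : {crc32_of(ORIGINAL_TASK):08X}")
    print(f"CRC32 tampered : {crc32_of(TAMPERED_TASK):08X}")
    print(f"CRC32 forged   : {crc32_of(forged):08X}  (matches original)")
    print("HMAC accepts forged record:", mac_verifies(forged, mac(ORIGINAL_TASK)))
```

The forged record passes the CRC check with exactly four extra bytes, whatever the target value, while the HMAC comparison rejects it because a MAC over an unknown key cannot be padded back into agreement. Whether the record parser tolerates trailing bytes is a separate question; the point of the example is that an unkeyed checksum cannot be relied on to answer it.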
Until it discovers the proper computers…

Stuxnet is extremely picky and only activates its payload when it’s found an exact match:
- The targeted computer must be running STEP7 software from Siemens.
- The targeted computer must be directly connected to an S7-315 Programmable Logic Controller from Siemens.
- The PLC must further be connected to at least six CP-342-5 Network Modules from Siemens.
- Each Network Module must be connected to ~31 Fararo Paya or Vacon NX frequency converters.
- Now if you do the math… Stuxnet verifies that the discovered Programmable Logic Controller is controlling at least 155 total frequency converters…

And recently we learned that Iran’s Uranium enrichment “cascade” just happens to use exactly 160 centrifuges. What a coincidence! The creators of Stuxnet must have guessed all of these details.
Now Stuxnet gets down to business…

What you (probably) didn’t realize is that the PLC uses a totally different microchip & computer language than Windows PCs. Stuxnet is the first known threat to target an industrial control microchip!

Stuxnet starts by downloading malicious logic onto the PLC hardware.

Next, Stuxnet measures the operating speed of the frequency converters during their normal operation for 13 days! And makes sure the motors are running between 807Hz and 1210Hz. (This is coincidentally the frequency range required to run centrifuges.) (After all, whoever wrote Stuxnet wouldn’t want it to take out a roller coaster or something.)

Once it’s sure, the malicious PLC logic begins its mischief!
- Stuxnet raises the spin rate to 1410Hz for 15 mins.
- Then sleeps for 27 days.
- Then slows the spin rate to 2Hz for 50 mins.
- Then sleeps for 27 days.
Stuxnet repeats this process over and over. (Chart: spin rate over time, 0Hz to 1500Hz.)

Why push the motors up to 1410Hz? Well, ~1380Hz is a resonance frequency. It is believed that operation at this frequency for even a few seconds will result in disintegration of the enrichment tubes!
Why reduce the motors to 2Hz? At such a low rotation rate, the vertical enrichment tubes will begin wobbling like a top (also causing damage).

What about Iranian failsafe systems? (Surely by now you’re thinking that alarm bells should have been blaring at the enrichment plant, right?) Well, in fact, these facilities typically do have fail-safe controls. They trigger a shutdown if the frequency goes out of the acceptable range. But worry not… Stuxnet takes care of this too.

Maybe Stuxnet pulled a mission impossible?!? And in fact, that’s exactly what Stuxnet did! Stuxnet records telemetry readings while the centrifuges are operating normally. And when it launches its attack, it sends this recorded data to fool the fail-safe systems! And Stuxnet disables the emergency kill switch on the PLC as well… Just in case someone tries to be a hero.
All while evading detection…

Stuxnet uses five distinct mechanisms to conceal itself.

#5 Stuxnet hides its own files on infected thumb drives using 2 “rootkits.”

#4 Stuxnet inhibits different behaviors in the presence of different security products to avoid detection. (Diagram: which of attacks A–D get launched varies with the security product present.)

#3 Stuxnet completely deletes itself from USB keys after it has spread to exactly three new machines.

#2 Stuxnet’s authors “digitally signed” it with stolen digital certificates to make it look like it was created by well-known companies. The two certificates were stolen from Realtek and JMicron… as it turns out, both companies are located less than 1km apart in the same Taiwanese business park.

#1 Stuxnet conceals its malicious “code” changes to the PLC from operational personnel (it hides its injected logic)!

  Instructions to the centrifuges as shown to operators:   During normal operation: Spin at 1064Hz   In case of emergency: Spin down to 0Hz
  Instructions actually running on the SIEMENS PLC:        During normal operation: Spin at 1410Hz   In case of emergency: IGNORE OPERATOR COMMANDS
Stuxnet Epidemiology

Did It Succeed? Well, based on some clever Symantec engineering, we’ve got some interesting data.

Fact: Stuxnet contacts two command-and-control servers every time it runs to report its status and check for commands: www.mypremierfutbol.com and www.todaysfutbol.com. Working with registrars, Symantec took control of these domains, forwarding all traffic to our Symantec data centers.

Fact: As Stuxnet spreads between computers, it keeps an internal log of every computer it’s visited.

Stuxnet Bookkeeping: Stuxnet embeds its “visited list” inside its own body as it spreads, enabling detailed forensics! (Diagram: visited lists growing as the sample hops between hosts such as 27.42.97.152, 151.21.32.21, 151.21.32.19, 93.154.11.42 and 93.154.12.78.)
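To make concrete what “detailed forensics” from embedded visited lists looks like, here is an added example that is not code from the talk or from Symantec. The slide only says each sample carries a log of the hosts it passed through, so the record layout used here (one ordered list of host identifiers per collected sample, oldest host first) is an assumption, and the three chains are constructed from the addresses shown on the slide. Merging the lists gives a spread graph from which the likely origin, the most-travelled hops and the hosts that seeded the most onward infections can be read off.

```python
"""Reconstruct spread from per-sample visited lists (added example)."""
from collections import defaultdict

# Constructed input: the visited list carried by each collected sample.
SAMPLES = {
    "sample-A": ["27.42.97.152", "151.21.32.21", "151.21.32.19"],
    "sample-B": ["27.42.97.152", "151.21.32.21", "93.154.11.42"],
    "sample-C": ["27.42.97.152", "93.154.12.78", "151.21.32.19"],
}


def build_spread_graph(samples):
    """Merge all visited lists into one directed graph.

    Returns (hosts, edges), where edges[parent][child] counts how many
    samples recorded that hop. Consecutive entries in a list are read as an
    infection hop from the earlier host to the later one.
    """
    hosts = set()
    edges = defaultdict(lambda: defaultdict(int))
    for path in samples.values():
        hosts.update(path)
        for parent, child in zip(path, path[1:]):
            edges[parent][child] += 1
    return hosts, edges


def origin_hosts(samples):
    """Hosts that never appear as a child: candidates for the first infection."""
    hosts, edges = build_spread_graph(samples)
    children = {c for kids in edges.values() for c in kids}
    return sorted(hosts - children)


def hop_counts(samples):
    """(parent, child) -> number of samples whose list contains that hop."""
    _, edges = build_spread_graph(samples)
    return {(p, c): n for p, kids in edges.items() for c, n in kids.items()}


def top_spreaders(samples, n=3):
    """Hosts ranked by how many onward infections they are recorded as seeding.

    A host that shows up as a parent in many lists is the kind of 'ferrying'
    node the epidemiology slides describe.
    """
    _, edges = build_spread_graph(samples)
    totals = {p: sum(kids.values()) for p, kids in edges.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def first_seen_depth(samples):
    """host -> smallest number of hops from an origin at which it appears."""
    depth = {}
    for path in samples.values():
        for i, host in enumerate(path):
            depth[host] = min(depth.get(host, i), i)
    return depth


if __name__ == "__main__":
    print("origins:", origin_hosts(SAMPLES))
    for (parent, child), n in sorted(hop_counts(SAMPLES).items()):
        print(f"{parent} -> {child}: seen in {n} sample(s)")
    print("top spreaders:", top_spreaders(SAMPLES))
    print("depth:", first_seen_depth(SAMPLES))
```

Real samples would carry more than an address per hop (the talk does not say what fields the log holds), but the merge-and-count approach is the same whatever the identifier is, and the hop counts are what let an analyst weight one infection path over another.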
Here’s What We Found (These graphs show how the discovered samples spread; data at time of discovery, July 2010.)
Did It Succeed? Indications are that it did!

Symantec telemetry indicates that rather than directly trying to infiltrate Natanz… the attackers infected five industrial companies with potential subcontracting relationships with the plant. These companies (likely) then unknowingly ferried the infection into Natanz’s research and enrichment networks.

The Institute for Science and International Security writes: “It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about 9,000 deployed at the site.”
Whodunit?

According to Wikipedia, on May 9th, 1979 “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day.”

19790509

June 22, 2009 4:31:47pm GMT = June 22, 2009 6:31:47pm local time (GMT + 2)
To Conclude

Stuxnet has signaled a fundamental shift in the malware space. Stuxnet proves cyber-warfare against physical infrastructure is feasible. Unfortunately, the same techniques can be used to attack other physical and virtual systems.