Wednesday, February 16, 2011

Ghostnet, Stuxnet, What next?

I recently attended the 18th NDSS conference in San Diego from Feb 6-9, 2011, which was keynoted by Liam O'Murchu, a Stuxnet expert from Symantec. Though the technical details about Stuxnet have been available for a long time, I found the talk exciting for the larger lessons that were shared from the whole episode. Below is a mix of notes from the talk and my ramblings. Warning: experts on this topic may find it boring!

By Symantec's own admission, Stuxnet is probably the most complex targeted threat seen to date. It contains seven methods to propagate:

  1. Using USB drives, which contained a rootkit exploiting a vulnerability in Windows Explorer's handling of .LNK files.
  2. By exploiting a print spooler vulnerability.
  3. By exploiting MS08-067, which allowed remote code execution on a vulnerable MS Windows 2000, XP or 2003 server by sending a specially crafted RPC request.
  4. Spreading via network shares.
  5. Using P2P sharing for updating itself and for communication between different infected machines on a network.
  6. By exploiting hard-coded passwords in WinCC (a Siemens software for SCADA process visualization).
  7. Spreading via Step 7 projects (Step 7 being the IDE used for programming PLCs).

In essence, Stuxnet used 4 zero-day exploits, 1 known exploit, 3 rootkits, and 2 compromised certificates (from JMicron and Realtek semiconductors) to sign the rootkits. 


Stuxnet is not a 'yet-another-worm' that randomly goes about accumulating vulnerable machines for spam/DDoS gains or brownie points for its perpetrators. Its highly-targeted nature - targeting specific uranium enrichment facilities in Iran - suggests a focused military-style operation involving (a) extensive and careful intelligence gathering and planning, (b) a structured software design and development cycle and (c) an extensive test cycle involving various hardware and software. In addition, Stuxnet's highly configurable architecture (~430 different settings) gives its controllers incredible control and precision over its lethality and spread. Apart from its technical sophistication, Stuxnet convincingly demonstrates the oft-quoted "threat from targeted attacks" and acts as the quintessential bellwether of times ahead. While its predecessors, like the Chinese cyber-espionage network Ghostnet, brought to light the new face of remote-controlled espionage in the 21st century, Stuxnet ups the ante many notches by demonstrating the lethal potential of targeted cyber-power.

Stuxnet is the first known malware to target control systems hardware (PLCs). PLCs (Programmable Logic Controllers) are critical elements in industrial automation and are traditionally programmed from a Windows control PC which is air-gapped - disconnected from any network - for security. In my opinion, Stuxnet's big achievement was in bridging the air-gap.

Key to Stuxnet's success lay in the detailed understanding of its target gathered during the intelligence gathering phase. Stuxnet had a clear understanding of (a) the PLCs being used (Siemens S7-300, S7-400), (b) the detailed configuration within the PLCs controlling the uranium enrichment, and (c) the software development environment (Step 7 from Siemens) and the methodology used for developing and deploying code.

It is believed that Stuxnet was delivered initially via USB to a small number of industrial process control companies connected to the uranium enrichment plant. Contractors from such companies write the actual PLC programs (as Step 7 projects) on workstations connected to the corporate LAN. Stuxnet thus spread using zero-day network exploits to as many LAN workstations as possible. Workstations containing Step 7 were then infected by hiding a DLL (containing the PLC rootkit) in a Step 7 project such that the DLL got loaded as soon as the project was opened. Stuxnet then relied on the Step 7 project zip file being transferred across the air-gap to a Windows control PC via removable media like USB. Once on the control PC, Stuxnet modified the PLC as necessary, making sure to hide its modifications.
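The weak link in that chain is the project archive itself: whatever crosses the air-gap on removable media is trusted by the control PC simply because it arrived. One defensive check that a practitioner would want at the receiving side is a pre-transfer manifest. The script below is an added example, not code from the talk or from Siemens; it treats the project as a plain zip archive (the real Step 7 project layout is not modelled, and all member names and contents are constructed), builds a SHA-256 manifest on the connected side, and on the isolated side verifies the archive against that manifest and flags any executable content that a PLC project has no business carrying.

```python
"""Pre-transfer integrity check for a project archive carried across an air-gap.

Added example: the archive layout, file names and blocked-suffix list are
assumptions for illustration, not the Step 7 format or a Siemens policy.
"""
import hashlib
import io
import json
import zipfile

# File types that should never ride inside a project archive destined for a
# control PC. This set is an assumption for the example.
BLOCKED_SUFFIXES = (".dll", ".exe", ".lnk", ".scr", ".sys")


def build_manifest(archive_bytes: bytes) -> dict:
    """Return {member name: sha256 hex} for every file member of the zip."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            manifest[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest


def check_archive(archive_bytes: bytes, expected_manifest: dict) -> list:
    """Compare the received archive against the manifest made before transfer.

    Returns a list of findings; an empty list means the archive is exactly
    what was signed off on the connected side and carries no executables.
    """
    findings = []
    actual = build_manifest(archive_bytes)
    for name in sorted(set(actual) | set(expected_manifest)):
        if name not in expected_manifest:
            findings.append(f"unexpected member added in transit: {name}")
        elif name not in actual:
            findings.append(f"member missing after transfer: {name}")
        elif actual[name] != expected_manifest[name]:
            findings.append(f"member modified in transit: {name}")
    for name in actual:
        if name.lower().endswith(BLOCKED_SUFFIXES):
            findings.append(f"executable content in project archive: {name}")
    return findings


def _make_zip(members: dict) -> bytes:
    """Helper: build an in-memory zip from {name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a clean project as handed over by the contractor.
CLEAN_PROJECT = _make_zip({
    "MyPlant/project.dat": b"constructed project header",
    "MyPlant/blocks/OB1.src": b"constructed block source",
})
# The manifest is produced on the connected side and must travel separately
# from the archive (ideally signed), since the removable media is untrusted.
SIGNED_MANIFEST = build_manifest(CLEAN_PROJECT)

# Constructed sample: the same project with an extra DLL slipped in.
TAMPERED_PROJECT = _make_zip({
    "MyPlant/project.dat": b"constructed project header",
    "MyPlant/blocks/OB1.src": b"constructed block source",
    "MyPlant/blocks/helper.dll": b"constructed stand-in, not a real DLL",
})

if __name__ == "__main__":
    print(json.dumps(SIGNED_MANIFEST, indent=2))
    print("clean   :", check_archive(CLEAN_PROJECT, SIGNED_MANIFEST))
    print("tampered:", check_archive(TAMPERED_PROJECT, SIGNED_MANIFEST))
```

The design point is that the manifest must not ride on the same USB stick as the archive: if it did, whoever (or whatever) altered the archive could regenerate it. It should be produced on the connected workstation, communicated out of band (printed, read over the phone, or carried signed with a key the control PC already holds), and compared on the isolated side before the project is opened.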

There were 100k infections reported worldwide, with more than 60% coming from Iran. It is believed that infections outside Iran were not intentional and probably spread due to infected Step 7 projects shared between contractors in various countries. Additionally, the zero-day .LNK vulnerability proved widely successful. It is believed that Stuxnet managed to finally infect the Natanz and Bushehr plants in Iran and there was a reported shutdown of Natanz. An IAEA report states 1000 centrifuges in Natanz were offline in Nov 2009, which is close to the type of PLC configuration that Stuxnet was targeting.

Stuxnet raises the bar for security professionals and system architects by derailing the commonly held belief that air-gapping critical systems provides extraordinary security. My personal opinion is that Stuxnet, in some way, only reinforces what Albert Einstein famously quipped, "Every day, man is making bigger and better fool-proof things, and every day, nature is making bigger and better fools. So far, I think nature is winning". The lesson for security professionals is thus simple: Air-gaps don't exist! There will be a human (read fool) bridging the gap.

With the world racing towards making things 'smart', from smart washing-machines to smart power grids, one really wonders whether all this 'smartness' will end up making us look dumber than ever. The landscape seems to be shifting faster than we can grasp it.


The last decade has already witnessed the rise of politically motivated cyber attacks like Titan Rain (2003 - 2005), the DDoS attacks on Estonia (May 2007), the DDoS attacks on Georgia (August 2008), the Chinese cyber-espionage network Ghostnet (May 2009), Operation Aurora (Dec 2009-Jan 2010), Stuxnet (July 2010) and Operation Payback (Dec 2010). The question is: What next?