PropertyValue
rdf:type
rdfs:label
  • Stuxnet
rdfs:comment
  • The attackers appear to have designed this worm with great care so that it would not affect computers and networks that do not match a specific configuration. According to security experts it also carries self-protection measures, such as a built-in kill date of June 24, 2012, after which it stops spreading. The way targets are infected is unprecedented: the worm exploited four zero-day vulnerabilities. In addition, at roughly half a megabyte in size, it can also infect systems through removable media such as USB drives.
  • More specifically, the worm targeted Programmable Logic Controllers (PLCs). A PLC is essentially a computer on a circuit board, with the necessary hardware and software spread across its microchips; it gathers sensor data and automates industrial tasks such as regulating a flow rate to hold pressure and temperature within limits. The worm reached the PLCs by way of the project files used by SCADA (supervisory control and data acquisition) software, whose job is to oversee these PLCs, which may be distributed across a plant or across several sites, using the sensor data they report.
  • In September 2010, media reports emerged about a new form of cyber attack, the Stuxnet worm, which appeared to target Iran, although the actual target, if any, was not confirmed at the time. Through the use of thumb drives in computers that were not connected to the Internet, the malicious program infected computer systems used to control equipment at a nuclear fuel enrichment facility. Once inside, Stuxnet had the ability to alter the control software and to degrade or destroy the equipment that software operated.
owl:sameAs
dcterms:subject
dbkwik:malware/property/wikiPageUsesTemplate
dbkwik:personofinterest/property/wikiPageUsesTemplate
Date
  • June 2010
Origin
  • Unknown
Platform
  • Microsoft Windows
Status
  • Active
Name
  • Stuxnet
Type
  • Worm
ImageSize
  • 280
dbkwik:itlaw/property/wikiPageUsesTemplate
PL
  • C
Connection
filetype
  • .exe, .sys, .dll
Purpose
  • Weaponized malware
Creator
  • Unknown
Size
  • Varies
abstract
  • In September 2010, media reports emerged about a new form of cyber attack, the Stuxnet worm, which appeared to target Iran, although the actual target, if any, was not confirmed at the time. Through the use of thumb drives in computers that were not connected to the Internet, the malicious program infected computer systems used to control equipment at a nuclear fuel enrichment facility. Once inside, Stuxnet had the ability to alter the control software and to degrade or destroy the equipment that software operated. Although early reports focused on the impact on facilities in Iran, researchers discovered that the program had spread to many countries worldwide.
  • The attackers appear to have designed this worm with great care so that it would not affect computers and networks that do not match a specific configuration. According to security experts it also carries self-protection measures, such as a built-in kill date of June 24, 2012, after which it stops spreading. The way targets are infected is unprecedented: the worm exploited four zero-day vulnerabilities. In addition, at roughly half a megabyte in size, it can also infect systems through removable media such as USB drives. In late 2011, security researchers identified a new threat, Duqu, that appears to have been built from the same code base as Stuxnet. Despite the near-identical code base, Duqu seems to have been released for a completely different purpose than its predecessor: information theft rather than sabotage.
  • More specifically, the worm targeted Programmable Logic Controllers (PLCs). A PLC is essentially a computer on a circuit board, with the necessary hardware and software spread across its microchips; it gathers sensor data and automates industrial tasks such as regulating a flow rate to hold pressure and temperature within limits. The worm reached the PLCs by way of the project files used by SCADA (supervisory control and data acquisition) software, whose job is to oversee these PLCs, which may be distributed across a plant or across several sites, using the sensor data they report. Whoever can change the project files used by the SCADA software can reprogram the PLCs at will. In the Iranian case, the malicious code looked for a specific PLC model; the model check is required because machine-level instructions differ between PLC devices. Once the target device had been identified and infected, Stuxnet could intercept all data flowing into or out of the PLC and tamper with it: a man-in-the-middle attack in which the industrial process sensor signals are faked so that the infected system does not shut down on detecting abnormal behaviour. Stuxnet got onto the SCADA hosts by exploiting zero-day vulnerabilities (flaws unknown to the vendor and therefore unpatched) to install a rootkit on the underlying Windows operating system; a rootkit conceals the malicious code and its access to files, folders and registry keys from the tools that enumerate a computer's hardware, software and authorised users. From there the worm logged in to the SCADA database and stole design and control files.
The worm only became active when it encountered a configuration meeting all of the following criteria:
1) a SCADA system manufactured by the Siemens Industry Automation Division;
2) a variable-frequency drive (equipment that controls the speed of machinery by varying the frequency and voltage supplied to the motor) attached to the PLC as a slave device;
3) a variable-frequency drive made by one of two specific vendors, Vacon of Finland or Fararo Paya of Iran;
4) drives configured to spin the attached motors at between 807 Hz and 1210 Hz, a range typically associated with certain types of pumps and with gas centrifuges, especially those used in nuclear fuel enrichment plants.
When all of these conditions were met, the worm installed a rootkit to cover its tracks by masking the changes in rotational speed from the monitoring systems. It then periodically changed the rotor speed setpoint according to a predetermined formula. This erratic variation induced excessive vibration or distortion that destroyed the centrifuges. (A gas centrifuge separates the isotopes of an element, here uranium, so that the desired U-235 can be harvested; isotopes are atoms of the same element with different numbers of neutrons. If the aluminium tubes holding the uranium gas are spun outside their design range, the stresses cause unwanted expansion of the tubes, which often leads to misalignment of precisely fitted components.) The reason for the attack was that uranium-235 is a dual-use material, with both civil and military applications: the concern was that Iran could use U-235 to build a weapon rather than to provide cheap energy. Whoever designed the worm knew that Iran had acquired Siemens equipment in secret, in direct contravention of European export controls. It is theorised that the worm was spread by USB drives deliberately left in public Internet cafes near the enrichment facilities, where it would eventually reach its target.
The only reason it became public knowledge was a comedy of errors: accidental spreading beyond its intended target, a failed update of the worm, and the worm piggybacking onto an engineer's personal notebook that had been connected to an infected control system and was then taken home and connected to the public Internet. It was also reported that around mid-July 2010, before there was any widespread awareness of the matter, one of the two leading mailing lists covering industrial security was taken down by a distributed denial-of-service attack on the server hosting it. This event, together with the assassination of three Iranian nuclear scientists several months later, suggests an orchestrated effort to remove any chance that a viable weapons programme could exist in Iran.
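The activation predicate and the sensor-replay man-in-the-middle described above, as an added worked example in Python. This is constructed for this page; it is not Stuxnet's own code and uses no Siemens API or real plant data. The drive inventory records, the tick-based attack schedule and the "independent measurement" are assumptions made for the illustration; the vendor and 807-1210 Hz conditions are the ones listed above. The last function is the check a plant defender would want: the speed reported through the PLC is compared against an out-of-band measurement, which a replay of recorded normal readings cannot fake.

```python
"""Toy model of the Stuxnet PLC payload as summarised on this page:
a target predicate over the plant configuration, a record-and-replay
man-in-the-middle on the readings shown to the monitoring system, and
an out-of-band consistency check that exposes the replay.
Constructed illustration only: no real malware code or vendor APIs."""
from dataclasses import dataclass, field
from itertools import cycle
from typing import Iterator, List, Optional, Tuple

# Trigger conditions listed on the page.
TARGET_SCADA_VENDOR = "Siemens"
TARGET_DRIVE_VENDORS = {"Vacon", "Fararo Paya"}
FREQ_MIN_HZ, FREQ_MAX_HZ = 807.0, 1210.0


@dataclass
class Drive:
    """One variable-frequency drive slaved to a PLC (constructed record)."""
    scada_vendor: str
    drive_vendor: str
    nominal_hz: float


def is_target(d: Drive) -> bool:
    """Activation predicate: Siemens SCADA, drive from one of the two named
    vendors, and an operating frequency inside the 807-1210 Hz band."""
    return (d.scada_vendor == TARGET_SCADA_VENDOR
            and d.drive_vendor in TARGET_DRIVE_VENDORS
            and FREQ_MIN_HZ <= d.nominal_hz <= FREQ_MAX_HZ)


@dataclass
class ReplayMitm:
    """Sits between the PLC and the monitoring system. While 'recording' it
    passes real readings through and stores them; once 'attacking' it hands
    the monitor the recorded normal readings instead of the real ones."""
    recorded: List[float] = field(default_factory=list)
    attacking: bool = False
    _replay: Optional[Iterator[float]] = None

    def observe(self, real_hz: float) -> float:
        if not self.attacking:
            self.recorded.append(real_hz)
            return real_hz
        if self._replay is None:
            self._replay = cycle(self.recorded)
        return next(self._replay)


# Constructed sabotage schedule: (ticks, multiplier of the nominal speed).
# Stands in for the page's "predetermined formula"; values are illustrative.
ATTACK_SCHEDULE = [(3, 1.3), (2, 1.0), (2, 0.2), (4, 1.0)]


def run_simulation(drive: Drive, ticks_before: int = 4
                   ) -> Tuple[bool, List[float], List[float]]:
    """Run one drive through a recording phase and the attack schedule.
    The rotor is assumed to track the setpoint exactly, so 'physical' is
    what an independent sensor would measure. Returns
    (activated, physical_hz_per_tick, reported_hz_per_tick)."""
    if not is_target(drive):
        return False, [], []          # wrong plant: payload stays dormant
    mitm = ReplayMitm()
    physical: List[float] = []
    reported: List[float] = []
    setpoint = drive.nominal_hz
    for _ in range(ticks_before):     # normal operation: monitor sees truth
        physical.append(setpoint)
        reported.append(mitm.observe(setpoint))
    mitm.attacking = True
    for ticks, mult in ATTACK_SCHEDULE:   # sabotage: monitor sees recording
        setpoint = drive.nominal_hz * mult
        for _ in range(ticks):
            physical.append(setpoint)
            reported.append(mitm.observe(setpoint))
    return True, physical, reported


def detect_replay(physical: List[float], reported: List[float],
                  tolerance_hz: float = 5.0) -> List[int]:
    """Defender's check: an independent measurement (vibration, motor
    current, a second sensor path) must agree with the PLC-reported speed.
    Returns the tick indices where the two disagree."""
    return [i for i, (p, r) in enumerate(zip(physical, reported))
            if abs(p - r) > tolerance_hz]


if __name__ == "__main__":
    inventory = [Drive("Siemens", "Vacon", 1000.0),        # matches
                 Drive("Siemens", "Acme Drives", 1000.0),  # wrong vendor
                 Drive("Siemens", "Vacon", 50.0)]          # wrong band
    for d in inventory:
        activated, phys, rep = run_simulation(d)
        print(d, "activated" if activated else "dormant")
        if activated:
            print("  reported:", rep)
            print("  physical:", phys)
            print("  replay detected at ticks:", detect_replay(phys, rep))
```

The detection idea is the general one behind the page's description: a replay attack can only repeat what it recorded, so any measurement that does not pass through the compromised PLC path (and that is not itself recorded by the attacker) will diverge from the reported value as soon as the setpoint changes.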