Stuxnet – Modus Operandi
Liam O Murchu, Operations Manager, Symantec Security Response
March 2011
Agenda
Stuxnet – Getting to the target 2
1. Time Line
2. Versions – what changed
3. Targets – Initial and Final
4. Success
5. Techniques – moving from initial to final target
Stuxnet Features
• Discovery disclosed in July, 2010
• Attacks industrial control systems, most likely an Iranian uranium enrichment facility
• Modifies and hides code on Siemens PLCs connected to frequency converters
• Contains 7 methods to propagate, 4 zero day exploits, 1 known exploit, 3 rootkits, 2 unauthorized certificates, 2 Siemens security issues.
• 3 versions, June 2009, March 2010, April 2010
Stuxnet - Sabotaging Industrial Control Systems 3
Stuxnet’s Targets
Iranian Uranium Enrichment facilities
[Chart: Geographic Distribution of Infections – y-axis: Unique IPs Contacting C&C Server (%); country labels were not recoverable from the extraction]
Stuxnet’s Targets – Intended Final Target
Frequency Converters: Fararo Paya (Iranian built) or Vacon
S7-315 CPU with CP-342-5 – 6 modules
31 Vacon or Fararo Paya frequency converters per module
Totaling up to 186 motors
Data Analysis
• Samples:
– Information about each infected computer is stored in each sample
– Time stamps of the files tell us when the Stuxnet project occurred.
• Command and control server statistics
Stuxnet Modus Operandi 6
[Chart: Stuxnet Version Distribution by compile date – June 22 2009, March 01 2010, April 13 2010 (shares 2%, 47%, 51%)]
[Chart: Stuxnet OS Distribution – Win2k, WinXP, WinXP 64bit, Vista, Win 7 (shares 1%, 86%, 3%, 4%, 6%)]
[Chart: Stuxnet Days before Infection – histogram, x-axis 0 to 30 days]
Stuxnet Timeline
June 2008 – Programming of Stuxnet has begun.
Jan 2009 – Some components have been completed.
June 22 2009 – First version of Stuxnet is compiled. It is ready to be released.
June 22 2009 – First infection of Stuxnet occurs in Iran less than 24 hours after the code was compiled.
Infections occurring at a moderate rate.
Jan 2010 – Some components for a new version of Stuxnet are completed.
March 2010 – New version complete. USB zero day code added.
March 2010 – First infection from this version occurs. Spreads very quickly.
April 2010 – Another new version of Stuxnet released.
May 2010 – Infections from new version start.
June/July 2010 – Stuxnet discovered.
Versions
• June 2009
– only moderate infection numbers
• March 2010
– Spreads very quickly
– Removed support for old OSs
– Added USB zero day
• April 2010
– Extended time to live
– Extended spread time for USB
Initial Targets
• 5 organizations with a presence in Iran targeted
• All involved in Industrial processing
• None are Natanz
• No direct access to Uranium enrichment facility
• Infect someone close to Uranium enrichment process
• Piggyback into the facility when that person visits/interacts with someone at the facility
• One organization targeted by all 3 versions
Stuxnet Methodology
• No direct access to target
• Infect organizations that interact with target
• Study how these organizations interact
• Get insider knowledge of facilities layout
– PLC type, hardware in use, etc.
• Create an aggressively spreading worm that targets:
– The relationships of trust
– The actual physical layout
Success
• 1 year undiscovered – first released in June 2009
• 4 zero days – first time any threat has done this
• Reliable code – professionally written code
• PLC code appears to work
• Signed drivers – stolen certificates
• > 100,000 infected machines before discovery, mostly in Iran
• IAEA reports 1000 centrifuges withdrawn from service
– Unknown if Stuxnet caused this?
Stuxnet Failures
• Discovered 3 months after USB zero day added
• No report of centrifuges out of action since March
• Gained high media attention
• Analysis performed
• Iranian authorities aware
• Traces left in code
How Stuxnet Attacks
Stuxnet uses 7 different methods to propagate!
1. USB drives – Zero Day
2. Print Spooler Vuln – Zero Day
3. MS08-067 Vuln
4. Network Shares
5. P2P sharing
6. WinCC hard-coded password
7. Step7 projects
Attack Execution
[Diagram: Internet → Corporate LAN → Air Gap → Control PC]
1. Initial Delivery
2. Network Exploits
3. Reporting / Updates
4. Bridge Air Gap
5. Deliver Payload
Self-Replication – Step 7 Project Files
MyProject.s7p
  ApiLog
  types
  hOmSave7
    S7HK40AX
    S7HK41AX
    …
  xutils
    links
    listen
    …
Record layout (types):
+00 WORD count
+02 BYTE[] records
DB 14 14 00 00 00 00 00 00 00 00 00
s7hkimdb.dll search locations:
• %Step7%\S7BIN
• %SYSTEM32%
• %SYSTEM%
• %WINDIR%
• project's hOmSave7/* subdirectories
Files placed in an infected project:
s7hkimdb.dll (in hOmSave7 subdirectories)
xr000000.mdx (encrypted Stuxnet)
s7p00001.dbf (Stuxnet datafile)
s7000001.mdx (Stuxnet config data file)
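As an added example (not from the slides or Symantec), a defender's check that walks a Step 7 project directory and flags the file names the slide lists, treating a copy of s7hkimdb.dll under the project's hOmSave7 subdirectories as the indicator; the sample tree it builds, and where it places the data files, are constructed for the demo.

```python
import os
import tempfile

# File names the slide lists inside an infected Step 7 project.
ARTIFACTS = {
    "xr000000.mdx": "encrypted Stuxnet",
    "s7p00001.dbf": "Stuxnet datafile",
    "s7000001.mdx": "Stuxnet config data file",
}
# The slide lists %Step7%\S7BIN, the Windows system dirs and the project's
# hOmSave7\* subdirectories beside s7hkimdb.dll; a copy of the DLL carried
# inside the project (under hOmSave7) is the red flag we look for.
PLANTED_DLL = "s7hkimdb.dll"

def scan_project(project_dir):
    """Return a sorted list of (relative path, reason) for suspicious files."""
    findings = []
    for root, _dirs, files in os.walk(project_dir):
        rel_root = os.path.relpath(root, project_dir)
        dirs_lower = [p.lower() for p in rel_root.split(os.sep)]
        for name in files:
            lname = name.lower()
            rel = os.path.normpath(os.path.join(rel_root, name))
            if lname in ARTIFACTS:
                findings.append((rel, ARTIFACTS[lname]))
            elif lname == PLANTED_DLL and "homsave7" in dirs_lower:
                findings.append((rel, "DLL planted in hOmSave7 subdirectory"))
    return sorted(findings)

def build_sample_project(base, infected=True):
    """Constructed layout mirroring the slide's tree; not a real Step 7 project."""
    for sub in ("ApiLog", "types", "hOmSave7/S7HK40AX", "hOmSave7/S7HK41AX",
                "xutils/links", "xutils/listen"):
        os.makedirs(os.path.join(base, *sub.split("/")), exist_ok=True)
    planted = ["hOmSave7/S7HK40AX/s7hkimdb.dll", "hOmSave7/S7HK41AX/s7hkimdb.dll",
               "xutils/links/xr000000.mdx", "xutils/links/s7000001.mdx",
               "xutils/listen/s7p00001.dbf"] if infected else []
    for rel in planted:  # placement of the data files is constructed for the demo
        with open(os.path.join(base, *rel.split("/")), "wb") as f:
            f.write(b"constructed sample, not malware")
    return base

def demo(infected=True):
    """Build a throwaway project and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_project(build_sample_project(tmp, infected))

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```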
New Version
• Not simple to create new version
• Cannot just drop in new zero days
• Target specific information required
• PLC programming knowledge
• Exploit knowledge
• Real danger is the idea
• Now people know it can be done
• People can start their own projects knowing it is possible
Solutions & lessons learned
• Insider/Contractor threat is significant
• IP is extremely valuable, protect it at all costs
• Monitor systems and networks
• Watch for red flags
• Accept that network separation is not possible and protect computers inside the traditional air gap more vigorously
• Whitelisting, behavior blocking and reputation-based solutions can mitigate the threat.
• Device blocking – USBs, contractor laptops, etc.
• Vigilance is key
Response
• Need dedicated resources in place in advance that can switch focus to a new threat quickly
• Need engineers who are familiar with the latest developments in the threat landscape
• Need to respond quickly – critical infrastructure may be at risk
• Public-private partnership will be important
• Growing market
• We will see more of these types of threats in the future, need to prepare for that.
Summary
• Stuxnet is the first publicly known malware to intend real-world damage
• Required resources at the level of a government
• While as a whole extremely sophisticated, the technique to inject code into PLCs is not
• Enterprises should assume attackers know how these systems work
• Has changed our job at Symantec
• We expect to see more of these threats
White Paper Available
• Stuxnet Technical Details Available here:
• http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
W32.Stuxnet Dossier
Thank you!
Liam O Murchu - [email protected]