Stuxnet – Getting to the targetStuxnet – Getting to the targetLiam O MurchuOperations Manager, Symantec Security Response

1

Feb 2011

Agenda

Stuxnet – Getting to the target 2

Stuxnet Capabilities1

Network Distribution Tactics 2

Intel & Targets 3

Sophistication & Success 4

Solutions & Lessons Learned 5

Stuxnet Features• Discovery disclosed in July, 2010• Attacks industrial control systems likely an Iranian uranium

enrichment facility

• Modifies and hides code on Siemens PLCs connected to frequency converters

• Contains 7 methods to propagate, 4 zero day exploits, 1 known exploit, 3 rootkits, 2 unauthorized certificates, 2 Siemens security issues, 1 target.

• 3 versions, June 2009, March 2010, April 2010

Stuxnet - Sabotaging Industrial Control Systems 3

Stuxnet is targeted

Stuxnet – Getting to the target 4

Iranian Target

PLCs

• Monitors Input and Output lines– Sensors on input

– switches/equipment on outputs

– Many different vendors

• Stuxnet seeks specific Models – s7-300 s7-400

Stuxnet & PLCs 5

Programmable Logic Controller

Stuxnet is Targeted Targeting a Specific type of PLC Searches for a Specific Configuration

Programming a PLC

• Simatic or Step 7 software– Used to write code in STL or other languages

• STL code is compiled to MC7 byte code• MC7 byte code is transferred to the PLC• Control PC can now be disconnected

Stuxnet Infecting PLCs 6

Step7, STL and MC7

Attack Preparation

Stuxnet – Getting to the target 7

Uranium EnrichmentFacility

Stuxnet Creator

PLCControl

PC

Attack Considerations

Stuxnet – Getting to the target 8

Air Gap

Corporate LAN

Internet Etc

How Stuxnet Attacks Corporations

Stuxnet uses 7 different methods to propagate!

1. USB drives – Zero Day

2. Print Spooler Vuln – Zero Day

3. Ms08-067 Vuln

4. Network Shares

5. P2P sharing

6. Wincc Hard coded Password

7. Step7 projects

9Stuxnet – Getting to the target

Control PC

Self-ReplicationStep 7 Project Files

Stuxnet - Sabotaging Industrial Control Systems 10

MyProject.s7pApiLog

typeshOmSave7

S7HK40AX

S7HK41AX

…

xutilslinks

listen

…

+00 WORD count+02 BYTE[] records

types:

DB 14 14 00 00 00 00 00 00 00 00 00

+00 WORD count+02 BYTE[] records

• %Step7%\S7BIN• %SYSTEM32%

• %SYSTEM%• %WINDIR%

• project's hOmSave7/* subdirectories

s7hkimdb.dlls7hkimdb.dll

s7hkimdb.dll

xr000000.mdx (encrypted Stuxnet)

s7p00001.dbf (Stuxnet datafile)

s7000001.mdx (Stuxnet config data file)

Stuxnet Windows Rootkit

Stuxnet - Sabotaging Industrial Control Systems 11

Attack Execution

Stuxnet – Getting to the target 12

Air Gap

Corporate LAN

Internet Etc 1. Initial Delivery

3. ReportingUpdates2. Network Exploits

4. Bridge AirGap 5. Deliver Payload

Delivering the threat• Stuxnet targeted specific companies in Iran• Only 10 initial targets• Resulting in over 14k infections• Research was needed to identify valuable targets• Companies connected to Uranium enrichment • Hope to infect someone who would visit a Uranium enrichment

facility• Someone who worked on Uranium enrichment projects• Actual delivery method is unknown

Stuxnet – Getting to the target 13

Limited Spread• Attackers wanted limited spread• No Internet capable exploits used• USB exploit only infects 3 machines• USB exploit has deadline of 21 days• All exploits have a deadline

• Large configuration file• ~430 different settings• Why did it spread so far?

Stuxnet – Getting to the target 14

Why did it spread so far?• Zero .lnk vulnerability wildly successful• Step7 project infection very successful• Misunderstanding of how contractors interact• Misunderstanding of how connected companies are• Intended?• Needed to be more aggressive to succeed?

Stuxnet – Getting to the target 15

Was Stuxnet Successful• We don’t know.

• 1 year in the wild undiscovered• Over 100k infections• Majority in Iran• Natanz shut down• Industrial Companies Infected• Reports of infections at Natanz and Busheir• IAEA report states 1000 centrifuges offline in Nov 2009

Stuxnet – Getting to the target 16

Was Stuxnet Successful• We don’t know.

• Discovered 3 months after USB zero day added• No report of centrifuges out of action since March• Gained high media attention• Analysis performed• Iranian authorities aware

Stuxnet – Getting to the target 17

Sophistication• First threat to target hardware• Targets Uranium Enrichment• Large amount of code• Very configurable• 4 zero days• Long Reconnaissance phase• Needed Hardware for testing• Targets 95/98,Win2k,Winxp,Vista,Win7…• 3 Rootkits• PLC programming knowledge

Stuxnet – Getting to the target 18

Sophistication• It was discovered• No advanced encryption• C&C infrastructure easily taken down• Infection information stored• Blue screens?? (unconfirmed)• P2P not protected• Escaped outside of Iran

Stuxnet – Getting to the target 19

New Version• Not simple to create new version• Cannot just drop in new zero days• Target specific information required• PLC programming knowledge • Exploit knowledge

• Real danger is the idea• Now people know it can be done• People can start their own projects knowing it is possible

Stuxnet – Getting to the target 20

Solutions & lessons learned• Insider threat is significant – Employees are major risk• IP is extremely valuable, protect it at all costs• Monitor systems and networks• Watch for red flags• Implemented real air gaps• Or accept this is not possible and protect computers inside the

air gap more vigorously• White listing, behavior blocking and reputation based solutions

can mitigate threat.• Device blocking – USBs, contractor laptops, etc..• Vigilance is key

Stuxnet – Getting to the target 21

Response• Need dedicated resources in place in advance that can switch

focus to a new threat quickly• Need engineers who are familiar with the latest developments

in the threat landscape• Need to respond quickly – critical infrastructure may be at risk• Private public partnership will be important• Growing market• We will see more of these types of threats in the future, need to

prepare for that.

Stuxnet – Getting to the target 22

Summary• Stuxnet is the first publicly known malware to intend real-world

damage• Required resources at the level of a nation-state• While as a whole extremely sophisticated, the technique to

inject code into PLCs is not• Enterprises should assume attackers know how these systems

work• Has changed our job at Symantec• We expect to see more of these threats

Stuxnet – Getting to the target 23

White Paper Available

• Stuxnet Technical Details Available here:

• http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

Stuxnet – Getting to the target 24

W32.Stuxnet Dossier

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Thank you!

Stuxnet – Getting to the target 25

Liam O Murchu - liam_omurchu@symantec.com