After the NYTimes recent article on Stuxnet computer worm more buzz is being generated around computer viruses affecting the real world…cyberwars and politics.
and with some quotes like this :
“Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.”
some people feel that they woke up in the middle of “Die Hard” or “hackers” movie.
I did some search on stuxnet and on the history of computer worms/viruses attacks and incidents in the real world – here are some of the results of that search:
History of “famous” computer viruses causing harm in the real world : (those are the notable ones i found)
- Siberian Pipeline Explosion (1982):Trojan inserted into SCADA software that caused explosion
- 1992 Chevron – Former employee disabled emergency alter system in 22 states
- Roosevelt Dam (1994): Hacker breaks into floodgate SCADA systems
- March 1997: teenager breaks into NYNEX and cuts off Worcester Airport in Massachusetts for 6 hours affecting both air and ground communications
- June 1999: Bellingham, Washington Gasoline Pipeline Failure
- Sewage Dump (2000): Insider attack on sewage systems in Australia; Dumps 1 million gallons of raw sewage
- GAZPROM (2000):Hackers gain control of Russian natural gas pipeline
- Slammer (2003): Knocks nuclear monitoring system offline; Cripples airlines
- August 2003: USA Northeast Power Blackout
- August 2003: CSX Train Signaling System and the Sobig Virus
- August 2005: Automobile plants and the Zotob Worm
- California Canal System (2007):Insider hacks SCADA
- March 2008: Hatch Nuclear Power Plant shutdown
- June 2009 : insider/employee attack on US hospital SCADA systems.
I used the word “famous” cuz of 2 other sources : BCIT and Joseph Weiss
BCIT (British Columbia Institute of Technology), funded by a petroleum company, is one of a few groups which tracked industrial cyber security incidents until the project went dormant in 2006 after Eric Byres left.
Their database, the Industrial Security Incident Database (ISID), tracks information regarding security related attacks on process control and industrial networked systems.
The BCIT reports that between 1994 and June 2006, 97 incidents have been investigated and logged in the database
Prior to 2001, the majority of attacks reported in the database were from insiders of the company. After 2001, the majority of the incidents reported were due to external sources. This swing has been attributed to the increase in use of more common operating systems and applications,open architectures, larger interconnected networks and automated “worm” attacks.
It is interesting to note that the majority of these attacks occurred months or years after the virus/worm was publicized in the media and patches were available and proven for control systems. This is indicative of a lapse in security policy rather than technology
Joseph Weiss managing partner of control systems security consultancy Applied Control Solutions, said that in the US, networks powering industrial control systems have been breached more than 125 times in the past decade involving systems in nuclear power plants, hydroelectric plants, water utilities, the oil industry and agribusiness.
The Aurora Experiment :
Another interesting thing i ran into is an experiment called Aurora by the US Departement of homeland Security conducted in march 2007 at the Department of Energy’s Idaho lab. In that experiment they emulate a hacker remotely accessing a 1M $ power generator and they blew it up
Here is the video
The stuxnet worm
” Stuxnet is a computer worm targeted at industrial equipment that was first discovered in July 2010 by VirusBlokAda, a security firm based in Belarus.
While it is not the first time that hackers have targeted industrial systems, it is the first discovered worm that spies on and reprograms industrial systems and the first to include a programmable logic controller (PLC) rootkit. It was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes. Stuxnet includes the capability to reprogram the PLCs and hide its changes.
The worm’s probable target is said to have been high value infrastructures in Iran using Siemens control systems. According to news reports the infestation by this worm might have damaged Iran’s nuclear facilities in Natanz and eventually delayed the start up of Iran’s Bushehr Nuclear Power Plant. Although Siemens initially had stated that the worm had not caused any damage, on November 29, Iran confirmed that its nuclear program had indeed been damaged by Stuxnet.
Russian digital security company Kaspersky Labs released a statement that described Stuxnet as “a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world.” Kevin Hogan, Senior Director of Security Response at Symantec, noted that 60% of the infected computers worldwide were in Iran, suggesting its industrial plants were the target. Kaspersky Labs concluded that the attacks could only have been conducted “with nation-state support”, making Iran the first target of real cyberwarfare.” more
Key Elements of the StuxnetAttackTargeted Sabotage
•Uses a Windows rootkitto hide Windows binaries
–Signed by one of 2 stolen certificates from ‘JMicron’ and ‘Realtek’
•Injects code into Programmable Logic Controllers (PLC) systems
–Allows threat to alter and control SCADA systems
•Uses root kit techniques to hide injected PLC code
–Patches Siemens Step 7 software, which is used to view PLC code
•Communicates with C&C servers using HTTP
•Uses P2P networks to update itself
–Gives control of infected hosts even if C&C servers are taken down
Spreads by copying itself to USB drives
– LNK vulnerability
• Spreads via network shares
• Spreads using 2 known and 4 0-day
– MS08-067 (vulnerability used by Conficker)
– Default password in Siemens WinCC
– LNK: allows automatic spreading via USB keys
– Printer Spooler: allows network spreading to
– Undisclosed 1: local privilege escalation
– Undisclosed 2: local privilege escalation
Pointing Fingers :
In early 2008 the German company Siemens cooperated with one of the United States’ premier national laboratories, in Idaho, to identify the vulnerabilities of computer controllers that the company sells to operate industrial machinery around the world — and that American intelligence agencies have identified as key equipment in Iran’s enrichment facilities.
Siemens says that program was part of routine efforts to secure its products against cyberattacks. Nonetheless, it gave the Idaho National Laboratory — which is part of the Energy Department, responsible for America’s nuclear arms — the chance to identify well-hidden holes in the Siemens systems that were exploited the next year by Stuxnet.
What the hell is SCADA – that word that keeps popping up ?
Supervisory Control and Data Acquisition (SCADA) systems are computer-based control systems which are used to monitor and control physical processes. They are usually composed of a set of networked devices such as controllers, sensors, actuators, and communication devices.
In other words, SCADA is :
- the power in your home
- the water in your home
- the water that goes out of your home
- the traffic lights on the way to the office
- the commuter train controls
- the air conditioning system in your office building
- the phone system to your home
Security problems with SCADA
- SCADA = no authentication : what is the identity of an automated system ? How would policies such as “change your password monthly” be applied to automated systems that are supposed to run un-attended for years ?
- How to manage rights for each person ? which of the thousands possibilities can they monitor/control ?
- SCADA = No patching – old : install a system – replace it in 5 years, now: install a system, patch it every month
- SCADA = industry in denial on how much they are connected to the internet, the usual belief is that they are not connected at all while in reality there are many uncontrolled interconnects via links or simple things like roaming notebooks
- Insider attacks
- a big prize – the prize for a successful attack is too big if successful and might tempt “groups” or even “nations” to invest millions and time.
- Open standards and architectures – The move to open standards such as Ethernet, TCP/IP, and web technologies has resulted in commonly released worms/viruses also affecting the computer systems of critical infrastructure and manufacturing industries. Hence it may be easier for an adversary to obtain the necessary knowledge, via the source code, to attack a system. It is important to note that this point is controversial; many computer scientists argue that open design is the most secure solution
Making sense of the above
Geeks will rule the world ! CyberDoom is nearby ! Only pre-historic caves are safe, buy a cave before prices start sky-rocketing !
Lebanon has the most sophisticated “defense” system – they can cut the power, cut the water – we are using generators and already buy water and we dump our sewage in the sea so there are no dangers of “sewage leaks” , we don’t have nuclear plants and barely have an industry in the first place ! hah ! On the other hand Israel completely relies on such systems :devil: , now are you thinking what I am thinking ?
Well – after such a long and serious article, i thought some sarcasm would be cheerful ;p – as for making sense of the above, I presented the facts and I leave it to you to blog/comment about it. I will possibly aggregate your opinions/tweets/feedback in a second post then add mine as well.
I am off trying to figure out how hack into the power plants in lebanon and make electricity run 24/7 (joking, eh ! ) – in the meantime – I am still waiting for your feedback and opinions on the whole cyber attacks/ cyber terrorism / cyber risks stuff !Read More