twitter facebook rss

Stuxnet: more historical than hysterical, I hope

Posted by on June 7, 2016.

I don’t make a habit of using this blog to advertise another, but the article I’m going to talk about is just too long to rewrite for this blog. And in fact, I’m not generally a fan of articles that revisit antique malware that ceased to matter years or even decades ago. However, it appears that – six years on from when it first came to everyone’s attention – Stuxnet still commands attention. And I’m not even talking about the current wave of ‘Stuxnet revisited’ posts centred on FireEye’s analysis of malware that seems to owe something conceptually to Stuxnet’s targeting of Siemens systems but is intended ‘to manipulate a specific industrial process running within a simulated Siemens control system environment.’ Or the less-publicized issue of an unpatchable vulnerability in a web-based SCADA system used primarily in the US energy sector. (Affected sites can upgrade the component in question, fortunately, but they can’t patch it.)

However, I have been asked a few times recently about Stuxnet, about which I wrote a great deal at one time. I suppose it was particularly important because it was one of the events moved the site-specific hardware-targeting malicious code from the realms of myth or semi-myth (the Iraqi printer virus, the Siberian oil pipeline explosion) to some verifiable fact. However, when I started to answer some of those questions, I realized that there is still a great deal of speculation being accepted as fact. So I went back to the speaker’s notes for a presentation I made at Infosec Europe a few years ago, essentially based on ESET’s Stuxnet report (though a lot shorter!), for what I hope is a more balanced and less speculative view. I’m not going to commit to a precise attribution (how very AV!), but there was certainly an agenda that differed drastically from the profit-driven criminal operations that capture most of our attention.

The Stuxnet report was just one of several papers and articles on which I worked directly with (among others) Alex Matrosov and Eugene Rodionov, then both with ESET’s team in Moscow. However, it was certainly the longest – apart from the 85 pages of the report itself,  there were acres of preparatory and follow-up articles. But then, it was unusual in several respects.

  • It made use of an astonishing array of 0-day or little-known exploits, taking advantage of issues in Windows (MS10-046, MS10-073, MS10-061, MS10-092, MS08-067. 0-days are commonplace, of course, but it’s unusual to use so many at once. That was actually one of the clues suggesting that it wasn’t the usual criminal gang approach: more like a collaboration between specialists. (Ironically enough, my own initial involvement was partly due to my being pulled into a hastily-assembled Tiger Team including SCADA sites, state agencies and other security vendors.)
  • It was, in programming terms, extremely sophisticated, despite its comparatively promiscuous dissemination, increasing its chances of early detection. Though a less sophisticated version had managed to stay under the radar for a good while before that. Perhaps the 0.5 version had been so successful that staying under the radar was no longer a major concern. Or maybe the intention was to send a public message (whether it was accurate or mere misdirection) about the capabilities of the agencies and states rumoured to have been responsible.
  • It was signed with stolen certificates. That’s not a ubiquitous practice, but Stuxnet certainly helped make the approach more common.
  • A very hardware-specific payload in an unusual control language: some of the code looked likely to have originated with a regular developer with knowledge of SCADA systems and Siemens control systems.

Another unusual feature is that quite a wide spread of security research teams (hat tip to VirusBlokAda, Symantec, Kaspersky, Microsoft etc.)unearthed pieces of the puzzle, though not in a formally aligned way like the Conficker Working Group. Still, it’s a measure of the size of the problem. For instance, while some research focused very usefully on the PLC code (requiring access to specialized hardware), ESET focused on the 0-day attacks, from which we learned quite a lot. But it appears that so did the bad guys.

Stuxnet’s legacy is harder to define than its initial impact and the general impressions it aroused. Of course, it ‘lives on’ in terms of other malicious code that bears a family resemblance, or at least borrowed techniques and even vulnerabilities. Not to mention those films and TV programmes where it’s mentioned in the context of some imaginary supermalware. (However, the threat from direct re-use of Stuxnet SCADA-specific code was hugely exaggerated.)

What it did do was to bring to light the importance of potential problems with SCADA and ICS that aren’t directly relevant to Stuxnet and its own targeting, and raised awareness of the potential vulnerability of Critical National Infrastructure (CNI) sites. To quote from myself (a bad habit, I know…):

The next such attack may be focused on a very different sector and use entirely different exploits. but it’s unlikely that there will never be another attack of this type, even if … it really was the first.

Footnote (or Foot-in-Mouth Note)…. When I was first asked about this a few weeks ago, I did some googling for a reference and came upon a comment regarding the Stuxnet report as being associated with ‘the not-very-authentic David Harley’. Sadly, the comment seems to have been removed, so I don’t know if it means that someone has noticed that I’m actually a bot, as well as a sock puppet for ESET Russia. Or perhaps it was just the usual ‘no-one with letters after his name can be a real security researcher’ drivel. Perhaps now that I’ve dropped my subscriptions to (ISC)2 and BCS and can no longer use any letters after my name except BA, I’m now more authentic. 🙂

David Harley

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: David Harley | Tags: , , , , , ,