How to plan an industrial cyber-sabotage operation: A look at Stuxnet
If you've been following the Stuxnet worm, you may have seen Ralph Langler's excellent analysis of the attack, published last week.
Stuxnet is probably the most interesting piece of malware I've ever covered, and the more we learn about it, the more it seems to have been ripped from the pages of a spy novel. A targeted attack that used four zero-day attacks, compromised digital certificates, inside knowledge of a specific industrial computer installation, it was launched by someone or some group that apparently didn't really care if its target ever found out about the attack.
I've been trying to get Ralph to give me an interview for several days now, but he's not ready to talk quite yet. In the interim, however, he did email me this blow-by-blow description of how he thinks Stuxnet was executed. To me, what he says seems completely credible. It's a very interesting description of an incredibly sophisticated operation.
Did it work? Who was really behind it? We may never know the answer to those questions.
Here's Ralph's write-up. The word Myrtus appears in one of the worm's drivers:
The best way to approach Stuxnet is to think of it as part of an operation – operation myrtus. Operation myrtus can be broken down into three major stages: Preparation, infiltration, and execution.
Stage 1, preparation:
- Assemble team, consisting of multiple units (intel, covert ops, exploit writers, process engineers, control system engineers, product specialists, military liaison)
- Assemble development & test lab, including process model
- Do intel on target specifics, including identification of key people for initial infiltration
- Steal digital certificates
Stage 2, infiltration:
- Initial infiltration using USB sticks, perhaps using contractor's comprised web presence
- Weapon spreads locally via USB stick sharing, shared folders, printer spoolers
- Contact to command & control servers for updates, and for evidence of compromise (important)
- Update local peers by using embedded peer-to-peer networking
- shut down CC servers
Stage 3, execution:
- Check controller configuration
- Identify individual target controllers
- Load rogue ladder logic
- Hide rogue ladder logic from control system engineers
- Check PROCESS condition
- Activate attack sequence
What this shows is that the 0day exploits were only of temporary use during the infiltration stage. Quite a luxury for such sophisticated exploits! After the weapon was in place, the main attack is executed on the controllers. At that point, where the rogue ladder logic is executed, it’s all solid, reliable engineering – attack engineering.
Stuxnet is probably the most interesting piece of malware I've ever covered, and the more we learn about it, the more it seems to have been ripped from the pages of a spy novel. A targeted attack that used four zero-day attacks, compromised digital certificates, inside knowledge of a specific industrial computer installation, it was launched by someone or some group that apparently didn't really care if its target ever found out about the attack.
I've been trying to get Ralph to give me an interview for several days now, but he's not ready to talk quite yet. In the interim, however, he did email me this blow-by-blow description of how he thinks Stuxnet was executed. To me, what he says seems completely credible. It's a very interesting description of an incredibly sophisticated operation.
Did it work? Who was really behind it? We may never know the answer to those questions.
Here's Ralph's write-up. The word Myrtus appears in one of the worm's drivers:
The best way to approach Stuxnet is to think of it as part of an operation – operation myrtus. Operation myrtus can be broken down into three major stages: Preparation, infiltration, and execution.
Stage 1, preparation:
- Assemble team, consisting of multiple units (intel, covert ops, exploit writers, process engineers, control system engineers, product specialists, military liaison)
- Assemble development & test lab, including process model
- Do intel on target specifics, including identification of key people for initial infiltration
- Steal digital certificates
Stage 2, infiltration:
- Initial infiltration using USB sticks, perhaps using contractor's comprised web presence
- Weapon spreads locally via USB stick sharing, shared folders, printer spoolers
- Contact to command & control servers for updates, and for evidence of compromise (important)
- Update local peers by using embedded peer-to-peer networking
- shut down CC servers
Stage 3, execution:
- Check controller configuration
- Identify individual target controllers
- Load rogue ladder logic
- Hide rogue ladder logic from control system engineers
- Check PROCESS condition
- Activate attack sequence
What this shows is that the 0day exploits were only of temporary use during the infiltration stage. Quite a luxury for such sophisticated exploits! After the weapon was in place, the main attack is executed on the controllers. At that point, where the rogue ladder logic is executed, it’s all solid, reliable engineering – attack engineering.
Previous Post: Terry Childs gets four year sentenceNext Post: Me and Iraq Resistance -- a conversation with a worm author
WEBCAST
Transition Confidently to the Cloud
Thanks to cloud computing, your business data is everywhere and being accessed by everyone. Making the wrong decision to protect your data can result in high costs, increased risk and executive exposure. View this live webinar on cloud security and the evolving data center, and learn why a data-centric approach to security is the best bet for today's virtual environment.
WHITE PAPER
Magic Quadrant for Enterprise Information Archiving
Gartner evaluates vendors offering products and services that provide archiving for email, files and other content types.
Recent Comments
Webcasts
- Enterprise File Sharing: All You Need to Know
- Forrester Research and EMC on Continuous Availability
- Big Ideas; Big Tech-Continuous Availability for VMware
- Security Analytics Video
- Reduce Costs, Maximize Performance and Ensure High Availability of your Business Critical Applications
- B2B Integration on Cloud: Real World Solutions and Technology Advances
White Papers
