Aug 25 2011

Dillon Beresford and The Strange Case of the Stuxnet Worm

Cyber Security

Cyber security has come front and center recently with the threat of the Guy Fawkes cyber attack on Facebook and the U.S. Department of Homeland Security’s warning about the use of Chinese-made software. Malicious hackers are everywhere these days, it seems.

Dillon Beresford, a “good guy” hacker who works for security firm NSS Labs, demonstrated at the Black Hat Briefings conference in Las Vegas this month how he had successfully exploited flaws in commonly used industrial computer systems made by Siemens, systems that run in thousands of industrial plants.

The Siemens industrial control system (ICS) products are the same ones targeted by Stuxnet, the sophisticated computer worm discovered last year to have crippled Iran’s nuclear program. It reprogrammed the controllers driving the centrifuges used to enrich uranium so that they spun out of control and destroyed themselves.

Beresford’s talk was given in lieu of one he had planned to give at TakeDownCon in June. He cancelled that talk voluntarily after Siemens and ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team) raised concerns about the impact of publicly disclosing the security holes. Here is the latest ICS-CERT advisory.

The Washington Times quotes Vikram Phatak, chief technology officer of NSS Labs: Beresford’s work shows that “you don’t need Stuxnet to do real damage” to industrial plants. The demonstration showed vulnerabilities in the software and hardware used to run everything from nuclear power plants to manufacturing assembly lines to water treatment plants and prisons.

What is Stuxnet?
Stuxnet spread from one computer to another via infected USB sticks. The vulnerability was in how Windows Explorer, a fundamental component of Microsoft Windows, handled LNK (shortcut) files. When an infected USB stick was inserted into a computer, Explorer automatically scanned the contents of the stick; at that point Stuxnet awoke and dropped a large, partially encrypted file onto the computer.

It was subsequently discovered that the worm itself appeared to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. The second seemed right out of a spy thriller: Stuxnet secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

The attacks were not fully successful: some parts of Iran’s operations ground to a halt, while others survived, according to the reports of international nuclear inspectors. The New York Times reported that it’s not clear the attacks are over yet: some experts believe the Stuxnet code contains the seeds for yet more versions and assaults.

Iran’s Nuclear Capabilities
Iran’s ability to produce bomb-ready enriched uranium became a major concern during the Bush administration. “Bomb, bomb, bomb, bomb Iran,” said Senator John McCain, parodying The Beach Boys’ tune Barbara Ann.

President Obama spent 2009 trying to engage Iran diplomatically. Tehran initially accepted but then rejected an offer for an interim solution under which it would ship some uranium out of the country for enrichment. In June 2010, after months of lobbying by the Obama administration and Europe, the United Nations Security Council voted to impose a new round of sanctions on Iran, the fourth such round.

The Cyber Attack on Iran’s Nuclear Centrifuges
Wired Magazine’s Threat Level reported that as early as January 2010, as investigators with the International Atomic Energy Agency were completing an inspection at the uranium enrichment plant outside Natanz in central Iran, they realized that something wasn’t right in the cascade rooms where thousands of centrifuges were enriching uranium.

Workers had been replacing the units at an incredible rate: perhaps between 1,000 and 2,000 centrifuges were swapped out over a few months. This was, of course, due to Stuxnet.

Stuxnet, it turns out, was actually released in June 2009. But it would be nearly a year before the inspectors would learn of this. It took dozens of computer security researchers around the world months of analysis and deconstruction to determine that a worm using a “zero-day” exploit was responsible.

The worm in the Iranian incident was dubbed “Stuxnet” by Microsoft, from a combination of file names (.stub and MrxNet.sys) found in the code.

An Israeli Connection?
Israel’s never-acknowledged nuclear arms program is supposedly centered in the Dimona complex in the Negev desert. The New York Times reported that behind Dimona’s barbed wire, Israel spun nuclear centrifuges virtually identical to Iran’s at Natanz. Did they test the effectiveness of the Stuxnet computer worm before it infected the Iranian computers?

In January 2011, the retiring chief of Israel’s Mossad intelligence agency, Meir Dagan, and Secretary of State Hillary Rodham Clinton separately announced that they believed Iran’s uranium enrichment efforts had been set back by several years. Mrs. Clinton cited American-led sanctions, which have hurt Iran’s ability to buy components and do business around the world.

Officially, neither American nor Israeli officials will even acknowledge the existence of the Stuxnet worm.

But Israeli officials were reported as “grinning widely” when asked about its effects. President Obama’s chief WMD strategist, Gary Samore, sidestepped a Stuxnet question at a conference about Iran. He added, “with a smile,” “I’m glad to hear they are having troubles with their centrifuge machines, and the U.S. and its allies are doing everything we can to make it more complicated.”

Enter Dillon Beresford
Dillon Beresford is not just an everyday hacker. He has an extensive IT security background in exploit development, penetration testing, reverse code engineering, intrusion prevention systems, and intrusion detection systems.

After working with Siemens to identify the security holes of the kind that allowed the Stuxnet incident to occur, he canceled a planned demonstration of the vulnerabilities (as mentioned earlier) at the TakeDownCon security conference in Texas in early June 2011, after Siemens and the Department of Homeland Security expressed concern about disclosing information before Siemens could patch the vulnerabilities.

The vulnerabilities affect the programmable logic controllers, or PLCs, in several Siemens SCADA (supervisory control and data acquisition) systems. Siemens PLC products are used in companies throughout the United States and the world.

It was a vulnerability in a PLC in Siemens’ Step7 control system that the Stuxnet worm targeted.

Beresford researched SCADA systems independently at home. He purchased SCADA products online with funding from NSS Labs, intending to examine systems belonging to multiple vendors. Beresford began with Siemens and found multiple vulnerabilities in the products very quickly.

Cyber Warfare?
The increasing attention to SCADA systems, coming on the heels of Stuxnet and other cyber security incidents, is bringing pressure on both the U.S. Department of Homeland Security (DHS) and firms like Siemens to take a hard look at the security of PLCs and other industrial control equipment.

Underscoring the importance of cyber security, ZDNet reports that DHS just issued a warning about using Chinese-made software, especially at chemical, defense, and energy firms. Much of the concern comes from recent hacking attacks against companies like Lockheed Martin and Sony. The warning appears to trace back to a specific Beijing software company called Sunway ForceControl.

A huge Internet attack this month targeted 72 organizations, including the U.N., and analysts say it apparently originated in China.

The Daily Beast quotes Richard Clarke, the former top U.S. government official who famously held roles in counterterrorism and cybersecurity in the Clinton and Bush administrations: “What’s going on is very large-scale Chinese industrial espionage. They’re stealing our intellectual property. They’re getting our research and development for pennies on the dollar.”

What’s at stake goes beyond the ability to breach industrial control systems — even as scary as that is — into the realm of state secrets… and global military and economic dominance.