
Tracking and implications of stuxnet v21

Tracking and Implications of Stuxnet provides a detailed view of the ICS attack on the Iranian nuclear fuel enrichment plant.



  1. Tracking & Implications of STUXNET. Jorge Sebastiao, University of Nicosia, Nicosia, Cyprus. Nov. 2nd, 2011
  2. Agenda
     • New World Order
     • Target Attack
     • Stuxnet
     • Components
     • Payload
     • Final Goal
     • Potential counter defense mechanisms
     • Future Implications to critical infrastructure
     • Q&A
  3. New World
  4. Natanz: Peace and Prosperity. Nuclear Fuel Reprocessing Plant
  5. News
  6. Targeted Attacks Stats: worldwide, by industry sector, since 2008. 18,172 targeted attacks during 2010. (Source: Targeted Attacks - Infosec)
  7. Target Attacks: phases of a mass attack versus a targeted attack
     • Incursion
       Mass attack: generic social engineering; by-chance infection method
       Targeted attack: handcrafted & personalized delivery
     • Discovery
       Mass attack: typically no discovery; assumes pre-defined content; predictable location
       Targeted attack: examination of the infected resource; monitoring of the user; determination of accessible resources & network enumeration
     • Capture
       Mass attack: pre-defined specific data; matches a pre-defined pattern (e.g. credit card number)
       Targeted attack: manual analysis & inspection of the data
     • Exfiltration
       Mass attack: information sent to a dump site with little protection; not stored in one location for an extended time period
       Targeted attack: information sent back to the attacker; dump site is long-term storage
  8. What?
     1. Windows computer worm discovered in July 2010
     2. 100k+ lines of code (complex)
     3. 5 different exploits (4 MS vulnerabilities)
        1. LNK File Bug: initial auto-exploitation via removable drive
        2. Task Scheduler: privilege escalation, Vista+
        3. Keyboard Layout: privilege escalation, XP
        4. Spooler / MOF Files: spreading / lateral movement
        5. SMB Vuln (MS08-067): spreading / lateral movement
     4. Rootkit (hiding binaries)
  9. Paradigm Shift: consequences for the way we think…
  10. Timeline
  11. Focus on Siemens PLC
     • Targets SCADA networks
     • Siemens Simatic WinCC
     • Rootkit to hide itself
     • Classic Windows rootkit
     • PLC (Programmable Logic Controller) code changes also hidden
     • Spreads via USB sticks & network shares
     • Creates botnet
     • Industrial espionage ready: steal code, documents, project designs
     • Injects & hides code in PLCs, modifying production processes
  12. Overview
     • Target
       • Type: Nuclear Plant
       • Victim: Iran
       • Motivation: Destroy Centrifuges
     • Compromise
       • Social Engineering: Memory Stick
       • Vector: SCADA Systems
       • Vulnerability: Windows/Siemens
     • Response
       • Disclosure: Jun 2010
       • Iran Replaces 1000 Centrifuges
       • Win/Siemens Patches
  13. Attack Flow (New York Times)
  14. Propagation
  15. Network Propagation
     • Peer-to-peer communication & updates
     • Infecting WinCC machines via hardcoded database server password
     • Network shares
     • MS10-061 Print Spooler Zero-Day Vulnerability
     • MS08-067 Windows Server Service Vulnerability
  16. Propagation: USB LNK Vulnerability (CVE-2010-2568), AutoRun.Inf
  17. Propagation: Kill switch
  18. Testing - Metasploit
  19. Anti-Forensics
     • Uses encryption / encoding to obfuscate data streams
     • Polymorphic
     • Zero-day attacks
     • Rootkits to evade detection
     • In-memory execution without creating files
     • Remote programmable
     • Disabling itself
     • Hiding results/effects
  20. Siemens - SIMATIC PLCs
  21. From Root Kit to PLC
  22. Hides Feedback
  23. Resonance - Damage Frequency. In PLC:
     • forces motors to spin at 2 Hz and at 1064 Hz
     • damages connected motors
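Slides 22 and 23 carry the defender's lesson: the feedback the PLC showed operators was hidden while the drives were pushed to damaging frequencies, so a monitor that trusts only the controller's own reported values is blind. The Python script below is an added example, not part of the slide deck and not Siemens or Symantec tooling. It cross-checks the PLC-reported frequency against an independently measured value over a constructed telemetry trace and raises alerts for out-of-band frequencies, PLC-versus-sensor disagreement, and abrupt changes. The 2 Hz and 1064 Hz figures come from slide 23; the safe band, tolerance, slew limit and the trace itself are assumptions constructed for the example.

```python
"""Independent process-variable monitor for variable-frequency drives.

Cross-checks what the PLC/HMI reports against a measurement taken on a
separate path (e.g. a clamp sensor read by a different host), so that a
controller whose feedback has been tampered with cannot hide a frequency
excursion from the operator.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Damage frequencies named on slide 23 of the deck.
DAMAGE_FREQUENCIES_HZ = (2.0, 1064.0)

# Constructed for this example; these are NOT values from the slides.
SAFE_BAND_HZ = (950.0, 1000.0)   # assumed permitted operating band
FEEDBACK_TOLERANCE_HZ = 10.0     # assumed max PLC-vs-sensor disagreement
MAX_SLEW_HZ_PER_S = 50.0         # assumed max legitimate change per second


@dataclass(frozen=True)
class Sample:
    t: int            # seconds since start of the trace
    plc_hz: float     # frequency the PLC/HMI reports to the operator
    sensor_hz: float  # frequency measured on an independent path


@dataclass(frozen=True)
class Alert:
    t: int
    kind: str
    detail: str


def check_samples(samples: Sequence[Sample]) -> List[Alert]:
    """Return one Alert per rule violation, in trace order."""
    alerts: List[Alert] = []
    lo, hi = SAFE_BAND_HZ
    prev = None
    for s in samples:
        # Rule 1: the independently measured frequency must stay in band.
        if not lo <= s.sensor_hz <= hi:
            alerts.append(Alert(s.t, "OUT_OF_BAND",
                                f"sensor {s.sensor_hz:.1f} Hz outside {lo:.0f}-{hi:.0f} Hz"))
        # Rule 2: the PLC's story must agree with the independent sensor.
        if abs(s.plc_hz - s.sensor_hz) > FEEDBACK_TOLERANCE_HZ:
            alerts.append(Alert(s.t, "FEEDBACK_MISMATCH",
                                f"PLC reports {s.plc_hz:.1f} Hz, sensor measures {s.sensor_hz:.1f} Hz"))
        # Rule 3: a real drive cannot jump faster than its ramp allows.
        if prev is not None:
            dt = max(s.t - prev.t, 1)
            slew = abs(s.sensor_hz - prev.sensor_hz) / dt
            if slew > MAX_SLEW_HZ_PER_S:
                alerts.append(Alert(s.t, "SLEW_RATE", f"{slew:.1f} Hz/s change on sensor"))
        prev = s
    return alerts


def summarize(alerts: Sequence[Alert]) -> Dict[str, int]:
    """Count alerts by kind, for a quick dashboard line."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


# Constructed telemetry: steady state, then the PLC keeps reporting a normal
# value while the drive is actually driven to the slide-23 frequencies.
SAMPLE_TRACE = [
    Sample(0, 975.0, 974.8),
    Sample(1, 975.0, 975.1),
    Sample(2, 975.0, 1064.0),  # sensor sees 1064 Hz, PLC still says 975
    Sample(3, 975.0, 1064.2),
    Sample(4, 975.0, 2.0),     # sensor sees 2 Hz, PLC still says 975
    Sample(5, 975.0, 975.0),   # back to normal
]

if __name__ == "__main__":
    for a in check_samples(SAMPLE_TRACE):
        print(f"t={a.t:>3}s {a.kind:<17} {a.detail}")
    print(summarize(check_samples(SAMPLE_TRACE)))
```

The value of the design is in rule 2: rules 1 and 3 can be satisfied by a controller that lies consistently, but a tampered PLC cannot also falsify a sensor it does not control, so the mismatch alert fires even when the HMI looks perfectly calm.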
  24. Command & Control
  25. Distribution
  26. Infection Statistics: infected hosts as of 29 September 2010, from Symantec
  27. Top Countries
  28. Siemens Infections: Distribution of Infected Systems with Siemens Software (bar chart by country; bar values 67.60, 12.15, 8.10, 4.98, 2.18, 2.18, 1.56, 1.25 percent)
  29. Result: Attack Critical Infrastructure
  30. Target?
     • Natanz enrichment
     • Bushehr Nuclear Plant
     • 60%+ infections in Iran
     • No commercial gain
     • Self-destruct date
     • Siemens PLC
     • Target: Nuclear Program (enrichment, plant)
  31. Siemens Response (Source: WSJ, NY Times, eWeek)
  32. SCADA Impact
  33. Does your Critical Infrastructure Flunk the Security Check?
  34. 18 Critical Infrastructure Sectors: Homeland Security Presidential Directive 7 (HSPD-7), along with the National Infrastructure Protection Plan (NIPP), identified and categorized U.S. critical infrastructure into the 18 CIKR sectors
  35. Cross-Sector Interdependencies
     • Control systems security is not sector specific
     • Connectivity crosses geographic boundaries
     • Sectors are not operationally isolated
  36. STRATEGY
  37. Holistic Approach to Security
  38. Questions: jorge.sebastiao@gmail.com
