As I mentioned in a previous blog post, Wired Magazine reported it would take a nation state to pull off a takedown of the electric grid. Actually, Mother Nature, backhoes, and potentially a worm have had major impacts in the past, but the recent use of the LNK file vulnerability shows it doesn't take the brightest to penetrate at least some SCADA plants.

Pierre-Marc Bureau just blogged that ESET researchers found another Stuxnet driver, this one signed with the digital certificate of a company that has an office in the same science park as Realtek. This points more and more to an entity with significantly less sophistication than a nation state.

Let's start with the actual LNK exploit. I would imagine there is at least one intelligence person somewhere in the world with the singular goal of finding and executing whoever used the vulnerability the way they did. It isn't an affinity for SCADA systems that has them angry, it is the waste of an NSA-grade exploit. This was a very, very potent weapon. In the hands of a skilled professional an exploit of this grade would do something like install remote access software on a target PC and then eliminate all traces of its existence. Think spy novel… Malicious files carrying the LNK vulnerability are left on a USB drive for the target to plug into their PC. Immediately an undetected bot is installed along with a rootkit, and the .lnk files are wiped from the drive. Why? Because you don't want anyone to know that you can infect their computer just by having them look at the contents of the USB drive. By coupling this exploit with self-replication, making it a worm, the exploit is spread all over the world and is certain to be discovered. Whoever is behind Win32/Stuxnet did not realize what they actually had or how valuable it really was.

Well, there is another explanation. By making the malware spread all over the place they could obscure a specific target. Perhaps the attacker was going after one specific target and everything else was collateral damage. Possible, but still, you don't waste an exploit this valuable in that manner.

The next thing that points to less sophistication is the use of stolen digital certificates from two companies with offices in the same office complex. This increasingly points to a physical theft, which dramatically reduces the pool of suspects. Who has physical access to sensitive computers at both companies? An employee working two jobs? A janitor? A security guard? One can't rule out two separate insider attacks, but even then there is probably a common contact.

ESET has added generic detection for the LNK vulnerability and for the rootkit itself. The results may lead to more clues as to who was behind the attacks. If we do find out, I am going to bet there is no link to a nation state. If there is a link, then I bet the programmer doesn't live to tell about it. Why? Not to hide the link, but as punishment for wasting such a valuable exploit.
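As an added example, not ESET's detection logic and not code from the original post, here is a heuristic triage script of the kind an incident responder might run against a mounted USB stick. The background it assumes: the LNK vulnerability fires when Explorer renders a shortcut's icon by loading the library (a .dll or .cpl) named in the shortcut's LinkTargetIDList, so a shortcut whose item list names such a library deserves a closer look. The shortcuts produced by build_lnk() are constructed test fixtures, not real samples; the script parses only the ShellLink header and LinkTargetIDList and is a triage aid, not a substitute for signature detection.

```python
"""Triage shortcuts on removable media for the LNK abuse described above.

Added example, not ESET's detection logic. Background assumed here: the
vulnerability fires when Explorer renders a shortcut's icon by loading the
library (a .dll or .cpl) named in the shortcut's LinkTargetIDList, so a
.lnk whose item list names such a library is worth a look. The sample
shortcuts built by build_lnk() are constructed test data, not real samples.
"""
import re
import struct
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_LINK_TARGET_ID_LIST = 0x00000001
LINK_FLAGS_OFFSET = 0x14  # HeaderSize (4 bytes) + LinkCLSID (16 bytes)

# Libraries the shell would load to draw an icon; other targets are left alone
SUSPICIOUS_TARGET = re.compile(r"\.(dll|cpl)\b", re.IGNORECASE)


def is_lnk(data: bytes) -> bool:
    """True if data starts with a well-formed ShellLink header."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def id_list_items(data: bytes):
    """Yield the Data field of each ItemID in the LinkTargetIDList, if present."""
    flags = struct.unpack_from("<I", data, LINK_FLAGS_OFFSET)[0]
    if not flags & FLAG_HAS_LINK_TARGET_ID_LIST or len(data) < LNK_HEADER_SIZE + 2:
        return
    id_list_size = struct.unpack_from("<H", data, LNK_HEADER_SIZE)[0]
    pos = LNK_HEADER_SIZE + 2
    end = min(pos + id_list_size, len(data))
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size < 2:          # TerminalID (0) or a corrupt size: stop walking
            break
        yield data[pos + 2:pos + item_size]
        pos += item_size


def printable_strings(blob: bytes):
    """Extract ASCII and UTF-16LE runs of at least four printable characters."""
    for m in re.finditer(rb"[\x20-\x7e]{4,}", blob):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){4,}", blob):
        yield m.group().decode("utf-16-le")


def lnk_indicators(data: bytes) -> dict:
    """Summarise one shortcut: is it a .lnk, what does its item list name,
    and does any of that point at a library the shell would load."""
    result = {"is_lnk": is_lnk(data), "targets": [], "suspicious": False}
    if not result["is_lnk"]:
        return result
    for item in id_list_items(data):
        for text in printable_strings(item):
            result["targets"].append(text)
            if SUSPICIOUS_TARGET.search(text):
                result["suspicious"] = True
    return result


def scan_tree(root) -> dict:
    """Run lnk_indicators over every .lnk under root (e.g. a mounted USB stick)."""
    return {str(p): lnk_indicators(p.read_bytes()) for p in Path(root).rglob("*.lnk")}


def build_lnk(target: str, utf16: bool = True) -> bytes:
    """Construct a minimal ShellLink with a single ItemID naming `target`.
    Test fixture only: real shortcuts carry several items and more sections."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<I", FLAG_HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    payload = target.encode("utf-16-le") + b"\x00\x00" if utf16 else target.encode("ascii") + b"\x00"
    item = struct.pack("<H", 2 + len(payload)) + payload
    id_list = item + b"\x00\x00"                      # TerminalID closes the list
    return header + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    # Constructed samples: an ordinary document shortcut and one naming a DLL
    for name, blob in [("report.lnk", build_lnk(r"C:\Users\alice\report.docx", utf16=False)),
                       ("usb_shortcut.lnk", build_lnk(r"\\.\STORAGE#Volume#payload.dll"))]:
        print(name, lnk_indicators(blob))
```

Point scan_tree() at the root of the removable drive and review anything marked suspicious. Legitimate Control Panel shortcuts also name a .cpl or .dll, so a hit is a reason to pull the file for analysis, not proof of infection; the value of the check is that it looks at what the shortcut would make the shell load rather than at any one sample's hash.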

Randy Abrams
Director of Technical Education
ESET LLC