It Wasn’t an Army

As I mentioned in a previous blog, Wired Magazine reported it would take a Nation State to pull off a takedown of the electric grid. Actually, Mother Nature, backhoes, and potentially a worm have had major impacts in the past, but the recent use of the LNK file vulnerability shows it doesn’t take the brightest to penetrate at least some SCADA plants.

Pierre-Marc Bureau just blogged of ESET researchers finding another of the Stuxnet worm drivers that were signed with the digital certificate of a company that has an office in the same science park as Realtek. This is pointing more and more to an entity with significantly less sophistication than a Nation State.

Let’s start with the actual LNK exploit. I would imagine there is at least one intelligence person somewhere in the world with the singular goal of finding and executing whoever used the vulnerability as they did. It isn’t an affinity for SCADA systems that has them pissed off; it is the waste of an NSA grade exploit. This was a very, very potent weapon. In the hands of a skilled professional an exploit of this grade would do something like install remote access software on a target PC and then eliminate all traces of its existence. Think spy novel… Malicious files with the LNK vulnerability are left on a USB drive for the target to put in their PC. Immediately an undetected bot is installed with a rootkit and the LNK files are wiped from the drive. Why? Because you don’t want anyone to know that you can infect their computer just by having them look at the contents of the USB drive. By coupling this exploit with self-replication, a worm, the exploit is all over the world and certain to be discovered. Whoever is behind win32Stuxnet did not even realize what they actually had and of what value it really was. Well, there is another explanation. By making the malware spread all over the place they could obscure a specific target. Perhaps the attacker was going after one specific target and everything else was collateral damage. Possible, but still, you don’t waste an exploit this valuable in that manner.

The next thing that points to less sophistication is using stolen digital certificates from companies with offices in the same office complex. This increasingly points to a physical theft. This dramatically reduces the pool of suspects. Who has physical access to sensitive computers at both companies? An employee working two jobs? A janitor? A security guard? One can’t rule out dual insider attacks, but even then there is probably a common contact.

ESET added generic detection for the LNK vulnerability and for the rootkit itself. The results of this may lead to more clues as to who was behind the attacks. If we do find out, I am going to bet there is no link to a Nation State. If there is a link, then I bet the programmer doesn’t live to tell about it. Why? Not to hide the link, but as punishment for wasting such a valuable exploit.

Randy Abrams
Director of Technical Education, ESET

  • Charles Jeter

    Randy, I love the reference to at least one intelligence person out there with the task to find and execute. :) I'm more in favor of the 'rendition' through the new FBI head Gordon Freeman err… Gordon Snowe.

  • MKZ

    Hi Randy,
    This exploit appears to be related to one found back in 2005. Where there is "smoke" there is typically fire. Someone could have discovered this vulnerability five years ago when the original LNK vulnerabilities were found.
    Microsoft Security Bulletin MS05-049
    Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725)


  • Johan

    Haha, I love the Half-Life series :) Though, Mr Snowe could probably change the last name if he wants, to Mr Freeman; that would be great. Haha

  • Randy Abrams

    While MS05-049 deals with 2 link file vulnerabilities, both required the user to do something to the link file. This one is related to the icon handler for link files. Yes, it is quite possible that somebody has known of this vulnerability for a long time.

  • Charles Jeter

    @ Johan: :) Yep, I'm a fan of the crowbar as well.

  • Rusty Road

    Isn’t it that the PoC exploit was publicly released by Ivanlef0u?

    Since then, it was all up for grabs for whoever wants to spread their version of trojans, which I would think they have had already for some time but could not find the perfect weapon to propagate it.

    In the thriller you described, the target is then Ivanlef0u?

    Not necessarily right?

  • Randy Abrams

    I believe that Ivanlef0u released code after Stuxnet and the .LNK vulnerability had been discovered. It is hardly a PoC if we all know it works already. This is sample code, not PoC.

  • Frodo Baggins

    I'm perplexed that everyone seems to think that because the USB exploit was discovered in the code, that it was the manner by which it arrived. There is no rational obstruction to the possibility that the StuxNet worm was introduced simultaneously as an "upgrade" into previously compromised machines based upon their geographic locale.
    StuxNet is not inconceivably a cleaved portion of a much larger pool of compromised machines that have been re-tasked.
    The programmer responsible for compiling the production rootkit is so far removed from where the fingers are being pointed, that they will die of either laughter, or old age before anyone comes knocking.
    Except for the risk that StuxNet poses as a proof of concept, its maiden flight was a windfall for the world at large. The future risk lies in its value as a template for modification as well as inspiration.


Copyright © 2016 ESET, All Rights Reserved.