The hot news http://blog.eset.com/2010/07/17/windows-shellshocked-or-why-win32stuxnet-sux is of a zero-day vulnerability that has been used to attack SCADA systems. This comes hot on the heels of an article on the Wired web site titled “Hacking the Electric Grid – You and What Army” http://www.wired.com/dangerroom/2010/07/hacking-the-electric-grid-you-and-what-army/. So clearly Wired had already predicted the origins, at least vaguely, of Win32/Stuxnet.
I really don’t know where this worm came from or what the real motivation was, but there are several interesting aspects to this story. Let’s start with the fact that this attack exploited a very, very valuable zero-day vulnerability. This vulnerability that allows a .LNK file to be executed by simply plugging in a USB drive and viewing the directory was not publicly known and probably could have been sold for hundreds of thousands of dollars, if not a million dollars or more to a government, major corporation, or criminal group. This is an extremely valuable attack mechanism. If the rogue antivirus folks had gotten a hold of this vulnerability first they would have probably had a massive increase in revenue. But, this was far too valuable a vulnerability to expose as rapidly as a full frontal assault on the average PC would result in. Do expect to see this vulnerability exploited by the rogue AV folks though, lots of people will fail to patch when a patch is available. If the Zeus banking Trojan gang had gotten a hold of this exploit first it would likely have netted the gang hundreds of millions of dollars before people figured out what was going on. It would have easily been worth a million dollars to that gang to be the first to have this zero-day. Again, there is little doubt that now the vulnerability is known, Zeus will be exploiting it.
The next interesting fact is that the malware was digitally signed with a certificate belonging to Realtek. Realtek is a corporation headquartered in Taiwan. Taiwan has long alleged that mainland China has been hacking their systems. This tends to make an argument for the origins of the attack coming from China, but an insider in Realtek could also have been paid by any number of organizations to deliver the digital certificate and private keys. There really isn’t enough information to incriminate or point fingers at China, but the angle should not go unobserved.
Another interesting angle is that this is a worm, it spreads. For a truly targeted attack it would have been coded to make specific checks to see that it only ran where it was supposed to and did not spread. Spreading increases the odds of detection. If the attack was aimed at only US systems, then the attacker would not want the code appearing all over the world. This fact might indicate a number of potential attackers. A terrorist organization can recruit people with the intelligence to find such a vulnerability. The ability to attack power grids throughout the world would be very appealing to terrorist groups. Terrorist groups are not the only ones who might want widespread access to SCADA systems though. A company that competes to sell SCADA software or hardware might find it of great value to gain detailed information about the environments of potential customers and know what the shortcomings of their competitors products are. This could well be worth investing a bunch of money of a zero-day as valuable as the .LNK vulnerability. Still, a targeted attack cannot be completely ruled out as the attacker can ignore the data from systems they are not interested in.
Let’s take a look at the distribution of the worm. How did a worm such as this get such widespread distribution? This is where I’ll put odds that the worm was first introduced at an international SCADA conference. Recently at AusCERT IBM distributed infected USB drives. At another security conference one of my USB drives became infected from the PC that the presenters used to present their papers.
This worm almost certainly required knowledge of one or more people familiar with SCADA systems. The Wired article stated that “To start, these systems are rarely connected directly to the public Internet. And that makes gaining access to grid-controlling networks a challenge for all but the most dedicated, motivated and skilled — nation-states, in other words.” In reality, gaining access doesn’t mean physical access or network access at the outset is required, it can be as easy as handing out USB devices at an industry conference. Targeting one or more SCADA conferences keeps the initial spread of the worm inside of the desired target audience, which helps delay the discovery of the use of the exploit. If the desire is to glean information from several countries, then it is far more cost effective to bring the malware to a conference where targeted professionals from all over the world are present. A company targeting such people has plausible deniability of knowledge if the malware is found on USB drives with their marketing materials.
It may never come to light where the worm originated from, where the stolen data was ultimately destined for, or what the motivation of the attacker was, but clearly, there are a number of potential players who had the means and motivation to pull this off.
One final observation… The worm infects computers that are not running SCADA software. The presence of the worm in many countries does not alone indicate that the SCADA systems in those countries were compromised, it means they may have been attacked. If a power plant employee took an infected USB stick home, but never brings external devices to work, then the worm doesn’t get in. Policy, software, hardware, and other layers of defense may have prevented the worm from actually penetrating the power grids in many countries that we see reporting infections. Infection rates from the various companies may very well be unrelated to the compromise rate of SCADA systems in those countries.
All in all, if I had to bet, I would side with Wired. It was Colonel Mustard, in the lobby, with an iPhone 4.
Director of Technical Education
Author ESET Research, We Live Security