Which Army Attacked the Power Grids?

The hot news http://blog.eset.com/2010/07/17/windows-shellshocked-or-why-win32stuxnet-sux is of a zero-day vulnerability that has been used to attack SCADA systems. This comes hot on the heels of an article on the Wired web site titled “Hacking the Electric Grid – You and What Army” http://www.wired.com/dangerroom/2010/07/hacking-the-electric-grid-you-and-what-army/. So clearly Wired had already predicted the origins, at least vaguely, of Win32/Stuxnet.

I really don’t know where this worm came from or what the real motivation was, but there are several interesting aspects to this story. Let’s start with the fact that this attack exploited a very, very valuable zero-day vulnerability. This vulnerability that allows a .LNK file to be executed by simply plugging in a USB drive and viewing the directory was not publicly known and probably could have been sold for hundreds of thousands of dollars, if not a million dollars or more to a government, major corporation, or criminal group. This is an extremely valuable attack mechanism. If the rogue antivirus folks had gotten a hold of this vulnerability first they would have probably had a massive increase in revenue. But, this was far too valuable a vulnerability to expose as rapidly as a full frontal assault on the average PC would result in. Do expect to see this vulnerability exploited by the rogue AV folks though, lots of people will fail to patch when a patch is available. If the Zeus banking Trojan gang had gotten a hold of this exploit first it would likely have netted the gang hundreds of millions of dollars before people figured out what was going on. It would have easily been worth a million dollars to that gang to be the first to have this zero-day. Again, there is little doubt that now the vulnerability is known, Zeus will be exploiting it.

The next interesting fact is that the malware was digitally signed with a certificate belonging to Realtek. Realtek is a corporation headquartered in Taiwan. Taiwan has long alleged that mainland China has been hacking their systems. This tends to make an argument for the origins of the attack coming from China, but an insider in Realtek could also have been paid by any number of organizations to deliver the digital certificate and private keys. There really isn’t enough information to incriminate or point fingers at China, but the angle should not go unobserved.

Another interesting angle is that this is a worm, it spreads. For a truly targeted attack it would have been coded to make specific checks to see that it only ran where it was supposed to and did not spread. Spreading increases the odds of detection. If the attack was aimed at only US systems, then the attacker would not want the code appearing all over the world. This fact might indicate a number of potential attackers. A terrorist organization can recruit people with the intelligence to find such a vulnerability. The ability to attack power grids throughout the world would be very appealing to terrorist groups. Terrorist groups are not the only ones who might want widespread access to SCADA systems though. A company that competes to sell SCADA software or hardware might find it of great value to gain detailed information about the environments of potential customers and know what the shortcomings of their competitors products are. This could well be worth investing a bunch of money of a zero-day as valuable as the .LNK vulnerability. Still, a targeted attack cannot be completely ruled out as the attacker can ignore the data from systems they are not interested in.

Let’s take a look at the distribution of the worm. How did a worm such as this get such widespread distribution? This is where I’ll put odds that the worm was first introduced at an international SCADA conference. Recently at AusCERT IBM distributed infected USB drives. At another security conference one of my USB drives became infected from the PC that the presenters used to present their papers.

This worm almost certainly required knowledge of one or more people familiar with SCADA systems. The Wired article stated that “To start, these systems are rarely connected directly to the public Internet. And that makes gaining access to grid-controlling networks a challenge for all but the most dedicated, motivated and skilled — nation-states, in other words.” In reality, gaining access doesn’t mean physical access or network access at the outset is required, it can be as easy as handing out USB devices at an industry conference. Targeting one or more SCADA conferences keeps the initial spread of the worm inside of the desired target audience, which helps delay the discovery of the use of the exploit. If the desire is to glean information from several countries, then it is far more cost effective to bring the malware to a conference where targeted professionals from all over the world are present. A company targeting such people has plausible deniability of knowledge if the malware is found on USB drives with their marketing materials.

It may never come to light where the worm originated from, where the stolen data was ultimately destined for, or what the motivation of the attacker was, but clearly, there are a number of potential players who had the means and motivation to pull this off.

One final observation… The worm infects computers that are not running SCADA software. The presence of the worm in many countries does not alone indicate that the SCADA systems in those countries were compromised, it means they may have been attacked. If a power plant employee took an infected USB stick home, but never brings external devices to work, then the worm doesn’t get in. Policy, software, hardware, and other layers of defense may have prevented the worm from actually penetrating the power grids in many countries that we see reporting infections. Infection rates from the various companies may very well be unrelated to the compromise rate of SCADA systems in those countries.

All in all, if I had to bet, I would side with Wired. It was Colonel Mustard, in the lobby, with an iPhone 4.

Randy Abrams
Director of Technical Education

Author , ESET

  • kurt wismer

    i can't help but notice a stark contrast in tactics between the apparent targeting of SCADA systems with high value home-grown exploits for 0day vulnerabilities and the deployment of the attack as a self-replicator (worm). those really don't fit together very well.

  • Randy Abrams

    Yes, very astute observation. Someone wasted an NSA grade exploit by coupling it with uncontrolled self-replication. Not the sharpest tool in the shed, but maybe they got what they were after and didn't realize they were using a gold shovel to dig up copper.

  • jay

    NSA grade exploitation is really along the lines of crypto breakage and advanced physical backbone transport layer deconstruction and transient environment analysis. This is merely intermediate level collegiate exploitation, or second world intelligence agency hackery, though admirable due to the breadth of influences, from multiple cert stealing all the way to the SCADA tools. I would fully expect to see the exploit sitting firmly in many SCADA farms at this time due to careless bridging and end-user misuse of resources anyway.

  • Randy Abrams

    By NSA level, I meant used very clandestinely. These people probably didn't know what they were sitting on. I wouldn't be surprised if they could have made more money selling the exploit than the way they used it.

  • Carmine in New Jersey

    Seems all has worked out for the best…..amazing how the knowledge of Stuxnet has changed since last comment here on July 19th 2010……..Stuxnet should say….ICE-CERT WAS HERE………..Have a nice day!

Follow us

Copyright © 2018 ESET, All Rights Reserved.