Monday, October 18, 2010

Stuxnet Update V: Surviving Stuxnet and its Offspring

Though I wouldn't look for a movie version any time soon, the story of the Stuxnet worm keeps getting more and more mysterious, like a Da Vinci Code for Smart Grid and other cyber sleuths.

At the IEEE Smart Grid Survivability workshop held at SEI in Arlington, VA last week, we had a front row seat for a great presentation by Symantec's Liam O'Murchu, one of three Stuxnet reverse engineers Symantec has had on the case for over three months straight.

Though I've been following Stuxnet on the SGSB (first post HERE) since shortly after it surfaced (well after it was born circa 2009), Liam provided some insights that surprised all of us I think, including:
  • To escape detection while targeting every Windows OS from 2000 to 7, the attack team purchased each and every version of all anti-virus products for each OS and then designed Stuxnet to ensure it wouldn't be noticed by any of them
  • Stuxnet is evolving its capabilities to infect systems and replicate within an organization, yet its payload remains unchanged. Meaning: the target remains the same ... and maybe the attackers aren't yet satisfied they've accomplished their mission
  • On the human-interest side, he noted that the reverse engineering paths he and his colleagues have been following are the same or similar to those blazed by the team who crafted the attack
  • Though lots of evidence points that way, Symantec (unlike Ralph Langner and others) is not ready to say that Iran's nuclear operations are the only or primary target of Stuxnet. There are still several parts of Stuxnet they've yet to crack, and their research continues
  • In addition to phenomenal anti-virus evasion techniques, Stuxnet includes lots of other stealth approaches and myriad attack strategies for getting past OS defenses, through firewalls, escalating its privileges, and much, much more
In short, no matter how solid an org's security policies, no matter the level of adherence to defense in depth principles and security best practices, no matter how much security technology was deployed and how up-to-date it was kept, it is very likely that Stuxnet would have found a way in. We're very lucky that the apparent target doesn't seem to include systems important to the US or our allies. This is clearly focused on very, very specific control elements like certain make/model pumps and actuators. If it doesn't find exactly what it wants, it does nothing else. It's polite. That's good news. So we got our wake-up call.

But the bad news is that for aspiring bad guys, Stuxnet is a master class, a surprising visit from "attacks of the future" to present day 2010 on how to do more damage than you ever thought possible. We'll see Stuxnet again, and if it's pointed at us (US utilities, other industrial operators) next time the payload may be quite different.

Written by Liam and team, Symantec's 51-page Stuxnet Dossier remains the definitive document on Stuxnet.  We'll be hearing more from them as they (and others) make new discoveries, but there's already plenty of info available now on how to begin hardening your org against the future spawn of Stuxnet, even if those defenses might be less than complete.

Photo credit: Digipam on Flickr
