Tag Archives: SCADA

Countdown to Zero Day—Did Stuxnet escape from Natanz?

Symantec’s analysis on the Stuxnet worm features in new Kim Zetter book.

Today, Kim Zetter released her book, “Countdown to Zero Day”. The book recounts the story of Stuxnet’s attempt to sabotage Iran’s uranium enrichment program. The work that Eric Chien, Nicolas Falliere, and I carried out is featured in the book. During the process of writing the book, Kim interviewed us on many occasions and we were lucky enough to be able to review an advanced copy.

countdowncover.png
Figure 1. Kim Zetter’s new book, “Countdown to Zero Day”

In the chapter 17 of the book, “The Mystery of the Centrifuges”, Kim talks about how Stuxnet infections began in Iran, identifying several companies where she believes the infections originated.

“To get their weapon into the plant, the attackers launched an offensive against four companies. All of the companies were involved in industrial control processing of some sort, either manufacturing products or assembling components or installing industrial control systems. They were likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees”

This is a different story from the one that David Sanger’s sources painted in his New York Times article and in his book “Confront and Conceal”. Sanger states:

“. . . an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed [Stuxnet] to escape Iran’s Natanz plant and sent it around the world on the Internet.”

So which is right? Did Stuxnet originate outside of Natanz and spread all over the world with the hopes of eventually entering Natanz? Or did Stuxnet start inside of Natanz and accidentally escape due to a programming error?

Tracing the spread of Stuxnet
We actually covered how Stuxnet originated in a blog post in February 2011. Let’s start with whether it is possible to track Stuxnet’s origin back to specific companies in Iran.

Normally, it would not be possible to state with 100 percent accuracy where an infection started. However, in the case of Stuxnet version 1.x, the attackers left a trail behind which allows analysts to trace the specific genealogy of each sample. This is possible because every time Stuxnet executes, it records some information about the computer it is executing on and stores that within the executable file itself, creating a new unique executable in the process. As a result, every unique executable contains an embedded and ordered list showing the computers it has previously infected. As Stuxnet spreads from computer to computer, the list grows and grows. By examining this list, we can trace back from one entry to the next, extracting computer information from each entry. These are the breadcrumbs we can follow to get back to the original compromised computers.

What do the breadcrumbs look like?
Each entry in the list looks like the data shown in the following image. Although this may not make sense at first, by analyzing the code within Stuxnet, we can find out what each number represents.

stuxnetentry.png
Figure 2. List entry of compromised computers

Among other information, the computer name, domain name, date, and IP address are stored in each entry. We can extract information from previous data, which is shown in the following image.

stuxnetentrydetails.png
Figure 3. Details stored in each entry

By looking at each entry in the list embedded in any sample, we can see how the threat moved from one computer to the next. The real computer names and domains have been anonymized.

Figure 4. List of compromised computers from one sample shows how Stuxnet spread

In the previous image, we can see Stuxnet’s path through the first six compromised computers. This information was extracted from one sample. When we look at the first six infections from a different sample, we get the following path.

stuxnetpatha.png
Figure 5. List of compromised computers from another sample shows different movement pattern

The two samples’ first four entries are the same but after that, the samples moved in two different directions. At the fifth step, one sample compromised a computer on the WORKGROUP domain while the other sample compromised a computer on the MSHOME network.

Using this data, we graphed the spread of Stuxnet infections. See pages eight to ten of our Stuxnet whitepaper for more details.

stuxnetpathb.png
Figure 6. Spread of Stuxnet infections

Many computers and domains used generic names that do not provide much insight into the targets. For example, WORKGROUP and MSHOME—two default workgroup names—appear very frequently in the breadcrumb logs. However, we were able to identify all of the places where Stuxnet infections originated, and they were all in Iran.

The verdict
So did Stuxnet spread into Natanz as Zetter says or escape out of Natanz as Sanger reported?

Based on the analysis of the breadcrumb log files, every Stuxnet sample we have ever seen originated outside of Natanz. In fact, as Kim Zetter states, every sample can be traced back to specific companies involved in industrial control systems-type work.

This technical proof shows that Stuxnet did not escape from Natanz to infect outside companies but instead spread into Natanz.

Unfortunately, these breadcrumbs are only available for Stuxnet version 1.x. There was at least one previous version of Stuxnet released, version 0.5 (which we analyzed in our whitepaper), for which this infection path information is not available.

While version 0.5, which did not spread as aggressively as version 1.x, could have been planted inside Natanz and then spread outwards, this version was no longer operational during the conversation timeframe (the summer of 2010) outlined in the Sanger article. As a result, it is unlikely the 0.5 version is the subject of his article.

To make up your own mind, you should read Kim Zetter’s “Countdown to Zero Day”, which is out today.

Ataques Dirigidos al Sector Energético

La energía es crucial para mantener nuestro estilo de vida moderno, por ello resulta inquietante el incremento anual de intentos de ataques reportados contra las compañías e industrias que la proveen. En la primera mitad de 2013, el sector energético fue el quinto más atacado a nivel mundial, recibiendo el 7.6 por ciento de todos los intentos de ciberataquesen el mundo, lo que se traduce en siete ataques dirigidos por día. Por ello no es de sorprender que en mayo de 2013 el Departamento de Seguridad Nacional de Estados Unidos de América advirtió sobre un incremento en la ola de ataques orientados a sabotear los procesos en las compañías energéticas. En Symantec, nuestros investigadores descubrieron que las empresas tradicionales de servicios públicos de energía están particularmente preocupadas por los escenarios creados por amenazas como Stuxnet o Disttrack / Shamoon, los cuales pueden sabotear instalaciones industriales.

En este escenario estamos aprendiendo que los agresores que tienen como blanco al sector energético también intentan robar propiedad intelectual sobre nuevas tecnologías, como generadores de energía eólica y solar, o diagramas de exploración de campos de gas. Si bien los incidentes de robo de datos pueden no representar una amenaza inmediata y catastrófica para una organización, pudieran ser aprovechados para crear una amenaza estratégica a largo plazo y la información robada podría ser utilizada en el futuro para realizar acciones más dañinas.

La motivación y origen de los ataques dirigidos a este sector pueden ser variable; desde la solicitud de un competidor para tomar acciones contra compañías de energía con el fin de ganar una ventaja de forma sucia, hasta grupos de “hackers a sueldo” como la agrupación Hidden Lynx  que están más que dispuestos a realizar este tipo de acciones. También se pueden encontrar hackers patrocinados por naciones para atacar empresas de energía, en un intento por desactivar infraestructura crítica; los grupos de “hacktivistas” también pueden atacar a las empresas para promover sus propios objetivos políticos. En este sentido los investigadores de Symantec saben que las amenazas pueden provenir de cualquier parte del mundo, y algunas veces, los responsables pueden estar familiarizados con los sistemas de la empresa e incluso dentro de la misma compañía, con la intención de llevar a cabo ataques para extorsionar, sobornar o como venganza. Las interrupciones en la operación también pueden simplemente ocurrir por accidente, como una mala configuración o un problema del sistema, por ejemplo en mayo de 2013, la red eléctrica en Austria estuvo cerca de sufrir un apagón debido a un problema de configuración.

Nuestras investigaciones han encontrado que los sistemas de energía modernos se están volviendo más complejos. Existen controles de supervisión y de adquisición de datos (SCADA, por sus siglas en inglés) o sistemas de control industrial (ICS, por sus siglas en inglés) que se sitúan fuera de los muros de protección tradicional. Conforme la tecnología de redes inteligentes siga ganando impulso y más sistemas nuevos de energía estén conectados al Internet de las cosas, se podrían abrir nuevas vulnerabilidades de seguridad relacionadas con tener un sinnúmero de dispositivos conectados a Internet. Adicionalmente, muchos países han comenzado a abrir su mercado energético y han añadido pequeños contribuyentes a la red de energía eléctrica, como plantas hidroeléctricas privadas, turbinas eólicas o colectores solares. Si bien, estos sitios más pequeños representan sólo una pequeña parte de la red, las entradas de alimentación de energía descentralizada pueden ser un desafío para la gestión, y más si los recursos de TI son limitados, por lo cual se deben monitorear cuidadosamente con el fin de  evitar pequeños cortes o interrupciones, que podrían ocasionar un efecto dominó en las redes más grandes.

En este sentido vemos la necesidad de una estrategia colaborativa que combine la tecnología con componentes de seguridad industrial para proteger la información de la industria energética. Para contribuir con este esfuerzo, Symantec realizó un estudio amplio sobre los ataques que se llevaron a cabo en el sector energético durante los últimos 12 meses. La investigación presenta los hechos y las datos sobre impactos, además de incluir información sobre los métodos, motivaciones, y la historia de estos ataques.

Para descargar una copia del informe de clic aquí.

También preparamos la siguiente infografía con el fin de ilustrar algunos de los hechos clave alrededor de los ataques dirigidos al sector energético.

Infografia-Ataques-Sector-Energetico-SPA-LR.jpeg
 

Ataques contra o setor de energia

      No Comments on Ataques contra o setor de energia

A energia é crucial para o nosso estilo de vida moderno. Entretanto, relatos de tentativas de ataques virtuais contra as empresas fornecedoras estão aumentando a cada ano. No primeiro semestre de 2013, o setor de energia foi o quinto mais visado em todo o mundo, sendo alvo de  7,6 % de todos os ataques cibernéticos. Assim, não é surpreendente que, em maio de 2013, o Departamento de Segurança Interna dos EUA alertou para uma crescente onda de ataques que visavam sabotar processos em empresas de energia. Na Symantec, nossos pesquisadores descobriram que as concessionárias de energia tradicionais estão particularmente preocupadas com os cenários criados por ameaças como Stuxnet ou Disttrack / Shamoon, que podem danificar instalações industriais.

Nós também descobrimos que os agressores que têm como alvo o setor de energia ainda tentam roubar a propriedade intelectual sobre novas tecnologias, como geradores de energia solar ou eólica, ou ainda gráficos de exploração de campos de gás. Enquanto incidentes de roubo de dados podem não representar uma ameaça imediata e catastrófica para uma empresa, eles podem criar uma ameaça estratégica de longo prazo. Informações roubadas poderão ser usadas no futuro para realizar ações mais graves.

As motivações e origens de ataques podem variar consideravelmente. Um competidor pode “encomendar” ações danosas contra as empresas de energia para ganhar uma vantagem injusta. Há grupos de “hackers para contratar”, como o grupo Hidden Lynx, que estão mais do que dispostos a se engajar nesse tipo de atividade. Hackers patrocinados pelo Estado podem ter como alvo as empresas de energia em uma tentativa de desativar sua infraestrutura crítica. Grupos “hacktivistas” também podem vitimar empresas para promover seus próprios objetivos políticos. Pesquisadores da Symantec sabem que estas ameaças podem ser provenientes de todo o mundo e, por vezes, de dentro da própria empresa. Funcionários que estão familiarizados com os sistemas podem realizar ataques para extorsão, suborno ou vingança. Além disso, interrupções podem simplesmente acontecer por acidente, como um erro de configuração ou uma falha do sistema. Por exemplo, em maio de 2013, a rede de energia austríaca quase teve um apagão devido a um problema de configuração.

Nossa pesquisa concluiu que os sistemas de energia modernos estão se tornando mais complexos. Há controle de supervisão e aquisição de dados (SCADA), ou sistemas de controle industrial (ICS) que estão fora dos padrões de segurança tradicionais. E como a tecnologia smart grid , ou rede inteligente, continua a ganhar impulso, cada vez mais sistemas de energia serão conectados à Internet das Coisas, o que abre novas vulnerabilidades de segurança relacionadas a inúmeros dispositivos conectados. Além disso, muitos países começaram a abrir seu mercado de energia e adicionar contribuintes menores para a rede de energia elétrica, como usinas de água privada, turbinas eólicas ou painéis solares. Embora essas empresas menores representem apenas uma pequena parte da grade, a entrada de energia descentralizada pode ser um desafio para gerenciar os recursos de TI limitados e precisam ser cuidadosamente monitorados para evitar pequenas falhas que poderiam criar um efeito dominó em toda a grade maior.

Vemos a necessidade de uma abordagem colaborativa, que combine o componente industrial e a segurança para proteger as informações do setor. Para ajudar neste processo, a Symantec realizou um estudo em profundidade sobre ataques focados no setor de energia que ocorreram nos últimos 12 meses. Esta pesquisa apresenta fatos e números, e abrange os métodos, motivações e história desses ataques.

Faça o download do whitepaper.

O infográfico a seguir ilustra os principais pontos a respeito dos ataques contra as indústrias do setor de energia.

infographic_attacks.jpg

????????????

      No Comments on ????????????
エネルギーは、現代の生活になくてはならないものです。憂慮すべきことに、エネルギーを供給する企業や産業に対する攻撃未遂の報告は毎年増加しています。2013 年の上半期には、全世界で標的となった業界のうちエネルギー業界が上位 5 位を占め、サイバー攻撃全体の 7.6% に当たりました。したがって、2013 年 5 月に米国国土安全保障省が、エネルギー企業における工程の妨害を目的とした攻撃が増加傾向にあると警告したのも当然です。シマンテックの調査でも、産業施設の妨害が可能な Stuxnet や Disttrack/Shamoon などによって発生しうるシナリオについて、旧来のエネルギー企業は特に懸念しているという結果が出ています。
 
またシマンテックは、エネルギー業界を狙う攻撃者が、風力発電や太陽光発電などの新技術、あるいはガス田探査地図といった知的財産も盗み出そうとしていることも突きとめています。データ窃盗事案は、企業にとってすぐさま壊滅的な緊急事態になるとは限りませんが、長期的な戦略上の脅威となる恐れがあります。盗み出された情報は、今後さらに破壊的な活動を行うために利用されかねません。
 
攻撃の動機も発生源も多種多様です。競合他社が、不正に有利な立場に立とうとしてエネルギー企業に対する攻撃を仕掛ける可能性もあれば、Hidden Lynx グループのような「雇われハッカー」グループが、この手の活動に血道を上げている場合もあります。国家の支援を受けたハッカーが重要なインフラを停止させようとしてエネルギー企業を狙うこともある一方、ハックティビストグループが自らの政治的目標を達成するために企業を狙う場合もあります。シマンテックの調査では、こうした脅威は世界中の至るところで発生しており、ときには企業内に端を発しているケースもあることが判明しています。システムに精通したインサイダーであれば、恐喝、収賄、報復のために攻撃を実行することもできます。そして、設定の不備やシステム上の欠陥のような偶発事故が起きるだけでもシステムは停止に追いやられます。たとえば 2013 年5 月には、オーストリアの電力網が設定上の問題のためにブラックアウト寸前の事態になりました
 
シマンテックが調査したとおり、現在のエネルギーシステムは複雑化の一途をたどっています。従来のセキュリティウォールの外部には、SCADA(Supervisory Control And Data Acquisition)や、産業用制御システム(ICS)が控えています。その一方で、スマートグリッド技術は勢いが衰えず、新しいエネルギーシステムがますますモノのインターネットにつながるようになれば、接続される無数のデバイスに関連して新たなセキュリティ上の脆弱性も生まれてくるでしょう。しかも、多くの国や地域でエネルギー市場が開放され、自家用の水力発電、風力発電、太陽光発電など、電力グリッドには小さな企業が増えつつあります。こうした小規模な施設は電力網のごく一部にすぎませんが、分散型の電力供給は、限られた IT リソースで管理すべきひとつの課題と言えます。グリッドの広域にわたってドミノ倒しのような影響を及ぼしかねないため、わずかな停止も発生しないよう慎重に監視を行う必要があります。
 
IT と産業向けセキュリティを組み合わせて産業情報を保護する協力的なアプローチが必要であることは明白です。そうした取り組みに関与するために、シマンテックは過去 12 カ月間にエネルギー業界を狙って発生した攻撃について詳しい調査を実施しました。この調査では、エネルギー業界を狙う攻撃についての事実やデータが示され、攻撃の手法、動機、経緯なども明らかにされています。
 
 
以下の解説画像では、エネルギー業界の企業を標的とする攻撃について重要なポイントをまとめています。
 
AttacksAgainstEngerySectorInfoGraphic2014.png
 
 
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Attacks Against the Energy Sector

      No Comments on Attacks Against the Energy Sector
Energy is crucial to our modern lifestyle. Disturbingly, reports of attempted attacks against the companies and industries that supply it are increasing every year. In the first half of 2013, the energy sector was the fifth most targeted sector worldwide, experiencing 7.6 percent of all cyberattacks. So, it’s not surprising that in May 2013, the US Department of Homeland Security warned of a rising tide of attacks aimed at sabotaging processes at energy companies. At Symantec, our researchers are finding that traditional energy utility companies are particularly concerned about scenarios created by the likes of Stuxnet or Disttrack/Shamoon which can sabotage industrial facilities. 
 
We are also learning that aggressors who target the energy sector also try to steal intellectual property on new technology, like wind or solar power generators or gas field exploration charts. While data theft incidents may not pose an immediate and catastrophic threat to a company, they can create a longer term strategic threat. Information stolen could be used in the future to perform more disruptive actions. 
 
The motivations and origins of attacks can vary considerably. A competitor may commission actions against energy companies to gain an unfair advantage. There are “hackers for hire” groups such as the Hidden Lynx group, who are more than willing to engage in this type of activity. State-sponsored hackers could target energy firms in an attempt to disable critical infrastructure. Hacktivist groups may also victimize companies to further their own political goals. Symantec researchers know these threats can originate from all over the world and sometimes from within company walls. Insiders who are familiar with the systems can carry out attacks for extortion, bribery or revenge. And disruptions can simply happen by accident such as a misconfiguration or a system glitch. For example, in May 2013, the Austrian power grid nearly had a blackout due to a configuration issue.
 
Our research has found that modern energy systems are becoming more complex. There are supervisory control and data acquisition (SCADA) or industrial control systems (ICS) that sit outside of traditional security walls. And as smart grid technology continues to gain momentum, more new energy systems will be connected to the Internet of Things, which opens up new security vulnerabilities related to having countless connected devices. In addition to this, many countries have started to open the energy market and add smaller contributors to the electric power grid, such as private water power plants, wind turbines or solar collectors. While these smaller sites make up only a small portion of the grid, the decentralized power input feeds can be a challenge to manage with limited IT resources and need to be carefully monitored to avoid small outages that could create a domino effect throughout the larger grid. 
 
We see the need for a collaborative approach combining IT and industrial component security to protect the industry’s information. To partner in this effort, Symantec has conducted an in-depth study into attacks focused on the energy sector that took place in the past 12 months. This research presents the facts and figures, and covers the methods, motivations, and history of these attacks. 
 
 
The following infographic illustrates some of the key points around attacks against the industries in the energy sector.
 
AttacksAgainstEngerySectorInfoGraphic2014.png