Updated: May 7
As you study SCADA/ICS hacking and security, it is useful to look back at some of the most successful SCADA/ICS attacks in history. In this way, you may gain some insight as to how future attacks may attempt to infiltrate your industrial control systems.
Among the most famous and ingenious of these SCADA/ICS attacks became know as "Stuxnet". It was the first malicious code found to specifically attack SCADA/ICS systems. In this sticle, we will examine the anatomy of this very sophisticated attack-- even by standards of today.
Stuxnet was an Advanced Persistent Threat (APT) that was targeted at a specific manufacturing facility in Natanz, Iran. It took its unusual name from the string pf letters buried in its code (see the Strings window in IDA Pro). At at the time of its discovery, it was the most complex virus/worm ever discovered.
This very sophisticated worm exploited four previously unknown zero-day vulnerabilities in the Windows operating system. When Stuxnet infected a host, the first thing it did was to check to see whether the host was connected to industrial control system, specifically the Siemens Simatic S7 PLC. If it wasn't connected, it did little or no harm and continued on it way to infect other systems.
In retrospect, it has become clear that Stuxnet was a project of the US and Israeli governments to derail the Iranian efforts to develop nuclear weapons. To that end, it definitely was successful at delaying those efforts by many years (Iran still does not have nuclear weapons).
While the average virus is about 10k bytes in size, Stuxnet was over 500 KB !
While it is unusual for a virus to contain even one zero-day vulnerability, Stuxnet had four zero-day vulnerabilities.
Stuxnet also acted like a rootkit – hiding its actions and its presence.
It was the first virus to include code to attack Supervisory Control and Data Acquisition (SCADA) systems.
Stuxnet was discovered by a diligent and persistent security researcher, Sergey Ulasen, in June, 2010. At the time he discovered Stuxnet, he was working for a small Belarus anti-virus company (VirusBlokAda). One of their customers in Iran had been experiencing a number of BSOD (Blue Screen of Death) failures and asked Ulasen for help finding the cause.
His research into that problem led to the discovery of the Stuxnet.
The target environment (the uranium enrichment facility at Natanz) was expected to be an air-gapped network. The Stuxnet version, discovered in June, 2010, initially spread through flash drives. It contained *.lnk files on a flash drive that identifies a reference to a file (expected to be an icon). These were then used to reference a file on the flash drive that contained the virus.
The Stuxnet worm was 100% reliable in the targeted environment and led to no memory corruption. Once the .lnk performs it task of uploading the virus, it automatically hid the .lnk and source files (this zero-day was patched with MS10-046).
The removable drive contained:
1. 2 tmp files: file names variable (∑ mod 10 = 0)
2. WT4132.tmp – main DLL ~500KB
3. WT4141.tmp – loader for main dll ~25KB
4 .lnk files
Multiple links were needed to attack different versions of Windows (Windows 2000, Windows XP, Windows Server 2003, Vista, Windows 7)
How the Worm Propagated
The worm was craftily designed to only infect 3 hosts before erasing itself. In this way, it limited detection. An infected host then only infects another new removable drive if three conditions are met;
1. The flash drive is not already infected
2. The infection is less than 21 days old
3. The Flash drive has at least 5mb of available space
4. The flash drive has at least 3 files on it.
Carried by the Flash Drive
1.Copies to open file shares
2. Passed through vulnerable a print spooler code (zero-day vulnerability – MS 10-061)
3. Passed the RPC vulnerability found in Conficker (MS-08-067)
4. Created a vulnerable scheduled task, then modified the task and pads it until its CRC32 matches original task. (It will now run under scheduler.)
5. Creates rootkit for Vista+
6. Allows users to load different keyboard layouts. Can be loaded from anywhere. Load pointers and then transfer to code.
7. Creates rootkit for Windows XP.
Stuxnet Uses RPC
Some of the machines were expected to be network-isolated, but might have access to infected machines.
Stuxnet searches through a set of 5 programs that might be infected (depending on OS version, vulnerabilities, etc.)
Each infected machine searches for other infected machines (with RPC servers).
It then queries for the current virus (Stuxnet) version. If server has older version of Stuxnet, it then sends an update of the current version. Interestingly, Stuxnet used a hash collision of the Microsoft digital certificate so that the system believed that the update was coming directly from Microsoft.
Stuxnet Uploaded New Ladder Logic to Siemens PLC
Ladder logic is a visualization program to support design and development of supervisory control and data acquisition (SCADA) programs. In addition, this ladder logic included a database to store projects. This database included a hard-coded password – backdoor into the system.
Stuxnet modified a WinCC view to start virus .exe each time view is accessed.
Stuxnet then writes itself into a new table and creates a stored procedure that extracts and executes code, then deletes stored procedure
Searches through all user accounts and all shared drives to find access to remote machine.
If none found, will try Windows Management Instrumentation (WMI) to access shares and download a copy of the virus.
Virus uses a weakness in print spooler on shared machines to propagate an executable file.
File (%system%\winsta.exe) can be loaded to any machine that uses print spooler.
Only used if date is before 6/1/2011). Expect the vulnerability to be fixed by then??
Vulnerability had been published in 2009 edition of Hakin9 magazine – but not patched by Microsoft.
Patched in MS10-061
Patched as MS08-067
Patch had been available, but if machines not updated, this vulnerability is easy to exploit.
Virus verifies that date is before 1/1/2030 ??
Verifies that antivirus products are dated before 1/1/2009.
Verifies that kernel32.dll and netapi32.dll timestamps are before 10/12/2008.
Appears to be testing whether exploit is likely to be detected or not.
Virus records infection history – can track ancestors.
5 Different organizations targeted (all in Iran)
Represents ~12,000 out of ~100,000 hosts
Primary Infection 1 (version 1.000)– June 22, 2009
~360 infected hosts
Primary Infection 2 (version 1.100) – March 1, 2010
~8300 infected hosts
Primary Infection 3 (version 1.101) April 14, 2010
~3300 infected hosts
August,2010 –stopped recording infected sites from within Iran (link blocked to “sinkhole”).
Command and Control
Once the virus had successfully infected the target systems, it attempts to communicate to four Command & Control (C&C) servers. These were;
These four servers used http to communicate to the Command and Control (http-c2). The messages were then forwarded to another unknown server controlled by the Stuxnet developer (probably NSA). It was capable of uploading information and updates encrypted with AES using several different keys making it very difficult to decrypt.
As mentioned earlier, Stuxnet was very selective in its propagation. It only infected 3 machines from a single flash drive infection and then sought out the Siemens Step 7 development software. It then attempted to modify the programs used to control the Simatic PCS's.
Stuxnet then looked for PLC logic running frequency converters. It specifically looked for more than 155 converters running at a frequency between 800 and 1200 Hz.
Very few frequency converters in industry run at frequencies above 1000. (Uranium centrifuges are the exception)
Iran’s Natanz nuclear facility has (had) 160 frequency converters used to run their centrifuges.
Siemens Step7 development system used to build programs that run industrial controllers.
Virus modifies exe and dll files in the development environment to allow virus to download files into existing projects.
Projects are infected if:
Project has been accessed within the last 3.5 years
Project contains a wincproj folder
Project is not an example project (*\step7\examples)
Virus infects *.s7p and *.mcp files
Creates new *.tmp files that contain the virus.
Virus can verify virus version and update the infection (through RPC) if needed.
Test and development environment (like Visual Studio)
Used to develop programs to control programmable Logic Controllers
Can connect directly to PLCs to:
Once program is downloaded, Step7 can disconnect and PLC will function by itself.
Data Blocks (DB) contain program-specific data, such as numbers, structures, and so on.
¡System Data Blocks (SDB) contain information about how the PLC is configured. They are created depending on the number and type of hardware modules that are connected to the PLC.
Organization Blocks (OB) are the entry point of programs. They are executed cyclically by the CPU. In regards to Stuxnet, two notable OBs are:
OB1 is the main entry-point of the PLC program. It is executed cyclically, without specific time requirements.
OB35 is a standard watchdog Organization Block, executed by the system every 100 ms. This function may contain any logic that needs to monitor critical input in order to respond immediately or perform functions in a time critical manner.
Function Blocks (FC) are standard code blocks. They contain the code to be executed by the PLC. Generally, the OB1 block references at least one FC block.
Stuxnet copies original s7otbxdx.dll to s7otbxsx.dll
Stuxnet then inserts its own version of s7otbxdx.dll
Original library contains 109 different functions (exports)
93 exports unmodified (passed through to original library
Remaining 16 exports modified to change commands, hide data, etc.
Check PLC code for PLC type. Looking for 6ES7-315-2
If found, check SDB for Profibus communications processor CP342-5 (used to control a number of devices, including frequency converters).
Now, look for at least 33 specific freq. converters
Type code 7050H (part # KFC750V3 – frequency converter made by Fararo Paya (Iran)
Type code 9500H (Vacon NX frequency converter made by Vacon (Finland).
If above detected and #7050H > 9500H, use Sequence A
OB1 (main entry to PLC program) infection
Prepend infection to original code
Monitors flow of data between PLC program and controller station.
Modifies some instructions sent to PLC
Replaces some status data sent from PLC to controller.
Normal State sequence 1-2-3-4-5-1
Cycle may be adjusted if other controllers in the set have moved to a higher state.
Monitor traffic events (typically 60/min – max 186). Count events (cap at 60/min) until 1.1 million observed (~13 days)
Expecting a base frequency of 1064 Hz.
Seems to be only a delay of 2 hours.
Sequence 1 – set frequency to 1410 Hz; Wait 15 minutes
Sequence 2 – set frequency to 2 Hz; Wait 50 minutes
Set frequency to 1064 Hz
Reset event counter and wait for ~2.3 million events (~26.6 days)