Countdown to Zero Day by Kim Zetter
Stuxnet and the Launch of the World's First Digital Weapon
In January 2010, inspectors with the
International Atomic Energy Agency noticed that centrifuges at an Iranian
uranium enrichment plant were failing at an unprecedented rate. The cause was a
complete mystery—apparently as much to the technicians replacing the
centrifuges as to the inspectors observing them.
A small anti-virus firm in Belarus (VirusBlokAda) got a call from its resellers in Iran, who reported a persistent problem with a customer's machine in that country. The infected computer was caught in a reboot loop, crashing and rebooting repeatedly while defying the efforts of technicians to bring it under control.
The Belarus team identified malware that spreads via USB flash drives. Even though the team had seen similar infections before, this one was very peculiar. When it infected a Windows 7 machine, the malicious driver module installed without any warning, although Windows 7 has a security feature that is supposed to tell users when an unsigned driver, or one signed with an untrusted certificate, tries to install itself on their machine. The reason, the VirusBlokAda team found out, was that the malicious driver was signed with the certificate of a company called RealTek Semiconductor in Taiwan.
The VirusBlokAda team published their findings, and almost immediately an antivirus firm in Slovakia named ESET spotted another malicious driver that appeared to be related to Stuxnet (the malware is named after its malicious driver). This new driver was signed with a certificate from a company called JMicron Technology, also in Taiwan, a maker of electronic circuits.
The attackers who created the malware had obtained the digital signing keys (private keys) and certificates of these two companies. On deeper examination, the malware appeared to be searching for computers that had one of two Siemens proprietary software programs installed, one of which is called SIMATIC WinCC. These programs are part of industrial control systems (ICS) and are used to work with Siemens programmable logic controllers (PLCs).
Each time Stuxnet infected a system, it 'phoned home' to one of two internet domains masquerading as soccer fan sites, mypremerfutbol.com and todaysfutbol.com. The domain names, registered by someone who used fake names and fraudulent credit cards, pointed to servers in Denmark and Malaysia that served as command-and-control stations for the attack.
But of all the information Stuxnet reported to its masters, the Siemens data was the most important because, as the researchers would soon learn, if Stuxnet found itself on a system that didn't have the Siemens software installed, it simply shut itself down.
The Symantec team, which had got involved in tracking this malware, contacted the DNS service provider of these two domains and asked them to redirect all the traffic to Symantec's servers. When they analyzed the traffic coming into their servers, more than 22,000 of the initial 38,000 machines they tracked were based in Iran.
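The sinkhole step above, where redirected beacons are counted per country, is the kind of triage that a short script does well. The following is an added example and not code from the book or from Symantec: the log format, the address-to-country table (built from RFC 5737 documentation ranges, so none of the blocks belongs to a real network) and the log lines are all constructed. Only the two domain names come from the text.

```python
"""Triage of beacons received at a sinkhole: count distinct infected
hosts per country, ignoring noise that is not a C2 request."""
from collections import defaultdict
import ipaddress
import re

# The two domains named in the post; a request for any other host is noise.
C2_DOMAINS = {"mypremerfutbol.com", "todaysfutbol.com"}

# Constructed geolocation table. The blocks are RFC 5737 documentation
# ranges and the country codes are assigned arbitrarily for the example.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "IR",
    ipaddress.ip_network("198.51.100.0/25"): "IR",
    ipaddress.ip_network("198.51.100.128/25"): "ID",
    ipaddress.ip_network("192.0.2.0/24"): "IN",
}

# Constructed sinkhole log: timestamp, source address, requested Host.
# Includes a repeat beacon, a scanner hitting an unrelated name, an
# unparseable line and an address missing from the geo table.
SINKHOLE_LOG = """\
2010-07-20T09:01:12Z 203.0.113.10 mypremerfutbol.com
2010-07-20T09:01:15Z 203.0.113.10 mypremerfutbol.com
2010-07-20T09:02:40Z 203.0.113.44 todaysfutbol.com
2010-07-20T09:03:01Z 198.51.100.7 mypremerfutbol.com
2010-07-20T09:03:09Z 198.51.100.200 todaysfutbol.com
2010-07-20T09:04:55Z 192.0.2.99 mypremerfutbol.com
2010-07-20T09:05:30Z 192.0.2.99 scanner.example
garbage line that does not parse
2010-07-20T09:06:02Z 10.0.0.5 todaysfutbol.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, ip_address, host) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, host = m.groups()
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return ts, addr, host.lower()


def country_of(addr):
    """Longest-prefix lookup is unnecessary here: the table has no overlaps."""
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"  # unknown origin is reported, not silently dropped


def summarize(log_text):
    """Return ({country: distinct_hosts}, total_distinct_hosts)."""
    hosts_by_country = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, addr, host = rec
        if host not in C2_DOMAINS:
            continue
        hosts_by_country[country_of(addr)].add(addr)
    counts = {cc: len(hosts) for cc, hosts in hosts_by_country.items()}
    return counts, sum(counts.values())


if __name__ == "__main__":
    counts, total = summarize(SINKHOLE_LOG)
    for cc, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{cc}: {n} hosts ({100 * n / total:.0f}%)")
```

Counting distinct source addresses rather than raw requests matters because an infected host beacons repeatedly; the same host appearing twice above is counted once. Real sinkhole data also needs NAT awareness (many machines behind one address), which this example does not attempt.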
Once the malware was in place, whenever an engineer tried to send commands to the PLC, Stuxnet made sure its own malicious command code got sent and executed instead. The second part of the attack was even more ingenious. Before Stuxnet's malicious commands went into action, the malware sat patiently on the PLC for about two weeks, sometimes longer, recording legitimate operations as the controller sent status reports back to monitoring stations. Then, when Stuxnet's malicious commands leapt into action, the malware replayed the recorded data back to operators to blind them to anything amiss on the machines. While Stuxnet sabotaged the PLC, it also disabled automated digital alarms to prevent safety systems from kicking in and halting whatever process the PLC was controlling if it sensed the equipment was entering a danger zone. Because Stuxnet modified the data the safety system relied on, the system was blind to dangerous conditions and never had a chance to act.
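The replay trick above has a detectable signature: a noisy physical process never reproduces a long run of readings exactly, so a monitoring stream that repeats an earlier window verbatim is suspect, and a second, independent measurement that diverges from the reported value is even stronger evidence. The block below is an added example, not code from the book or from any ICS vendor; the process values, the window length and the "independent sensor" readings are constructed.

```python
"""Two checks for replayed telemetry: exact-window repetition in the
reported stream, and divergence from an independently measured value."""

# Constructed process values (arbitrary units) as recorded during
# legitimate operation. Real sensor noise makes exact repeats unlikely.
LEGIT = [1007.2, 1006.9, 1007.4, 1007.1, 1006.8, 1007.3, 1007.0, 1007.2,
         1006.7, 1007.5, 1007.1, 1006.9, 1007.3, 1007.0, 1006.8]

# Constructed attack scenario: after 15 samples the reported stream becomes
# a replay of the first ten recorded samples, while the process itself is
# driven far outside its normal range.
REPORTED = LEGIT + LEGIT[:10]
INDEPENDENT = LEGIT + [1410.0] * 10


def find_replay(samples, window=5, decimals=2):
    """Return (replay_start, original_start) for the first window of
    `window` consecutive samples that exactly repeats an earlier window,
    or None if no window repeats. Values are rounded so that float
    formatting differences do not hide or create matches."""
    seen = {}
    for i in range(len(samples) - window + 1):
        key = tuple(round(v, decimals) for v in samples[i:i + window])
        if key in seen:
            return i, seen[key]
        seen[key] = i
    return None


def cross_check(reported, independent, tolerance=5.0):
    """Return indices where the reported value and an independent
    measurement of the same quantity differ by more than `tolerance`."""
    if len(reported) != len(independent):
        raise ValueError("streams must be aligned sample for sample")
    return [i for i, (r, m) in enumerate(zip(reported, independent))
            if abs(r - m) > tolerance]


if __name__ == "__main__":
    hit = find_replay(REPORTED)
    print("replay detected:", hit)               # (15, 0)
    bad = cross_check(REPORTED, INDEPENDENT)
    print("first divergent sample:", bad[0] if bad else None)  # 15
```

The window check needs no second sensor and works on historian data after the fact; the cross-check is the stronger control but presupposes a measurement path the compromised controller cannot rewrite, which is exactly the independence Stuxnet's victims lacked.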
While reverse engineering the malware, the Siemens engineers reached a startling conclusion. Stuxnet wasn't just attacking two specific models of Siemens PLC; it was attacking a specific facility where those PLCs were used, one in which the PLCs had to be configured in a very precise way. Right before Stuxnet unleashed its destructive payload on a 315 PLC, it searched the PLC for three magic values, and it knew it had reached its target only when it found all three.
Three months after the discovery of Stuxnet, the rest of the world knew about the mysterious code that had evidently targeted Iran, yet speculation that it had specifically targeted the uranium enrichment program at Natanz remained just that: speculation.
While this news was circulating abroad, Iranian officials revealed for the first time that computers at Bushehr (a nuclear plant in Iran) had indeed been hit by Stuxnet.
Symantec had resolved the mystery of the devices the digital weapon attacked, and Albright had made the final connections between Stuxnet and the centrifuges at Natanz. Although the US government still hadn't made a formal admission of responsibility for the attack, the New York Times had confirmed what everyone suspected: that the United States and Israel were behind it.
Flame
The revelations began in April 2012, when a virus began running wild on computers at the Iranian Oil Ministry and the Iranian National Oil Company, wiping the hard drive of every system it touched. The damage was systematic and complete, destroying gigabytes of data at a time. First, the malware eliminated documents and data files, then it went after system files, zapping core parts of the hard drive to make the machines crash and burn. The name given to the virus was Flame.
Stuxnet had tipped the scales at 500 kilobytes
when compressed, but Flame was at least 20 megabytes with all of its components
combined and consisted of more than 650,000 lines of code.
Flame appeared to be a multipurpose espionage tool built to meet every need, depending on the mission. A 6MB starter kit was loaded onto infected machines first; it included a back door through which the attackers could install new spy modules from their command server at will.
The infrastructure set up to support Flame was also massive, and like nothing the researchers had seen before. They found at least eight domains operating as command servers in Germany, the Netherlands, Switzerland and elsewhere, through which the attackers controlled infected machines and collected siphoned documents from them.
When the Microsoft security team inspected the Flame virus in detail, they realized they were looking at something much worse than a zero day: Flame was performing a sophisticated attack against part of the Microsoft Windows Update system to spread itself between machines on a local network.
Like the Windows software itself, the update tool gets periodically updated by Microsoft. Each time the tool launches on a customer's machine, it sends out a kind of beacon to Microsoft servers to see if a new version of itself is available. Microsoft distributes the updates as so-called .CAB files, signed with a Microsoft certificate to verify their legitimacy.
The attackers subverted this process by first infecting one machine on a victim's network with Flame. Then, when the update client on any other machine on the victim's network sent out a beacon to Microsoft servers to check for updates to the Windows Update tool, the infected machine intercepted the beacon and sent a malicious Flame file, masquerading as a legitimate Microsoft .CAB file, to the new machine instead, thus infecting it with the spy tool. This wasn't the most sophisticated part of the attack. To pull off the hijack, the attackers had signed their malicious .CAB file with a legitimate Microsoft certificate, except that in this case the certificate indicated that the company it belonged to was 'MS', not Microsoft Corporation as it should have said.
It turned out the attackers had pulled this off using something called an MD5 hash collision: they exploited a weakness in MD5 to forge a certificate that would validate, making their files look like original updates from Microsoft.
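Both signing failures in this post, the stolen RealTek and JMicron certificates that signed the Stuxnet drivers and the MD5-forged 'MS' certificate that signed Flame's fake update, are things a verifier can refuse on policy even when the cryptographic signature checks out. The block below is an added example, not Microsoft's or any vendor's verification code: it models only the certificate fields the post mentions (subject, issuer, signature hash algorithm, serial number), and the chains, serial numbers and revocation list are constructed.

```python
"""Policy checks applied to an already-signature-valid certificate chain:
expected publisher name, no MD5-based signatures, no revoked serials,
and issuer/subject linkage between adjacent certificates."""
from dataclasses import dataclass

# Signature algorithms a verifier should refuse outright. Collisions make
# MD5 unusable for certificates; the name strings follow OpenSSL's style.
WEAK_SIGNATURE_ALGORITHMS = {"md5withrsaencryption", "md5"}


@dataclass(frozen=True)
class CertInfo:
    subject: str              # Common Name of the certificate holder
    issuer: str               # Common Name of the signing CA
    serial: str               # constructed hex serial, unique per CA
    signature_algorithm: str  # algorithm the issuer used to sign this cert


def check_chain(chain, expected_subject, revoked_serials):
    """Return a list of policy violations (empty means the chain passes).
    `chain` runs from leaf to root; `expected_subject` is the exact name the
    leaf must carry, or None when any publisher is acceptable (e.g. a
    driver from a third-party vendor)."""
    problems = []
    leaf = chain[0]
    if expected_subject is not None and leaf.subject != expected_subject:
        problems.append(f"subject mismatch: got {leaf.subject!r}, "
                        f"expected {expected_subject!r}")
    for cert in chain:
        if cert.signature_algorithm.lower() in WEAK_SIGNATURE_ALGORITHMS:
            problems.append(f"{cert.subject!r} is signed with "
                            f"{cert.signature_algorithm}")
        if (cert.issuer, cert.serial) in revoked_serials:
            problems.append(f"{cert.subject!r} serial {cert.serial} is revoked")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            problems.append(f"{child.subject!r} claims issuer {child.issuer!r} "
                            f"but next cert is {parent.subject!r}")
    return problems


# Constructed CA hierarchy and serials (not real certificates).
ROOT = CertInfo("Example Root CA", "Example Root CA", "01", "sha256WithRSAEncryption")
CODE_CA = CertInfo("Example Code Signing CA", "Example Root CA", "02", "sha256WithRSAEncryption")

GENUINE_CHAIN = [
    CertInfo("Microsoft Corporation", "Example Code Signing CA", "1a2b", "sha256WithRSAEncryption"),
    CODE_CA, ROOT]

# Models the Flame case: the name is wrong and the forged link is MD5-signed.
FORGED_CHAIN = [
    CertInfo("MS", "Example Code Signing CA", "f00d", "md5WithRSAEncryption"),
    CODE_CA, ROOT]

# Models the Stuxnet case: a perfectly good vendor certificate whose key
# was stolen; the only recourse is revocation by its issuer.
STOLEN_CHAIN = [
    CertInfo("RealTek Semiconductor", "Example Code Signing CA", "c0de", "sha1WithRSAEncryption"),
    CODE_CA, ROOT]

# Constructed revocation list keyed by (issuer, serial).
REVOKED = {("Example Code Signing CA", "c0de")}


if __name__ == "__main__":
    for name, chain, want in [("genuine", GENUINE_CHAIN, "Microsoft Corporation"),
                              ("forged", FORGED_CHAIN, "Microsoft Corporation"),
                              ("stolen", STOLEN_CHAIN, None)]:
        print(name, check_chain(chain, want, REVOKED) or "OK")
```

The stolen-key case is the instructive one: every check short of revocation passes, which is why a signature alone is evidence of possession of a key, not of the signer's intent, and why revocation checking must not fail open.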
Operation Olympic Games was a covert and still unacknowledged campaign of sabotage by means of cyber disruption, directed at Iranian nuclear facilities by the United States and likely Israel. As reported, it is one of the first known uses of offensive cyber weapons. Started under the George W. Bush administration in 2006, Olympic Games was accelerated under President Obama, who heeded Bush's advice to continue cyber attacks on the Iranian nuclear facility at Natanz. Bush believed that the strategy was the only way to prevent an Israeli conventional strike on Iranian nuclear facilities. [Wikipedia]