IEEE Globecom 2011
Information Warfare
Tom Chen, Swansea University, Wales, UK, [email protected]

Outline
• Background
  - Definitions; actors; targets; historical cases
• Attack techniques
  - Reconnaissance; intrusions; stealth; persistent control; DDoS
• Defense techniques
  - Deterrence; prevention; detection; attribution; intrusion tolerance; self-healing
• Open research issues
• Conclusions and future directions
TC/Globecom2011/12-9-11 p. 2
Background

Section Outline
• Definitions
• Actors
• Targets
• Historical cases

Definitions
• Info. warfare (or cyber warfare): military or political conflicts between nations carried out through computer networks
  - Actions to adversely affect enemy’s info. and info. systems while defending own
  - Information is both target and means for gaining advantage (in support of military/political goals)
  - Definitions vary, e.g., U.S. DoD defines broadly: “operations directed against information in any form, transmitted over any media, including operations against information content, its supporting systems and software, the physical hardware device that stores the data or instructions, and also human practices and perceptions”

DoD Definitions
[Figure: DoD hierarchy of information operations, i.e. the broad info. warfare definition]
• Psychological operations - propaganda, leaflets
• Military deception - weapon hiding, decoys
• Operations security - classified info.
• Computer network operations (CNO) - *the definition used in this talk
• Electronic warfare - radio jamming
CNO in turn comprises:
• Computer network attack (CNA) - DDoS, malware
• Computer network defense (CND) - firewalls, IDS
• Computer network exploitation/espionage (CNE) - backdoors, data theft
Recognition as Warfare Domain
• U.S. DoD Strategy for Operating in Cyberspace (July 2011) recognizes cyberspace as 5th operational domain (with sea, air, land, space)
“Potential U.S. adversaries may seek to exploit, disrupt, deny, and degrade the networks and systems that DoD depends on... particularly concerned with three areas of potential adversarial activity:
  - theft or exploitation of data;
  - disruption or denial of access or service...;
  - destructive action including corruption, manipulation, or direct activity that threatens to destroy or degrade networks...”

Definitions (cont)
[Figure: current state of the four kinds of activity]
• Espionage, reconnaissance, data theft - increasingly common
• DDoS - attacks for damage, but no blatant incidents
• Suspected (Stuxnet) - attacks for control
• Defense - ongoing

Relation to Cyber Crime
• Cyber crime differs in:
  - Profit motive
  - Criminals, not state
  - Aim for theft of personal information, fraud
  - Targeted to consumers, businesses
• Common tools (e.g., malware, botnets) usable for cyber war
  - Same exploits involved in cyber war: govt. depends on civilian providers for computer equipment, software, services
Relation to Cyber Terrorism
• Terrorist groups make use of Internet as tool and perhaps see it as target to multiply physical attack (no incidents yet)
  - Terrorist groups al-Qaeda, Armed Islamic Group, Aum Shinrikyo, Hizballah, Hamas building up cyber skills
  - Uses: communications, organization, propaganda, recruiting, fund raising, researching targets
  - Benefits: anonymity, accessibility
• U.S. govt. stated that other nations are a greater cyber threat than terrorists
Actors
• U.S. Cyber Command (CYBERCOM) and NSA (joint director and location)
  - CYBERCOM coordinates and conducts activities to defend DoD networks and conduct full spectrum military cyberspace operations
  - Includes: training; situational awareness; create secure and resilient networks; build partnerships for collective defenses; integrate and deploy innovative capabilities
Actors (cont)
• Services (Army, Navy, AF, Marines) each have a cyber unit to support CYBERCOM: Army Cyber Command, 10th Fleet, 24th Air Force, Marine Forces Cyber Command, Coast Guard Cyber Command
• Dept. of Homeland Security (DHS) to defend civilian networks
• Some responsibilities for cyber security: Secret Service, FBI, Homeland Security Council, DoD, Office of Management and Budget (OMB)
Actors (cont)
• China: People’s Liberation Army (PLA); unknown whether large population of hackers is affiliated
  - Report by U.S. Office of the National Counterintelligence Executive (Oct. 2011) identified China as most active in cyber espionage, though difficult to confirm ties to govt.
  - Pointed to ‘Project 863’ funding covert activities to acquire US technology and info.
  - Russian intelligence services also aggressive and capable
Actors (cont)
• Russia: Federal Security Service of Russian Federation (FSB); Federal Guard Service; General Staff
• UK: Office of Cyber Security (OCS); Cyber Security Operations Centre (CSOC)
• Israel: C4I Directorate of Israel Defense Force (IDF); Unit 8200 of Directorate of Military Intelligence
• Many emerging: Australia, France, India, S. Korea, Estonia, Brazil
Actors (cont)
• Various non-state actors: script kiddies, malware writers, criminals, scammers, blackhats, hacktivists (e.g., Anonymous)
• Cyber terrorists (debatable) aiming at violence, disruption, fear, confusion, for the sake of a political or ideological agenda
Motivations
• Asymmetric warfare: means for weaker nation to fight stronger nation through indirect tactics
  - Low cost of entry
• Potential payoffs are high
  - Much information available for espionage
  - Modern societies are more dependent on networks (vulnerable to disruption)
• Risks are low
  - Attribution is very difficult
  - International laws are not coordinated
Targets
• Critical infrastructures (communications, energy, transport, finance, human services)
• Govt. and military systems
• Defense contractors
• Industrial control systems
• Internet
  - Most of US gov’t and military communications travel over civilian networks
  - Servers, databases are easy targets
Historical Cases
• Is information warfare real? None formally declared
Year  Name                  Suspect             Nature
1998  Moonlight Maze        Russia              Espionage
2003  Titan Rain            China               Espionage
2006  Operation Shady RAT   China               Espionage
2007  Estonia               Russia (initially)  DDoS
2009  GhostNet              China               Espionage
2009  Night Dragon          China               Espionage
2010  Aurora                China               Espionage
2010  Stuxnet               US, Israel          Malware attack
Moonlight Maze
• 1998: series of infiltrations into Pentagon, NASA, DoE, affiliated labs over 2 years
• Tens of thousands of files - military maps, US troop configurations, military hardware designs, naval codes
• Traced to mainframe in Russia but denied
  - Russia cooperated with DoD investigation
Titan Rain
• 2003 (disclosed in 2005): series of intrusions into DoD, Sandia Nat. Labs, NASA, Redstone Arsenal military base, World Bank, defense contractors
• Military intelligence stolen - not classified but sensitive, e.g., Army helicopter specs, Falconview (flight planning software), aerospace documents
• Term “APT” (advanced persistent threat) created
Titan Rain (cont)
• Discovered by Sandia security expert Shawn Carpenter
  - Tracked through chat rooms, servers; planted homemade bugging code in primary router to track all connections
  - Stolen files transmitted to zombie servers in S. Korea, Hong Kong, Taiwan, before relaying to Guangdong (Chinese province)
  - Estimated 6-10 full-time hackers
  - Red Hacker Alliance group suspected; unknown ties to PLA
Titan Rain (cont)
• Carpenter passed discoveries to Army and FBI
• When Sandia learned of activities, Sandia ordered Carpenter to stop
  - Illegal for American citizens to hack into foreign computers
  - When he persisted, he was fired and stripped of top secret clearance
  - Carpenter won lawsuit against dismissal
Shady RAT
• 2006 (disclosed 2011): McAfee report of 5-year cyber espionage by one actor (not identified but most assume China)
  - Compromised 72 defense contractors, various businesses, U.N., Int. Olympic Committee

Shady RAT (cont)
• Targets in U.S., Taiwan, S. Korea, Japan, Hong Kong, UK, Singapore, India, Germany (notably not China)

Shady RAT (cont)
• Stolen emails, contracts, proprietary business documents, source code, govt. secrets, SCADA configurations
  - Maybe 1,000 TB of data
  - Spear phishing installed RAT (remote access tool)
• Unspecified by McAfee, but said to be detected by heuristic signatures (Generic BackDoor.t, Generic Downloader.x)
  - RAT opens backdoor to remote command & control (C&C) servers
• Interesting aspect is variety of targets, not techniques
Estonia
• 2007: moving statue of Soviet soldier from capital to war cemetery caused Russian protests
• DDoS shut down hundreds of Estonian govt. services, news sites, e-commerce sites for 2 weeks
  - 3 waves of attacks April 26 - May 18
  - Peaked on May 9 with 4 million packets/sec launched by botnets
Estonia (cont)
• Estonia is highly wired
  - 60% of population used Internet daily
  - 97% of banking transactions done online
• Expected cyber attacks after moving statue, but not at such scale
• Attacks were well coordinated, sustained, and effective (by Estonian standards)
  - Choice of govt. and business targets suggested political motive
  - Russia had motive, means, and opportunity
Estonia (cont)
• Estonia called on NATO for help, blaming Russia for “cyber war”
  - Some attacks traced to Russia, but Russia denied involvement
  - DDoS instructions discussed on Russian web forums
  - Botnets commonly owned by Russian crime gangs, e.g., Russian Business Network
• NATO countries saw it as serious but helped only with network security experts
  - Raised question whether cyber attacks qualify for “mutual defense” (Article 5) of NATO members
Estonia (cont)
• 19-year-old student in Estonia arrested and fined, but clearly not solely responsible
  - Further investigations impeded by Russia’s lack of cooperation
• Russian govt. not directly linked, but encouraged attacks through rhetoric
• Not clearly “cyber war”, but opened eyes to potential effects of real cyber war
GhostNet
• 2008: investigation by Info. Warfare Monitor (Canada) of alleged Chinese cyber espionage against Tibet uncovered very wide infections of ‘gh0st RAT’ Trojan
  - Included Tibetan computers, ministries of foreign affairs and embassies in many countries
  - 1,295 infected computers in 103 countries reported to network of C&C servers
  - Gh0st RAT allowed remote, real-time, complete control
  - Spread by emails with attachments packed with exploit code

GhostNet (cont)
• For years, China-based hackers alleged to have penetrated govt. computers in US, UK, France, Germany, S. Korea, Taiwan
• China’s policy is “active defense” - cyber capabilities are a major part of modern conflicts, and must be ready to respond to aggression immediately
• Gh0st RAT open source Trojan developed originally in China, later translated to English
• Network monitoring traced malware to C&C servers in China (8), US (1), Hong Kong (1)

GhostNet (cont)
• Many victims linked to Chinese foreign and defense policy, suggesting Chinese govt. involvement
  - Several IP traces to Hainan Island, home of Lingshui signals intelligence office and PLA 3rd Technical Dept.
Night Dragon
• Feb 2011: McAfee revealed multi-year espionage to steal sensitive data from oil and energy companies
  - Stolen files related to oil and gas production, financial data related to field exploration and bidding
  - McAfee attributes origin to China based on techniques and tools used, network activities
  - Relatively unsophisticated range of methods

Night Dragon (cont)
[Figure: attack sequence]
• Web server compromised, e.g., by SQL injection
• Hacker tools installed on server, used to attack intranet
• Password cracking gained authenticated access to data
• RATs (e.g., zwShell) planted, connect to C&C servers
• RAT used for more reconnaissance, compromises, data theft
Aurora
• 2009: Google announced 34 companies (Morgan Stanley, Intel, Adobe, Juniper, ...) attacked by China
  - Blog said attackers wanted to access Gmail accounts of Chinese dissidents
  - Threatened to pull out of China and stop censoring search results
  - Worked with NSA to investigate
  - U.S. Secretary of State Hillary Clinton called on China to investigate, but no official China response

Aurora (cont)
• Attackers used 0-day exploit for Internet Explorer and exploit for Perforce (source code revision software used by Google)
  - Victims lured to malicious web site by spear phishing
  - Also tricked victims with email attachments - malicious PDFs
  - Installed ‘Hydraq’ Trojan - created backdoor to connect to C&C servers in Illinois, Texas, Taiwan
  - Variety of malware and several layers of encryption used to evade detection
  - Similar attacks seen on military systems before
Aurora (cont)
[McAfee white paper, “Protecting your Critical Assets”]

Executive Summary: As Operation Aurora highlighted, advanced persistent threats (APT) are an increasingly common form of complex and directed attacks that use insidious techniques for gaining access to privileged systems and maintaining that access until all of the attackers’ goals and objectives have been met. Operation Aurora employed an APT technique that proved extremely successful in targeting, exploiting, accessing, and exfiltrating highly valuable intellectual property from its victims. This paper details Operation Aurora and provides some insight into what was learned and how to prevent such attacks from being successful in the future.

How Aurora Worked: Operation Aurora included numerous steps that all occurred invisibly in an instant from the user’s perspective. As you can see in the illustration, without any apparent signs of malicious intent or actions, Operation Aurora completed its attack in six simple steps:
1. A targeted user received a link in email or instant message from a “trusted” source.
2. The user clicked on the link, which caused them to visit a website hosted in Taiwan that also contained a malicious JavaScript payload.
3. The user’s browser downloaded and executed the malicious JavaScript, which included a zero-day Internet Explorer exploit.
4. The exploit downloaded a binary disguised as an image from Taiwan servers and executed the malicious payload.
5. The payload set up a backdoor and connected to command and control servers in Taiwan.
6. As a result, attackers had complete access to internal systems. They targeted sources of intellectual property, including software configuration management (SCM) systems accessible by the compromised system. The compromised system could also be leveraged to further penetrate the network.

[Figure 1. The complete steps of Operation Aurora’s attack: 1. link delivered by spear phishing; 2. web site in Taiwan serves malicious JavaScript; 3. 0-day Internet Explorer exploit compromises target; 4. malware disguised as image downloaded from Taiwan server; 5. backdoor connects to C&C servers in Taiwan; 6. attackers gain access to internal systems.]
[McAfee]

Aurora (cont)
• Aurora tools similar to those on open Chinese hacker forums
• Later revealed attackers’ main goal was source code for Google password management program, Gaia
  - Google caught unprepared for breach
  - Companies do not specifically lock down source code management systems [McAfee]
  - Also targeted Google’s signing certificates, but those were too well protected

Stuxnet Discovery in 2010
• June 17 - Stuxnet discovered by Belarus security company VirusBlokAda
• July 13 - Stuxnet confirmed by Symantec and other antivirus companies
• July 19 - Press report Stuxnet aimed at Siemens industrial control systems
• July 22 - Most vulnerable systems are reportedly in Iran
• Sept 7 - Symantec reports four Windows 0-day exploits to Microsoft
• Sept 24 - Press speculated target was Iran’s nuclear plant
• Sept 25 - Iran admitted 30k PCs infected, but not nuclear plant
• Oct 5 - Iran blamed US and Israel (no response; Siemens also)
• Nov 12 - Symantec and PLC experts determined likely target was Iran’s Natanz uranium enrichment centrifuges
• Stuxnet source code in the wild
Stuxnet (cont)
• Highly sophisticated, complex, stealthy malware
• Very selective - designed for a specific target
• Aimed beyond computers at industrial control systems for real-world impact
  - Many believe target was Bushehr nuclear plant or Natanz uranium enrichment plant in Iran

Stuxnet’s Infection Path
[Figure: Stuxnet spreads to PCs -> Stuxnet infects a Windows PC running Siemens WinCC/Step 7 control software -> the WinCC/Step 7 software programs a PLC -> Stuxnet infects the Siemens Simatic Step 7 programmable logic controller (PLC) -> the PLC controls many types of equipment -> various mechanical equipment in industrial control systems]
What are PLCs
• PLCs are specialized computers for controlling automated equipment in industrial control systems (factories, assembly lines, critical infrastructures)
  - Rugged for different physical environments
  - Elaborate input/output arrangements, but no keyboard, optical drive, monitor
  - Run a single specific-purpose, real-time application
  - Programmed by Windows PCs, then operate by themselves
Programming a PLC
[Fig. 1. A typical PLC architecture: a Windows PC (programming device) running Siemens WinCC/Step 7 loads the program into the PLC, then the PLC operates by itself. The PLC comprises a CPU and memory, inputs from sensing devices (temperatures, gas pressures), outputs to load devices (motors, valves, drives, pumps), and communication with other PLCs, in factories, assembly lines, manufacturing plants, etc.]
However, Stuxnet goes through numerous checks on the host configuration, including whether:
• any of numerous antivirus software products are present and circumventable;
• the operating system is one of the targeted versions of Windows;
• the PC is not 64-bit;
• a certain registry key (suspected to be a type of infection marker) is not a specific value;
• the current date is earlier than June 24, 2012.
The infection process will stop at any point if a check fails. In order to load malicious code to a Simatic S7 PLC, Stuxnet replaces the s7otbxdx.dll file on an infected PC with a malicious version. The s7otbxdx.dll file handles reading and writing blocks between the PC and PLC. The malicious version of this file loads malicious blocks to the PLC and conceals the presence of the malicious blocks from the user. However, the infection of the PLC is carried out only after checking:
• the type of CPU is the targeted one;
• the presence of Profibus (a standard industrial network bus).

Stuxnet Spreading Methods
• Initial infection probably by infected USB flash drive
  - Creators knew industrial control system networks are not Internet-connected
• Once introduced, Stuxnet spread aggressively to PCs in multiple ways through the LAN
  - Creators knew industrial control systems are usually connected by LANs
  - Ultimately aiming for PCs programming a Siemens Simatic Step 7 PLC

Vulnerabilities Exploited
TABLE I. VULNERABILITIES EXPLOITED BY STUXNET

Reference                  Vulnerability                                                                        Potential impact
MS08-067 (CVE-2008-4250)   Windows Server service not properly handling specially crafted RPC requests          Remote code execution
MS10-046 (CVE-2010-2568)   Windows Shell incorrectly parses shortcuts when displaying icon of specially crafted shortcut   Remote code execution *
MS10-061 (CVE-2010-2729)   Windows Print Spooler service insufficiently restricts user permissions to access shared print spoolers   Remote code execution *
MS10-073                   Multiple vulnerabilities in Windows kernel-mode drivers                             Escalation of privilege *
MS10-092 (CVE-2010-3338)   Windows Task Scheduler improperly validates whether scheduled tasks run in intended security context   Escalation of privilege *
CVE-2010-2772              Hard-coded password in Siemens Simatic WinCC and PCS 7 SCADA systems                 Local access to back-end database
* 0-day exploits
Stuxnet’s payload is an inauspicious omen for future malware in the smart grid. Stuxnet was clearly meant to affect the real world through industrial control systems. Malware in the smart grid may have a direct impact on the generation, transmission, and distribution of energy as well as any systems interfacing to the smart grid such as electric vehicles and home appliances. As more things become dependent on the smart grid, the scope for potential physical damage becomes boundless.

IV. METHODS OF SPREADING
The initial infection vector is suspected to be a removable drive because the target network was not connected to the Internet. A copy of Stuxnet may have been introduced into the target network on an infected USB flash drive. Once a PC has been infected, Stuxnet uses various means to spread through local networks to other PCs [11], [12]. The vulnerabilities exploited by Stuxnet are listed in Table I.

A. Removable Drives
Stuxnet’s use of removable drives as an infection vector is interesting for its unusualness. The earliest computer viruses spread by floppy disks before the invention of the Internet; since then, most malware have found it convenient to spread through the Internet. Stuxnet’s reliance on removable drives suggests that the creators knew that the target PCs would not be reachable by the Internet.

Exploits (cont)
[Figure: spreading paths. Infected USB flash drive (MS10-046) -> infected PC; from the PC across the LAN via MS08-067 (shared folders) and MS10-061 (shared printers), with MS10-073 and MS10-092 (privilege escalation) and CVE-2010-2772 (WinCC database) -> target PLC]
Infection to Siemens Step 7 PLC
• On infected PC, Stuxnet replaces a certain .DLL file with a malicious .DLL file
• This .DLL file monitors and intercepts all communications between PC and PLC
• If specific conditions on PLC are detected, Stuxnet on PC installs malicious code blocks onto PLC, unseen by PC operator
Intention of Payload on PLC
• Malicious code in PLC appears to affect speed of specific types of variable-frequency power supplies (if connected to PLC)
  - High-quality, high-frequency, variable-frequency power supplies are export controlled in US because they can be used in gas centrifuge uranium enrichment plants
• Stuxnet makes specific changes to frequencies (coincides with frequencies of centrifuges used in Iran’s Natanz uranium enrichment plant)
• If target was Natanz, sabotage would have damaged high-speed centrifuges

Was Stuxnet a ‘Cyber Weapon’?
Comparison to Previous Malware
                                   Stuxnet                                   Common malware
Targeting                          Very selective - Siemens Simatic S7 PLC   Indiscriminate
Type of target                     Industrial control system                 Computers
Size                               500 KB                                    Slammer = 376 bytes; Nimda = 37 KB
Probable initial infection vector  Removable flash drive                     Internet and other networks
Exploits                           Four 0-day exploits                       Possibly one 0-day
Size (Complexity)
[Bar chart of malware size in Kbytes (0-500) for Stuxnet, Conficker, Nimda, MyDoom, Code Red, Slammer: Stuxnet is unusually large and complex]

Exploits
• Stuxnet used four 0-day exploits
  - Vulnerabilities are unknown to vendor, therefore no patch is available
  - 0-day exploits are highly valued by attackers; only used for valuable targets
• Previous worms used mostly known exploits (available patches), perhaps one 0-day exploit
  - 1988 Morris worm: 3 known exploits (no 0-day)
  - 2001 Nimda worm: 5 known exploits (no 0-day)
Stealth
• Stealth important to buy time to reach target before detection
• Stuxnet used multiple stealth mechanisms
  - Some novel, some known
  - Considerable effort invested in stealth

Stealth (cont)
[Figure: stealth mechanisms along the infection path]
• Infected USB flash: Stuxnet files look like innocent .lnk files
• Infected PC: Stuxnet inserts itself as .DLL in a novel way, undetected by antivirus looking for malicious DLLs
• Infected PC: Stuxnet installs malicious kernel drivers signed with 2 stolen digital certificates - bypasses Windows Vista and Windows 7 protection against unsigned drivers
• Infected PC: Stuxnet loads itself into trusted processes recognized as legitimate programs - bypasses normal “behavior-based” antivirus
• Target PLC

Stealth (cont)
• Infected PC with Siemens WinCC/Step 7: Stuxnet replaces legitimate .DLL with Trojan version used to monitor connection with PLC
• Siemens Simatic Step 7 PLC: if intended target is detected, Stuxnet writes malicious code blocks to PLC without detection by PC operator
Was Stuxnet a “Cyber Weapon”?
• Circumstantial reasons for suspicion:
  - Very selective about infection target
  - Payload carries out very specific actions
  - Vulnerable targets mostly in Iran
  - Highly technical inside knowledge of target
  - Enormous resources spent on development
• All implies a very resourceful group went to great efforts to reach one very valuable target
• Biggest difference: Stuxnet aimed at specific physical target for real-world impact, not computers
Stuxnet Target?
[Symantec, W32.Stuxnet Dossier (Security Response):]
“We have observed over 40,000 unique external IP addresses, from over 155 countries. Looking at the percentage of infected hosts by country shows that approximately 60% of infected hosts are in Iran.”
[Figure 3: Geographic Distribution of Infections]
“Symantec aims to identify those observed hosts which have the Siemens Step 7 software installed. The following chart shows the percentage of infected hosts by country with the Siemens software installed.”
[Figure 4: Percentage of Stuxnet infected Hosts with Siemens Software installed]
“Looking at newly infected IP addresses per day, on August 22 we observed that Iran was no longer reporting new infections. This was most likely due to Iran blocking outward connections to the command and control servers, rather than a drop-off in infections.” [Symantec]
• Stuxnet traffic sent to its C&C servers
• Hence speculation that target was Bushehr nuclear plant or Natanz uranium enrichment plant in Iran

Stuxnet Target? (cont)
• Copies of Stuxnet kept history of infected machines
• Symantec traced original infection to 5 organizations in Iran
  - Stuxnet spread quickly beyond Iran because of aggressive 0-day exploits used
Specificity
• Infects Windows PC with Siemens WinCC/Step 7 only if:
  - Recognizes antivirus software and able to circumvent it
  - Version of Windows is vulnerable
  - PC is not 64-bit
  - Certain registry key not a specific value (suspected to be a type of infection marker)
  - Current date is earlier than June 24, 2012

Specificity (cont)
• Infects Siemens Simatic Step 7 PLC only if:
  - Siemens 315 PLC (small general purpose) or Siemens 417 PLC (top of line)
  - Presence of S7-300 CPU
  - Presence of CP-342-5 Profibus (a standard network bus)
  - Presence of at least 33 frequency drives made by Fararo Paya (Iran) or Vacon (Finland), operating at 807-1,210 Hz
• Typical for frequency drives used in nuclear plants (and export controlled by US)
Stuxnet’s Target
[Wired, Threat Level: “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History”, accessed 11/07/2011]

Things changed as e-commerce took hold, and hackers began to focus on financial gain for their payloads — stealing credit card data, online banking credentials and corporate secrets. More recently, attacks have evolved to so-called advanced persistent threats — where attackers, some state-sponsored, patiently worked their way deep into a network and sat there months or years silently siphoning national secrets, source code and other sensitive data.

Stuxnet was different from all of these. It wasn’t an evolution in malware, but a revolution. The idea that someone would create such a sophisticated worm to slither blindly through networks in search of a single target was “leaps and bounds” beyond what the Symantec researchers had expected. “I could work in this industry for another twenty years and never see another project like this,” O Murchu said recently.

“We were expecting something to be espionage, we were expecting something to steal credit card numbers…. But we weren’t expecting this.” – Eric Chien

By the end of September, Symantec was slowly building a profile of Stuxnet’s target.

Falliere had reverse-engineered the code that Stuxnet was injecting into the PLC and knew the malware was resetting the value of something connected to the device, but he had no idea what was on the receiving end of these commands or what the changed values would do. It was like watching tracer bullets fly through the night sky without seeing what they hit.

They had already discovered that the specific system Stuxnet targeted used the Profibus standard to communicate. They also noticed that the virus searched for a specific value — 2C CB 00 01 — before deciding to attack its target PLC. They had a hunch this might be some kind of ID the Step7 system assigned to a hardware part, so they set up a simulated Step7 PLC environment, and began plugging in parts. The reference value finally popped up when they attached a Profibus network card.

But there were two numbers Stuxnet sought that were still a mystery — 9500h and 7050h. Neither showed up when they plugged in hardware parts to their simulated system, nor did Google searches on the numbers produce anything.

Then a breakthrough came in November 2010.

The researchers had put out a request on their blog asking for anyone with experience in Profibus and critical infrastructures to contact them, and a Dutch programmer named Rob Hulsebos wrote back. Most of his e-mail discussed information the researchers already knew, but one line stood out. Every Profibus component had to have a unique ID that was a word long, Hulsebos wrote. It suddenly occurred to Chien that the two mystery numbers were manufacturer IDs.

He and O Murchu searched online for Profibus documentation and found a PDF with a list of specs for devices used with Profibus network cards. At the bottom of the list were the two mystery numbers Stuxnet sought. They were product IDs for two types of frequency converters made in Finland and Iran. The first, 9500h, referred to Vacon NX frequency converters made by Vacon in Finland, and the second, 7050h, referred to an unspecified frequency converter made by Fararo Paya in Iran.

Frequency converters modulate the speed of motors and rotors in things like high-speed drills that are used to cut metal parts in factories and in paper mills to force pulp through a grate. Increase the frequency of the drive, and the rotor increases its spin. In the Profibus documentation the researchers found online, they discovered a list of commands to control frequencies; they matched exactly the commands that were written in Stuxnet.

“The STL code [in Stuxnet] was sending down things like ‘word 47F and 1!’,” Chien recalls. “And you look at the frequency converter [manual], and it says, ‘To start the frequency converter, send down the word 47F and set this value to 1.’ We were speechless.”

Based on information in Stuxnet’s code, Stuxnet was targeting a facility that had 33 or more of the frequency converter drives installed, all operating at between 807 Hz and 1,210 Hz.

[Graphic (Symantec): PLC with Profibus network. Stuxnet searches for a facility that has a minimum of 33 frequency converters installed.] [Symantec]
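The conditions in the Specificity slides and the product IDs decoded in the Wired account add up to a hardware fingerprint. The following is an added example (not code from the talk, from Symantec or from Wired) that turns that fingerprint into a defender's inventory check: given a plant's list of PLC, Profibus and drive components, it reports which of the documented conditions hold. The inventory record format, the helper names and the sample inventories are constructed for this example; the fingerprint values are the ones cited on the page.

```python
"""Does a plant inventory fall inside the Stuxnet PLC target profile?

Added example for the talk; not Symantec's or the talk's own code. Fingerprint
values are the ones cited on the page; the Device record format is constructed.
"""
from dataclasses import dataclass
from typing import Iterable

# Target fingerprint, as documented by Symantec and cited in the talk
TARGET_CPU_FAMILIES = {315, 417}        # S7-315 or S7-417 CPU
PROFIBUS_CP_342_5_IDENT = 0x2CCB0001    # value searched for: the CP 342-5 Profibus card
DRIVE_PRODUCT_IDS = {0x9500: "Vacon NX", 0x7050: "Fararo Paya"}
MIN_DRIVES = 33
FREQ_BAND_HZ = (807.0, 1210.0)


@dataclass(frozen=True)
class Device:
    """One entry of a (constructed) plant inventory."""
    kind: str             # "cpu", "profibus_cp" or "drive"
    ident: int            # CPU family, CP ident word, or drive product ID
    freq_hz: float = 0.0  # operating frequency, meaningful for drives only


def stuxnet_target_profile(inventory: Iterable[Device]) -> dict:
    """Evaluate each condition separately so an operator can see which ones hold."""
    devices = list(inventory)
    cpu_ok = any(d.kind == "cpu" and d.ident in TARGET_CPU_FAMILIES for d in devices)
    profibus_ok = any(d.kind == "profibus_cp" and d.ident == PROFIBUS_CP_342_5_IDENT
                      for d in devices)
    # Only drives from the two vendors, and only those running inside the
    # 807-1,210 Hz band, count towards the minimum of 33
    matching_drives = [d for d in devices
                       if d.kind == "drive" and d.ident in DRIVE_PRODUCT_IDS
                       and FREQ_BAND_HZ[0] <= d.freq_hz <= FREQ_BAND_HZ[1]]
    by_vendor: dict = {}
    for d in matching_drives:
        name = DRIVE_PRODUCT_IDS[d.ident]
        by_vendor[name] = by_vendor.get(name, 0) + 1
    drives_ok = len(matching_drives) >= MIN_DRIVES
    return {
        "cpu": cpu_ok,
        "profibus_cp_342_5": profibus_ok,
        "drives_in_band": len(matching_drives),
        "drives_by_vendor": by_vendor,
        "drives": drives_ok,
        "matches": cpu_ok and profibus_ok and drives_ok,
    }


def sample_inventory(n_drives: int, freq_hz: float, product_id: int = 0x9500) -> list:
    """Constructed inventory: one S7-315 CPU, one CP 342-5, n drives at freq_hz."""
    devs = [Device("cpu", 315), Device("profibus_cp", PROFIBUS_CP_342_5_IDENT)]
    devs += [Device("drive", product_id, freq_hz) for _ in range(n_drives)]
    return devs


if __name__ == "__main__":
    # Same hardware, three operating points: only the first falls inside the profile
    for n, f in ((35, 1064.0), (20, 1064.0), (40, 50.0)):
        print(n, "drives at", f, "Hz ->", stuxnet_target_profile(sample_inventory(n, f)))
```

The per-condition result matters more than the final boolean: a site with the right CPU and Profibus card but drives outside the band is one reconfiguration away from the profile.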
http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1 Page 16 of 24 Inside Knowledge
• Previous malware aimed at well known Windows or Unix computers • Stuxnet’s creators knew - The specific network environment of the target - The programming of Siemens Simatic PLCs - The exact type of equipment (frequency converter drives) attached to the target PLC
Level of Effort
• Symantec estimates 5-10 people working up to 6 months - Code shows a diversity of programming languages and skills - Authors had access to industrial control systems, specifically Siemens Simatic S7 PLCs, for development and testing • Security experts estimate a cost of at least one million dollars
Effort and target suggest political motive
Successful?
• Destruction - no; delays - probably • Iranian officials had acknowledged delays at Bushehr and Natanz • In Jan. 2010, International Atomic Energy Agency inspectors noticed a very high number of failed centrifuges at Natanz • The head of Israel’s intelligence stated that unspecified malfunctions had set back Iran’s ability to create a nuclear weapon until 2015
Attack Techniques
Section Outline
• Reconnaissance • Intrusions • Stealth • Persistent control • Distributed denial of service
Reconnaissance
• Learn information about targets before the attack - Scanning • Pings (see if a host is online) • Network mapping (discover network topology) • Port scanning (see which ports a host is listening on) • Operating system identification (discover the host’s OS) - Vulnerability scanning • Scans are easily detectable but not necessarily considered malicious - Military systems are constantly probed
Scanning - Pings
• Ping sweeps (“ICMP echo request” messages) scan a block of IP addresses for live hosts • Easy to detect, and the source address cannot usefully be spoofed because the replies must reach the attacker - But an attacker might also send pings with spoofed addresses to create confusion - Scans can alternatively be done with TCP SYN, TCP RST, or other types of packets - less conspicuous than ICMP
Network Mapping
• Traceroute maps network topology - Sends a series of UDP packets with the time-to-live (TTL) field set to 1, 2, 3, etc. - Each router that decrements the TTL to zero returns an “ICMP time exceeded” message, revealing its address and its distance (hop count) from the sender; the destination answers the final probe with “ICMP port unreachable” • Many tools: Sam Spade, CyberKit, NetScanTools, iNetTools, Cheops
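A worked decoding of the traceroute mechanism described above, added here as an example (it is not code from the slides or from any of the tools listed). It builds the ICMP replies a router would return for a TTL-expired UDP probe as constructed bytes, parses them to recover the responding router and its hop number, and assembles the path. The hosts (prober 10.0.0.2, target 10.9.9.9, routers 10.0.0.1 and 10.1.1.1) and the tagging of each probe with UDP destination port 33434 + (TTL - 1) are assumptions taken from the classic UNIX traceroute convention; a real implementation would read these packets from a raw socket, which needs root.

```python
"""Traceroute reply decoding: parse the ICMP "time exceeded" messages routers
return for TTL-expired UDP probes and turn them into an ordered hop list.
Added example with constructed packets; not code from the slides."""
import socket
import struct

# Assumption (classic UNIX traceroute): the probe sent with TTL n carries UDP
# destination port BASE_PORT + n - 1, so the port quoted back inside a
# router's ICMP error identifies which hop answered.
BASE_PORT = 33434


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options; checksum left as 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def make_icmp_error(sender, prober, target, probe_port, icmp_type, icmp_code):
    """Constructed ICMP error as a router (type 11/code 0) or the destination
    host (type 3/code 3) would send it: outer IP header, 8-byte ICMP header,
    then the expired probe's IP header plus the first 8 bytes of its UDP
    header, which is the RFC 792 layout."""
    quoted_ip = ipv4_header(prober, target, 17, 8, ttl=1)
    quoted_udp = struct.pack("!HHHH", 40000, probe_port, 8, 0)
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted_ip + quoted_udp
    return ipv4_header(sender, prober, 1, len(icmp)) + icmp


def parse_icmp_error(packet):
    """Return (sender_ip, kind, hop) for a traceroute-style ICMP error.
    kind is 'time-exceeded' (an intermediate router), 'port-unreachable'
    (the destination itself) or 'other'. Raises ValueError on malformed input."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not ICMP")
    sender = socket.inet_ntoa(packet[12:16])
    icmp = packet[ihl:]
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("ICMP error too short to quote the probe")
    icmp_type, icmp_code = icmp[0], icmp[1]
    quoted = icmp[8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != 17:
        raise ValueError("quoted datagram is not UDP, so not one of our probes")
    dst_port = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    hop = dst_port - BASE_PORT + 1
    if icmp_type == 11 and icmp_code == 0:
        kind = "time-exceeded"
    elif icmp_type == 3 and icmp_code == 3:
        kind = "port-unreachable"
    else:
        kind = "other"
    return sender, kind, hop


def build_path(replies):
    """Order the replies by hop and stop at the destination's port-unreachable.
    A hop that never answered (rate-limited or filtering router) shows as '*'."""
    parsed = [parse_icmp_error(p) for p in replies]
    by_hop = {hop: (sender, kind) for sender, kind, hop in parsed if hop >= 1}
    last = max(by_hop) if by_hop else 0
    path = []
    for hop in range(1, last + 1):
        sender, kind = by_hop.get(hop, ("*", "no-reply"))
        path.append((hop, sender))
        if kind == "port-unreachable":
            break
    return path


def demo_path():
    """Constructed replies for a 4-hop trace from 10.0.0.2 to 10.9.9.9 in
    which hop 3 never answers."""
    prober, target = "10.0.0.2", "10.9.9.9"
    replies = [
        make_icmp_error("10.0.0.1", prober, target, BASE_PORT + 0, 11, 0),
        make_icmp_error("10.1.1.1", prober, target, BASE_PORT + 1, 11, 0),
        make_icmp_error(target, prober, target, BASE_PORT + 3, 3, 3),
    ]
    return build_path(replies)


if __name__ == "__main__":
    for hop, router in demo_path():
        print(f"{hop:2d}  {router}")
```

The port-unreachable reply from the destination is what tells traceroute to stop; the missing hop 3 appears as `*`, which is exactly how a router that rate-limits or filters ICMP looks in a real trace, and why a map built this way can have gaps.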
Network Mapping (cont)
Example of network mapping by Cheops
Port Scanning
• Probing well known TCP/UDP ports reveals the services running on targets - Examples: TCP 80 = HTTP; UDP 53 = DNS; TCP 25 = SMTP • Also, some ports in the higher range are known to be used by backdoors and Trojan horses - E.g., list at www.emsisoft.com/en/kb/portlist/ • Many tools: Nmap, Strobe, Ultrascan, Netcat, SuperScan, WinScan
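As an added example (not from the slides or from any of the tools listed), the following Python TCP connect() scanner does what an unprivileged `nmap -sT` does: it completes the handshake on each port, classifies the port as open, closed or filtered, and grabs whatever banner the service volunteers, which is the raw material a vulnerability scanner later matches against. So that it runs offline it starts two constructed listeners on 127.0.0.1 (one greeting with a made-up SSH-style banner, one silent); the 10-port range around them, the 0.5 s timeout and the 32 worker threads are assumptions.

```python
"""TCP connect() port scanner with banner grabbing, run against constructed
listeners on 127.0.0.1 so it works offline. Added example; not code from
the slides or from any of the scanners named there."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def scan_port(host, port, timeout=0.5):
    """Classify one TCP port the way an unprivileged scanner (nmap -sT) must.
    A completed handshake is 'open', an immediate RST is 'closed', and no
    answer before the timeout is 'filtered' (something dropped our SYN).
    Returns (state, banner); banner is whatever the service sent first."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return ("closed", "")
        except OSError:            # includes the timeout case
            return ("filtered", "")
        try:
            banner = s.recv(128).decode("ascii", "replace").strip()
        except OSError:            # silent service: nothing within the timeout
            banner = ""
        return ("open", banner)


def scan_ports(host, ports, workers=32):
    """Scan many ports concurrently. Returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, scan_port(host, p)), ports))
    return dict(results)


def start_listener(banner=b""):
    """Constructed target service: listens on an ephemeral 127.0.0.1 port and,
    like an SSH or SMTP daemon, greets each client with a banner. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if banner:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Scan the ports around two constructed listeners (assumed +/-5 range),
    plus a port that was bound and released so it is known to be closed."""
    p_ssh = start_listener(b"SSH-2.0-OpenSSH_5.3\r\n")   # constructed banner
    p_quiet = start_listener()          # open, but waits for the client to speak (like HTTP)
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    p_closed = tmp.getsockname()[1]
    tmp.close()
    low, high = min(p_ssh, p_quiet) - 5, max(p_ssh, p_quiet) + 5
    results = scan_ports("127.0.0.1", range(low, high + 1))
    results[p_closed] = scan_port("127.0.0.1", p_closed)
    opened = sorted(p for p, (state, _) in results.items() if state == "open")
    return {
        "open": opened,
        "banners": {p: results[p][1] for p in opened if results[p][1]},
        "listeners": sorted([p_ssh, p_quiet]),
        "closed_probe": results[p_closed][0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because every probe completes the three-way handshake, each open port ends up in the target's application logs; that is the trade-off the SYN scan discussed on the following slides avoids by never sending the final ACK. The silent listener also shows why a scanner cannot rely on banners alone: some services (HTTP among them) say nothing until the client does.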
Port Scanning (cont)

Nmap user interface and options (reference pages reproduced on the slide)

Advanced Scanning Functions Overview

Nmap supports a number of user selectable scan types. By default, Nmap will perform a basic TCP scan on each target system. In some situations, it may be necessary to perform more complex TCP (or even UDP) scans in an attempt to find uncommon services or to evade a firewall. These advanced scan types are covered in this section.

Summary of features covered in this section:

Feature - Option
TCP SYN Scan - -sS
TCP Connect Scan - -sT
UDP Scan - -sU
TCP NULL Scan - -sN
TCP FIN Scan - -sF
Xmas Scan - -sX
TCP ACK Scan - -sA
Custom TCP Scan - --scanflags
IP Protocol Scan - -sO
Send Raw Ethernet Packets - --send-eth
Send IP Packets - --send-ip

Note: You must log in with root/administrator privileges (or use the sudo command) to execute many of the scans discussed in this section.

Port Scanning Options Overview

There are a total of 131,070 TCP/IP ports (65,535 TCP and 65,535 UDP). Nmap, by default, only scans 1,000 of the most commonly used ports. This is done to save time when scanning multiple targets as the majority of ports outside the top 1000 are rarely used. Sometimes, however, you may want to scan outside the default range of ports to look for uncommon services or ports that have been forwarded to a different location. This section covers the options which allow this and other port specific features.

Tip: A complete list of TCP/IP ports can be found on the IANA website at www.iana.org/assignments/port-numbers.

Summary of features covered in this section:

Feature - Option
Perform a Fast Scan - -F
Scan Specific Ports - -p [port]
Scan Ports by Name - -p [name]
Scan Ports by Protocol - -p U:[UDP ports],T:[TCP ports]
Scan All Ports - -p "*"
Scan Top Ports - --top-ports [number]
Perform a Sequential Port Scan - -r
Port Scanning (cont)

Nmap example: TCP SYN scan

TCP SYN Scan

The -sS option performs a TCP SYN scan.

Usage syntax: nmap -sS [target]

# nmap -sS 10.10.1.48

Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-25 11:01 CDT
Interesting ports on 10.10.1.48:
Not shown: 994 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
MAC Address: 00:0C:29:D5:38:F4 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds

Performing a TCP SYN scan

The TCP SYN scan is the default option for privileged users (users running as root on Unix/Linux or Administrator on Windows). The default TCP SYN scan attempts to identify the 1000 most commonly used TCP ports by sending a SYN packet to the target and listening for a response. This type of scan is said to be stealthy because it does not attempt to open a full-fledged connection to the remote host. This prevents many systems from logging a connection attempt from your scan.

Note: Stealth operation is not guaranteed. Modern packet capture programs and advanced firewalls are now able to detect TCP SYN scans.
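An added detection example for the Note above (not from the slides or from any firewall or IDS product): it parses tcpdump-style text records and flags a source that sends bare SYNs to many distinct ports within a short window while never completing a handshake, which is the signature a half-open scan leaves even though no connection is ever logged by the target's applications. The capture lines are constructed for this example (a scanner at 10.10.1.5 sweeping 30 ports on 10.10.1.48, and a normal client at 10.10.1.7 fetching a web page); the thresholds of 20 ports in 10 s and 80% unanswered are assumptions to tune per network.

```python
"""Detect a TCP SYN (half-open) scan in packet-capture records.
Added example; the records below are constructed in tcpdump's text style,
not captured from any host mentioned on the slides."""
import re
from collections import defaultdict

# e.g. "11:01:02.000000 IP 10.10.1.5.40001 > 10.10.1.48.21: Flags [S], seq 0, win 1024"
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(line):
    """One tcpdump line -> dict with src/dst/ports/flags and time in seconds."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    h, mi, s = d["ts"].split(":")
    d["t"] = int(h) * 3600 + int(mi) * 60 + float(s)
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def detect_syn_scans(lines, window=10.0, min_ports=20, min_unanswered_ratio=0.8):
    """Per source, count the distinct (dst, port) pairs hit with a bare SYN
    inside any `window`-second span, and the share of those SYNs the source
    never followed with its own ACK (third handshake step). A SYN scanner
    answers SYN/ACK with a RST or silence; a real client ACKs and sends data.
    Returns {source: (distinct_ports_in_window, unanswered_ratio)} for sources
    over both thresholds."""
    syns = defaultdict(dict)        # src -> {(dst, dport): time of first SYN}
    completed = defaultdict(set)    # src -> {(dst, dport)} the src ACKed/sent data to
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        key = (p["dst"], p["dport"])
        if p["flags"] == "S":
            syns[p["src"]].setdefault(key, p["t"])
        elif p["flags"] in (".", "P.", "F."):
            completed[p["src"]].add(key)
    alerts = {}
    for src, targets in syns.items():
        times = sorted(targets.values())
        best, j = 0, 0                      # sliding window over SYN times
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        unanswered = sum(1 for k in targets if k not in completed[src])
        ratio = unanswered / len(targets)
        if best >= min_ports and ratio >= min_unanswered_ratio:
            alerts[src] = (best, round(ratio, 2))
    return alerts


def constructed_capture():
    """Constructed trace (not real): 10.10.1.5 SYN-scans 30 ports on 10.10.1.48
    within 1.5 s and RSTs the six that answer SYN/ACK; 10.10.1.7 is an ordinary
    client that completes one handshake to port 80 and sends a request."""
    open_ports = {21, 22, 25, 80, 111, 2049}
    ports = sorted(open_ports | set(range(1000, 1024)))
    lines = []
    for i, port in enumerate(ports):
        t = 2.0 + i * 0.05
        lines.append(f"11:01:{t:09.6f} IP 10.10.1.5.40001 > 10.10.1.48.{port}: Flags [S], seq 0, win 1024")
        if port in open_ports:
            lines.append(f"11:01:{t + 0.001:09.6f} IP 10.10.1.48.{port} > 10.10.1.5.40001: Flags [S.], seq 0, ack 1, win 5840")
            lines.append(f"11:01:{t + 0.002:09.6f} IP 10.10.1.5.40001 > 10.10.1.48.{port}: Flags [R], seq 1, win 0")
        else:
            lines.append(f"11:01:{t + 0.001:09.6f} IP 10.10.1.48.{port} > 10.10.1.5.40001: Flags [R.], seq 0, ack 1, win 0")
    lines += [
        "11:01:05.000000 IP 10.10.1.7.51234 > 10.10.1.48.80: Flags [S], seq 0, win 65535",
        "11:01:05.000400 IP 10.10.1.48.80 > 10.10.1.7.51234: Flags [S.], seq 0, ack 1, win 5840",
        "11:01:05.000600 IP 10.10.1.7.51234 > 10.10.1.48.80: Flags [.], ack 1, win 65535",
        "11:01:05.001000 IP 10.10.1.7.51234 > 10.10.1.48.80: Flags [P.], seq 1:80, ack 1, win 65535",
    ]
    return lines


if __name__ == "__main__":
    for src, (ports, ratio) in detect_syn_scans(constructed_capture()).items():
        print(f"SYN scan from {src}: {ports} ports, {ratio:.0%} handshakes left incomplete")
```

The unanswered-ratio test is what separates a scanner from a busy but legitimate client: the scanner meets a SYN/ACK with a RST (or nothing), whereas a real client sends the third-step ACK and then data. A scan spread slowly over hours stays under the window and needs longer-lived per-source state, which is why the "not guaranteed" wording in the Note cuts both ways.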
Vulnerability Scans
• Some types of vulnerabilities: - Default security settings: default accounts and passwords are sometimes not changed - Misconfiguration errors: incorrect settings may weaken security - Well-known vulnerabilities: critical vulnerabilities are published by vendors with patches, but patches may not be applied
Vulnerability Scans (cont)
• Many tools: Nessus, SATAN, SARA, SAINT, McAfee CyberCop ASaP, TigerSuite Pro, ISS Internet Scanner, eEye Digital Retina Scanner, Cisco Secure Scanner - Typically discover hosts by ping, then probe for open ports and specific vulnerabilities - Vulnerability scans are easily detectable when certain ports are probed (e.g., TCP port 23 Telnet, TCP port 25 SMTP, TCP port 79 finger, ...)
Vulnerability Scans (cont)
• Several sites publish vulnerabilities (cve.mitre.org, nvd.nist.gov, www.kb.cert.org, securityfocus.com, secunia.com, us-cert.gov, sans.org, ...) - Identified by CVE (Common Vulnerabilities and Exposures) numbers, coordinated by MITRE

Example CVE entry:

Name: CVE-1999-0002
Status: Entry
Reference: SGI:19981006-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981006-01-I
Reference: CERT:CA-98.12.mountd
Reference: CIAC:J-006
Reference: URL:http://www.ciac.org/ciac/bulletins/j-006.shtml
Reference: BID:121
Reference: URL:http://www.securityfocus.com/bid/121
Reference: XF:linux-mountd-bo
Description: Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.
Vulnerability Scans (cont)

[Figure: vulnerability scanner architecture. A GUI for user configuration drives a vulnerability scanning engine that is backed by a vulnerability database and keeps the state of the current scan; the engine runs (1) basic scans against the targets to discover open ports, then (2) customized probes to discover vulnerabilities, and produces a report. Figure reused from the author's Infocom 2005 tutorial (TC/3-14-05/Infocom2005 SMU Engineering p. 35).]
Vulnerability Scans (cont)
Nessus output
OS Detection
• “TCP stack fingerprinting” tries to discover details of the target’s operating system - Different OSs have specific vulnerabilities, so knowing the OS narrows the choice of exploit • The TCP protocol is standardized, but responses to illegal or unusual TCP packets are not - Operating systems respond differently to illegal TCP packets (odd flag combinations, unusual options), and the pattern of responses identifies the OS - Such scans are detectable precisely because of the TCP packets with strange flag combinations or options • Tools: Nmap, Cheops, NetScanTools
OS Detection (cont)

Nmap example

[Figure 4.3 Nmap Output, reproduced from Howlett, Chapter 4 (“Uses for Port Scanners”), p. 111; the page's accompanying text and Table 4.8 follow.]

(not as a pretty Web page), but you will be able to verify that a server is running there. You can do similar things with other services such as FTP or SMTP. In the UNIX version, Nmap also color codes the ports found according to what they are (see Table 4.8). As you can see from Figure 4.3, this output lets you scan a report and quickly determine whether there are any services or ports you should be concerned with. This doesn’t mean you should ignore any unusual numbers that aren’t highlighted or bolded (in UNIX versions). Trojan horses and chat software often show up as unknown services, but you can look up a mystery port in the list of common ports in Appendix C or cross-reference it against a list of known bad ports to quickly determine if the open port is anything to be concerned about. If you can’t find it anywhere, you have to wonder what strange service is running on that machine that doesn’t use a well-known port number.

Table 4.8 Nmap Output Color Coding

Colors - Descriptions
Red - This port number is assigned to a service that offers some form of direct logon to the machine, such as Telnet or FTP. These services are often the most attractive to hackers.
Blue - This port number represents mail service such as SMTP or POP. These services are also often the subject of hackers’ attacks.
Bold black - These are services that can provide some information about the machine or operating system such as finger, echo, and so on.
Plain black - Any other services or ports identified.
Sniffing
• Many free and commercial sniffers, e.g., Snort, Wireshark, tcpdump, dsniff - Allow attacker to intercept and log packets, easiest on wired or wireless LANs • FBI developed Carnivore (replaced by commercial NarusInsight) • Echelon system rumored to intercept satellite signals (by US, UK, Australia, Canada, New Zealand) • Room 641A rumored to intercept Internet backbone packets (by AT&T for NSA)
Deep Packet Inspection (DPI)
• Capability of network equipment (firewalls, intrusion detection systems, packet analyzers) to decode entire packet payloads up to layer 7 • Difficulties - Keeping state information for connections (a payload may be split across segments, and segments can arrive out of order) - Encrypted payloads (only the framing is visible) - Unusual port numbers (the protocol cannot be inferred from the port)
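An added example for the three difficulties above (not from the slides or from any DPI product): it reassembles TCP segments per flow in sequence order (the connection state a DPI engine must keep), classifies each stream by its first bytes rather than by port number, and reports TLS as opaque once the handshake is over. All packets are constructed: an HTTP request to port 8081 split into two out-of-order segments, a TLS record on port 80, an SSH banner on port 2222, and TLS application data on port 443. Hosts, ports and the small signature set are assumptions; a production engine carries thousands of signatures and full TCP state machines.

```python
"""Payload-based protocol identification with TCP stream reassembly.
Added example; the packets are constructed, not captured."""
import struct
from collections import defaultdict

# Content signatures, independent of port number. TLS is recognised by its
# record header (content type 0x16 handshake / 0x17 application data,
# version 0x03 0x0X); after the handshake only that framing is visible.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify(payload):
    """Protocol label from the first bytes of a (reassembled) stream."""
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:64]:
        return "http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if len(payload) >= 5 and payload[0] in (0x16, 0x17) and payload[1] == 3 and payload[2] <= 4:
        return "tls-handshake" if payload[0] == 0x16 else "tls-encrypted"
    return "unknown"


def reassemble(segments):
    """Order each flow's segments by sequence number and concatenate the
    contiguous data: the stateful step a DPI engine must do before matching.
    segments: iterable of (src, sport, dst, dport, seq, data).
    Returns {(src, sport, dst, dport): bytes}; a gap stops the stream rather
    than guessing across it."""
    flows = defaultdict(dict)
    for src, sport, dst, dport, seq, data in segments:
        flows[(src, sport, dst, dport)][seq] = data
    streams = {}
    for flow, parts in flows.items():
        buf, expect = b"", min(parts)
        for seq in sorted(parts):
            if seq != expect:
                break
            buf += parts[seq]
            expect = seq + len(parts[seq])
        streams[flow] = buf
    return streams


def inspect(segments):
    """Map every flow to (guess from destination port, classification from payload)."""
    port_guess = {80: "http", 443: "tls", 22: "ssh"}
    return {flow: (port_guess.get(flow[3], "unknown"), classify(data))
            for flow, data in reassemble(segments).items()}


def constructed_segments():
    """Constructed traffic (assumed hosts 10.0.0.5 and 10.0.0.9):
    (1) an HTTP request to port 8081 delivered as two out-of-order segments,
    (2) a TLS handshake record on port 80, (3) an SSH banner from port 2222,
    (4) TLS application data on 443, whose contents cannot be inspected."""
    req = b"GET /admin HTTP/1.1\r\nHost: intranet\r\n\r\n"
    tls_hello = b"\x16\x03\x01" + struct.pack("!H", 4) + b"\x01\x00\x00\x00"
    tls_data = b"\x17\x03\x03" + struct.pack("!H", 16) + bytes(range(16))
    return [
        ("10.0.0.5", 51000, "10.0.0.9", 8081, 1000 + 12, req[12:]),   # second half arrives first
        ("10.0.0.5", 51000, "10.0.0.9", 8081, 1000, req[:12]),
        ("10.0.0.5", 51001, "10.0.0.9", 80, 1, tls_hello),
        ("10.0.0.9", 2222, "10.0.0.5", 51002, 1, b"SSH-2.0-OpenSSH_5.3\r\n"),
        ("10.0.0.5", 51003, "10.0.0.9", 443, 1, tls_data),
    ]


if __name__ == "__main__":
    for flow, (by_port, by_payload) in inspect(constructed_segments()).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  port says {by_port:8s} payload says {by_payload}")
```

Matching on the first segment that arrives misses the HTTP request entirely (that segment begins with `TTP/1.1`), which is why payload signatures and stream reassembly go together; for the 443 flow the classifier can say only that it is TLS application data, not what it carries, and for the 8081 and 2222 flows the port-based guess is simply wrong.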
Intrusions
Intrusions - four main paths, with examples:
• Password attacks - John the Ripper
• Social engineering - spear phishing
• Exploits of vulnerabilities - buffer overflow, SQL injection
• Malware - Trojans, bots, worms