A Farewell to Air Gaps, Part 1

OUT OF BAND

Hal Berghel, University of Nevada, Las Vegas

One of the most fundamentally misguided charged with the oversight and ways to protect a networked infrastructure management of these acquisitions. Going back at least 30 years be- is to introduce an air gap. The US has been fore the Farewell revelation, the US mastering the art of crossing them for more and its NATO allies were keen to keep the keys to the kingdom out of than 30 years. Soviet hands. Through export and other economic policies, they op- posed Line X and the forces behind ager to send détente to an early grave, US Pres- it. Thus the sharing of nuclear secrets, certain sophisti- ident Ronald Reagan wasted no time taking cated manufacturing techniques, semiconductor tech- advantage of the intelligence provided by the nology, and sensitive trade secrets was verboten, and the French domestic intelligence agency’s KGB spy, corresponding products, weapons, advanced computers, EColonel Vladimir Vetrov, codenamed “Farewell.” In 1981, machinery, and the like were embargoed. French President François Mitterrand offered Reagan the But that didn’t stop the KGB. Line X populated visiting “Farewell Dossier,” 4,000 KGB documents that by some Soviet delegations with KGB agents to learn about agri- accounts triggered a spectacularly kinetic CIA response. culture, manufacturing, defense, and whatever else they Gus Weiss documented the entire affair in his capac- could. What they didn’t learn from direct inspection, ity as a special assistant to the secretary of defense as they tried to buy. What they couldn’t buy directly, they well as director of International Economics for the Na- tried to purchase through third parties. Failing that, theft tional Security Council (NSC). According to Weiss,1 the was always a viable option. This was Cold War technol- Soviets under Leonid Brezhnev viewed détente as some ogy transfer Soviet style: a continuation of the atom bomb much needed economic breathing room that enabled spying effort, but with economic objectives that contin- them to improve the USSR’s economy. To expedite this ued to some degree until Reagan found out about all of it improvement, the Soviet Council of Ministers and the from Mitterrand. Communist Party of the Soviet Union’s Central Com- mittee established the KGB’s Directorate T to find and THE CIA’s MARK TO MARKET retrieve Western targets of opportunity (read: stolen in- At the NSC, Weiss read the Farewell Dossier and deter- tellectual property). A new operating arm, Line X, was mined that the Soviets were acquiring technology trade

secrets at breakneck speed. “Our sci- explanation. Reed claims that Weiss remote-access Trojan and information ence was supporting their national de- told him the story and provided him stealer, W32.Duqu,2 and the espionage fense,” he reported.1 From the dossier, with his notes shortly before his mys- hack, Flame.3 In fact, early versions of William Casey’s CIA developed a Line terious death on 25 November 2003. Stuxnet (circa v0.5) are thought to de- X shopping list in 1982 and, with the Although some dispute whether the rive from the Flame platform, whereas FBI’s help, assisted the Soviets on their hack resulted in the actual explosion, later versions (circa v1.0) also derive shopping spree by seeing that they got it wasn’t for lack of effort on the part of from the Tilded platform—so-called enhanced versions of the things they the Reagan administration. So far as I because contributors tended to start sought—these items “would appear can determine, no authoritative source filenames with tildes. Other Flame- genuine, but would later fail.”1 De- disputes the rest of Reed’s account. and Tilded-based malware are certain fective computer chips, flawed parts, Some of Weiss’s notes appeared on to remain in circulation in some form and misleading or bogus technical the CIA website under his name on 14 In Countdown to Zero Day: Stuxnet information were supplied to vendors April 2007,1 more than two years after and the Launch of the World’s First Dig- known to sell to the Soviet Union. We Reed’s book had removed any cover ital Weapon,4 journalist Kim Zetter— know this from Weiss’s report,1 but of secrecy. The Trans-Siberian Pipe- who’s covered cybercrime for Wired things got much more interesting line part of the story isn’t included in and other publications—convincingly when Thomas Reed, also a member of Weiss’ published CIA notes; add this documents (see “The Legend of Stux- Reagan’s NSC, came into the picture. to Weiss’s strong opposition to the Iraq net” sidebar) that although Flame and Weiss and Reed were with the NSC war and you have the stuff of which Duqu are derived from the Flame and when the Reagan–Casey–CIA–FBI in- great conspiracies are made. I’d be re- Tilded codebases, respectively, Stux- trigue began in early 1982. miss if I didn’t mention here that Reed net borrows from both, and in differ- Reed picked up Weiss’s storyline remains a partisan loyalist to Reagan ent proportions over time.4 Kaspersky in At the Abyss: An Insider’s History of and his politics, so it could be that Lab’s Costin Raiu believes that the the Cold War (Presidio Press, 2005). his account is biased and somewhat Stuxnet cyber aggressors borrowed He tells how the Soviets were in need sanitized—perhaps there’s much more heavily from the Flame platform code of some software for their natural gas to the story than even Reed reported. and then shifted to Tilded later in de- pipeline that stretched from Siberia velopment due to the simplicity and to Eastern Europe. They dispatched a MALWARE ARCHAEOLOGY tightness of the latter code.5 KGB operative to a Canadian software AND STUXNET In Confront and Conceal: Obama’s supplier. The US intelligence folks For the next chapter on international Secret Wars and Surprising Use of Amer- were given the heads-up through Fare- cyber sabotage, we turn to Stuxnet. ican Power (Broadway Books, 2012), well, prompting the FBI to work with So that we’re all on the same page, you journalist David Sanger explains Op- the Canadians to “enhance” the soft- need to know that the officially uncon- eration Olympic Games in the context ware, which the KGB then obtained. firmed US/Israeli cyberattack against of the political climate during both According to Reed, the software the Iranian uranium enrichment facil- the latter George W. Bush and early included a Trojan horse allowing the ity at Natanz—reported in 2010—was Barack Obama administrations. He West to regulate the pipeline’s pump never called Stuxnet by those who al- speculates that Flame was a US arti- speeds and settings, valve openings, legedly deployed it. “Operation Olym- fact used when Stuxnet was in the ex- and internal pressures—pushing them pic Games” was the codename used by perimental stage, and that the Duqu/ well beyond safe operating limits. the planners when they presented the Tilded code was primarily an Israeli Needless to say, the flawed software idea to the George W. Bush administra- product. Only after Bush authorized produced the desired result of disrupt- tion originally. The Stuxnet moniker Operation Olympic Games did the ing the pipeline’s operations—in fact, came much later, from investigators two teams begin sharing code. There’s it’s alleged to have caused the larg- external to the project who juxtaposed considerable evidence for this be- est non-nuclear explosion in history fragments of contained filenames. cause Flame and Duqu differ greatly in (equivalent to detonating three kilo- The Stuxnet archaeology produced sophistication—pointing to the likeli- tons of TNT). In response to the NSC’s sufficient digital artifacts from which hood that different teams with differ- concern about the resulting explosion, several conclusions can be drawn. ent skill levels contributed to it. The Weiss is reported to have told them First, it actually shares some of the Stuxnet payload—the part directed at not to worry about it, but he gave no architecture and codebase with the specific industrial controllers—seems

JUNE 2015 65 OUT OF BAND

THE LEGEND OF STUXNET

he discovery of the Stuxnet worm by VirusBlokAda (http:// by 2000, it was becoming ineffective by the time that v0.5 Tanti-virus.by/en/index.shtml), a small Belarus security was released, so Stuxnet’s authors instead went with newer company, is itself an interesting story that’s now part of cyber and more sophisticated exploits. Unlike v0.5, v1.0 used a lore. Stuxnet’s creators went to considerable trouble to thwart multi-exploit. discovery by major security software vendors, but VBA was In all, Symantec and Kaspersky Lab identified five different apparently too small to be on their radar. An Iranian reseller for infection hacks: the Autorun exploit in v0.5, the .LNK hack VBA reported events of interest from several customers that in v1.0 and later, and three elevation-of-privileges exploits couldn’t seem to rid themselves of malware infection. This through vulnerabilities in the Windows keyboard file handler, alerted VBA, which in turn uncovered a kernel-level rootkit print spooler, and task manager. In addition, Kim Zetter2 doc- operating on its customers’ computers. Further analysis uments eight different propagation tactics once the malware discovered an injector based on Windows .LNK files carried by was installed on one computer: USB flash drives. VBA had unknowingly uncovered the first few layers of Stuxnet because its security monitoring was more 1. the .LNK hack described above continuing to work on effective in this case than more widespread security software. new USB targets, .LNK files are simply file shortcuts or links to local files for 2. infecting Siemens Simatic Step 7 project files, use with Microsoft Explorer. If the local file is an executable, 3. exploiting a security-through-obscurity defect in the way activating the link causes it to load and run. Actually, the Siemens handled user authentication, Stuxnet v1.0 .LNK exploit started out as a Microsoft feature. 4. injecting malware into shared Siemens databases, Not content to allow users access to a distracting array of file 5. using a peer-to-peer exploit on LAN file sharing that extensions, Microsoft shipped Windows with the extensions worked in much the same way as software updaters do, to known file types (.doc, .ppt, and so on) suppressed. To see 6. installing a covert file-sharing server on each infected the common file extension, the user has to disable this option machine for redundancy, using Folder Options in the Control Panel. What’s more, even if 7. spreading via network file shares, and you disable this feature, Windows will still suppress system-re- 8. exploiting a Conficker-style Trojan-horse vulnerability served file extensions like—you guessed it—.LNK. These file that had been reported and for which a patch had been extensions aren’t file-system links and thus aren’t suppressed created but not necessarily installed. in Explorer, but rather are handled by the Windows Registry. By default, the Registry entry for .LNK is NeverShowExt. So, Of these, (1) and (2) were the most heavily used. The novelty of this “feature” was already weaponized by Microsoft: to wit, if the exploits, together with the complexity of the code and the .LNK file extensions are suppressed, your file.doc.lnk appears multitude of attack vectors, distinguishes Stuxnet from other instead as an innocuous file.doc. That this .doc file will link to malware and made it the current gold standard of cyber warfare. something other than a Word file is inherently concealed. For a politician, the allure of Stuxnet-style cyber-kinetic Stuxnet’s .LNK injector took advantage of a design flaw in attacks is that they don’t immediately put American lives at IconHandler within the Windows Shell that incorrectly parses risk. As such, Operation Olympic Games can be thought of as .LNK files. IconHandler allowed the execution of the executable a tactical sibling to the current US drone war, the ideological linked to the icon instead of just displaying the icon on USB ancestry of which dates back to Eisenhower-era covert CIA devices (see “Shortcut Icon Loading Vulnerability” at https:// operations in the Middle East (Operation Ajax) and Central technet.microsoft.com/library/security/ms10-046). VBA an- America (Operation PBSUCCESS). alysts spotted this attack vector and hence were credited with the Stuxnet discovery, although they didn’t reverse engineer the code enough to reveal the payload. That was done by Syman- References tec1 and others. Although the injector was designed for Win- 1. N. Falliere, L.O. Murchu, and E. Chien, W32.Stuxnet Dossier, re- dows, the payload was optimized for the industrial controllers. port v. 1.4, Symantec, Feb. 2011; https://www.symantec.com The .LNK injector wasn’t a zero-day exploit, but it was /content/en/us/enterprise/media/security_response/whitepapers novel. Autorun was the default injector for removable stor- /w32_stuxnet_dossier.pdf. age and media before the mid-2000s. Since responsible 2. K. Zetter, Countdown to Zero Day: Stuxnet and the Launch of the security consultants had recommended disabling Autorun World’s First Digital Weapon, Crown, 2014.

66 COMPUTER WWW.COMPUTER.ORG/COMPUTER to have remained relatively constant of use—as they were designed without agency, Media Suffix, whose tag line, over time, suggesting that it was de- robust security in mind. “Deliver What the Mind Can Dream,” veloped first and held in reserve while That’s what Stuxnet did. Of course, is an apt mantra for what I’ll call post- awaiting an opportunity to launch. that doesn’t explain how the feat was modern, neoconservative, malware Absent leaks or whistleblowers, we accomplished. Because the earlier epistemology. might never know the full extent of the Stuxnet version (v0.5 from 2005– cyber mischief Stuxnet and its various 20078) wasn’t Internet enabled, it only sources have contributed to, although propagated through shared S7 project he detailed technical reports the Flame arsenal of attacks is now files on Windows computers. Unlike on Operation Olympic Games/ known to include a hack of Microsoft its more effective descendant, v0.5 TStuxnet are consistent in their Windows Updater—a feature not pres- manipulated the input and output recognition of its aggressiveness and ent in the Stuxnet-era exploits. Much valves on the centrifuges. Although capabilities—when measured in terms of the current analysis of Flame and its derivatives must end with some specu- lation, of course, since state-sponsored developers don’t use networked ver- We might never know the full extent sion control repositories like GitHub. of the cyber mischief Stuxnet CENTRIFUGE SUBTERFUGE and its various sources contributed to. Details of the Stuxnet worm have been well documented by scores of security excessive pressure would damage the of breadth and depth, the destructive analysts.6,7 It’s well known that it tar- centrifuges, v0.5 wasn’t as effective potential certainly qualifies as revolu- gets a very narrow range of industrial as v1.0, which could actually manipu- tionary. Not only was it a hydra-headed SCADA (supervisory control and data late centrifuge rotors until they spun near-zero-day exploit—and the first acquisition) systems running Siemens out of control. v1.0 also used existing known rootkit to target PLCs—the op- Simatic Step 7 (S7) software. By cor- Windows vulnerabilities to more ef- eration also deployed a sophisticated rupting programmable logic control- fectively propagate the worm through injector into the S7 processors. The lers (PLCs) that use two specific fre- a LAN, removable USB storage devices, worm was also a self-replicator par quency converters, the worm causes network file shares, Windows remote excellence—working well in LANs, the PLCs to direct the systems to oper- procedure calls, printer spools, or the peer-to-peer communications, remov- ate outside safe limits to the point of Internet itself. able storage devices, network shares, self-destruction (sound familiar?). The initial v0.5 injection was ac- and I/O streams. It also used a sophis- The SCADA systems themselves are complished using a Flame platform ticated covert command-and-control controlled by Windows-compatible Autorun exploit through infected interface, an advanced form of anti- computers, so the attack vector is indi- USB drives, which were carried to malware sonar for most of the popu- rect via Windows PLCs that are likely the Natanz facility and inserted into lar security products available, strong isolated from the Internet by means of network computers by four Iranian encryption to hide its binaries, and an air gap. More specifically, Stuxnet subcontractors—a relatively simple an embedded playback mechanism to targets the S7 PLC software running injection strategy compared to v1.0. In- spoof normal operation. on Windows computers, which in turn terestingly, the payload didn’t change Although not as complicated as regulates S7 controllers with S7-315 or in subsequent versions of the worm, Flame, Stuxnet represents a serious S7-417 frequency converters used by suggesting that the weaponized S7/ contribution to the art of cyber war- the IR-1 family of uranium centrifuges. SCADA attack code was likely mature fare and is unique as a cyber-kinetic That last sentence is a mouthful, but it by the time President Bush approved attack tool. Attacking a sovereign highlights the fact that Stuxnet’s pay- proceeding to the attack’s final stages. nation’s infrastructure puts it in a load was precisely targeted. The partic- Symantec also assesses the payload league of its own. This hasn’t escaped ular S7 controllers used by these cen- code to be far superior to the injector the attention of political leaders and trifuges were specifically introduced and call-home code, which many have state-supported technologists of every as a cost-saving measure to replace the used to speculate on the nationality stripe. Not only did Stuxnet set a new hardwired and telemetry-controlled of the teams that developed each. As standard for hacking into industrial systems of the 1950s and 1960s. Al- an interesting aside, v0.5 used four control systems, it upped the ante in though they effectively reduced the command-and-control servers to up- the global cyber-arms race. cost, it’s difficult to discount the neg- date the code, all of which claimed Although the inevitable retalia- ative externalities from the total cost to be from a nonexistent advertising tory attacks by anti-Western interests

JUNE 2015 67 OUT OF BAND

will be decried as naked cyber aggres- /csi-publications/csi-studies/studies .symantec.com/content/en/us sion in the mass media (as the bogus /96unclass/farewell.htm. /enterprise/media/security_response claims surrounding the Sony hack 2. W32.Duqu: The Precursor to the Next /whitepapers/w32_stuxnet_dossier.pdf. make clear9), the cyber-aware global- Stuxnet, white paper v1.4, Symantec, 7. K. Zetter, “An Unprecedented Look ists will always regard the US and Is- 23 Nov. 2011; www.symantec.com at Stuxnet, the World’s First Digital rael as mentors. Future cyber-kinetic /content/en/us/enterprise/media Weapon,” Wired, 3 Nov. 2014; www attacks will predictably involve fail- /security_response/whitepapers .wired.com/2014/11/countdown-to ures of power grids, water supplies, /w32_duqu_the_precursor_to_the -zero-day-stuxnet. and transportation. This cyber genie _next_stuxnet.pdf. 8. G. McDonald et al., Stuxnet 0.5: The is out of the bottle. 3. W32.Flamer, report, Symantec, up- Missing Link, report v. 1.0, Symantec, If nothing else, the Trans-Siberian dated 5 Jun. 2012; www.symantec 26 Feb. 2013; www.symantec.com Pipeline hack and Stuxnet attack on .com/security_response/writeup /content/en/us/enterprise/media Natanz demonstrate that air gaps have .jsp?docid=2012-052811-0308-99. /security_response/whitepapers been ineffective for well over 30 years. 4. K. Zetter, Countdown to Zero Day: /stuxnet_0_5_the_missing_link.pdf). The air gap joins security-through- Stuxnet and the Launch of the World’s 9. H. Berghel, “Cyber Chutzpah: The obscurity as classic examples of faith- First Digital Weapon, Crown, 2014. Sony Hack and the Celebration of based security—a strategy for protec- 5. Resource 207: Kaspersky Lab Hyperbole,” Computer, vol. 48, no. 2, tion that’s based on faith alone (see my Research Proves that Stuxnet and 2015, pp. 77–80. column “Faith-Based Security”10). Flame Developers Are Connected, 10. H. Berghel, “Faith-Based Security,” Next month we’ll investigate what, report, Kaspersky Lab, 11 Jun. 2012; Comm. ACM, vol. 51, no. 4, 2008, if any, lessons we’ve learned. www.kaspersky.com/about/news pp. 13−17. /virus/2012/Resource_207_Kaspersky _Lab_Research_Proves_that_Stuxnet REFERENCES _and_Flame_Developers_are HAL BERGHEL is an ACM and IEEE 1. G.W. Weiss, The Farewell Dossier: Dup- _Connected. Fellow and a professor of computer science at the University of Nevada, ing the Soviets, report, CIA, posted 14 6. N. Falliere, L.O. Murchu, and E. Las Vegas. Contact him at hlb@ April 2007; www.cia.gov/library Chien, W32.Stuxnet Dossier, report computer.org. /center-for-the-study-of-intelligence v. 1.4, Symantec, Feb. 2011; www

January/february 2013 www.computer.org/software

marcH/aprIL 2013 www.computer.org/software IEEE Software offers pioneering ideas, expert analyses, and thoughtful insights for cyber Dumpster Diving // 9

the airbus a380’s cabin software // 21 programming with ghosts // 74 software professionals

may/June 2013 www.computer.org/software who need to keep up with rapid technology

from minecraft to minds // 11 change. It’s the authority

Landing a spacecraft on mars // 83 Design patterns: magic or myth? // 87 on translating software theory into practice.

www.computer.org/ software/subscribe storytelling for software professionals // 9

In Defense of Boring // 16

Beyond Data mining // 92

68 COMPUTER WWW.COMPUTER.ORG/COMPUTER