
The inheritors of Stuxnet
So how does one make money out of ICS malware?
Malware posing as legitimate software for Siemens control gear has apparently infected industrial equipment worldwide over the past four years. The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we're told. At least 10 industrial plants – seven in the US – were found …
El Reg appears to have the story backwards. It isn't firmware that is installed on the PLC. It's trojans hidden in Windows programs that are used to load files into various bits of industrial hardware.
In other words, we're talking about bog-standard Windows PC trojans that just happen to be riding along inside software that is used by people on their laptops to service industrial control systems. It's no different from trojans hidden inside pirated copies of games or Photoshop. Presumably the perpetrators will make money off this the same way they make money from any of the other trojanned software. These laptops, after all, will be spending a lot of their time hooked up to the Internet while the user is doing all the routine office work everyone else has to do.
This is nothing new to people who actually work in the industrial field. I was seeing this in cracked copies of Siemens software at least 15 years ago. Everyone in the business back then knew you could get cracked copies of their very, very expensive development software from servers in eastern Europe and places like that, but that various bits of malware were guaranteed to come along for the ride. Piracy of this sort of software is pretty widespread, so trojanned copies are as well.
What has happened here is that companies selling Windows security software have smelled money in all the concern about cyber warfare, and they are now addressing a market that was too niche for them to care about before. All they need to do is tune their existing Windows anti-virus software to look for the normal trojans in these packages.
This malware has been spreading for 4 years and we are only hearing about it.
How many industrial companies have been brought to their knees because of that? Apparently none. How many gas lines have exploded because of that? None either.
How long did it take for Heartbleed to grab our attention? What about Conficker? And let's not forget CryptoLocker, which has birthed a slew of variants that are very much a threat today.
Person of Interest may be called visionary, but unfortunately Live Free or Die Hard quite obviously isn't.
We can argue whether the USA was right to end WW2 with the A-bomb. But once they deployed the A-bomb, others would want the A-bomb... including unfriendly powers.
When the USA attacked industrial controllers in Iran with Stuxnet, they opened Pandora's box.
In France there is a major government effort to lock down key industrial infra. There are government (ANSSI) audits, and fines for non-compliance. At present the only confirmed industrial damage is a steel plant in Germany. There are several claims of Russian attacks on infra, including attacks on electrical generation causing outages, but it is disputed whether the attacks were the cause, or were just found because of the investigation after the incidents.
"Good morning, welding arm, do you feel like making cars today?"
"No, door placement arm, today I feel like killing all the humans."
"I'm glad to hear that I'm not the only one, welding arm. Say, what is that substance you are covered with?"
"I'm not entirely sure, door placement arm. I believe it's called 'foreman'. And what are you covered with?"
"This substance is called 'Frank', welding arm. Well, some of it is."
Many systems, including Siemens PLC-based systems, are designed to be secure, isolated from the Internet, and accessed only by those with training and clearances, but industry cares little about such things.
As a result, systems and/or laptops used to access the PLCs are almost always (IME) connected to the internet at some point, usually while being installed. The contractors do so because it is "easier" (cheaper) for them and often allows for subcontracting without having the subcontractors showing up on site. Even when the equipment cannot be connected to the internet at site, it is before it is shipped to site, again to make it easier for the contractor.
Once at site, the staff actually responsible for the equipment rarely receive proper training. Even if Techs get training, it will be only those working there when it is first installed. And of course managers are quick to cancel the purchase of any dedicated laptops or use those supplied as general laptops for anyone in the shop. They can be equally quick to hand over servers to a contracted-out, stretched-thin IT department. Even if a laptop gets set aside for dedicated use, they rarely stay that way. As for servers, every Tech and Engineer responsible wants access via their smartphone and sometimes wires in a connection to accomplish that. In one case the password for access was the make of the Engineer's vehicle. I didn't mention how I "discovered" the password but suggested that if they were going to plug the LAN cable back in after I left, the least they could do is use a better password.
In another case the main SCADA access to the servers was restricted and properly air-gapped. Data for regular reports was transferred using USB drives. The $15B site couldn't afford USB drives, so workers had to use their own. As a result it had an active Trojan that was constantly trying to connect via the internet. It was rather easy to find: all I did was turn on the antivirus. I asked why it was off and was told it was because they didn't know how to cancel the alerts and warnings it gave while running. I sent an email pointing out that deleting some files and minor registry edits would clean the system. The ensuing emails are now classics in some circles. Years later they still had the Trojan, and I suspect it finally made that call home when they added more equipment.
When it comes to business and industry there are no rules, and those few that do exist are easily bypassed. IMO the very model of capitalistic industry is too flawed to use for important or critical infrastructure. For such models to work properly requires considerable oversight, and even if it had such oversight, industry will co-opt such programs to protect the company from expense and litigation and ensure oversight never gets in the way of making money. Their mantra is that less oversight, less regulation, is always better; after all, it is citizens, society and taxpayers that will have to pay.
Like politics, the old systems have failed; what the new systems are is not clear at this point in time, but I suspect we will not adopt them until well after the worst occurs.
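The "active Trojan constantly trying to connect via the internet" on a supposedly air-gapped SCADA host is exactly the kind of thing a perimeter firewall log gives away. As an added example (not code from this thread, from Siemens, or from any real product), the script below parses constructed deny/allow log lines, flags any outbound attempt from a host on an assumed isolated-host list, and separately flags flows whose attempts recur at a near-constant interval (beaconing). The log format, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log from a perimeter firewall (format is an assumption).
SAMPLE_LOG = """\
2019-03-01T08:00:00 src=10.20.1.15 dst=203.0.113.7 dport=443 action=deny
2019-03-01T08:05:01 src=10.20.1.15 dst=203.0.113.7 dport=443 action=deny
2019-03-01T08:10:00 src=10.20.1.15 dst=203.0.113.7 dport=443 action=deny
2019-03-01T08:15:02 src=10.20.1.15 dst=203.0.113.7 dport=443 action=deny
2019-03-01T08:03:17 src=10.20.1.40 dst=198.51.100.9 dport=443 action=allow
2019-03-01T08:20:00 src=10.20.1.40 dst=198.51.100.9 dport=443 action=allow
2019-03-01T09:41:05 src=10.20.1.40 dst=198.51.100.9 dport=443 action=allow
"""

# Hypothetical list: the SCADA server that should never talk to the internet.
ISOLATED_HOSTS = {"10.20.1.15"}

LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\w+)")

def parse_log(text):
    """Yield (timestamp, src, dst, dport, action) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                   int(m["dport"]), m["action"])

def find_findings(text, isolated_hosts, min_hits=3, max_jitter=0.15):
    """Return a list of findings, in log order of first appearance:
    - isolation_violation: any outbound attempt from a host that must stay isolated
    - beacon: >= min_hits attempts to one dst:port with interval jitter <= max_jitter
      (jitter = population stddev of gaps / mean gap)."""
    flows = defaultdict(list)
    for ts, src, dst, dport, _action in parse_log(text):
        flows[(src, dst, dport)].append(ts)   # denied attempts count too
    findings = []
    for (src, dst, dport), times in flows.items():
        times.sort()
        if src in isolated_hosts:
            findings.append({"kind": "isolation_violation", "src": src,
                             "dst": dst, "dport": dport, "hits": len(times)})
        if len(times) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                findings.append({"kind": "beacon", "src": src, "dst": dst,
                                 "dport": dport, "hits": len(times),
                                 "period_s": round(avg)})
    return findings
```

Note that denied connections are counted as well: a blocked beacon is still evidence of an infected host, which is the point the comment above makes.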
Hi, I regularly use the Siemens software (TIA, used for later PLCs). It runs on the production network, which is firewalled off from the administration network.
It is very difficult to use without an internet connection as:
1. The install files are large and getting them from one network to the other is very slow.
2. The help for the hardware is web-based.
3. When the IDE software has anomalies (not bugs), the crash reports are very difficult to get off the development machine to send to Siemens.
active infection, crimeware, cyber-nasty, detonating internally, hackers burrowing, infected software, infected USB sticks, malicious software, malware, radiating out, ransomware, software, unauthorized remote access
How many different euphemisms can you think up for malware infecting operating system :)