Iranian contractor named as Stuxnet 'patient zero'

Infection Vectors

The most straightforward way of getting a virus into this sort of target is through the subcontractors. The ones who write the PLC and SCADA programs (e.g. Foolad) would become infected, and then pass it on to the final target when they installed or updated the control software for their customers.

If you work in the PLC and SCADA programming field, you will have to deal with customer e-mails all the time for quotes, service, etc. Typically, you will get e-mails saying "we're looking at upgrading our production line, can you give us a quote on the controls work - here's a copy of the PLC program and CAD drawings so you know what you're dealing with". You open the files to look through what's there so you can make an estimate of how many man-hours are involved. This is a routine part of bidding, but of course not all such things lead to a contract. It should be possible to slip some bogus requests into a few likely subcontractors of your target.

One of the interesting things which came out early in the Stuxnet investigation was that one of the vulnerabilities in Step-7 was in MS-SQL Server. Siemens Step-7 is the IDE for developing software for Siemens S7 control systems. It's the PLC programmer's equivalent to MS Visual Studio. All the tag (variable) configuration data is held in a database which uses an embedded version of MS-SQL Server. Yes, it's a crap design, but it's how Siemens solved the issue of allowing multiple programmers to work on the same piece of equipment at the same time (they call it "Totally Integrated Automation"). That embedded database had a known but unpatched (by Siemens) vulnerability which was triggered by the "wrong" data.

So, to make this all work you do a bit of research into who does the controls work for the utility industry, and then send out e-mails purporting to be RFQs from an Iranian front company which carry the infection vector in a Step-7 project. The front company can be a genuine Iranian manufacturing company (making something like refrigerators or automobiles) where you bribe the appropriate low level person to include the infection in their next RFQ. You might even skip the bribery step by simply spoofing an e-mail from them.

As for the various zero-days being used, there are companies which find these things and sell them to governments. The actual viruses are pretty bog-standard PC Windows viruses with an unusual end purpose. The PLCs themselves don't get a virus; they just get altered programs downloaded to them from an infected PC. The industrial hardware to test it on is the most common models on the market, so there is nothing esoteric about it.

You do have to know something about centrifuges and the enrichment process in order to bugger them up in a subtle but effective way, and that's where the real technical know-how came into place in all this.

Overall though, I think this sort of thing is quite do-able by anyone who has some inside knowledge of his target. There wouldn't be much point in attacking something like an auto-parts plant. They would simply clean it up and carry on after some loss of production. However, electrical utilities, gas pipelines, water supplies, and other similar targets can have widespread influence and a lot of these have very standardized designs (especially generating plants which use gas turbine plants).

Most of the engineering staff who design, build, and look after these systems know a great deal about their field, but they don't know any more about "computers" than your average accountant does. They just use them. IDEs like Step-7 do a lot to coddle their users. Anyone with the motivation could come up with their equivalent of Stuxnet and probably find a lot of very soft targets out there.
