Iranian contractor named as Stuxnet 'patient zero' Malware researchers have named five Iranian companies infected with Stuxnet , identifying one as 'patient zero' from which the worm leaked to the world after causing havoc in the Natanz uranium plant. Joint research by Kaspersky Lab and Symantec found the organisations, contractors to Natanz, were targeted between June 2009 …
The most straightforward way of getting a virus into this sort of target is through the subcontractors. The ones who write the PLC and SCADA programs (e.g. Foolad) would become infected, and then pass it on to the final target when they installed or updated the control software for their customers.
If you work in the PLC and SCADA programming field, you will have to deal with customer e-mails all the time for quotes, service, etc. Typically, you will get e-mails saying "we're looking at upgrading our production line, can you give us a quote on the controls work - here's a copy of the PLC program and CAD drawings so you know what you're dealing with". You open the files to look through what's there so you can make an estimate of how many man-hours are involved. This is a routine part of bidding, but of course not all such things lead to a contract. It should be possible to slip some bogus requests into a few likely subcontractors of your target.
One of the interesting things which came out early in the Stuxnet investigation was that one of the vulnerabilities in Step-7 was in MS-SQL Server. Siemens Step-7 is the IDE for developing software for Siemens S7 control systems. It's the PLC programmer's equivalent to MS Visual Studio. All the tag (variable) configuration data is held in a database which uses an embedded version of MS-SQL Server. Yes it's a crap design, but it's how Siemens solved the issue of allowing multiple programmers to work on the same piece of equipment at the same time (they call it "Totally Integrated Automation"). That embedded database had a known but unpatched (by Siemens) vulnerability which was triggered by the "wrong" data.
So, to make this all work you do a bit of research into who does the controls work for the utility industry, and then send out e-mails purporting to be RFQs from an Iranian front company which carry the infection vector in a Step-7 project. The front company can be a genuine Iranian manufacturing company (making something like refrigerators or automobiles) where you bribe the appropriate low level person to include the infection in their next RFQ. You might even skip the bribery step by simply spoofing an e-mail from them.
As for the various zero-days being used, there are companies which find these things and sell them to governments. The actual viruses are pretty bog standard PC Windows viruses with an unusual end purpose. The PLCs themselves don't get a virus, they just get altered programs downloaded to them from an infected PC. The industrial hardware to test it on are the most common models on the market, so there is nothing esoteric about it.
You do have to know something about centrifuges and the enrichment process in order to bugger them up in a subtle but effective way, and that's where the real technical know-how came into place in all this.
Overall though, I think this sort of thing is quite do-able by anyone who has some inside knowledge of his target. There wouldn't be much point in attacking something like an auto-parts plant. They would simply clean it up and carry on after some loss of production. However, electrical utilities, gas pipelines, water supplies, and other similar targets can have widespread influence and a lot of these have very standardized designs (especially generating plants which use gas turbine plants).
Most of the engineering staff who design, build, and look after these systems know a great deal about their field, but they don't know any more about "computers" than your average accountant does. They just use them. IDEs like Step-7 do a lot to coddle their users. Anyone with the motivation could come up with their equivalent of Stuxnet and probably find a lot of very soft targets out there.
I like most of your writeup but...
"The PLCs themselves don't get a virus, they just get altered programs downloaded to them from an infected PC. "
Maybe not a PLC virus, but perhaps a PLC rootkit? I'm choosing that name because the unauthorised PLC program modifications attempt to hide themselves from a PLC programmer looking at the infected PLC?. A few of the Stuxnet references mention rootkits, but among the good writeups there are masses of dross.
Don't rely solely on the writeups sourced from outfits like Symantec. Ralph Langner had a lot more clue about the PLC side of things than Symantec ever could.
See e.g.
http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf
for an interesting writeup, though unlike some of Langner's other writings, it doesn't use the word "rootkit".
There's a TEDtalk too, but if I remember rightly it's light on technical content. There's plenty of technical content on the blog on his company's website.
"among the good writeups there are masses of dross."
s/among the/as well as the/
Is there an 'edit' button on the mobile website? There isn't for me. Mind you, where I'm typing this, there isn't any article content on the non-mobile website. IE8, Win7, symantec webfilter.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
