SCADA malware caught infecting European energy company • The Register Forums

Tuesday 12th July 2016 15:49 GMT Paul Crawford

Impressive analysis, but infection vector not apparent

Seems they do a lot to avoid VMs and sandboxes, so why are they not in more common use for security sensitive systems anyway? After all, the actual controllers are dedicated hardware boxes and the SCADA PCs just Windows machines to supervise them. Any reason why those PCs can't be run in a VM?

But how were those machines infected in the first place?

Why were they internet connected?

When will we see serious personal fines and jail time for managers who fail to put sufficient security design, monitoring and management in to critical infrastructure?

Trusting some AV or firewall vendor who said they would stop trouble is just not good enough. Unless, of course, they are offering to pay the fines and do the jail time if they fail.

13 0 Reply
1. Tuesday 12th July 2016 15:57 GMT The Original Steve
  
  Re: Impressive analysis, but infection vector not apparent
  
  Good point, although just cat and mouse.
  
  A lot of SCADA kit needs special legacy hardware keys to run via parallel or RS232 ports, and often needs its own special 'NIC' to talk its own special protocol to the rest of the SCADA network.
  
  Tried to virtualize the control systems for a large crisp manufacturer a few years back. Got about 2/3rds done, the rest I couldn't for the reasons above.
  
  15 0 Reply
  1. Tuesday 12th July 2016 16:16 GMT Anonymous Coward
    
    Re: Impressive analysis, but infection vector not apparent
    
    Tried to virtualize the control systems for a large crisp manufacturer a few years back.
    
    Now that's what I call critical infrastructure. Hoy! Ruskies! Walker's SCADA kit is only partly defended.
    
    Then again, maybe the Ruskies have been attacking, and disrupting the flavour-dosing controls. That creates a lot of over or under-flavoured crisps, which Walkers then have to sell to supermarkets for resale as their own brands.
    
    6 0 Reply
    1. Wednesday 13th July 2016 08:29 GMT Anonymous Coward
      
      Re: Impressive analysis, but infection vector not apparent
      
      Now I know who to blame for the bags of air from Walkers, Ruskies!
      
      0 0 Reply
2. Tuesday 12th July 2016 16:01 GMT Sir Runcible Spoon
  
  Re: Impressive analysis, but infection vector not apparent
  
  "But how were those machines infected in the first place?"
  
  Considering the lengths this software went to avoid detection I'm interested in how it was discovered (unless I rushed past that bit to get to the detail).
  
  There is a ton of stuff in the analysis that could be used to foil this malware, so it's obviously relied on being obscure enough to not be detected, but even something as simple as using internal CNAME's for AV sites would break one aspect of the functionality (i.e. routing all those common AV names to 0.0.0.0).
  
  Also just putting a few dummy files on the secured system to make it look like it's running AV to make it self terminate - it would be a lot of faffing about, but it's something I would consider doing if I were managing these windows boxes.
  
  5 0 Reply
3. Tuesday 12th July 2016 17:43 GMT Rob pledge
  
  Re: Impressive analysis, but infection vector not apparent
  
  Well if its probably a state sponsored attack it's not beyond the the realms of possibility that the infection vector was via a human agent in place or visiting a facility on the power network.
  
  7 0 Reply
  1. Tuesday 12th July 2016 19:53 GMT Anonymous Coward
    
    Re: Impressive analysis, but infection vector not apparent
    
    NATO General Breedlove: Fluoridation is the most monstrously conceived and dangerous Russky plot we have ever had to face .... Crisps, Mandrake! Flavored Walker Crisps!!
    
    3 0 Reply
4. Tuesday 12th July 2016 21:37 GMT a_yank_lurker
  
  Re: Impressive analysis, but infection vector not apparent
  
  I suspect many SCADA systems are fairly old (> 10 years) and were never really designed to be connected to the Internet. To replace these otherwise functional systems is not trivial and are likely to remain until the plant gets modernized. Many older SCADA systems use what is now obsolete protocols and hardware.
  
  1 0 Reply
5. Wednesday 13th July 2016 08:23 GMT phil 27
  
  Re: Impressive analysis, but infection vector not apparent
  
  How would virtualizing a out of date operating system with vulnerable ports protect it any better than installing it on bare metal?
  
  The fail is how the airgapped network got compromised, however I once was involved with writing scanning software that went hunting for interconnects amongst other things on a global "secure" airgapped network, and we found significant numbers when digging through our results. Some people breached with wifi modems to make laptops easier, some as it transited less -ahem- lawful areas etc. Most of the problem was people being lazy and processes not being rigid enough nor penalties severe enough for doing stupid things which compromised the network's security.
  
  Lock it down, secure it, get maintainence agreements including code fixes for the life time of the kit in the original contract when buying, take steps to establish a in house policy and responsibilities and delegation to keep it patched and integral but sticking it in a vm isn't going to help, especially as the next step would be to combine all of those windows machines into a single host, giving yet another vector for a sophsiticated attack to jump about sight unseen by any network probes..
  
  The reason the malware looks for the vm environment is a large amount of security researchers spin the vulnerable machine up in a vm because theyre looking at x different device types a week, and to have each one as a physical box to be maintained for the audit record of testing would make life awkward. Its a lazy convienience thing, not a good practice one, you cant beat electrical seperation done properly.
  
  0 0 Reply
  1. Wednesday 13th July 2016 19:53 GMT Charles 9
    
    Re: Impressive analysis, but infection vector not apparent
    
    "Lock it down, secure it, get maintainence agreements including code fixes for the life time of the kit in the original contract when buying, take steps to establish a in house policy and responsibilities and delegation to keep it patched and integral but sticking it in a vm isn't going to help, especially as the next step would be to combine all of those windows machines into a single host, giving yet another vector for a sophsiticated attack to jump about sight unseen by any network probes.."
    
    Um, who's got the budget for that who can get it past the accountants? Most higher-ups don't take a long view, especially if they have investors (also very short-sighted) to appease.
    
    0 0 Reply
    1. Thursday 14th July 2016 17:06 GMT phil 27
      
      Re: Impressive analysis, but infection vector not apparent
      
      Anyone who wants their control network to survive a determined attack. Someone with a scada network controlling assets isn't in the same category as your local webhost or SME with a single server in the corner and they should realize the value of protecting it properly. I've worked on projects where a unprotected device put upstream of the boundary firewalls would last maybe a minute or two before getting compromised such was their exposure to attack. They had rigid control, quality targets, correct processes and investment and boy did they need it.
      
      High profile attacks like Talktalk and others have highlighted the need to do a thorough job of securing things to a wider audience given the beancounters saved them a small sum skimping on security only to find significant amounts of value wiped off shortly after the attacks.
      
      Talktalk have been recruiting security staff like mad since then given the amount of times I've been messaged on linked in from recruiters about it, so its a good chance at least their subset of investors and accounts are acutely aware of that lesson. If your an influencer at early adoption stage, its part of your overall governance to instill the need for security best practices at the procurement stage too, not just slap them on as a afterthought and there are some from that procurement involvement here I hope taking notes to improve things.
      
      The industry at large has massive amounts of work to do on this front, and the security industry has to sort its own house out also. If you give recommendations to secure things and the business decides to take the risk against your advice for financial reasons, that is their decision but you have done what you can and they must own the fall out if it happens. And you get to say "I told you so" in a very sombre and professional manner...
      
      0 0 Reply
      1. Thursday 14th July 2016 17:12 GMT Charles 9
        
        Re: Impressive analysis, but infection vector not apparent
        
        "Anyone who wants their control network to survive a determined attack. "
        
        Then they get overridden by the board, who have to answer to the investors.
        
        "High profile attacks like Talktalk and others have highlighted the need to do a thorough job of securing things to a wider audience given the beancounters saved them a small sum skimping on security only to find significant amounts of value wiped off shortly after the attacks."
        
        And then the public forgets them next week, guaranteed. Meanwhile, the other investors will simply go, "Glad it wasn't me." Unless we see a board overthrow BEFORE a breach hits, I don't think the investors really care.
        
        1 0 Reply
Tuesday 12th July 2016 16:31 GMT Anonymous Coward

wow

People don't realize with this SCADA stuff war won't simply be something you watch on CNN. When they can't charge their iPhones then the anarchy will begin. Many people also don't realize they are also three days away from not being able to get food. Oh well carry on nothing to see.

10 1 Reply
1. Tuesday 12th July 2016 18:01 GMT NomNomNom
  
  Re: wow
  
  I have many neighbours around me, I won't run out of food in an emergency for quite some time
  
  5 1 Reply
  1. Tuesday 12th July 2016 18:53 GMT Anonymous Coward
    
    Re: wow
    
    Lol like my buddy said when the crap hits the fan the single best item to have to guarantee food is a 45.
    
    4 0 Reply
    1. Tuesday 12th July 2016 19:44 GMT lukewarmdog
      
      Re: wow
      
      Your buddy is going to listen to old vinyl records?
      
      Oh I see.. you can then use them as frisbees to kill zombies like in Shaun of the Dead.
      
      I was watching an in-game chat yesterday which started off all bravado, who had how many guns and whose farm was bigger. It finally descended into who would eat the worst foods. One guy would shoot deer to survive, someone else said good luck when you run out of deer, they'd shoot dogs. Dogs, scoffed another, when I was on wilderness camp we would survive on squirrels and frogs. Oh sure, said the next guy, I've heard humans fed on a diet of frogs taste the best.
      
      I'm kinda hoping we run out of power at some point so I just don't have to play with those guys any more.
      
      10 0 Reply
      1. This post has been deleted by its author
      2. Tuesday 12th July 2016 22:55 GMT Anonymous Coward
        
        Re: wow
        
        >they'd shoot dogs. Dogs, scoffed another
        
        Scoff all you want but eating and using only dogs is why Amundsen conquered the South Pole instead of becoming a lime Popsicle on the Ross Ice Shelf.
        
        2 0 Reply
    2. Wednesday 13th July 2016 04:50 GMT Anonymous Coward
      
      Re: wow
      
      "Lol like my buddy said when the crap hits the fan the single best item to have to guarantee food is a 45."
      
      Not if the food keeper raises you a .357 Magnum...
      
      1 0 Reply
  2. Tuesday 12th July 2016 19:53 GMT Anonymous Coward
    
    Re: wow
    
    I have many neighbours around me, I won't run out of food in an emergency for quite some time
    
    Daaaad! Not long pig for tea again
    
    9 0 Reply
Tuesday 12th July 2016 16:35 GMT amanfromMars 1

Oh that things were so simple ...... in a world full of opportunities and vulnerabilities

Udi Shamir, chief security officer at SentinelOne, commented: “The malware has all the hallmarks of a nation state attack due to its extremely high level of sophistication and the cost associated with creating software of this advanced nature.”

Hi, Udi Shamir,

There is practically zero cost in the free sharing of smarter sophisticated intellectual property between developers and/or across live open source platforms which creates software of advanced nature.

Nation states might seek to purchase and use it though, thus leading one to jump to erroneous conclusions, just as easily as they could purchase protection and security against it use from its developers who may very well be dedicated non state actors/anonymous rogue freelancing agents.

5 2 Reply
1. Thursday 14th July 2016 17:13 GMT Charles 9
  
  Re: Oh that things were so simple ...... in a world full of opportunities and vulnerabilities
  
  "There is practically zero cost in the free sharing of smarter sophisticated intellectual property between developers and/or across live open source platforms which creates software of advanced nature."
  
  Two words: trade secrets.
  
  0 0 Reply
Tuesday 12th July 2016 17:09 GMT Lotaresco

Never as easy as it seems from an armchair

SCADA like "cloud" covers a multitude of sins. Many systems are supplied by vendors as modular units running on their own hardware. Virtualising the kit isn't easy or even possible in many cases. Many vendors won't license their code to run in a VM (not that running in a VM protects against anything).

The vendors are also incredibly naïve. I've had meetings with companies tendering to supply SCADA systems and have been on the receiving end of presentations where someone explains that their controllers run on Windows CE (an out of support version) and their actuators and sensors are all proprietary and only work with that version of the controller. "But don't worry because the system is air-gapped so it can't be infected." Then when you ask how it will be maintained they say an engineer will download patches and code via the internet onto his laptop (which he also uses for home banking, p0rN, childrens' games and submitting his timesheets) and connect his laptop to the controller to upload the patches. Simples!

They can't see anything wrong with this or why I'm twitching like a tasered catfish.

But all of the vendors are like this and SCADA systems are niche products so where do you go to buy a system that wasn't designed by idiots?

29 0 Reply
1. Tuesday 12th July 2016 20:38 GMT Nunyabiznes
  
  Re: Never as easy as it seems from an armchair
  
  "They can't see anything wrong with this or why I'm twitching like a tasered catfish"
  
  Thanks for the laugh!
  
  Glad I'm not the only one.
  
  9 0 Reply
2. Tuesday 12th July 2016 20:56 GMT Paul Crawford
  
  Re: Never as easy as it seems from an armchair
  
  But all of the vendors are like this and SCADA systems are niche products so where do you go to buy a system that wasn't designed by idiots?
  
  This is why we need the law to step in and for security folks to draw up regulations, including things like operating in a VM as an essential attribute, otherwise no sale (and no insurance or license for a business which fails to follow the rules).
  
  Sure there will be a lot of bitching at first, but niche market or not, we need a nice big stick to beat them with so all of the usual software good practice is followed. Things like forcing a declaration on matters like hard-coded passwords, support back-doors, operation with AV/VM tools, respect for proper multi-user practice (i.e. no need for interfaces to run as admin), 10 year or more support that will include replacing any protocol or SSL certificate found to be weak or compromised, etc, etc, etc.
  
  2 1 Reply
  1. Wednesday 13th July 2016 06:08 GMT Charles 9
    
    Re: Never as easy as it seems from an armchair
    
    "This is why we need the law to step in and for security folks to draw up regulations, including things like operating in a VM as an essential attribute, otherwise no sale (and no insurance or license for a business which fails to follow the rules)."
    
    But the vendors have more bribing power than the citizens. They can just lie and bribe anyone they need to swear by it. Or they can make themselves "too big to fail" as in if they go, so does a good chunk of the country.
    
    1 0 Reply
  2. Wednesday 13th July 2016 19:32 GMT Doctor Syntax
    
    Re: Never as easy as it seems from an armchair
    
    "10 year or more support"
    
    Easy to promise but what good's your regulation or contract if the vendor's in liquidation? You'll need a source code escrow scheme, assuming the source isn't open anyway.
    
    0 0 Reply
3. Tuesday 12th July 2016 21:42 GMT a_yank_lurker
  
  Re: Never as easy as it seems from an armchair
  
  Tasered catfish? lol! Sounds more like fried catfish, extra crispy.
  
  0 0 Reply
4. Tuesday 12th July 2016 22:40 GMT PNGuinn
  
  Tasered catfish.
  
  Strikes me the problem can't be solved until all those kind of vendors are well tasered like catfish.
  
  Just internet connect the taser and we can all have some fun.
  
  1 0 Reply
Tuesday 12th July 2016 17:59 GMT Anonymous Coward

"But don't worry because the system is air-gapped so it can't be infected." Then when you ask how it will be maintained they say an engineer will download patches and code via the internet onto his laptop (which he also uses for home banking, p0rN, childrens' games and submitting his timesheets) and connect his laptop to the controller to upload the patches. Simples!

BINGO!!

3 0 Reply
Tuesday 12th July 2016 18:41 GMT John Deeb

What a conjecture

""It appears to be the work of multiple developers who have reverse engineered more than a dozen antivirus solutions"

What a conjecture! Reverse engineering antivirus solutions or reverse engineering recent state-sponsored malware caught in the wild which would contain already much of the basic know-how, what's the difference exactly?

3 0 Reply
Tuesday 12th July 2016 23:02 GMT Anonymous Coward

How were those machines infected in the first?

None of that matters, all you need to concentrate on is that it has all the hallmarks of a nation-state attack by some no good commie atheist salo eaters.

2 0 Reply
1. Wednesday 13th July 2016 13:47 GMT Sir Runcible Spoon
  
  Re: How were those machines infected in the first?
  
  Didn't I see this comment on /.?
  
  https://it.slashdot.org/comments.pl?sid=9375045&cid=52501057
  
  I also see that it was discovered on a dodgy site somewhere - not from an actual infection
  
  0 0 Reply
Wednesday 13th July 2016 00:13 GMT Anonymous Coward

A third tier AV company

trying to become bigger by hinting that that they have caught a nation state being naughty.

This has the hallmarks of poor security design and lack of controls.

0 3 Reply
1. Wednesday 13th July 2016 08:22 GMT Sir Runcible Spoon
  
  Re: A third tier AV company
  
  "This has the hallmarks of poor security design and lack of controls"
  
  I hate to break it to you Mr/Mrs/Ms/Dr AC, bu network security in the real world is a dogs mess no matter where you look.
  
  0 0 Reply
  1. Wednesday 13th July 2016 08:28 GMT Charles 9
    
    Re: A third tier AV company
    
    When your basic infrastructure depends on a third party, who by default can never be completely trusted, you have a problem.
    
    Problem is, EVERYTHING relies on trusting a third party. So what happens to civilization?
    
    0 0 Reply
    1. Wednesday 13th July 2016 12:36 GMT amanfromMars 1
      
      Re: A third tier AV company
      
      When your basic infrastructure depends on a third party, who by default can never be completely trusted, you have a problem.
      
      Problem is, EVERYTHING relies on trusting a third party. So what happens to civilisation? .... Charles 9
      
      Civilisation and IT move over to trusting Virtual Machines, Charles 9, with AI in Advanced IntelAIgent Command with Remote NEUKlearer HyperRadioProActive IT Control.
      
      Try to fight and deny it be so if you will, but you will not find a foe to defeat nor a friend to hinder such Future Progess.
      
      0 1 Reply
      1. Wednesday 13th July 2016 19:57 GMT Anonymous Coward
        
        Re: A third tier AV company
        
        "Civilisation and IT move over to trusting Virtual Machines, Charles 9, with AI in Advanced IntelAIgent Command with Remote NEUKlearer HyperRadioProActive IT Control.
        
        Try to fight and deny it be so if you will, but you will not find a foe to defeat nor a friend to hinder such Future Progess."
        
        I suspect IT people are savvy enough to recognize Rise of the Machines...
        
        0 0 Reply
        
        Wednesday 13th July 2016 20:49 GMT amanfromMars 1
        
        Re: Upper Top Tier Company Leaderships ..... Smarter Monitoring Mentorships
        
        ........ for All Seeing Eye Systems ‽ .
        
        I suspect IT people are savvy enough to recognize Rise of the Machines... .... Anonymous Coward
        
        The massive scale and vast depth of Man's stupidity has me thinking of leaving nothing to chance and always trying to ensure they be led simply by the nose to what they be missing and needing, AC. Recognising others more than just simply aware of the changed fields of power and energy in command and control of assets and liabilities, is most refreshing and encouraging.
        
        0 1 Reply
Wednesday 13th July 2016 06:02 GMT John Smith 19

STUXNET.

Now any nation can play "disrupt your (potential) enemies infrastructure"

Wonder if this happens to Merkins wheather they'll declare war on the source?

The precedent is Iran, and they did not.

Could America manage to behave as well?

1 1 Reply