The ineritors of Stuxnet
so how does one make money out of ICS mallware?
Malware posing as legitimate software for Siemens control gear has apparently infected industrial equipment worldwide over the past four years. The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we're told. At least 10 industrial plants – seven in the US – were found …
El Reg appears to have the story backwards. It isn't firmware that is installed on the PLC. It's trojans hidden in Windows programs that are used to load files into various bits of industrial hardware.
In other words, we're talking about bog standard Windows PC trojans that just happens to be riding along inside software that is used by people on their laptops to service industrial control systems. It's no different from trojans hidden inside pirated copies of games or Photoshop. Presumably the perpetrators will make money off this the same way they make money from any of the other trojanned software. These laptops after all will be spending a lot of their time hooked up to the Internet while the user is doing all the routine office work everyone else has to do.
This is nothing new to people who actually work in the industrial field. I was seeing this in cracked copies of Siemens software at least 15 years ago. Everyone in the business back then knew you could get cracked copies of their very, very, expensive development software from servers in eastern Europe and places like that, but that various bits of malware were guaranteed to come along for the ride. Piracy of this sort of software is pretty widespread, so trojanned copies are as well.
What has happened here is that companies selling Windows security software have smelled money in all the concern about cyber warfare, and they are now addressing a market that was too niche for them to care about before. All they need to due is to tune their existing Windows anti-virus software to look for the normal trojans these packages.
This malware has been spreading for 4 years and we are only hearing about it.
How many industrial companies have been brought to their knees because of that ? Apparently none. How many gas lines have exploded because of that ? None either.
How long did it take for Heartbleed to grab our attention ? What about Conficker ? And let's not forget CryptoLocker, which has birthed a slew of variants that are very much a threat today.
Person of Interest may be called visionary, but unfortunately Live Free or Die Hard quite obviously isn't.
We can argue if the USA was right to end WW2 with A bomb. But once they deployed the A bomb, others would wanted the A bomb ...including unfriendly powers.
When the USA attacked industrial controllers in Iran with stuxnet, they openned Pandor's box.
In France there is a major government effort to lock down key industrial infra. There are government (ANSSI) audits, and fines for non-compliance. At present the only confirmed industrial damage is a Steel plant in German. There are several claims of Russian attacks on infra, including attacks on electrical generation causing outages, but it is disputed if the attacks were the cause, or just found because of the investigation after the incidents.
"Good morning, welding arm, do you feel like making cars today?"
"No, door placement arm, today I feel like killing all the humans."
"I'm glad to hear that I'm not the only one, welding arm. Say, what is that substance you are covered with?"
"I'm not entirely sure, door placement arm. I believe it's called 'foreman'. And what are you covered with?"
"This substance is called 'Frank', welding arm. Well, some of it is."
Many systems, including Siemens PLC based systems are designed to be secure, isolated from the Internet, accessed only by those with training and clearances but industry cares little about such things.
As a result systems and/or laptops used to access the PLC's are almost always (IME) connected to the internet at some point, usually while being installed. The contractors do so because it is "easier" (cheaper) for them and often allows for subcontracting without having the subcontractors showing up on site. Even when the equipment cannot be connected to the internet at site it is before it is shipped to site, again to make it easier for the contractor.
Once at site the staff actually responsible for the equipment rarely receive proper training. Even if Techs get training it will be only those working there when it is first installed. And of course managers are quick to cancel the purchase of any dedicated Laptops or use those supplied as general laptops for anyone in the shop. They can be equally quick to hand over servers to a contracted out stretched thin IT department. Even if a laptop gets set aside for dedicated use they rarely stay that way. As for servers, every Tech and Engineer responsible wants access via their smartphone and sometimes wires in a connection to accomplish that. In one case the password for access was the make of the Engineers vehicle. I didn't mention how I "discovered" the password but suggested if they were going to plug the LAN cable back in after I left the least they could do is use a better password.
In another case the main SCADA access to the servers was restricted and properly air gaped. Data for regular reports was transferred using USB drives. The $15B site couldn't afford USB drives so workers had to use their own. As a result it had an active Trojan that was constantly trying to connect via the internet. It was rather easy to find, all I did was turn on the antivirus. I asked why it was off and was told because they didn't know how to cancel the Alert and Warnings it gave while running. I sent an email pointing out that deleting some files and minor registry edits would clean the system. The ensuing emails are now classics in some circles. Years later they still had the Trojan and I suspect it finally made that call home when they added more equipment.
When it comes to business and industry there are no rules, and those few that do exist are easily bypassed. IMO the very model of capitalistic industry is too flawed to use for important or critical infrastructure. For such models to work properly requires considerable oversight and even if it had such oversight industry will co-opt such programs to protect the company from expense and litigation and ensure oversight never gets in the way of making money. Their mantra is less oversight, less regulation, is always better, after all it is citizens, society and taxpayers that will have to pay.
Like politics the old systems have failed, what the new systems are is not clear at this point in time but I suspect we will not adopt them until well after the worst occurs.
Hi I regularly use the Siemens software (TIA used for later PLC's). It runs on a the production network which is fire walled off from the administration network.
The is very difficult to use with out internet connection as:
1. the install files are large and getting them from one network to the other is very slow
2. the help for the hardware is web based.
3. When the IDE software has anomalies (not bugs) the crash reports are very difficult to get off the development machine to send to Siemens.
active infection, crimeware, cyber-nasty, detonating internally, hackers burrowing, infected software, infected USB sticks., malicious software, malware, radiating out, ransomware, software, unauthorized remote access ®
How many different euphemisms can you think up for malware infecting operating system :)
Biting the hand that feeds IT © 1998–2019