What is Stuxnet?

What did Stuxnet do?

How Stuxnet works: The air gap myth

  • Attackers lack sufficient knowledge and incentive to target ICS and SCADA systems.
  • Cyber security is important mostly for IT and enterprise systems.
  • Proven security strategies don’t apply to the majority of operational technology systems because the risk of disruption is too high in OT.

How did Stuxnet spread?

  • Noisily pivoted through the environment via Windows Remote Procedure Calls (RPC), Server Message Block (SMB), and MS SQL protocols.
  • Leveraged a Windows Shortcut (.lnk) zero-day vulnerability that bypassed the disabling of USB and removable media AutoPlay.
  • Used stolen code signing certificates to make its malicious payloads appear as legitimate drivers that were recognized by the operating system and ignored by anti-virus and policy enforcement controls.
  • Leveraged vulnerabilities in the Windows print spooler network service (usually on by default) to reach hosts where infection was not possible through RPC/SMB/SQL or USB insertion. This included privilege escalation.
  • Possessed the ability to leverage the OPC protocol to traverse segments.
  • Infected Siemens STEP7 project files, replacing legitimate STEP7 DLLs with modified malicious ones, and using hard-coded credentials to log in to the Siemens WinCC SCADA database to identify specific targets.
  • Rendered itself dormant if appropriate criteria were not met.

How to prevent Stuxnet

  • Reliance on an air gap as a stand-alone security measure was an absolute failure.
  • Traditional anti-virus would not have found this type of malware.
  • Updated host OS may have helped with some of the exploits, but again, unlikely given the attackers’ skill level.
  • Application whitelisting and host integrity checking probably would have detected the replaced STEP7 DLLs and altered project files.
  • Strict removable media policies and enforcement (potentially even hot glue) could have prevented an initial infection or, at least, made it much harder.
  • Sufficient host hardening to include disabling unnecessary services like the Windows printer spooling service would have made lateral movement more difficult.
  • Sufficient network segmentation might have stopped the attackers from pivoting across the environment while better monitoring might have alerted defenders to anomalous traffic.
  • Diligent application of security policy could have isolated and contained the malware as it beaconed across network zones and layers where it did not belong.
  • Most importantly, better-trained resources and appropriate out-of-band (OOB) monitoring for anomalies within the centrifuge halls could have contained the damage early on in the attack.
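The "application whitelisting and host integrity checking" bullet above describes a control rather than showing one. The following is an added example (not code from the original article or from Verve): a minimal host-integrity check that baselines SHA-256 hashes of watched files in a directory and reports anything added, removed or replaced, which is exactly how a swapped STEP7 DLL or an altered project file would surface. The file names and directory are constructed for the demonstration, and the watched suffixes are an assumption.

```python
# Added example: file-integrity baseline and verification for a watched
# directory. Not the original article's code; file names below are constructed.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=(".dll", ".s7p")) -> dict:
    """Map relative POSIX path -> SHA-256 for every watched file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline and classify drift."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed scenario: after the baseline, one DLL is replaced and one is dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "step7_example.dll").write_bytes(b"vendor-shipped bytes")   # constructed
        (root / "project_example.s7p").write_bytes(b"project contents")      # constructed
        (root / "readme.txt").write_bytes(b"not a watched type")             # ignored
        baseline = build_baseline(root)
        (root / "step7_example.dll").write_bytes(b"replaced bytes")          # swapped DLL
        (root / "dropper_example.dll").write_bytes(b"new unexpected file")   # unlisted file
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())  # {'added': ['dropper_example.dll'], 'removed': [], 'modified': ['step7_example.dll']}
```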

Verve Industrial Protection

Verve's mission is to protect the world's critical infrastructure. Learn more at verveindustrial.com