The 1-hour Guide to Stuxnet
Carey Nachenberg, Vice President, Symantec Fellow, Symantec Corporation
This is Natanz, Iran.
And these are Natanz’s centrifuges.
And this is how they’re controlled
Industrial control systems are typically controlled by a standard PC running industrial control software like STEP7 from Siemens.
Control chain: Windows PC (STEP7) -> Programmable Logic Controller -> Communications Processors (Routers) -> Frequency Converters -> Centrifuges
The PLC is a specialized piece of hardware that orchestrates control of multiple connected mechanical devices.
Communications Processors route commands from the PLC to groups of mechanical devices.
Frequency Converters are responsible for converting AC frequencies to either higher or lower frequencies to operate motors.
Centrifuges enrich Uranium so it can be used to power nuclear plants or weapons.
And this is how they’re isolated
The whole control chain (Windows PC running STEP7 -> Programmable Logic Controller -> Communications Processors (Routers) -> Frequency Converters -> Centrifuges) sits on its own network, separate from the Research Network.
And this is (probably) an Israeli Mossad programmer, who wants to introduce Stuxnet onto this computer right here (the STEP7 PC).
So how exactly does this (Stuxnet) get onto an “air-gapped” network to disrupt these (the centrifuges)?
It’s got to spread on its own… until it discovers the proper computers… where it can disrupt the centrifuges… all while evading detection.
Speaker notes: One WinCC (MS SQL) system per N Step7 systems. It holds telemetry data that comes back from the PLCs. Could jump from that machine to a developer’s machine via network shares.
It’s got to spread on its own…
Stuxnet uses seven distinct mechanisms to spread to new computers. Six of these attacks targeted flaws (back doors) that were unknown to the security industry and software vendors! Usually we’re surprised when we see a threat targeting one flaw...
1. It infects SIEMENS PLC data files.
2. It password-cracks SIEMENS DB software.
3. It copies itself to open file-shares.
4. It attacks a hole in Windows’ print spooler.
5. It attacks a hole in Windows RPC.
6. Peers update other peers directly.
7. And it auto-spreads over thumb drives!
But if the centrifuges are air-gapped from the ‘net, how can Stuxnet jump to the enrichment network? USB drives! Stuxnet uses thumb drives to bridge the gap!
Speaker notes: Print servers may have been connected between the airgap?
Spreading – A Sidebar: Windows Tasks
Windows has a built-in task scheduler system. Each user can add new tasks to be run at a certain time and with a certain permission level. (Regular users can’t add “root” level jobs.) The tasks themselves are stored as globally readable/writable XML files.
Task #1: Job: Delete temp files. Run as: Root user. Run at: 10pm
Task #2: Job: Clean registry. Run as: Jim (non-root). Run at: 6pm
Task #3: Job: Print receipts. Run as: Ted (non-root). Run at: 2am
To prevent tampering, Windows computes a CRC32 hash for each task record and stores this in a protected area of the computer.
Task1 hash: 9B7CC653. Task2 hash: 11090343. Task3 hash: 40910276
When it arrives on a machine, Stuxnet starts running with non-administrator privileges. But to do its mischief, Stuxnet needs to run with “root” privileges. So first, Stuxnet creates a new task, using the permissions of the current user:
Task #4: Job: Run stuxnet.dll. Run as: Ted (non-root). Run at: 2pm
And of course, once Windows verifies that the job is legitimate (the user hasn’t tried to create a root-level job), it calculates the job’s hash and adds it to the security store: Task4 hash: DE9DBA76
ZERO-DAY!
Next Stuxnet modifies the XML job file it just added, changing its permission from “Ted (non-root)” to “Root user”! (Remember, the XML files are writable.)
But wait! The updated job file’s hash (66C35150) no longer matches the protected hash stored by Windows (DE9DBA76)! If Windows were to process the updated job file, it would detect this and reject it!
Ah, but Stuxnet is more clever than that. Stuxnet knows how to forge a CRC: it computes a set of values which, if appended to the file, will result in its CRC matching the original (DE9DBA76)! And then it appends these bytes to the file!
And Windows will happily run the updated job, giving Stuxnet root-level privileges!
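The sidebar’s point is that a CRC32 is a checksum, not an integrity mechanism: because CRC is linear, anyone who can write the file can append four bytes that steer the checksum back to any stored value. The following is an added example, written for this page and not code from the talk or from Symantec; the task record is a constructed stand-in (the real on-disk format is not reproduced), and the HMAC key is a placeholder. It shows the forged record passing the CRC comparison while a keyed check over the same bytes rejects it.

```python
import hashlib
import hmac
import zlib

# CRC-32 lookup table (reflected polynomial 0xEDB88320), identical to zlib's.
POLY = 0xEDB88320
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)

# Every table entry has a distinct top byte; that is what lets the CRC
# register be stepped backwards one byte at a time.
REV = {TABLE[i] >> 24: i for i in range(256)}
assert len(REV) == 256


def crc32_patch(data: bytes, wanted_crc: int) -> bytes:
    """Four bytes which, appended to `data`, make zlib.crc32 equal `wanted_crc`.

    zlib.crc32 reports register ^ 0xFFFFFFFF, so undo that XOR on both the
    current value and the target, run the register backwards four byte-steps
    from the target, and XOR with the current register to get the patch.
    """
    reg = zlib.crc32(data) ^ 0xFFFFFFFF
    v = wanted_crc ^ 0xFFFFFFFF
    for _ in range(4):
        idx = REV[v >> 24]
        v = (((v ^ TABLE[idx]) << 8) | idx) & 0xFFFFFFFF
    return (v ^ reg).to_bytes(4, "little")


def crc_of_patched(data: bytes, wanted_crc: int) -> int:
    """Convenience: the CRC32 actually observed after appending the patch."""
    return zlib.crc32(data + crc32_patch(data, wanted_crc))


# Constructed stand-in for a task record (not the real task XML format).
ORIGINAL_TASK = b"<Task><Command>stuxnet.dll</Command><RunAs>Ted</RunAs></Task>"
TAMPERED_TASK = ORIGINAL_TASK.replace(b"<RunAs>Ted</RunAs>", b"<RunAs>Root</RunAs>")


def forge_task(original: bytes, tampered: bytes) -> bytes:
    """Tampered record plus the bytes that make it collide with the stored CRC."""
    stored_crc = zlib.crc32(original)
    return tampered + crc32_patch(tampered, stored_crc)


def crc_check_passes(original: bytes, candidate: bytes) -> bool:
    """The slide's integrity check: stored CRC32 versus the file's CRC32."""
    return zlib.crc32(original) == zlib.crc32(candidate)


# Hardened check: a keyed MAC computed over the record.  The key, rather than
# a forgeable checksum, is what would live in the protected store.
STORE_KEY = b"placeholder-key-kept-in-protected-store"  # constructed placeholder


def mac(data: bytes) -> bytes:
    return hmac.new(STORE_KEY, data, hashlib.sha256).digest()


def mac_check_passes(original: bytes, candidate: bytes) -> bool:
    return hmac.compare_digest(mac(original), mac(candidate))


if __name__ == "__main__":
    forged = forge_task(ORIGINAL_TASK, TAMPERED_TASK)
    print("stored CRC32  : %08X" % zlib.crc32(ORIGINAL_TASK))
    print("tampered CRC32: %08X" % zlib.crc32(TAMPERED_TASK))
    print("forged CRC32  : %08X" % zlib.crc32(forged))
    print("CRC check passes :", crc_check_passes(ORIGINAL_TASK, forged))
    print("HMAC check passes:", mac_check_passes(ORIGINAL_TASK, forged))
```

The backward loop relies on the CRC register being a bijection of its last four input bytes; any four-byte suffix can therefore reach any target, which is why a stored CRC protects against accidental corruption but not against a writer who controls the file. A MAC under a key the writer cannot read has no such shortcut.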
Until it discovers the proper computers…
Stuxnet is extremely picky and only activates its payload when it’s found an exact match:
The targeted computer must be running STEP7 software from Siemens.
The targeted computer must be directly connected to an S7-315 Programmable Logic Controller from Siemens.
The PLC must further be connected to at least six CP-342-5 Network Modules from Siemens.
Each Network Module must be connected to ~31 Fararo Paya or Vacon NX frequency converters.
…
Stuxnet verifies that the discovered Programmable Logic Controller… is controlling at least 155 total frequency converters… And recently we learned that Iran’s Uranium enrichment “cascade” just happens to use exactly 160 centrifuges. What a coincidence! The creators of Stuxnet must have guessed all of these details. Now if you do the math….
Speaker notes: The threat reads the PLC from the Windows box to determine how many routers are connected to the PLC. The number of routers/network modules must be six (CP-342-5), found by querying the PLC, and the frequency converters must be of the two types from Iran or wherever. In Iran, there are 160 centrifuges in a cascade, we know this, and so with 31 motors per network module, this would cover up to 6*31 possible frequency converters. 5 routers would be too few. Profibus IDs are like a UPC code for each frequency converter; this PID is stored in the PLC’s configuration data. The PLC model itself (315-2) must be correct. It has to monitor for 13 days of operation between 800Hz and 1200Hz. Washing machine analogy: off-balance due to load, danger of domino effect.
Now Stuxnet gets down to business…
What you (probably) didn’t realize is that the PLC uses a totally different microchip and computer language than Windows PCs. Stuxnet is the first known threat to target an industrial control microchip! Stuxnet starts by downloading malicious logic onto the PLC hardware.
Next, Stuxnet measures the operating speed of the frequency converters during their normal operation for 13 days! And makes sure the motors are running between 807Hz and 1210Hz. (This is coincidentally the frequency range required to run centrifuges.) (After all, whoever wrote Stuxnet wouldn’t want it to take out a roller coaster or something.)
Once it’s sure, the malicious PLC logic begins its mischief! Stuxnet raises the spin rate to 1410Hz for 15 mins. Then sleeps for 27 days. Then slows the spin rate to 2Hz for 50 mins. Then sleeps for 27 days. Stuxnet repeats this process over and over. [Chart: frequency over time, 0Hz to 1500Hz]
Speaker notes: Sets the frequency converters to 1410Hz for 15 minutes (ramp up time may be > 16 minutes and thus reach only ~1381Hz). Waits 27 days (must be operating between 807Hz and 1210Hz). Sets the frequency converters to 2Hz for 50 minutes (ramp down time ~33 minutes). Repeat at 2 (1410Hz for 15 minutes).
Why push the motors up to 1410Hz? Well, ~1380Hz is a resonance frequency. It is believed that operation at this frequency for even a few seconds will result in disintegration of the enrichment tubes!
Why reduce the motors to 2Hz? At such a low rotation rate, the vertical enrichment tubes will begin wobbling like a top (also causing damage).
What about Iranian failsafe systems?
(Surely by now you’re thinking that alarm bells should have been blaring at the enrichment plant, right?) Maybe Stuxnet pulled a mission impossible?!?
Speaker notes: What about fail-safe systems? Well, Stuxnet hid itself from these. The threat actively recorded normal operation of the centrifuges and played this back while it was accelerating these centrifuges to dangerous speeds – just like the picture on the wall here hides the fact that the person is falling down the stairs. <click> So, none of the fail-safe systems noticed that anything was wrong, just like this security guard doesn’t notice anything unusual on his screen. So, if Stuxnet can do all of this, imagine what a targeted attack launched by a state-sponsored competitor could do to Qualcomm...
And in fact, that’s exactly what Stuxnet did! Well, in fact, these facilities typically do have fail-safe controls. They trigger a shutdown if the frequency goes out of the acceptable range. But worry not… Stuxnet takes care of this too. Stuxnet records telemetry readings while the centrifuges are operating normally. And when it launches its attack, it sends this recorded data to fool the fail-safe systems! And Stuxnet disables the emergency kill switch on the PLC as well… Just in case someone tries to be a hero. [Chart: frequency over time, 0Hz to 1500Hz]
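The replay trick works because the fail-safe trusts a single channel that the compromised PLC controls. The following added example (written for this page, not code from the talk) simulates that situation over constructed telemetry and shows two checks a defender can run that the replay does not defeat: comparing the reported frequency against an independent measurement path, and flagging telemetry that repeats bit-for-bit, which noisy real sensors never do. The 807Hz to 1210Hz band and the 1064Hz and 1410Hz figures come from the slides; the jitter, the ramp shape, the second sensor and the 25Hz tolerance are assumptions of the example.

```python
import random

# Acceptable operating band from the slides; the fail-safe trips outside it.
BAND_LOW_HZ, BAND_HIGH_HZ = 807.0, 1210.0
NORMAL_HZ = 1064.0          # "spin at 1064hz" from the PLC slide
ATTACK_HZ = 1410.0          # the resonance-seeking speed from the slides
CROSS_CHECK_TOL_HZ = 25.0   # assumed tolerance between two measurement paths


def make_telemetry(n_normal=30, n_attack=30, seed=7):
    """Constructed telemetry: list of (reported_hz, independent_hz).

    Normal phase: both channels agree, with small jitter.  Attack phase: the
    independent channel ramps toward ATTACK_HZ over 15 samples while the
    reported channel replays the recorded normal readings, as the slide
    describes.
    """
    rnd = random.Random(seed)
    normal = [round(NORMAL_HZ + rnd.uniform(-3.0, 3.0), 1) for _ in range(n_normal)]
    samples = [(hz, hz) for hz in normal]
    for i in range(n_attack):
        actual = min(ATTACK_HZ, NORMAL_HZ + (ATTACK_HZ - NORMAL_HZ) * (i + 1) / 15)
        samples.append((normal[i % n_normal], round(actual, 1)))
    return samples


def band_alarm(samples):
    """The slide's fail-safe: looks only at the channel the PLC reports."""
    return [i for i, (rep, _) in enumerate(samples)
            if not BAND_LOW_HZ <= rep <= BAND_HIGH_HZ]


def cross_check_alarm(samples, tol=CROSS_CHECK_TOL_HZ):
    """Indices where the reported value diverges from the independent sensor."""
    return [i for i, (rep, ind) in enumerate(samples) if abs(rep - ind) > tol]


def find_replay(values, window=8):
    """First (earlier_index, later_index) where a window of readings recurs exactly.

    Real measurements carry noise and do not repeat bit-for-bit; an exact
    recurrence of a whole window is a strong sign of recorded data being
    played back.  Returns None when no window repeats.
    """
    seen = {}
    for i in range(len(values) - window + 1):
        w = tuple(values[i:i + window])
        if w in seen:
            return seen[w], i
        seen[w] = i
    return None


def analyse(samples):
    """Summary of what each check sees on the given telemetry."""
    reported = [rep for rep, _ in samples]
    return {
        "band_alarm": bool(band_alarm(samples)),
        "cross_check_alarm": bool(cross_check_alarm(samples)),
        "replay": find_replay(reported),
    }


if __name__ == "__main__":
    print(analyse(make_telemetry()))
```

On the constructed data the band check never fires, because the only values it sees are the replayed normal readings, while the cross-check fires as soon as the ramp starts and the replay detector points at exactly where the recording began to repeat. The second measurement path is the important design choice: a fail-safe that reads the same controller the attacker owns can be satisfied by any data the attacker chooses to send.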
All while evading detection…
Stuxnet uses five distinct mechanisms to conceal itself.
#5 Stuxnet hides its own files on infected thumb drives using 2 “rootkits.”
Speaker notes: Stuxnet also uses another trick to hide itself on removable drives. It adds a second Open menu option to the right-click menu. One of these Open commands is the legitimate one and one is the command added by Stuxnet. If a user chooses to open the drive via this menu, Stuxnet will execute first. Stuxnet then opens the drive to hide that anything suspicious has occurred.
#4 Stuxnet inhibits different behaviors in the presence of different security products to avoid detection. [Diagram: the same list of actions (Launch Attack A, Launch Attack B, Launch Attack C, Launch Attack D) shown three times, once per security product]
#3 Stuxnet completely deletes itself from USB keys after it has spread to exactly three new machines.
#2 Stuxnet’s authors “digitally signed” it with stolen digital certificates to make it look like it was created by well-known companies. The two certificates were stolen from Realtek and JMicron… as it turns out, both companies are located less than 1km apart in the same Taiwanese business park.
#1 Stuxnet conceals its malicious “code” changes to the PLC from operational personnel (it hides its injected logic)! [Diagram: SIEMENS PLC (to centrifuges)]
Instructions to the Centrifuges, as injected by Stuxnet: During normal operation: Spin at 1410hz. In case of emergency: IGNORE OPERATOR COMMANDS.
Instructions to the Centrifuges, as shown to operators: During normal operation: Spin at 1064hz. In case of emergency: Spin down to 0hz.
Stuxnet Epidemiology
Did It Succeed?
Well, based on some clever Symantec engineering, we’ve got some interesting data.
Fact: Stuxnet contacts two command-and-control servers (www.todaysfutbol.com and www.mypremierfutbol.com) every time it runs to report its status and check for commands. Working with registrars, Symantec took control of these domains, forwarding all traffic to our Symantec data centers.
Fact: As Stuxnet spreads between computers, it keeps an internal log of every computer it’s visited.
Stuxnet Bookkeeping
Stuxnet embeds its “visited list” inside its own body as it spreads, enabling detailed forensics! [Diagram: visited lists growing as samples spread, containing the addresses 151.21.32.19, 151.21.32.21, 27.42.97.152, 93.154.11.42 and 93.154.12.78]
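Because every sample carries the ordered list of hosts it passed through, a set of recovered samples can be stitched into an infection tree: consecutive entries are infector/infected pairs, a host that only ever appears as an infector is a candidate origin, and the chain lengths give each sample’s generation. The following is an added example written for this page, not Symantec’s analysis code; the visited lists are constructed from the addresses on the slide, and the hop-list layout is an assumption (Stuxnet’s real log record format is not reproduced).

```python
from collections import defaultdict

# Constructed visited lists: one ordered hop list per recovered sample, built
# from the addresses shown on the slide.  Not the real Stuxnet log format.
SAMPLES = {
    "sample-1": ["151.21.32.19", "151.21.32.21"],
    "sample-2": ["151.21.32.19", "151.21.32.21", "27.42.97.152"],
    "sample-3": ["151.21.32.19", "151.21.32.21", "93.154.11.42"],
    "sample-4": ["151.21.32.19", "151.21.32.21", "93.154.11.42", "93.154.12.78"],
}


def infection_edges(samples):
    """Set of (infector, infected) pairs implied by consecutive hops."""
    edges = set()
    for hops in samples.values():
        edges.update(zip(hops, hops[1:]))
    return edges


def infection_tree(samples):
    """Infector -> sorted list of hosts it infected."""
    tree = defaultdict(set)
    for parent, child in infection_edges(samples):
        tree[parent].add(child)
    return {p: sorted(c) for p, c in tree.items()}


def origins(samples):
    """Hosts that appear only as infectors, never as infected: candidate patient zero."""
    edges = infection_edges(samples)
    infectors = {p for p, _ in edges}
    infected = {c for _, c in edges}
    return sorted(infectors - infected)


def hop_counts(samples):
    """Hops each sample travelled; longer chains are later generations."""
    return {name: len(hops) - 1 for name, hops in samples.items()}


def downstream(samples, host):
    """All hosts reachable from `host` in the infection tree."""
    tree = infection_tree(samples)
    seen, stack = set(), [host]
    while stack:
        for child in tree.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return sorted(seen)


def inconsistent_samples(samples):
    """Samples whose hop list revisits a host.  An append-only log of a
    forward-moving infection should never loop, so these deserve a closer look
    (corrupted record, or a sample that is not what it claims to be)."""
    return sorted(n for n, hops in samples.items() if len(set(hops)) != len(hops))


if __name__ == "__main__":
    print("origins:", origins(SAMPLES))
    for parent, children in sorted(infection_tree(SAMPLES).items()):
        print(f"{parent} -> {', '.join(children)}")
    print("hops:", hop_counts(SAMPLES))
```

With the constructed lists, 151.21.32.19 is the only origin, 151.21.32.21 is the branching point that seeded both the 27.42.97.152 and 93.154.11.42 chains, and sample-4 is the deepest (third-generation) sample. On real data the same functions scale to thousands of samples; the tree is what the later “Here’s What We Found” graphs visualise.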
Here’s What We Found
(These graphs show how the discovered samples spread.) [Graphs: data at time of discovery (July, 2010)]
Did It Succeed? Indications are that it did!
Symantec telemetry indicates that rather than directly trying to infiltrate Natanz… the attackers infected five industrial companies with potential subcontracting relationships with the plant. These companies (likely) then unknowingly ferried the infection into Natanz’s research and enrichment networks.
The Institute for Science and International Security writes: “It is increasingly accepted that, in late 2009 or early 2010, Stuxnet destroyed about 1,000 IR-1 centrifuges out of about 9,000 deployed at the site.”
Whodunit?
Two clues: the value 19790509, and the timestamp June 22, 2009 4:31:47pm GMT, which is June 22, 2009 6:31:47pm local time in GMT + 2.
According to Wikipedia, on May 9th, 1979 “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day.”
To Conclude
Stuxnet has signaled a fundamental shift in the malware space. Stuxnet proves cyber-warfare against physical infrastructure is feasible. Unfortunately, the same techniques can be used to attack other physical and virtual systems.