Stuxnet brings more new tricks to cyberwar

New means through which the Stuxnet worm, which is able to infect industrial facilities and take over their control systems, spreads have been identified. According to Symantec analysts, Stuxnet is able to reinfect previously disinfected Windows systems that are running Siemens STEP 7 industrial automation software by writing itself into the project folders created by the development environment for STEP 7 programmable logic controllers. The worm modifies certain files and saves infected DLLs, some of them encrypted.

Through a mechanism comparable to that exposed by the Windows DLL search path vulnerability disclosed in August, when a STEP 7 project with a dormant infection is opened the library is loaded. This DLL then decrypts and launches the actual Stuxnet library. The result is reinfection. Forwarding of project folders can also lead to infection.

It has also been revealed that it is only since March 2010 that Stuxnet has been exploiting the LNK vulnerability to spread via USB flash drives. Prior to that it used crafted autorun.inf files, which could be interpreted by Windows as either autorun or executable files. In combination with further subterfuge and depending on the system's autorun settings, this increased the probability of infecting a Windows system.

Speculation about Stuxnet's target has continued. The theory that it was aimed at Iran's Bushehr nuclear plant has gained ground, with reports that Iran has admitted that some staff computers at Bushehr were infected. However the point of destroying the plant, which is unanimously reported to be for civil purposes only, remains an issue. Even Israel has failed to express concerns about the plant.

Another factor which suggests that Bushehr may not have been the target is the fact that Stuxnet appears to be designed to target Siemens S7-400 and S7-300 PLCs. Siemens has informed The H's associates at heise Security that these controllers do not have the SIL 44 / AK7 certification required for use in nuclear facilities. It is, of course, possible that Iran has ignored this international standard and that Russian nuclear plant builder Atomstroyexport has installed these uncertified components – Bushehr is also reported to be running unlicensed versions of the virtualisation application WinCC.

As CCC member Frank Rieger commented in an article in German newspaper FAZ, the actual thorn in the West's side is Iran's underground uranium enrichment facility at Natanz. He believes that Stuxnet attacked and damaged its target in Natanz in mid 2009, as evidenced by an entry on Wikileaks and by low plant production figures.

Interestingly, in mid 2009 in an interview with Israeli news website Ynetnews, Scott Borg, head of the US Cyber Consequences Unit, described exactly this attack scenario in connection with Mossad. Borg stated that someone could infiltrate malware into a uranium enrichment facility to destroy systems, "A contaminated USB stick would be enough." Mossad has long been trying to disrupt any attempt by Iran to create a nuclear weapons programme and many alleged spies have been arrested and executed in Iran.

It is also possible that Iranian plants have been infected as a result of an attack on India which has got out of control. Kaspersky has released new figures which show that India was, and is, the epicentre of Stuxnet activity. Russian nuclear plant builder Atomstroyexport, which is believed to have introduced the Stuxnet worm into Bushehr via infected laptops, is also currently working on India's Kudankulam nuclear plant.

This raises the question of whether the virus' author might originate from the East, rather than from the West. India and China are, for example, fierce rivals and China has amply demonstrated its cyberwar capabilities in incidents such as the penetration of parts of the US power grid in 2003. Such incidents are likely to have given the Chinese a very clear picture of the effect attacks on critical infrastructure can have, and they are likely to have used this knowledge to protect their own industrial systems. According to McAfee, China leads the world in SCADA system security.

(trk)