In association with heise online

30 September 2010, 16:04

Stuxnet strikes China


According to Chinese media reports, within just a few days, Stuxnet has infected millions of PCs and almost 1,000 industrial facilities. Since emerging, the worm had, until now, failed to spread extensively in China. Why it should suddenly have infected millions of Chinese systems is not clear. On its knowledge base, Siemens lists just 15 known infections of plant control systems worldwide.

The figures appear to have come from Chinese anti-virus software vendor Rising International and may need to be taken with a pinch of salt – Chinese anti-virus software vendors have a habit of exaggerating infection numbers. In April, for example, Chinese anti-virus vendor NetQin reported that millions of mobile phones had been infected with the MMS Bomber malware.

A report being distributed by state news agency Xinhua claims that the Stuxnet attack originated from servers located in the USA. Stuxnet can also spread over networks, but does so by exploiting a vulnerability in the Windows printer spooler, which is deactivated by default and not usually accessible from the web. Dissemination via infected USB flash drives at the sort of pace being claimed is not credible. It may be that the worm is able to spread by using a further, as yet undiscovered, method.

The worm infects any Windows system with which it comes into contact, be it a home or industrial system. It then attempts to spread from infected machines. However, it attempts to carry out specific nefarious activities only on systems running Siemens WinCC process visualisation software or on development systems for programming STEP 7 PLCs. Even in these cases, it only becomes active under specific circumstances, apparently watching out for PLCs with a specific configuration.

Reports on the damage being caused by Stuxnet infections in China are somewhat contradictory. According to the South China Morning Post, there has been considerable disruption to industrial facilities. By contrast, AFP quotes an analyst at the China Information Technology Security Evaluation Centre as saying that no major damage has been observed. According to the South China Morning Post, the government plans to carry out a nationwide assessment of plants using Siemens software and examine whether contracts should continue to be awarded to Siemens in future.

To be fair, it should be pointed out that Stuxnet actually exploits Windows vulnerabilities for which Siemens is not responsible. Plant operators with infected control and visualisation systems also need to ask themselves what sort of security guidelines they are using – these are not home PCs to which just anyone can connect a USB flash drive. Nonetheless, once an infection has taken place, Siemens does make the worm's work easier by using the same access credentials for the WinCC database on all installations.

