The World's First Cyber Weapon: Stuxnet
Sean Xie
Apr 2019
Slide 1 also shows a fragment of Siemens STL (Step 7 statement list) code:
    SET
    SAVE
    =     L 6.1
    L     1
    T     DB888.DBW614
    L     *IN0
    L     30
    ***I
    JCN   M001
    A     DBX 696.3
    JCN   M002
    L     146
Discovery of the First Cyber Weapon
- Discovered in June 2010 by VirusBlokAda in Belarus
- Named by Symantec
- Attributed to the U.S. and Israel ("Operation Olympic Games"), revealed in 2012 by The New York Times
- Purpose: sabotage Iran's nuclear program by physically damaging centrifuges
- Target: Iran's uranium enrichment process at the Natanz Fuel Enrichment Plant
- Target-specific SCADA system: Siemens WinCC & Step 7
- Target-specific programmable logic controllers (PLC): S7-300 and S7-400
- Physical target: gas centrifuges
High-Level Architecture Overview of the Target

(Diagram: a cascade of 15 enrichment stages with 164 centrifuges, feed in, product and tails out, a to-waste line, and stage exhaust valves; a cascade module groups several cascades, each with its own pressure controller, feed, product and tails.)

Layers shown in the diagram, top to bottom:
- IT network layer (production scheduling & control): WinCC, Step 7
- Industrial control layer (plant supervisory & direct control): PLC S7-315, PLC S7-415, SCADA monitors in the cascade hall
- Plant layer (field level): frequency converters, communication processors on a PROFIBUS network, pressure transducers/sensors, isolation valves/control valves, pressure controller
- Annotation on the diagram: a highly secure and isolated network behind multiple firewalls, without Internet connection

- There are three cascade modules installed at Natanz
- Each cascade module consists of 18 cascades
- Six cascades (984 centrifuges) constitute a sub-unit sharing one feed, one product, and one tails
How Does Stuxnet Sabotage a Uranium Enrichment Plant: a Cyber-Physical Attack

The attack moves down the layers of the previous slide: propagate in the IT layer, defeat the air gap, take control and attack in the ICS layer, and cause damage in the physical layer.

IT layer: propagate
- Installation via privilege escalation:
  - Win32k.sys local privilege escalation 0-day (MS10-073) (Windows XP, 2000, 2003)
  - Task Scheduler privilege escalation 0-day (MS10-092) (Windows Vista, 7, 2008)
- Propagation:
  - Shortcut icon loading 0-day vulnerability (MS10-046)
  - Print Spooler Service 0-day (MS10-061)
  - Server Service vulnerability (MS08-067)
  - Propagate via network shares
  - Peer-to-peer communication & update
  - Infect Siemens WinCC via a hardcoded database password
- Concealment:
  - Bypass antivirus software detection
  - Hide itself by installing a Windows rootkit
  - Avoid suspicion by using two genuine digital certificates
- Remote control: allow the attacker to execute code or update code via a C&C server

Air gap: defeat

ICS layer: control & attack
- ICS attack: take over control of the Siemens Step 7 PLC programming software via infection
- PLC attack: modify Siemens PLCs by replacing the communication DLL with a malicious file; hide the code via a PLC rootkit

Target PLCs, sub-controllers and known attack strategy (model and count per cascade):

Centrifuge Drive System (CDS), PLC S7-315
- Communication processors: Siemens CP-342-5, 6 per cascade
- Frequency converters: 7050h (Fararo Paya), 9500h (Vacon NX), 31 per cascade
- Centrifuge rotor: IR-1 gas centrifuge rotor, 807 Hz to 1210 Hz
- Known attack strategy:
  - Speed up to 1410 Hz (15 min)
  - Slow down to 2 Hz (50 min)
  - Avoid suspicion through a break of 27 days in between

Cascade Protection System (CPS), PLC S7-415
- Pressure controller: MKS PR-4000, 21 per cascade
- Pressure transducer/sensor: MKS Baratron (according to Langner's report), 164 per cascade
- Centrifuge isolation valves: model N/A, 164 * 3 per cascade
- Stage exhaust valves: model N/A, 15 per cascade
- Known attack strategy:
  - Dominate and wait
  - Man-in-the-middle attack: replay the recorded 21 seconds of signals in a constant loop during the attack
  - Disable manual shutdown of the system
  - Close the isolation valves of the first two and last two enrichment stages
  - Close stage exhaust valves, affecting 110 centrifuges out of 164 per cascade
  - Avoid catastrophic damage

Physical layer: damage
- Overpressure attack and rotor speed attack lead to rotor break and physically damage the centrifuges
- Physical vulnerability: fragility of centrifuge rotors
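Added defender-side example, not from the slides: two checks a monitoring host could run against the two attack strategies in the table above, flagging commanded converter frequencies outside the 807 Hz to 1210 Hz band listed for the IR-1 rotor (treated here as the normal band) and detecting a sensor stream that repeats exactly with a fixed period, the signature of a recorded signal replayed in a loop. The sample data is constructed, and the monitoring host's access to setpoints and raw readings is an assumption.

```python
# Added example, not from the presentation: monitoring checks for the two
# Stuxnet attack strategies described above. Assumes (not in the slides) that
# a monitoring host can observe the frequency setpoints sent to the converters
# and the raw pressure readings arriving from the transducers.

NORMAL_BAND_HZ = (807.0, 1210.0)  # IR-1 rotor figure from the table above


def out_of_band_setpoints(setpoints_hz):
    """Return the indices of commanded frequencies outside the normal band.

    The rotor-speed attack drove converters to 1410 Hz and then 2 Hz, both far
    outside the band, so a single out-of-band command is worth an alert.
    """
    lo, hi = NORMAL_BAND_HZ
    return [i for i, f in enumerate(setpoints_hz) if f < lo or f > hi]


def find_replay_period(samples, min_period=2, max_period=None):
    """Return the smallest period (in samples) at which the stream repeats
    exactly, or None if it never does.

    Genuine process data carries noise and does not repeat bit-for-bit; a
    stream that does is the signature of recorded signals replayed in a
    constant loop, as the CPS man-in-the-middle attack did with 21 seconds
    of readings. A constant stream also reports a period and deserves a look.
    """
    n = len(samples)
    if max_period is None:
        max_period = n // 2  # need at least two full cycles to call it a loop
    for p in range(min_period, max_period + 1):
        if all(samples[i] == samples[i - p] for i in range(p, n)):
            return p
    return None


# Constructed sample data (not real plant values), one sample per second.
RECORDED_21S = [100.0 + ((i * 5) % 21) * 0.1 for i in range(21)]
REPLAYED_STREAM = RECORDED_21S * 4                      # 84 s of looped replay
GENUINE_STREAM = [100.0 + ((i * 37) % 101) * 0.01 for i in range(84)]
SETPOINTS = [1064.0, 1064.0, 1410.0, 1064.0, 2.0]


if __name__ == "__main__":
    print("out-of-band setpoints:", out_of_band_setpoints(SETPOINTS))  # [2, 4]
    print("replay period:", find_replay_period(REPLAYED_STREAM))        # 21
    print("genuine period:", find_replay_period(GENUINE_STREAM))        # None
```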
Summary
- First computer worm to attack a SCADA system
- First computer worm to attack PLC devices
- First computer worm to exploit multiple 0-day vulnerabilities
- First computer worm to use genuine (compromised) digital certificates
- First computer worm to cause physical damage to industrial devices
- Opens a new era of Cyber War
- Demonstrates a method to attack a hard target by breaking through an air gap
- Demonstrates a methodology for cyber-physical attack

"A textbook example of Cyber Warfare" (Ralph Langner)
References
1. Falliere, N., Murchu, L. O., & Chien, E. (February 2011). W32.Stuxnet Dossier. Symantec Security Response Paper.
2. Langner, R. (November 2013). To Kill a Centrifuge. The Langner Group.
3. Gibney, A. (Director). (2016). Zero Days [Documentary film].
4. Sanger, D. E. (2012, June 1). Obama Order Sped Up Wave of Cyberattacks Against Iran. The New York Times. https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
5. Sanger, D. E. (2012). Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. Penguin Random House LLC.
6. GReAT. (2014, November 11). Stuxnet: Zero victims. Securelist, Kaspersky Lab. https://securelist.com/stuxnet-zero-victims/67483/
7. Albright, D., Brannan, P., & Walrond, C. (2011, February 16). Stuxnet Malware and Natanz: Update of ISIS December 22, 2010 Report. Institute for Science and International Security.
8. Gross, M. J. (2011, March 2). A Declaration of Cyber-War. Vanity Fair. https://www.vanityfair.com/news/2011/03/stuxnet-201104?verso=true
