News: Malicious Computer Worm Infects Power Plants, Pipelines, Factories

News: Malicious Computer Worm Infects Power Plants, Pipelines, Factories

Sep 24

WARNING OVER MALICIOUS COMPUTER WORM
By Joseph Menn in San Francisco and Mary Watkins in London
Financial Times
September 23, 2010

Original Link

A piece of highly sophisticated malicious software that has infected an unknown number of power plants, pipelines and factories over the past year is the first program designed to cause serious damage in the physical world, security experts are warning.

The Stuxnet computer worm spreads through previously unknown holes in Microsoft’s Windows operating system and then looks for a type of software made by Siemens and used to control industrial components, including valves and brakes.

Stuxnet can hide itself, wait for certain conditions and give new orders to the components that reverse what they would normally do, the experts said. The commands are so specific that they appear aimed at an industrial sector, but officials do not know which one or what the affected equipment would do.

While cyber attacks on computer networks have slowed or stopped communication in countries such as Estonia and Georgia, Stuxnet is the first aimed at physical destruction and it heralds a new era in cyberwar.

At a closed-door conference this week in Maryland, Ralph Langner, a German industrial controls safety expert, said Stuxnet might be targeting not a sector but perhaps only one plant, and he speculated that it could be a controversial nuclear facility in Iran.

According to Symantec, which has been investigating the virus and plans to publish details of the rogue commands on Wednesday, Iran has had far more infections than any other country.

“It is not speculation that this is the first directed cyber weapon”, or one aimed at a specific real-world process, said Joe Weiss, a US expert who has testified to Congress on technological security threats to the electric grid and other physical operations. “The only speculation is what it is being used against, and by whom.”

Experts say Stuxnet’s knowledge of Microsoft’s Windows operating system, the Siemens program and the associated hardware of the target industry make it the work of a well-financed, highly organised team.

They suggest that it is most likely associated with a national government and that terrorism, ideological motivation or even extortion cannot be ruled out.

Stuxnet began spreading more than a year ago but research has been slow because of the complexity of the software and the difficulty in getting the right industry officials talking to the right security experts.

Microsoft has patched the vulnerabilities in Windows but experts remain concerned because of the worm’s ability to hind once it is in a system.

Experts have only begun publishing more of their analyses in the last few weeks, hoping that such steps will get more answers from private companies and government leaders.

Siemens said that since July 15, when it first learnt about Stuxnet, 15 of its customers had reported being infected by the worm. The company would not name the customers but said that five were in Germany and the rest were spread around the world. Siemens said critical infrastructure had not been affected by the virus and in each case the worm had been removed.

The German conglomerate said it had offered its customers a fix for the virus and that since the Stuxnet virus was detected, there had been 12,000 downloads of its anti-virus software.

…………..

STUXNET COMPUTER WORM MAY BE AIMED AT IRAN NUCLEAR SITES, RESEARCHER SAYS
By Arik Hesseldahl
Bloomberg
September 24, 2010

Original Link

A computer worm that has infected industrial computers around the world may be part of a campaign targeting nuclear installations in Iran, computer-security researchers said.

The highest concentration of affected systems — almost 60 percent — is in Iran, according to data from Symantec Corp., the maker of computer-security software based in Mountain View, California. The Stuxnet worm’s origins and purpose aren’t fully known, according to both Symantec and Frank Rieger, chief technology officer at GSMK, a maker of encrypted mobile phones.

The level of sophistication in the worm’s programming and its ability to hide itself suggest it may have been built by a government-sponsored organization in a country such as the U.S. or Israel, Rieger said.

He estimates that building the worm cost at least $3 million and required a team of as many as 10 skilled programmers working about six months.

“All the details so far to me scream that this was created by a nation-state,” Rieger said in a telephone interview. Iran’s nuclear facilities may have been targets, said Rieger and Richard Falkenrath, principal at the Chertoff Group, a Washington-based security advisory firm.

Iran, which has the world’s second-largest oil reserves, is under United Nations sanctions because it refuses to curtail uranium enrichment and the development of ballistic missiles that might carry a weapon. The country started a 1,000-megawatt nuclear-power reactor near the southern city of Bushehr in August.

‘Hides in Windows’

“It is theoretically possible that the U.S. government did this,” Falkenrath said during an interview today with Bloomberg Television. “But in my judgment, that’s a very remote possibility. It’s more likely that Israel did it.”

A message left at the Israeli embassy’s press office wasn’t immediately returned.

The worm initially infects computers running several editions of Microsoft Corp.’s Windows, including older versions such as Windows 2000, and recent ones such as Windows 7, using one of four vulnerabilities known only to the worm’s creators, said Liam O Murchu, manager of North American security-response operations for Symantec.

“It hides in Windows and then tries to spread itself to other computers running Windows,” O Murchu said. An infected computer shows no ill side effects and the worm ensures that no software running on the computer crashes, which is unusual, he said.

Specific System

As it spreads, the worm searches for connections to a device known as a programmable logic controller, which helps link Windows computers and computerized industrial control systems, converting commands sent from the Windows machine into a format the industrial machines can understand. The worm targets industrial software made by Munich-based Siemens AG, researchers said.

Once an industrial machine is infected, the worm lies dormant until certain conditions in the machine are met, O Murchu said. For example, when the temperature of a certain component gets hot, the worm might prevent a cooling system from functioning. What conditions the worm waits for are unclear, he said.

‘It was designed to go after a specific system set up in a very specific way,” O Murchu said. “What we don’t yet know is where such a system exists in the real world.”

Siemens’ Software Fix

Symantec estimated in July that 14,000 individual computers connected to the Internet worldwide had shown signs of Stuxnet infections. The highest concentration — 59 percent — were in Iran; 18 percent were in Indonesia; 8 percent in India and less than 2 percent in the U.S.

Siemens learned of the worm the same month and within a week, issued software to detect and remove it, said Alexander Machowetz, a company spokesman in Erlangen, Germany. The fix was downloaded 12,000 times, and 15 customers said they were affected.

No new cases of Stuxnet infections have been reported since the end of August, and Siemens was not able to determine the worm’s country of origin, Machowetz said.

Microsoft teamed up with researchers at Symantec and at Kasperksy Lab, a Moscow-based antivirus software firm, to create a removal tool for Stuxnet, Jerry Bryant, group manager for the Redmond, Washington-based company’s response communications, said in a company blog post dated Sept. 13. Since then “the threat has gone way down from the spike we saw in early August,” Bryant wrote.

Government Cyber Attacks

Symantec plans to publish more details from its analysis of the worm on Sept. 29.

There is historical precedent for cyber attacks by nation- states, according to a 2004 book by a former U.S. Air Force secretary.

Spies working for the U.S. Central Intelligence Agency inserted malicious software into computer-control systems for a Soviet natural-gas pipeline in Siberia, Thomas C. Reed wrote in “At The Abyss: An Insider’s History Of The Cold War.”

Ultimately the effort caused a massive explosion, said Reed, who was Air Force Secretary in the 1970s and later advised President Ronald Reagan on national security policy.

The Financial Times published a story on the worm yesterday.

……………

2 comments

  1. Good blog, where did you come up with the knowledge in this piece of content? I’m glad I found it though, ill be checking back soon to see what other articles you have.

  2. Thanks for taking the time to share this, I feel strongly about it and love learning extra on this topic. If doable, as you achieve experience, would you mind updating your weblog with extra information? It is extremely useful for me.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.