Thread: Stuxnet: Target Bushehr?

  1. #21
    Council Member
    Join Date
    Sep 2007
    Location
    UK
    Posts
    203

    Re. Stuxnet

    Firstly take the reports in the press with a bucket load of salt, particularly Langner’s wild speculations in post 14.

    If you are interested in this malware read Symantec’s report (64-page .pdf), which outlines the function of all code modules, propagation methods and variations in great detail.

    What is clear (see graphs around page 6) and from the infection method is that the intended target was in Iran. The intended end result is the speeding up, and slowing down, of some industrial motors. It is very specific in the criteria needed for activation; the report outlines the nitty-gritty on page 42:

    To more clearly illustrate the behavior of the injected code, we’ve outlined the key events that would occur with an infected 315-2 CPU connected to multiple CP 342-5 modules each with 31 frequency converter drive slaves, as shown in the diagram below.

      • The PLC is infected.
      • Frequency converter slaves send records to their CP-342-5 master, building a frame of 31 records. The CPU records the CP-342-5 addresses.
      • The frames are examined and the fields are recorded.
      • After approximately 13 days, enough events have been recorded, showing the system has been operating between 807 Hz and 1210 Hz.
      • The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to 1410Hz.
      • Normal operation resumes.
      • After approximately 27 days, enough events have been recorded.
      • The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency initially to 2Hz and then 1064Hz.
      • Normal operation resumes.
      • After approximately 27 days, enough events have been recorded.
      • The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to 1410Hz.
      • Normal operation resumes.
      • After approximately 27 days, enough events have been recorded.
      • The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency initially to 2Hz and then 1064Hz.

    What is going on here is the authors – of the malware – are only interested in motors running at between 807 & 1210Hz. They could instruct the motor to spin at very high speed in reverse and cause immediate catastrophic damage, but what they do is introduce a cycle that waits a couple of weeks, then increases the revs to 1410Hz (not wildly above the normal range), then returns to normal operation for weeks before almost stopping the motor (2Hz), then setting it to 1064Hz (inside the normal range) before restarting the cycle. What effect this would have obviously depends on what the motors are driving, and this control equipment is so generic the Siemens site has a sales .pdf with case studies of various companies using their system controlling sewing machines and motors moving packages off a conveyor belt and onto a pallet. The very specific criteria and precise speed changes imply a detailed knowledge of the target and imply an attempt not to cause collateral damage.

    The extreme complexity of the code, the use of 3 Windows zero-day exploits (these are like gold dust; they are previously undocumented security weaknesses, each of which would normally be the basis of a new virus; to ‘waste’ 3 in one attack is unheard of) and one in the Siemens Step 7 control software. This is man-years of work and probably needed someone to gain access to the premises of both Realtek & JMicron (both in Taiwan):
    “The attackers would have needed to obtain the digital certificates from someone who may have physically entered the premises of the two companies and stole them, …”
    I do not know where in Iran the target was, but the report shows that Iran alone had 60,000 infected computers in 30,000 organisations at one point, with nearly 70% running the Step 7 control software. The complexity, specificity, absence of pecuniary advantage, and attempts not to damage systems, other than the target, do point to a Nation State. The fact that Iran was the epicentre of the attack does make one wonder if its nuclear facilities were the intended target, but I have seen no reports that state that Natanz or Bushehr use the S7-315 CPU, which is the very specific target.

    Now if anyone here can tell me authoritatively that the Natanz centrifuges’ spin speeds are controlled by 6ES7 315-2 (it is that specific) processors then …
    Last edited by JJackson; 12-08-2010 at 05:36 PM.
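
An added example, not part of the original post or of the Symantec report: a defender-side check over frequency-converter setpoint telemetry that flags setpoints outside the 807–1210 Hz band quoted above and measures the gap between excursions. The log layout, drive names and sample values are constructed assumptions.

```python
from datetime import datetime, timedelta

BAND_LOW, BAND_HIGH = 807.0, 1210.0  # Hz, operating band quoted in the post

def find_excursions(samples, low=BAND_LOW, high=BAND_HIGH):
    """Group consecutive out-of-band setpoints into one event per drive.

    samples: time-ordered (timestamp, drive_id, setpoint_hz) tuples
    (a hypothetical historian export layout).
    """
    open_events, events = {}, []
    for ts, drive, hz in samples:
        ev = open_events.get(drive)
        if low <= hz <= high:
            open_events.pop(drive, None)  # back in band closes the event
            continue
        if ev is None:
            ev = {"drive": drive, "start": ts, "min_hz": hz, "max_hz": hz}
            open_events[drive] = ev
            events.append(ev)
        ev["end"] = ts
        ev["min_hz"] = min(ev["min_hz"], hz)
        ev["max_hz"] = max(ev["max_hz"], hz)
    for ev in events:
        over, under = ev["max_hz"] > high, ev["min_hz"] < low
        ev["kind"] = "mixed" if over and under else "overspeed" if over else "underspeed"
    return events

def gaps_in_days(events, drive):
    """Days between successive excursion starts on one drive."""
    starts = [e["start"] for e in events if e["drive"] == drive]
    return [(b - a).days for a, b in zip(starts, starts[1:])]

def build_sample():
    """Constructed telemetry: one setpoint per drive per day for 70 days."""
    t0, rows = datetime(2010, 1, 1), []
    for day in range(70):
        for drive in ("drive-01", "drive-02"):
            hz = {13: 1410.0, 40: 2.0}.get(day, 1064.0)
            rows.append((t0 + timedelta(days=day), drive, hz))
    return rows

if __name__ == "__main__":
    found = find_excursions(build_sample())
    for e in found:
        print(e["drive"], e["start"].date(), e["kind"], e["min_hz"], e["max_hz"])
    print("gap (days):", gaps_in_days(found, "drive-01"))
```

With weeks of normal operation between excursions, a check like this only shows the recurrence if setpoint history is retained for months rather than days.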