Friday, October 21, 2011

Major Security Firms Detect New Trojan Capable Of Disrupting Power Plants, Oil Refineries and Other Critical Infrastructure Networks

In our October 7, 2011 report There Have Been Intrusions, we noted that DHS Undersecretary Greg Shaffer warned that hackers and foreign governments are “knocking on the backdoor” of the networked systems which connect everything from infrastructure grid control systems to financial networks.

It now appears that our interconnected smart grid is actively under attack, as evidenced by a new Stuxnet-style trojan that has been detected by major cyber security leaders Symantec and McAfee. Much like its predecessor, the trojan dubbed “Duqu” is designed to infiltrate the networks that control everything from power production facilities to oil refineries. It is not yet clear exactly how the trojan operates, what its intended purpose is, or who designed it (though it is believed that the code for Duqu and Stuxnet likely originated with U.S. intelligence agencies). Both Symantec and McAfee continue to investigate the threat:

Security researchers have detected a new Trojan, scarily similar to the infamous Stuxnet worm, which could disrupt computers controlling power plants, oil refineries and other critical infrastructure networks.

The Trojan, dubbed “Duqu” by the security firm Symantec, appears, based on its code, to have been written by the same authors as the Stuxnet worm, which last July was used to cripple an Iranian nuclear-fuel processing plant.

“Duqu shares a great deal of code with Stuxnet; however, the payload is completely different,” researchers for the security firm Symantec wrote on its Security Response blog.

Instead of directly targeting the SCADA system, Duqu gathers “intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”

“Duqu is essentially the precursor to a future Stuxnet-like attack,” the researchers added.

Source: Fox News

You may recall that Stuxnet was so advanced that it crashed the physical centrifuges used to enrich uranium in Iran’s nuclear facilities. Stuxnet did this by exploiting software and hardware vulnerabilities: it manipulated the software interface so that it reported to the Iranian facility’s engineers that everything was functioning properly, while in the background it sent the centrifuges spinning out of control to the point of hardware failure.

Duqu, which is apparently a similar piece of advanced code with a slightly different modus operandi, is not yet completely understood, but like Stuxnet in Iran, it is now actively functioning inside of critical infrastructure systems gathering information. To what end? The answer to that question may remain elusive until it’s too late.

In reportedly unrelated news, the Department of Homeland Security, in an unclassified National Cybersecurity and Communications Integration Center Bulletin (pdf), has issued warnings about the hacking group Anonymous and the possibility that they are becoming increasingly capable of targeting advanced Industrial Control Systems (ICS):

(U//FOUO) The information available on Anonymous suggests they currently have a limited ability to conduct attacks targeting ICS. However, experienced and skilled members of Anonymous in hacking could be able to develop capabilities to gain access and trespass on control system networks very quickly. Free educational opportunities (conferences, classes), presentations at hacker conferences, and other high profile events/media coverage have raised awareness to ICS vulnerabilities, and likely shortened the time needed to develop sufficient tactics, techniques, and procedures (TTPs) to disrupt ICS. Control system exploits are released in common penetration testing software such as Metasploit release 4.0 that can be directly used with novice level skills in hacking and little to no background in control systems. Common packet inspection tools such as WireShark and Netmon have improved to the point where industrial protocols are supported minimizing the effectiveness of security-by-obscurity. In addition, there are control systems that are currently accessible directly from the Internet and easy to locate through internet search engine tools and applications. These systems could be easily located and accessed with minimal skills in order to trespass, carry out nefarious activities, or conduct reconnaissance activities to be used in future operations.

(U//FOUO) Anonymous has recently called on their members to target energy companies based on “Green Energy” initiative performance. This targeting could likely extend beyond Anonymous to the broader hacktivist community, resulting in larger-scope actions against energy companies. Asset owners and operators of critical infrastructure control systems are encouraged to engage in addressing the security needs of their control system assets.

Curiously, the Duqu trojan doesn’t seem to have originated from individual hackers or hacking groups, or foreign intelligence services. Rather, like Stuxnet, the virus was likely written under control and/or guidance of U.S. intelligence, possibly in collaboration with Israeli intelligence.

While DHS has issued warnings about Anonymous and other hacking groups potentially attacking the grid, someone – and it’s likely not a lone hacker or the Anonymous hacking group – is actively involved in probing for vulnerabilities in our infrastructure control systems. These are the systems that monitor and control our electricity, water supplies, gas pipelines, oil refineries, financial exchanges, and even certain military operations.

There seems to be no immediate danger at this time, as the Duqu trojan is reportedly gathering intelligence, as opposed to actively attempting to bring down the systems via a hardware-style attack like Stuxnet.

But once it acquires all of the necessary information, such as personnel access codes, security certificates and a mapped layout of a particular grid infrastructure, it wouldn’t take much to take things to the next level.

Imagine for a moment the effect of an attack on major refining operations, cascading electrical outages, urban water purification systems that added excessive chemicals to water supplies, or the massive flooding that might result if a dam were compromised.

Or, consider that the U.S. drone fleet was recently attacked by an unknown trojan or malware, which was logging access commands and passwords for high security military systems. What would happen if an enemy of the people of the United States gained access to our entire drone fleet, weapons systems and all?

The possibilities for damage via compromised infrastructure systems would be nothing short of a digital apocalypse, with the potential to adversely affect the lives of tens of millions of unsuspecting Americans virtually overnight.
