I thought this was a pretty interesting article that I felt I should share. It talks about the different types of hackers that may have been behind the original stuxnet attack.

(Credit: Symantec)
W32.Stuxnet has received a lot of media attention over the last few days. This incident provides almost a complete case study of how these attacks succeed and how they will probably be used in the future. A successful attack allowed the attacker to steal confidential SCADA design and usage documents.

Let’s start by saying we don’t know who is behind the attack, and historically discovering this is very rare. However, if someone proposed this type of attack a month ago, while we would have agreed it was theoretically possible, most would have dismissed such an attack as a movie-plot scenario. Furthermore, attacks of this nature are rarely disclosed publicly.

We know that the people behind this attack aren’t amateurs, but their final motive is unclear.

The principal facts in this case are:

  • The attackers discovered and used a zero-day vulnerability affecting all versions of Microsoft Windows.
  • They developed and used a rootkit to hide their presence.
  • They targeted software which is used to control industrial assets and processes; deep knowledge of the product internals was utilized.
  • The hackers were able to sign their files using a legitimate digital certificate from an innocent third party. This digital certificate expired in June but a new driver appeared in July; it was also digitally signed using a digital certificate from another company. Both of these companies have offices in Taiwan. The hackers either stole private keys or were able to get their files signed. The attackers may have more compromised digital signatures.
  • The hackers did not use a targeted means of attack. Instead, the threat replicates to USB keys and can infect any Windows computer.
  • The zero-day vulnerability, rootkit, main binaries, stolen digital certificates, and in-depth knowledge of SCADA software are all high-quality attack assets. The combination of these factors makes this threat extremely rare, if not completely novel.

Read the rest of the article here
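The certificate point above (a driver signed with one company's certificate, that certificate expiring, and a new driver appearing weeks later signed by a different company) is something a defender can hunt for in a driver inventory. The following is an added example, not code from this post or from Symantec: it runs two checks over a constructed list of signed kernel drivers. First, per file, it flags a signature whose certificate is on a revocation list, a signature made outside the certificate's validity window, or an untimestamped signature whose certificate has since expired (a properly countersigned signature stays valid after expiry, so that case is deliberately not flagged). Second, across files, it groups drivers by a product family and reports families whose signer changed. All paths, vendor names, thumbprints and dates are constructed placeholders; `family` is a hypothetical grouping key the reader would derive from their own inventory.

```python
"""Added example: code-signing anomaly checks over a constructed driver inventory.
Not part of the original post; vendor names, thumbprints and dates are placeholders."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set


@dataclass
class SignedDriver:
    path: str
    family: str                    # hypothetical grouping key (e.g. product name)
    publisher: str                 # subject CN of the signing certificate
    cert_thumbprint: str           # constructed placeholder, not a real thumbprint
    not_before: datetime           # certificate validity start
    not_after: datetime            # certificate validity end
    signed_at: Optional[datetime]  # trusted countersignature time, None if untimestamped
    first_seen: datetime           # when the file first appeared on the host


# Constructed revocation list (placeholder thumbprint).
REVOKED_THUMBPRINTS: Set[str] = {"REVOKED-PLACEHOLDER-0002"}

# Constructed inventory modelled on the scenario in the post: one family of
# drivers signed by two different vendors, plus an unrelated benign driver.
DRIVERS: List[SignedDriver] = [
    SignedDriver(r"C:\Windows\System32\drivers\example_a.sys", "example-family",
                 "Example Vendor A", "PLACEHOLDER-0001",
                 datetime(2009, 1, 1), datetime(2010, 6, 30),
                 datetime(2010, 5, 10), datetime(2010, 6, 1)),
    SignedDriver(r"C:\Windows\System32\drivers\example_b.sys", "example-family",
                 "Example Vendor B", "REVOKED-PLACEHOLDER-0002",
                 datetime(2009, 1, 1), datetime(2011, 1, 1),
                 None, datetime(2010, 7, 15)),
    SignedDriver(r"C:\Windows\System32\drivers\example_c.sys", "example-family",
                 "Example Vendor A", "PLACEHOLDER-0001",
                 datetime(2009, 1, 1), datetime(2010, 6, 30),
                 datetime(2010, 7, 20), datetime(2010, 7, 21)),
    SignedDriver(r"C:\Windows\System32\drivers\benign.sys", "benign-family",
                 "Example Vendor C", "PLACEHOLDER-0003",
                 datetime(2009, 1, 1), datetime(2012, 1, 1),
                 datetime(2010, 3, 1), datetime(2010, 3, 5)),
]


def check_driver(d: SignedDriver, now: datetime) -> List[str]:
    """Return the list of per-file findings for one signed driver."""
    findings: List[str] = []
    if d.cert_thumbprint in REVOKED_THUMBPRINTS:
        findings.append("revoked-certificate")
    if d.signed_at is None:
        # Without a countersignature the signature has no trusted signing time,
        # so once the certificate expires the signature can no longer be trusted.
        if now > d.not_after:
            findings.append("expired-without-timestamp")
    elif not (d.not_before <= d.signed_at <= d.not_after):
        # A countersigned signature made outside the validity window means the
        # key was used after (or before) the certificate was valid.
        findings.append("signed-outside-validity")
    return findings


def publisher_changes(drivers: List[SignedDriver]) -> Dict[str, Set[str]]:
    """Families whose drivers were signed by more than one publisher."""
    by_family: Dict[str, Set[str]] = defaultdict(set)
    for d in drivers:
        by_family[d.family].add(d.publisher)
    return {fam: pubs for fam, pubs in by_family.items() if len(pubs) > 1}


def scan(drivers: List[SignedDriver], now: datetime) -> Dict[str, List[str]]:
    """Per-path findings for every driver that has at least one finding."""
    return {d.path: f for d in drivers if (f := check_driver(d, now))}


if __name__ == "__main__":
    now = datetime(2010, 8, 1)
    for path, findings in scan(DRIVERS, now).items():
        print(path, findings)
    for fam, pubs in publisher_changes(DRIVERS).items():
        print(f"{fam}: signer changed across versions: {sorted(pubs)}")
```

The timestamped driver whose certificate expired in June produces no finding on its own; what stands out is the sibling signed after that expiry and the family being signed by two different vendors, which is exactly the pattern the article describes.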


dblanchard says:

It was also reported that multiple zero-day vulnerabilities were coded in, which ensured greater success, but also played out more of the attacker’s trump cards. Either there are more zero-day exploits up their metaphorical sleeve, and another attack is being readied, or this was purely demonstrative. My bet, and hope, is on the latter. In either case, I expect more interesting developments to come of it.
