Stuxnet PART2 : And The Truth Shall Set You Free
PART 1 of Stuxnet article: http://goo.gl/Xi7fU7
What is Stuxnet: it’s the most complicated piece of malware ever written. Up till now there has been wide speculation that it was written by a specific country to attack the Siemens computer control systems used in Iran’s nuclear program. Security experts heavily criticized Siemens because the worm exploited, among many other things, a “hard coded password” in the Siemens system. The Stuxnet worm infected critical energy companies in 125 countries.
Siemens’ internal CERT (Computer Emergency Response Team) released some slides about Stuxnet as a form of “Official Communication” to its constituents. The slides were taken offline a few hours later.
But as I was reading through the slides I decided to take a copy, just in case they did exactly that. In the official slides, Siemens confirmed that Stuxnet was a “targeted” attack, using terms like “targeting a very specific configuration, certain PLC blocks and specific processes or (project)“. These bold statements simply mean that Stuxnet’s makers had one target in mind, and this should eliminate any theory out there denying that it is state-sponsored malware.
The slides confirmed that the malware is capable of transferring data out of the infected system back to its command and control servers, yet nothing has been proven, especially since the two C&C servers (www[.]mypremierfutbol[.]com and www[.]todaysfutbol[.]com) were brought down by Symantec. I would like to add that both servers were located in Germany.
The Siemens slides then claim that all known infections are now clean and zero enterprise damages reported. Yet they didn’t specify their definition of “damage”: is it seeing the enterprise up in flames, or a few bytes of data going out? The slides go on listing the great deeds of Siemens since the discovery of the malware: “white papers, cleaning tools, contacting customers, working with top AV vendors, even magazine interviews”. Isn’t this what they are paid to do?
What is really strange is their genius conclusion that future infections are “unlikely”, because the malware pattern is now detected by up-to-date anti-virus programs. Eureka!! Yes, future “Stuxnet” infections might be unlikely, but this is certainly not the end of this type of attack as long as top vendors like Siemens still use “hard coded & publicly available” passwords on critical systems in the year 2010 and don’t even admit that this is the REAL problem.
I was able to locate the hard coded (built-in) user names and passwords in Siemens’ technical online forums:
Another statement that also reflects a severe undermining of the terms “due diligence” and “responsibility” is a question they highlighted in yellow: “Has the customer done all he can?“. Imagine a car manufacturer that sold you a very expensive car equipped with an advanced airbag system; then someone smashes into your car and the airbag doesn’t work, and while you are in hospital the car company’s lawyer asks why you didn’t bring an airbag from home, just in case!
About The Author
Omar Sherin is the head of critical information infrastructure protection (CIIP) at the Qatar Computer Emergency Response Team (Q-CERT), an ictQATAR initiative. In this role he participates in technically assessing critical infrastructure, drafting guidelines such as the Qatari National ICS Security Standard, and conducting Qatar’s national cybersecurity drills. He is also an international partner of the Industrial Control Systems Joint Working Group (ICSJWG) and a certified business continuity professional, certified ethical hacker, and ISO 27001 lead auditor. He has more than 11 years of professional experience in information security and resiliency, and has worked for several multinational firms in the oil and gas sector.