Revisiting copycats and Stuxnet

As I read Kim Zetter’s “Countdown to Zero Day” I was reminded of the copycat discussions that seemed sparked by Ralph Langner’s warnings (see pp. 182-183).

“Langner suspected it would take just six months for the first copycat attacks to appear. They wouldn’t be exact replicas of Stuxnet, or as sophisticated in design… but they wouldn’t need to be.”

“[Melissa] Hathaway, the former national cyber security coordinator for the White House… told the New York Times, ‘We have about 90 days to fix this before some hacker begins using it’.”

Did we have copycats? Do we have copycats?

Off the top of my head, I can’t think of any I would call a close copycat. That doesn’t mean there aren’t any, but if there are, they are still virtually unknown.

However, we should recognize that some threat actors seem to have learned what I consider the most valuable lesson from Stuxnet: Engineering firms, ICS integrators and ICS software vendors are high value targets.

Stuxnet attackers apparently went after the computers at NEDA and other ICS integrators to get access to Natanz. This means the attackers had access to the engineering details necessary to create highly specific and customized attacks. It also means that the attackers had access to the ICS networks themselves (via engineering laptops at a minimum).

When we think of Stuxnet, we think of Natanz — but broaden your view. What other projects had NEDA and the other targeted ICS integrators worked on? Stuxnet and its cousin code (Duqu, etc.) was, and may still be, all over Iranian (critical) infrastructure.

Back to the copycats thread. Look at Havex. The parties behind Havex certainly targeted ICS integrators and support providers (via Trojanized software from eWon and MBConnectLine). So in 2014 we saw a copycat of a key concept. And I would fully expect to see more ICS vendors, integrators, and engineering firms targeted by ICS-seeking malware in the near future.

So, if you operate critical infrastructure, consider the following questions:

  • Who are your ICS integrators?
  • Who is providing maintenance to your ICS?
  • What security policies and procedures are you requiring of those parties?

If the answer to these questions is buried in layers of subcontracts, and all you know is “that your control systems work”, chances are there’s not a lot of security oversight going on. Good luck when the next copycats arrive.

Warning Intelligence and Critical Infrastructure

If you are a security professional looking for a fantastic read… something foundational that you might have overlooked, I suggest Cynthia Grabo’s “Anticipating Surprise: Analysis for Strategic Warning”.

[Image: Grabo book]

Grabo reportedly wrote the book in the early 1970s, but it remained classified until 2002. There are some fantastic concepts that help the security professional get out of the techno-centric run-the-software mindset and into a “think ahead” approach. (It is amusing that I am saying it’s useful to look back in time in order to alter perspective for effectively moving ahead.)

Here’s a great quote:

The philosophy behind indicator lists is that [an adversary] in preparation for [an attack] will or may undertake certain [activities], and that it is useful for analysts and collectors to determine in advance what these are or might be, and to identify them as specifically as possible.

At the risk of oversimplification, this means that if you are defending critical infrastructure, you would think through what an adversary may attack, and how that attack might come — getting into the specifics.

For example:

What facilities are the most important (to you, to the country, to specific customers)? What equipment is used at those facilities? How is that equipment connected to a network? Who has access to that equipment? What known vulnerabilities affect that equipment? And so forth.
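To make the indicator-list idea concrete, and to tie it back to the three supply-chain questions above (who your integrators are, who maintains the ICS, and what security terms you hold them to), here is an added Python sketch. It is my illustration, not code from the post or from Grabo’s book: a facility record answers the “think ahead” questions, an indicator list is derived from that record, and a handful of constructed events (the facility, integrator, product and event names are all placeholders) are scored against it to produce a warning level.

```python
"""Indicator-list sketch for critical infrastructure warning analysis.

Added example, not from the original post. Every facility, integrator,
product and event below is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Facility:
    name: str
    importance: int                  # 1 (minor) .. 5 (national significance)
    equipment: List[str]             # controllers, HMIs, engineering software on site
    remotely_reachable: bool         # can the ICS be reached from outside the plant?
    integrators: List[str]           # firms that built or maintain the ICS
    security_terms_in_contract: bool # do those firms have written security obligations?


@dataclass
class Indicator:
    ident: str
    description: str
    weight: int
    matches: Callable[[Dict], bool]  # predicate over a single observed event


def oversight_gaps(facility: Facility) -> List[str]:
    """Which of the supply-chain questions are still unanswered for this site?"""
    gaps = []
    if not facility.integrators:
        gaps.append("ICS integrators / maintenance providers not identified")
    if not facility.security_terms_in_contract:
        gaps.append("no written security requirements for third parties with ICS access")
    return gaps


def build_indicator_list(facility: Facility) -> List[Indicator]:
    """Derive site-specific indicators of adversary preparation from the facility record."""
    integrators = {n.lower() for n in facility.integrators}
    equipment = {n.lower() for n in facility.equipment}
    return [
        Indicator("IND-01", "unverified install of software for on-site equipment", 4,
                  lambda e: e.get("type") == "software_install"
                  and e.get("product", "").lower() in equipment
                  and not e.get("signature_verified", False)),
        Indicator("IND-02", "integrator remote session outside an agreed maintenance window", 3,
                  lambda e: e.get("type") == "remote_session"
                  and e.get("account_owner", "").lower() in integrators
                  and not e.get("in_maintenance_window", True)),
        Indicator("IND-03", "bulk export of engineering files (projects, configs) from site", 5,
                  lambda e: e.get("type") == "file_export"
                  and e.get("category") == "engineering"),
        Indicator("IND-04", "phishing reported at an integrator holding access to this site", 2,
                  lambda e: e.get("type") == "partner_report"
                  and e.get("partner", "").lower() in integrators
                  and e.get("kind") == "phishing"),
    ]


def assess(facility: Facility, events: List[Dict]) -> Dict:
    """Score observed events against the site's indicator list and rate the warning level."""
    hits = []
    for ind in build_indicator_list(facility):
        count = sum(1 for e in events if ind.matches(e))
        if count:
            hits.append((ind.ident, count, ind.weight))
    raw = sum(weight for _, _, weight in hits)
    # Structural exposure amplifies concern: a remotely reachable site whose
    # integrators carry no written security obligations is easier to reach
    # through exactly the path the post describes.
    exposure = 1.0
    if facility.remotely_reachable:
        exposure += 0.5
    if not facility.security_terms_in_contract:
        exposure += 0.5
    score = raw * facility.importance * exposure
    level = ("none" if score == 0 else "watch" if score < 15
             else "warning" if score < 40 else "alert")
    return {"facility": facility.name, "matched": hits, "score": score, "level": level}


# Constructed facility record answering the "think ahead" questions (placeholder values).
WATER_PLANT = Facility(
    name="Example water treatment plant",
    importance=4,
    equipment=["PLC-programming-suite", "HMI-station"],
    remotely_reachable=True,
    integrators=["ExampleIntegrator"],
    security_terms_in_contract=False,
)

# Constructed sample events as a SOC or plant engineer might receive them.
SAMPLE_EVENTS = [
    {"type": "remote_session", "account_owner": "ExampleIntegrator", "in_maintenance_window": False},
    {"type": "software_install", "product": "PLC-programming-suite", "signature_verified": False},
    {"type": "file_export", "category": "engineering", "count": 120},
    {"type": "remote_session", "account_owner": "ExampleIntegrator", "in_maintenance_window": True},
    {"type": "partner_report", "partner": "OtherFirm", "kind": "phishing"},  # OtherFirm has no access here
]

if __name__ == "__main__":
    print("oversight gaps:", oversight_gaps(WATER_PLANT))
    print(assess(WATER_PLANT, SAMPLE_EVENTS))
```

The point of the sketch is the direction of the work, not the numbers: indicators are written down in advance and derived from what you know about the site and its third parties, so that an integrator login at an odd hour or an unverified install of the site's engineering software is something you were already looking for, rather than something you reconstruct afterwards.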

In my experience, few defenders are systematically thinking in this way… have a read.