A worm that targets critical infrastructure companies doesn't just steal data, it leaves a back door that could be used to remotely and secretly control plant operations, a Symantec researcher said on Thursday.
The Stuxnet worm infected industrial control system companies around the world, particularly in Iran and India but also companies in the U.S. energy industry, Liam O'Murchu, manager of operations for Symantec Security Response, told CNET. He declined to say how may companies may have been infected or to identify any of them.
"This is quite a serious development in the threat landscape," he said. "It's essentially giving an attacker control of the physical system in an industrial control environment."
The malware, which made headlines in July, is written to steal code and design projects from databases inside systems found to be running Siemens Simatic WinCC software used to control systems such as industrial manufacturing and utilities. The Stuxnet software also
has been found to upload its own encrypted code to the Programmable Logic Controllers (PLCs) that control the automation of industrial processes and which are accessed by Windows PCs. It's unclear at this point what the code does, O'Murchu said.
An attacker could use the back door to remotely do any number of things on the computer, like download files, execute processes, and delete files, but an attacker could also conceivably interfere with critical operations of a plant to do things like close valves and shut off output systems, according to O'Murchu.
"For example, at an energy production plant, the attacker would be able to download the plans for how the physical machinery in the plant is operated and analyze them to see how they want to change how the plant operates, and then they could inject their own code into the machinery to change how it works," he said.
The Stuxnet worm propagates by exploiting a hole in all versions of Windows in the code that processes shortcut files ending in ".lnk." It infects machines via USB drives but can also be embedded in a Web site, remote network share, or Microsoft Word document, Microsoft said.
Microsoft issued an emergency patch for the Windows Shortcut hole last week, but just installing the patch is not enough to protect systems running the Siemens program because the malware is capable of hiding code in the system that could allow a remote attacker to interfere with plant operations without anyone at the company knowing, according to O'Murchu.
"There may be additional functionality introduced into how a pipeline or energy plant works that the company may or may not be aware of," he said. "So, they need to go back and audit their code to make sure the plant is working the way they had intended, which is not a simple task."
Symantec researchers know what the malware is capable of but not what it does exactly because they are not done analyzing the code. For instance, "we know it checks the data and depending on the date it will take different actions, but we don't know what the actions are yet," O'Murchu said.
This new information about the threat prompted Joe Weiss, an expert in industrial control security, to send an e-mail on Wednesday to dozens of members of Congress and U.S. government officials asking them to give the Federal Energy Regulatory Commission (FERC) emergency powers to require that utilities and others involved in providing critical infrastructure take extra precautions to secure their systems. The emergency action is needed because PLCs are outside the normal scope of the North American Electric Reliability Corp.'s Critical Infrastructure Protection standards, he said.
"The Grid Security Act provides emergency powers to FERC in emergency situations. We have one now," he wrote. "This is essentially a weaponized hardware Trojan" affecting PLCs used inside power plants, off-shore oil rigs (including Deepwater Horizon), the U.S. Navy's facilities on ships and in shore and centrifuges in Iran, he wrote.
"We don't know what a control system cyberattack would look like, but this could be it," he said in an interview.
The situation indicates a problem not just with one worm, but major security issues across the industry, he added. People fail to realize you can't just apply security solutions used in the information technology world to protect data to the industrial control world, he said. For example, Department of Energy intrusion detection testing didn't and would not have found this particular threat and anti-virus didn't and wouldn't protect against it, Weiss said.
"Antivirus provides a false sense of security because they buried this stuff in the firmware," he said.
Last week, a Department of Energy report concluded that the U.S. is leaving its energy infrastructure open to cyberattacks by not performing basic security measures, such as regular patching and secure coding practices. Researchers worry about security problems in smart meters being deployed in homes around the world, while problems with the electrical grid in general have been discussed for decades. One researchers at the Defcon hacker conference in late July described security problems in the industry as a "ticking time bomb."
Asked to comment on Weiss' action, O'Murchu said it was a good move. "I do think this is a very serious threat," he said. "I don't think the appropriate people have realized yet the seriousness of the threat."
Symantec has been getting information about computers infected by the worm, which appears to date back
at least to June 2009, by observing connections the victim computers have made to the Stuxnet command-and-control server.
"We're trying to contact infected companies and inform them and working with authorities," O'Murchu said. "We're not able to tell remotely if (any foreign attack) code was injected or not. We can just tell that a certain company was infected and certain computers within that company had the Siemens software installed."
O'Murchu speculated that a large company interested in industrial espionage or someone working on behalf of a nation-state could be behind the attack because of its complexity, including the high cost of acquiring a zero-day exploit for an unpatched Windows hole, the programming skills and knowledge of industrial control systems that would be necessary and the fact that the attacker tricks victim computers into accepting the malware by using counterfeit digital signatures.
"There is a lot of code in the threat. It's a large project," he said. "Who would be motivated to create a threat like this? You can draw your own conclusions based on the countries targeted. There is no evidence to indicate who exactly could be behind it."