Stuxnet trail continues to grow
28 Sep 2010
London – The recent Stuxnet attack on process control and SCADA systems was most likely the work of a nation state or a major organisation, and may have been developed with the specific intention of disrupting nuclear and other important industrial facilities in Iran.
According to a number of IT security experts quoted by the BBC, infections by the worm have predominantly shown up in Iran, with power plants, water stations and industrial facilities among the main targets.
The complexity of the worm, which emerged in June, was such that its development would have required the resources of a nation state, the experts also claimed.
While Stuxnet had been known about for some time, the new variant was a worrying development in that it specifically targeted the database files of Siemens WinCC and PCS7 systems.
The USB-borne worm was tailored to trawl for data associated with production processes and allow people outside the facility to access potentially sensitive information.
The worm was particularly advanced and could infect a computer as soon as an infected USB drive was plugged into it. Rather than relying on AutoRun, which can be disabled, it exploited a flaw in the way Windows parsed shortcut (.lnk) files: merely displaying the contents of the drive in Explorer was enough for the malicious code to run.
Microsoft released an out-of-cycle patch (MS10-046, August 2010) for this previously unknown vulnerability, which affected its operating systems from XP onwards.
The theory regarding the origin of the worm also appears to be supported by investigations at Siemens.
In a 17 Sept update, the company said that the "analysed properties and the behaviour of the virus suggest that we are dealing with the product of a team of experts", adding that they "must have IT expertise as well as specific know-how about industrial controls, their deployment in industrial production processes and corresponding engineering knowledge".
This followed a 7 Sept announcement in which the company said it knew of 15 infected systems worldwide, reportedly mainly chemical plants. In none of these cases, it said, did the infection cause an adverse impact on the automation system.
"As far as we know at the moment, industrial controls from Siemens are affected. The Trojan is activated whenever WinCC or PCS7 software from Siemens is installed," the 7 Sept statement said.
According to Siemens, the worm can theoretically influence specific processes and operations in specific automation environments or plant configurations, as well as passing on data; that is, under certain boundary conditions it could alter the processing of operations in the control system.
However, Siemens said there was no evidence of this having happened to date.
Stuxnet is apparently only activated in plants with a specific configuration, the company noted: it deliberately searches for a certain technical constellation of modules and program patterns that apply to a specific production process.
"This means that Stuxnet is obviously targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications."
The malware carries its own blocks (for example DB890, FC1865 and FC1874) and tries to load them into the CPU and integrate them into the program sequence. If blocks with these names are already present, the malware does not infiltrate the user program.
If these blocks were not present in the original program and are now detected, the system has been infected. In this case Siemens urgently recommends restoring the plant control system to its original state.
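The check described above, as an added Python example that is not code from the article or from Siemens: it compares the block inventory of the original project with what is now on the CPU, flags the named blocks only when they were absent from the original program (a project that legitimately used DB890 all along is not flagged), and reports any other deviation from the baseline, including a changed body of an existing block, which is how integration into the program sequence would show up, for investigation without calling it Stuxnet. The way block lists are exported from the engineering tool is assumed, the block contents are placeholder bytes, and all sample data is constructed inline.

```python
"""Baseline comparison of S7 program blocks, applying the check in the article.

Added example, not code from the article or from Siemens. It assumes the block
list of the original (clean) project and the block list currently on the CPU can
both be exported as name/content pairs; the data below is constructed inline and
the block bodies are placeholder bytes, not real STL/MC7 code.
"""
import hashlib
from dataclasses import dataclass

# Block names the Siemens advisory quoted in the article associates with the payload.
STUXNET_BLOCKS = frozenset({"DB890", "FC1865", "FC1874"})


@dataclass(frozen=True)
class Block:
    name: str    # block identifier as shown in the engineering tool, e.g. "FC1865"
    code: bytes  # exported block body (placeholder bytes in the samples below)

    def digest(self) -> str:
        return hashlib.sha256(self.code).hexdigest()


def inventory(blocks):
    """Map block name -> SHA-256 of its body, so content changes are visible too."""
    return {b.name: b.digest() for b in blocks}


def compare(baseline, current):
    """Return (added, removed, modified) block names of current relative to baseline."""
    base, cur = inventory(baseline), inventory(current)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    modified = sorted(n for n in base.keys() & cur.keys() if base[n] != cur[n])
    return added, removed, modified


def assess(baseline, current):
    """Apply the rule from the article: the named blocks appearing where the original
    program did not have them is the infection indicator. A block that was already
    part of the original program is not flagged. Any other deviation is reported for
    investigation without claiming it is Stuxnet."""
    added, removed, modified = compare(baseline, current)
    indicators = sorted(STUXNET_BLOCKS & set(added))
    if indicators:
        verdict = "INFECTED"
    elif added or removed or modified:
        verdict = "DEVIATION"
    else:
        verdict = "CLEAN"
    return {"verdict": verdict, "indicators": indicators,
            "added": added, "removed": removed, "modified": modified}


# Constructed sample data: a small clean project and two snapshots taken from a CPU.
CLEAN_PROJECT = [
    Block("OB1", b"ob1 cyclic program v1"),
    Block("OB35", b"ob35 100ms interrupt v1"),
    Block("FC1", b"fc1 pump control"),
    Block("DB1", b"db1 process values"),
]

# Snapshot 1 (constructed): the three named blocks appeared and OB1 was rewritten
# so that the injected code is called from the cyclic program.
SNAPSHOT_INFECTED = CLEAN_PROJECT[1:] + [
    Block("OB1", b"ob1 cyclic program with injected call"),
    Block("DB890", b"injected data"),
    Block("FC1865", b"injected code"),
    Block("FC1874", b"injected code"),
]

# Snapshot 2 (constructed): a project that legitimately used DB890 all along, unchanged.
PROJECT_WITH_DB890 = CLEAN_PROJECT + [Block("DB890", b"legitimate recipe data")]
SNAPSHOT_UNCHANGED = list(PROJECT_WITH_DB890)


def run_samples():
    """Assess both snapshots; returns a dict keyed by scenario name."""
    return {
        "infected": assess(CLEAN_PROJECT, SNAPSHOT_INFECTED),
        "unchanged": assess(PROJECT_WITH_DB890, SNAPSHOT_UNCHANGED),
    }


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(label, result)
```

Hashing block bodies rather than only listing names is deliberate: the article's rule is name-based, but a baseline that records contents also catches an existing block that was rewritten to call the injected code, which a name-only comparison would miss.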