There’s been lots of discussion lately on targeted attacks which are, as the name implies, cyberattacks directed at specific individuals, organizations, corporations, or sectors. These targeted attacks, particularly on critical infrastructure, are the focus of our Symantec Intelligence Quarterly Report: October – December 2010.
Attackers are getting smart and researching their target so that the attacks appear legitimate. The customization of targeted attacks can make them more dangerous than non-targeted attacks because they are tailored explicitly to affect a target group. Motivations for such customized attacks can range from stealing confidential information for profit, to interfering with day-to-day operations, to mischief. The most prominent recent targeted attacks are Hydraq, Stuxnet, and Night Dragon.
It has been just one year since Hydraq, a.k.a Aurora, was first discovered and used as part of a targeted attack, likely in an attempt to gain access to a corporate network and steal confidential information. Hydraq entered computers through email attachments or was downloaded by other threats, such as from malicious websites. Once executed, the Trojan installed a backdoor that allowed an attacker to control the computer and perform a variety of compromising actions. These included modifying, executing, and deleting files; executing malicious files; and, most importantly, gaining access to the compromised corporation’s network—which then opened up the target to additional attacks.
Stuxnet, which gained public attention last July, was designed to target its attack on industrial control systems—specifically, programmable logic controllers (PLCs)—and to change code to modify the frequency converter drives of the controller. The worm was the first to simultaneously exploit four zero-day vulnerabilities in its attacks. It also used stolen digital certificates to sign and legitimize the malicious files. This type of attack demonstrated that the authors of Stuxnet had deep knowledge of their targets, and the control systems and processes of those targets. Since the worm did not collect personal information, such as financial information or account logins, nor did it herd infected systems into a botnet, possible motivations for Stuxnet may have been either sabotage or the extortion of a specific target.
Vulnerabilities in SCADA Systems
SCADA (Supervisory Control and Data Acquisition) represents a wide range of protocols and technologies for monitoring and managing equipment and machinery in various sectors of critical infrastructure, such as those used for power generation and distribution. The security of SCADA technologies and protocols is a particular concern of governments because the disruption of related services can result in the failure of infrastructure and the potential loss of life, among other consequences.
Vulnerabilities affecting SCADA systems may present a threat to critical infrastructure that relies on these systems. Due to the potential for disruption of critical services, these vulnerabilities may be associated with politically motivated or state-sponsored attacks. This is a concern for governments and enterprises that are involved in the critical infrastructure sector. In the fourth quarter of 2010, Symantec documented 10 public SCADA vulnerabilities; a total of 15 SCADA vulnerabilities were documented for all of 2010.
Real-World Implications of Targeted Attacks on Critical Infrastructure
Industrial control systems (ICS), such as SCADA, are used by the critical infrastructure sector to control the processes for daily operations. They are essential for gathering and processing information sent by sensors and sending out the appropriate commands that control local operations.
In July 2010, for example, a SCADA system used to monitor water pumps failed to report that water storage levels for a residential water supply were extremely low. This resulted in city residents being unable to access water from their faucets. Although the problem was identified quickly and the supply was replenished after just a few hours, this illustrates how an attacker could hamper basic essential services by attacking these systems.
An important implication of targeted attacks on ICS, specifically Stuxnet, is that the attackers who crafted the malicious code were able to exploit and take advantage of a wide variety of vulnerabilities affecting these systems. The Stuxnet worm developers may have helped to pave the way for others to cultivate more sophisticated attacks or inspire copycat targeted attacks.
Mitigation & Protection
Securing a SCADA environment may present different challenges than those faced when securing an enterprise.
Here are some tips for mitigating and protecting SCADA environments:
· Isolate networks running SCADA protocols and devices
· Don’t connect networks running SCADA protocols and devices to the Internet or other networks, unless strictly required
· Apply passive asset discovery technologies
· Use vulnerability scanning technologies
· Employ endpoint security, antivirus, and intrusion detection/prevention systems
· Continuously update for patches
· Comply with policies
· Conduct regular auditing
You can view the full quarterly report at: http://bit.ly/g8kpvz.