SCADA System attack: should you be concerned?

Here’s a rare chance to get a peek into the future. There is yet another malware attack on Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems blogged about by f-secure labs, yesterday (you can find the blog HERE) It’s a growing trend, and a big part of what is referred to in security circles as and ADVANCED PERSISTENT THREAT (APT). Normally, initials like these are only of concern to large corporations, the kind of places we call ENTERPRISE. (insert photo for comic effect)500px-USS_Enterprise_(NCC-1701),_ENT

Let’s get back to the future. We are hearing a lot about the INTERNET OF THINGS (no initials on this one) that means, in the future, most computers won’t look like computers. They will look like telephones, and toasters and Toyotas. (and other things that begin with the letter T 😉 ) Seriously, the computer itself will fade into the background, and you will just have a television, and a DVR, and a tablet, and a refrigerator, and so on. Now embedded computing devices tend to be inexpensive, so as to not drive the manufacturing cost up so much.

They usually do this by using well established already existing circuitry and software. And the best established industrial control circuits are ICS and SCADA.

So, what is used to attack a factory in Belarus today might be targeting your GAS meter (or your Ford Escape) tomorrow. This future is coming, have no doubt. It is part of a trend I refer to as SCIENCE FRICTION (more about this later) So for now I will repost the entire F-secure blog below. (disclaimer: I am employed by F-secure of Helsinki, Finland, one of the best known and best trusted security providers in the world.

———————–taken from the F-secure blog———————–

(incidentally, I had no hand in writing the blog post that follows, by some strange coincidence. It was written by Daavid Hentunen and Antti from F-secure labs–dp)

During the past year, we’ve been keeping a close eye on the Havex malware family and the group behind it. Havex is known to be used in targeted attacks against different industry sectors, and it was earlier reported to have specific interest in the energy sector.

The main components of Havex are a general purpose Remote Access Trojan (RAT) and a server written in PHP. The name “Havex” is clearly visible in the server source code:

Havex server source code

During the spring of 2014, we noticed that Havex took a specific interest in Industrial Control Systems (ICS) and the group behind it uses an innovative trojan horse approach to compromise victims. The attackers have trojanized software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed to.

We gathered and analyzed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control (C&C) servers contacted by the variants, which in turn involved tracing around 1500 IP addresses in an attempt to identify victims.

The attackers use compromised websites, mainly blogs, as C&C servers. Here are some examples of command and control servers used:

Havex C2 servers

We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations. The source of this motivation is unclear to us.

Trojanized Software as an Infection Vector

The Havex RAT is distributed at least through following channels:

 

  • Spam email
  • Exploit kits
  • Trojanized installers planted on compromised vendor sites

The spam and exploit kit channels are fairly straightforward distribution mechanisms and we won’t analyze them in more detail here.

Of more interest is the third channel, which could be considered a form of “watering-hole attack”, as the attackers chose to compromise an intermediary target – the ICS vendor site – in order to gain access to the actual targets.

It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers.

Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet.

Based on the content of their websites, all three companies are involved in development of applications and appliances for use in industrial applications. These organizations are based in Germany, Switzerland and Belgium. Two of them are suppliers of remote management software for ICS systems and the third develops high-precision industrial cameras and related software.

As an example, we can see the partial results of dynamic analysis for one of the trojanized installers:

Trojanized installer

The normal, clean installer does not include a file called “mbcheck.dll”. This file is actually the Havex malware. The trojanized software installer will drop and execute this file as a part of the normal installation. The user is left with a working system, but the attacker now has a backdoor to access and control the computer.

Target Organizations

We were able to locate some of the infected systems and identify the organization affected by the samples analyzed in this report by tracing the IP addresses communicating to the C&C servers used by the Havex RAT.

All of these entities are associated in some way with the development or use of industrial applications or machines. The majority of the victims are located in Europe, though at the time of writing at least one company in California was also observed sending data to the C&C servers. Of the European-based organizations, two are major educational institutions in France that are known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction company that appears to specialize in structural engineering.

ICS/SCADA Sniffer

Our analysis of Havex sample codes also uncovered its “ICS/SCADA sniffing” behavior. The C&C server will instruct infected computers to download and execute further components, and one of these components appeared very interesting. While analyzing this component, we noticed that it enumerates the local area network and looks for connected resources and servers:

Havex scans LAN

We then noticed that it uses Microsoft Component Object Model (COM) interfaces (CoInitializeEx, CoCreateInstanceEx) to connect to specific services:

Havex calls COM

To identify which services the sample is interested in, we can simply search for the identifiers seen above, which tell us what kind of interfaces are being used. A bit of googling gives us these names:

 

  • 9DD0B56C-AD9E-43EE-8305-487F3188BF7A = IID_IOPCServerList2
  • 13486D51-4821-11D2-A494-3CB306C10000 = CLSID_OPCServerList

Note the mention of “OPCServer” in the names. There are more hints pointing in the same direction — the strings found in the executable also make several references to “OPC”:

Havex OPC strings

It turns out that OPC stands for OLE for Process Control, and it’s a standard way for Windows applications to interact with process control hardware. Using OPC, the malware component gathers any details about connected devices and sends them back to the C&C for the attackers to analyze. It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.

Summary

The attackers behind Havex are conducting industrial espionage using a clever method. Trojanizing ICS/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure.

The method of using compromised servers as C&C’s is typical for this group. The group doesn’t always manage the C&C’s in a professional manner, revealing lack of experience in operations. We managed to monitor infected computers connecting to the servers and identify victims from several industry sectors.

The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have direct interest in controlling such environments. This is a pattern that is not commonly observed today.

SHA-1 hashes of the samples discussed:

7f249736efc0c31c44e96fb72c1efcc028857ac7
1c90ecf995a70af8f1d15e9c355b075b4800b4de
db8ed2922ba5f81a4d25edb7331ea8c0f0f349ae
efe9462bfa3564fe031b5ff0f2e4f8db8ef22882

F-Secure detects this threat as Backdoor:W32/Havex.A.

— Post by Daavid and Antti

9 thoughts on “SCADA System attack: should you be concerned?

    1. everything below the line of dashes is from the original F-secure research blog, and as it is relevant to THEIR audience (being very technical just as you are, Jae) they tend to get right down to the nitty gritty of detection relevance issues like sample hashes. These days the name of a piece of malware is less relevant than the hash. We discover upwards of a million new unique samples of malware each day.

      Like

      1. I’m still Jone, David. I’m Dr. Jone Dae, and research partner with Jae. I’m a mathematician and he is the computer expert. He’s consulted still for hardware and software problems, even though retired. But re/your point, you’re saying that the SHA5 hashes aren’t provided to give security via the encryption-decryption methods, but rather are unique specifiers for each specific virus, as in species, type, variety, and instance of it. -did I understand what you meant?

        Like

      2. Dr Jone,
        My apologies for confusing you (with Jae, the fault was all mine and it was I that was confused). I usually work on this blog late at night. We used to name viruses and other malware, and there were all kinds of contention and confusion caused by that. This is a general interest blog, so I think I will write an entry just about that…
        As you note, the hashes are only used because the volume is so great that no other identifier could handle it. The only function is fingerprinting, so to speak.

        Like

      3. It wasn’t that you confused me, but rather, that you yourself were confused: you were confused whom you were addressing. However, I can’t approve of your disprespectfulness to Jae Kamel, either. If you want to have friends, you will need to learn some manners. Hint? Respect other people online. Frankly, David, you should know by now, that you never know whom you’re talking to online – or offline either. Therefore, courtesy is the approach of the wise woman or man. If you offend people, you will be eventually hurt for it, favor or not. Whether on not you like to be hurt is, of course, your business and not mine. Anyway, just a few hints about Netiquette. People that remember the early years of the Net, later the Web, invented Netiquette; I am such a one, despite the stares a nerdy girl got online at that age, and Jae is another one. It is for this reason, that we tell you that, if you wish to be successful online, you really do need to learn some manners.

        Like

      4. Dr Dae,
        My sincerest apologies. I swear this is a matter of bad eyesight on my part. I am in line for eye laser surgery very soon to correct diabetic retinopathy. They tell me it will greatly help. I am truly sorry if you were offended. Let me know if there is some way I can make it up to you. Apparently I knew Jae personally in high school or college, but cannot place him from his online name. I will apologize to him as well for confusing the both of you, via a private message on FB.
        Sincerely,
        David Perry

        Like

      5. Jae has visual impairments now too, David. He’s waiting to have some new bifocals made. Your polite apology is accepted; IRL I’d offer a hug at that point. 🙂

        Like

  1. Also, I assumed that when you say “C&C” you mean, Command and Control, a military term. You noted that the attacker wants to use compromised servers for C&C, but of what?
    You also noted that this is an uncommon strategy among attackers today, but it did remind me of Stuxnet controlling or sabotaging the Iranian centrifuges and so on, yes?

    Like

    1. C and C is command and control. This is very common in any botnet or other distributed attack. An adversary (good term for generic bad guy) will capture a number of machines with planted BOT software. This basically puts all of the stolen machines under his control. It’s typically safer to use yet another stolen machine to command and control the network of bots (botnet) and direct their efforts. This happens with all manner of malware attacks. The malware under discussion is quite reminiscent of STUXNET, and I should have pointed that out, but I get tired of it being the flag horse for everything big in malware. In the reportage of these things, flashy always leads. The threat remains, just as I stated. I will probably come back from DEFCON with some entirely new material along these lines.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s