Slashdot Mirror


Forget Stuxnet: Banking Trojans Attacking Power Plants

New submitter PLAR writes: Everyone's worried about the next Stuxnet sabotaging the power grid, but a security researcher says there's been a spike in traditional banking Trojan attacks against plant floor networks. The malware poses as legitimate ICS/SCADA software updates from Siemens, GE and Advantech. Kyle Wilhoit, the researcher who discovered the attacks, says the attackers appear to be after credentials and other financial information, so it looks like pure cybercrime, not nation-state activity.

34 comments

  1. pure cybercrime, not nation-state by fustakrakich · · Score: 4, Interesting

    How do you distinguish the two?

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:pure cybercrime, not nation-state by fustakrakich · · Score: 2

      Never mind, I forgot... One uses a computer

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:pure cybercrime, not nation-state by Anonymous Coward · · Score: 3, Insightful

      The cybercriminals target your wallet, while the nation-state targets you.

    3. Re:pure cybercrime, not nation-state by technology_dude · · Score: 1

      Nation states don't want a measly item such as taking money to risk their operations.

    4. Re:pure cybercrime, not nation-state by ColdWetDog · · Score: 1

      > The cybercriminals target your wallet, while the nation-state targets you.

      I am my wallet, you insensitive clod.

      --
      Faster! Faster! Faster would be better!
    5. Re:pure cybercrime, not nation-state by gmhowell · · Score: 1

      > The cybercriminals target your wallet, while the nation-state targets you.

      And in Soviet Russia????

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    6. Re:pure cybercrime, not nation-state by Anonymous Coward · · Score: 0

      > And in Soviet Russia????

      Your wallet targets you

      and

      Cybercriminals target nation states

      I guess Putin is doing a good job restoring the 1980s then.

    7. Re:pure cybercrime, not nation-state by Anonymous Coward · · Score: 0

      > Kyle Wilhoit, the researcher who discovered the attacks, says the attackers appear to be after credentials and other financial information, so it looks like pure cybercrime, not nation-state activity.

      What a dummy. That's exactly how I'd disguise my advances.

    8. Re:pure cybercrime, not nation-state by Pseudonym · · Score: 1

      Well, that difference would make it patentable...

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  2. Are they after Diebold? by 140Mandak262Jamuna · · Score: 3, Informative
    Diebold is the ATM maker with near monopoly marketshare. They also make voting machines. There were lots of conspiracy theories from the left that there are backdoors and secret keys that could be used to remotely steal an election. Mostly based on tenuous facts, like the top managers of Diebold donated (caution pun ahead) liberally to conservatives. So they might believe there are secret backdoors to all Diebold machines, including ATMs.

    There are lots of stories of how bad Diebold is in upgrades and that most ATMs are running on WinXP and how they can be made to dispense cash with remote exploits. Though it all requires physical access to the USB ports inside the machine first.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Are they after Diebold? by Firethorn · · Score: 4, Insightful

      > Though it all requires physical access to the usb ports inside the machine first.

      The ones protected by armor plate? That's a bit like complaining that safes aren't safe because they can be drilled.

      Not only do you need to know how to do the hack, you have to know where to drill and how far.

      If they're showing up with that much invested in it they're getting the money out of the ATM/Safe no matter what.

      --
      I don't read AC A human right
    2. Re:Are they after Diebold? by Anonymous Coward · · Score: 2, Interesting

      Actually, the money is in a safe behind a combination lock. The computery bits are often behind a single, 4-pin tumbler lock. If you're ballsy enough to take the time to pick a lock in a high traffic area with 2-3 cameras pointed at you, then you could easily pull this off. If you're in a hurry, I bet you could find a bump key that would work too.

    3. Re:Are they after Diebold? by Anonymous Coward · · Score: 0

      Oh, and you're probably going to set off the alarm while you're at it.

    4. Re:Are they after Diebold? by 140Mandak262Jamuna · · Score: 4, Informative

      Bribe the low paid worker who services the machine to plug in a USB fob for a few minutes, unplug the device and walk away. There were some ATM machines where if you use a coat hanger to snag the edge of the plastic cover and pull, you could expose a USB port under the screen. Once the malware is uploaded into the machine, then it can be made to remotely dispense cash. Again they recruit low paid mules to actually pick up the cash.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    5. Re:Are they after Diebold? by Anonymous Coward · · Score: 1

      Or you bring it back to your house and break it open with a sledgehammer. If all else fails, try to find the weak spot on the bottom; just don't call your girlfriend a skank while you're under there looking for it.

    6. Re:Are they after Diebold? by hitmark · · Score: 1

      Complete with giving said mules a one time code over the phone before the cash comes out.

      This way they don't get any fancy ideas.

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
  3. Why aren't these networks air gapped? by ErichTheRed · · Score: 3, Interesting

    SCADA and the like are the worst things to have available on an accessible network. Vendors never update their software, everything's insecure by default, etc.

    I've worked in environments like this, and some of the equipment is just not possible to secure without leaving it on its own network. It makes maintenance a nightmare -- sneakernetting patches, software updates, AV signatures, etc. I know an air gap isn't a guarantee of security, but it at least prevents dumb things like drive-by downloads on someone's computer affecting production equipment.

    Working with vendors of some of this stuff is equally bad...most of them deny a problem exists. And even if they acknowledge a problem, they won't lift a finger to fix it because they just have to say it's secure if installed as per our instructions. I've seen lots of software for control systems, etc. with 15- or 20-year-old software libraries gluing everything together. (Using the 15-year-old version now, I mean.) The vendor knows they're one of a handful of firms providing stuff like this, and they know that companies don't care about information security anyway. (One example of this from outside of the manufacturing industry -- I was integrating a very specific peripheral for a customer, and the vendor absolutely refused to digitally sign the Windows drivers, rendering it nearly impossible to install on 64-bit Windows.) A lot of people might say "that's what you get with closed source," but open source libraries and other code have their problems as well.

    1. Re:Why aren't these networks air gapped? by AHuxley · · Score: 1

      Support and a lack of on site skilled staff? Some companies, countries, mil and govs are just buying up dual use heavy equipment globally for local prototyping and limited mil grade production runs.
      A company sends out staff to help install a system and then offers ongoing help for educational engineering courses. As soon as the expert company staff are gone it's back to a secret mil or gov project.
      Networking might allow work on some very exotic materials :)
      The vendors' staff know they are not at a new educational institution but everybody plays along and the cash flows.
      Everybody wins, experts are up, jobs are secure, a nation gets to build its mil up and issues can be fixed.
      The only problem is the same kit also gets installed in very open factory sites and it seems anyone networked can have a go.
      The vendors know who they have to look after and it's not just some local manufacturing industry.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Why aren't these networks air gapped? by Fire_Wraith · · Score: 1

      You hit the nail on the head. The vendors don't care because their customers don't care. Security is an added cost, and even to the degree they take it seriously, my experience has been that the moment security runs into anything else - cost, ease of use, etc - it's security that gets cut. When their customers start demanding secure ICS/SCADA (actually reasonably secure, not just slapping AV onto it or something), only then will you see the vendor market respond to it. Unfortunately I don't think the customers will start doing that until they're forced to.

      I don't think increased compliance standards are the solution. They're not necessarily a bad thing, but compliance isn't security, it's setting a minimum standard that tends to be way too low and too general, with a 'check the box' mentality.

      Unfortunately, I think it won't be before a lot more high profile breaches occur, and companies start going bankrupt because of the losses. When CEOs start getting fired, their counterparts will start taking security seriously.

  4. valid software updates? by Virtucon · · Score: 2

    > The malware poses as legitimate ICS/SCADA software updates from Siemens, GE and Advantech.

    Okay, but considering we're dealing with control systems, why the hell isn't somebody verifying the updates are valid? The distribution channel and validation apparently are the cause here. I still advocate air gaps between Intranet and Internet connectivity in SCADA environments, and the controls on updates of any software should be verified as to authenticity prior to deployment. It should be easy for somebody to contact GE and ask for the MD5 for the update or check it out on their portal first.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
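    An added example (not from this thread, nor from Siemens, GE or Advantech) of the check Virtucon describes: comparing a downloaded update package against a digest the vendor published out of band, before the package is staged anywhere near the plant network. The file name, payload bytes and manifest values are all constructed here; the check prefers SHA-256 over a bare MD5 because MD5 collisions are practical, so an MD5 alone does not prove the package is the vendor's.

```python
import hashlib
import hmac

# Constructed sample "update package" and vendor manifest. Real vendors publish
# digests on their support portals; these values exist only for this example.
SAMPLE_UPDATE = b"FAKE-HMI-UPDATE-v4.2 example payload bytes"
VENDOR_MANIFEST = {
    "hmi-update-4.2.bin": {"sha256": hashlib.sha256(SAMPLE_UPDATE).hexdigest()},
}

# Digest algorithms accepted as evidence; MD5 is deliberately not among them.
STRONG_ALGOS = ("sha256", "sha512")


def verify_update(name: str, data: bytes, manifest: dict) -> tuple[bool, str]:
    """Gate an update package on a vendor-published digest.

    Returns (ok, reason). ok is True only when a collision-resistant digest
    from the manifest matches the bytes that were actually received.
    """
    entry = manifest.get(name)
    if entry is None:
        # A package the vendor never listed is not something to install.
        return False, "no manifest entry for this filename"
    for algo in STRONG_ALGOS:
        expected = entry.get(algo)
        if expected is None:
            continue
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison so the check itself leaks nothing.
        if hmac.compare_digest(actual, expected.lower()):
            return True, f"{algo} digest matches vendor manifest"
        return False, f"{algo} mismatch: package altered or not the vendor's"
    if "md5" in entry:
        return False, "manifest offers only MD5; ask the vendor for a SHA-256"
    return False, "manifest has no usable digest"


if __name__ == "__main__":
    print(verify_update("hmi-update-4.2.bin", SAMPLE_UPDATE, VENDOR_MANIFEST))
    # A package with even one extra byte must be rejected.
    print(verify_update("hmi-update-4.2.bin", SAMPLE_UPDATE + b"\x00", VENDOR_MANIFEST))
```

    The digest has to come from a channel separate from the download itself (a vendor portal over TLS, a phone call, printed release notes); a digest fetched from the same place as a tampered package proves nothing.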
    1. Re:valid software updates? by Anonymous Coward · · Score: 0

      > I still advocate air gaps between Intranet and Internet connectivity in SCADA environments

      That's all nice and dandy in theory, but how do you enforce it? One problem is operators connecting their smart phones to control system computers (running Windows) in order to e.g. listen to Spotify. They don't understand they're actually connecting the control Intranet to the Internet. Not to mention management likes statistics from everywhere, often requiring networking internal control systems.

  5. Not surprised by Ravaldy · · Score: 2

    SCADA was rarely required to run outside the building. Most SCADA systems I've seen are isolated just because there's no need for them to be given access to anything other than the content they will run. For this reason SCADA systems have not been exposed and their team most probably lacks the security experience. MS, Apple and Linux all suffered when they first got hooked up to the internet. Today these companies have tons of experience and react fairly quickly to security holes.

    As for power plants, most of them (if not all) are still operated manually using hard buttons. The only connection there is to the plant is connection to the monitoring of sensors.

    1. Re:Not surprised by nurbles · · Score: 2

      > As for power plants, most of them (if not all) are still operated manually using hard buttons. The only connection there is to the plant is connection to the monitoring of sensors.

      That is becoming less and less true as hardware and software evolve and possibly as industry's comfort level increases. I'm not sure that is a good thing, but I've worked with some systems that have software that could potentially trigger a plant trip if the software determines that a dangerous enough condition exists. That is probably a good thing -- unless someone is dumb enough to connect that software to a network and allow it to automatically update.

      After all, none of us has ever had an operating system update cause any troubles at all, right? ;-)

    2. Re:Not surprised by Ravaldy · · Score: 1

      I have a family member that works high up at the biggest electricity provider in Canada and he told me when I had the same argument with him that there is no plan to automate this. It will remain hard buttons for a long time.

  6. Tommy Westphall says "hi" by Thud457 · · Score: 1

    Patty the daytime hooker FTW!

    --
    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  7. Inconceivable! by nurbles · · Score: 5, Insightful

    Any company that has a SCADA system that is allowed to automatically install any sort of update needs new management. I write software for industrial SCADA systems (many of them nuclear, but some not) and absolutely NONE of them have any form of automatic update enabled. That goes for the operating system platform; even anti-virus packages (when they are used) must be manually updated after the update has been tested in a sandbox lab system. Even a well intentioned update may disrupt a SCADA system's operation, so why would anyone in their right mind allow a SCADA system, or the operating system it runs on, or any other software running on the same machine to automatically update itself? Sorry, but that's just insane. At best, SCADA systems should have a one-way data flow (preferably on a serial link with the receive line physically CUT) but none of them should accept input from outside their physically controlled environments.

    Except for toys and things like that.

    1. Re:Inconceivable! by Anonymous Coward · · Score: 0

      Why are SCADA systems connected to the Internet? The entire industry is a scam along with the anti-virus & anti-malware industry since both exist to generate a perpetual revenue stream for their vendors. Unplug the damn SCADA system from the Internet and walk your lazy ass over to the internal network.

    2. Re:Inconceivable! by Anonymous Coward · · Score: 0

      Two reasons off the top of my head: Operators connecting them to the Internet by mistake (e.g. connecting their smart phones to their workstation to listen to Spotify), and the business logic and control systems being interconnected to better supply management with an idea of what's going on. There's likely more.

    3. Re:Inconceivable! by spacepimp · · Score: 1

      Not everyone who uses a SCADA/Siemens system has internal staff to maintain the system levels. I was asked this week to connect a SIEMENS/SCADA system for rail delivery for remote access for support/troubleshooting. The saddest part was the lack of network and security knowledge that the deploying entity had in their possession. It was uncomfortable to discuss networking with them. We were paying them to listen to why their solution was insecure, and would not be set up in the manner they wanted. They got it eventually. But I'll say this: there are many many many SCADA systems which are online for no reason other than simplicity's sake. Don't get me started about the ones left with default settings by the VAR during deployments. Scary world.

  8. Inconceivable! by Anonymous Coward · · Score: 0

    Please, anyone who speaks of "cutting the transmit/receive wire" and "air gaps" assuming that all things will work out is being extremely naive. Those concepts worked in the late '80s and '90s; they do not now and lead many to false and erroneous assumptions.

    Accept the fact that interconnectedness is the norm and change your conventions accordingly.

  9. SCADA is a good attack vector? by lippydude · · Score: 1

    Just who in their right mind connects an ICS/SCADA unit directly to the Internet? Go and read up on VPN – virtual private network.