Infrastructure is still being infected with Stuxnet nearly five years after the malware first appeared, according to a report published by a Czech security firm.
Titled “Internet Attacks Against Nuclear Power Plants”, the research by Kleissner & Associates said that the malware, alleged to have been developed by US and Israeli spy organisations to infect Iranian nuclear facilities, could still be found on at least 153 devices around the world in the last couple of years.
While nearly half of these computers were based in Iran, infections could also be traced to India, Indonesia, Saudi Arabia, Kazakhstan and China. At least six of the machines ran SCADA development software, which is used in industrial control of equipment, especially power plants.
The infections have been monitored by the firm's Virus Tracker sinkhole servers. The security firm has managed to gain control of two of the command and control servers and pointed them to Virus Tracker in efforts to keep track of the malware.
Kleissner pointed out that while the malware is still running, it cannot be controlled by the original attackers as the command and control domains are now owned by the infosec firm. But as infections are still ongoing, the firm said this meant that companies weren't doing a good job when it came to cleaning up an outbreak.
“It is inevitable that existing malware infections lower the overall security of the particular machines and the entire networks and therefore make it easier (or possible at all) for anyone else to intrude the system,” said the research paper.
It added that as the firm could control any remaining Stuxnet infected machine, “any capable intelligence service (or individual with the knowledge and skills) could seize control and potentially cause considerable damage leveraging the remaining infections.”
Worryingly, Kleissner claimed that many nuclear facilities have administrative systems infected with common malware and in turn these systems could be subverted to attack industrial control systems with terrifying consequences.
Steve Lamb, consultant at Context Information Security, told SCMagazineUK.com that it was entirely possible that cyber-criminals or governments could still control infected machines.
“Any backdoor as suggested by Kleissner that uses relatively simple encryption would not provide authentication of the entity submitting commands to the infected devices,” he said.
Lamb added that nation states have substantial resources to develop bespoke malware and go to great lengths to remain hidden.
“Detecting these infections will often be the first problem, as traditional anti-virus scans for known signatures are unlikely to find such advanced malware. Intrusion analysis techniques, such as monitoring for outgoing traffic beaconing to command and control servers, or regular auditing of event logs, currently offer the best chance to detect advanced malware infections,” Lamb added.
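The beacon-monitoring approach Lamb describes, as an added example that is not part of the original article: it groups outbound connections by (source host, destination) and flags pairs that recur at a near-constant interval. The log format, host names, domains (including the placeholder sinkholed C2 name) and thresholds are all constructed for this illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real data): "<epoch seconds> <src host> <dst domain> <bytes>".
# "sinkholed-c2.example" is a placeholder, not an actual Stuxnet C2 domain.
SAMPLE_LOG = """\
1000 ws-eng-07 update.vendor.example 5120
1020 ws-eng-07 sinkholed-c2.example 240
1100 ws-eng-07 news.example 80211
1500 ws-eng-07 news.example 12004
1641 ws-eng-07 sinkholed-c2.example 244
2259 ws-eng-07 sinkholed-c2.example 238
2882 ws-eng-07 sinkholed-c2.example 241
3300 ws-eng-07 news.example 55310
3500 ws-eng-07 sinkholed-c2.example 239
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst, nbytes) tuples from the log text."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((int(ts), src, dst, int(nbytes)))
    return flows


def find_beacons(flows, min_hits=4, max_jitter=0.2):
    """Flag (src, dst) pairs whose connections recur at a near-constant interval.

    A pair is reported when it has at least min_hits connections and the
    coefficient of variation of its inter-arrival times is at most max_jitter.
    Returns {(src, dst): mean interval in seconds}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            beacons[pair] = round(avg)
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: beaconing roughly every {interval}s")
```

Bursty browsing to news.example is not reported because it is both infrequent and irregular; lowering max_jitter tightens the match for malware that adds deliberate timing noise.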
Lamb said that the best approach to securing control systems is to air-gap them from the industrial facilities' internal corporate network, “thereby significantly reducing the risk of control networks becoming infected. Air-gapping does not offer complete security against such threats – nothing ever does – but it does increase the skills and effort required by potential attackers when attempting to penetrate the control network.”
Gavin Millard, technical director of Tenable Network Security, told SCMagazineUK.com that this type of long-term infection is not new or limited to Stuxnet.
“In 2001, I found in a supply cupboard a box of OS/2 5.25in floppy disks infected with the Michelangelo boot sector virus. This is the nature of the beast: once released, no matter how targeted it is, it's out there and will never truly go away,” said Millard. “Many times computer security ‘experts’ denounce anti-virus software saying it's dead, or we should slim them down by getting rid of ‘old’ viruses, but this is the scenario that anti-virus software was designed for and it is the best tool for the job.”
Rafe Pilling, principal security consultant at Dell SecureWorks, told SCMagazineUK.com that incident response procedures for standard malware outbreaks are well understood by practitioners in the field.
“However when you move into the realm of malware developed by or on behalf of foreign nation states the pool of companies with the talent and resources to address this threat is much smaller,” he said.
Adam Shoeman, security intelligence analyst at SecureData, told SCMagazineUK.com that with advanced threats such as Stuxnet, a persistent infection is likely to be rootkit- or kernel-based and therefore difficult to remediate.
“Simple solutions involve virtualising workstations and recycling VMs daily to essentially provide a ‘new’ machine each day. This architecture does run on a persistent virtualised platform, which is now more commonly becoming the target of attackers due to the cloud-enabled nature of today's businesses,” he said.
Chris Boyd, malware intelligence analyst at Malwarebytes, told SCMagazineUK.com that there is always the possibility with any malware that it could be taken over by a rival group, which may endanger any attempt at covert operations should the new controller decide to be very overt in their actions.
“These breaches are high-risk scenarios which can result in major political fallout when they come to light. While ordinary businesses likely have nothing to fear from Stuxnet, there are plenty of other nation state attacks which could be aimed directly at various sectors, for example financial or medical,” said Boyd.