Targeted Attacks Make Remote Adversaries Malicious Insiders

“Wow, your tool would be great against malicious insiders!”

This is a common conclusion made by those introduced to the Triumfant solution.  That is because instead of looking for applications or malicious executables, we detect malicious activity through change, whether a threat actor working programmatically creates the change or a malicious insider directly makes the change.

The term “malicious insider” has been gnawing at me since I delivered a short presentation for the Intelligence and National Security Alliance Innovators Showcase last week.  My new slides had several screen shots from the Poison Ivy Remote Administration Tool (RAT) that we use in demos of the Triumfant product.  It was interesting to see the reaction to those screen shots as people grasped in a very graphical way what it meant to “own” a machine.  I realized that perhaps while people have intellectually grasped what a RAT can do, they might not have fully appreciated the term “own” until they actually saw one in action. (More on RAT tools in the previous post)

Today’s attacks are not smash and grab operations – they methodically evade network and endpoint protections to establish a long-term and comprehensive presence on the machine.  These are carefully crafted incursions onto target networks that rely on persistence and stealth.

In short, they turn the outsider into an insider.  This of course is not news to those in infosec, but for the people we serve, the idea that these sophisticated targeted attacks make the adversary an insider is one they are still wrapping their heads around.

Once a RAT is in place, the hacker has the same access as if they were looking over the shoulder of the machine’s user.  The user literally guides them through the applications and systems on the network, providing them user IDs and passwords along the way.  This allows the hacker to spread their influence to other places in the network until they are able to access their targets.  Time is on their side, as every statistic says that they will have at least a month and on average six months to identify and exfiltrate the intellectual property or sensitive data they seek.

Attacks rarely start at the machine that holds the targeted information.  Hackers now patiently gain access to the network where they can, and then stealthily move about until they find what they need.  And new Advanced Persistent Threats like Duqu illustrate that hackers are now using sophisticated attacks to gather all manner of information to then plan their payoff attack.  As I said in the previous post, these attacks put the adversary in your boardroom, laboratories, production lines, and CFO’s office.

If six months and virtually unlimited access does not qualify the hacker as an insider, I do not know what does. Recruiting physical insiders is a long and costly process and smacks of too much Mission Impossible.  And even well placed insiders may have trouble moving outside of their areas of responsibility.  Why go through all of that risk and effort when an outsider can easily become an insider?  If the operation is discovered, the outsider simply moves to the next target.

There is another aspect to being an insider: once you are inside, all of the security measures designed to keep you an outsider are now irrelevant.  All of the carefully crafted shields an organization has in place are pointing outward and are not equipped or designed to catch the work of an insider.  Once these shields are evaded they are no threat to the insider.  Statistics from the 2011 Verizon Business Data Breach Investigations Report say that less than 6% of data breaches are discovered by the organization’s IT shop.  That sounds to me like a pretty wide gap, one that requires some new thinking.

The answer to the original question is yes, Triumfant rocks against malicious insiders.  All types.

Water Utility Attacked, Compromised – the Era of SCADA Attacks Arrives

On October 28 I posted a blog entry about the Sayano-Shushenskaya hydroelectric power plant accident being a model for attacks aimed at industrial controllers and SCADA devices.  Last week the model became reality as an attack damaged a pump at a water plant in Illinois (from Krebs on Security).

To recap my post, I told the story of the 2009 Sayano-Shushenskaya plant, where a 900-ton turbine unit lifted 50+ feet into the air due in part to the failure of an anti-vibration program.  Tragically, 75 people lost their lives in the accident.  The region lost a 6,500 MW power station through at least 2014, and power outages affected industrial production on a broad scale.  My point was that a hack of industrial control programs and SCADA devices could disrupt critical infrastructure or be used for industrial blackmail.

The post makes the point that hacks need not be complicated, with shutting off a vibration control program being a good example.  The post also ties in the recent Duqu and Nitro attacks as a great example of the tools adversaries use to gather the data needed to pull off such hacks.

Suddenly this dumb country boy looks prophetic.  Stories began to break last week that an Illinois water plant was hacked and a water pump was rendered inoperable (destroyed feels a bit extreme here) through a hack on industrial control systems on November 8.  The sophisticated method used by the hackers to cripple the pump?  They turned the SCADA system on and off repeatedly until the pump burnt itself out.

Those shifty hackers! They managed to subvert the oldest, most tried and true technique for fixing almost anything electronic – turning it off and turning it back on.

Seriously, this is the first attack (we know about at least) on a SCADA/industrial control system since the story broke about Stuxnet.  Given how quickly DHS stepped in to deny it was a hack, I think it is safe to assume there have been others.  Not quite as dramatic as a 900-ton turbine unit destroying a hydroelectric plant, but no less effective in disrupting infrastructure.  Regardless, I think we are seeing the adversary try new tradecraft on smaller utilities that are less heavily protected than their brethren serving large populations.  The proverbial velociraptors systematically testing the fences.

My next prediction? You will see more such stories in the near term as the exploration process continues and the tradecraft is refined.  Some industry analysts, pundits and experts will call concerns about such attacks marketing FUD and overreaction.  As the stories grow more frequent, people will get numb to the warnings.

Until something happens that is truly disruptive.  My last prediction: it is not “if” but “when”.

Update 12/1/2011:

Wired Magazine has confirmed that there was actually no hack per the official stance of the FBI and DHS.  This article contains a summary of the circumstances behind the reported hack. I stand corrected.

It should be noted that an article in Information Age actually used an FBI source to report that SCADA systems had been compromised elsewhere.

Nitro, Duqu, Poison Ivy, Video Proof, and the Advanced Persistent Threat as Industrial Espionage

In a recent post, Duqu Enables Stuxnet Level Complexity Against Commercial Targets, I made the case about the advanced persistent threat in the context of commercial targets and industrial espionage, specifically in the wake of the Duqu attacks.  I also went on record as saying that Triumfant will detect the Duqu attack, but, in fairness, I offered no real proof of that claim.

Then along came news about Nitro.

On October 31, Symantec released a whitepaper about a new attack called Nitro that initially focused on human rights organizations and then moved on to the auto industry and then to the chemical industry.  According to a story about Nitro on “At least 48 companies are believed to have been targeted across various industry verticals, including 29 companies involved in research and development of chemical compounds and companies that develop materials for military vehicles. The other 19 were in other sectors, including defense.”

Symantec reports that the purpose of Nitro was to collect information, specifically intellectual property that could be used for competitive advantage.  That would certainly seem to fit under the definition of industrial espionage.   The attacks collected user IDs and passwords to sensitive systems so they could be accessed for later attacks and exfiltrations.  Which is exactly the case I made about the significance of the Duqu discovery.

The Symantec report also stated that Poison Ivy, a product available off the shelf to create Trojans and other malware, was used to create Nitro.  Which leads me back to the claim that Triumfant could see Duqu.  I made the assertion that Triumfant would see Duqu based on a study of the analysis provided about the attack.  I am quite confident, and other technical people in our organization are quite confident, that Triumfant would detect Duqu, but I had no proof as I do not have the attack to test.

In the case of Nitro, I know for certain that Triumfant has successfully detected malware created by Poison Ivy.  Third party testers have used Poison Ivy to validate the efficacy of Triumfant and we passed when other tools failed.  We use Poison Ivy to test internally.  And I can offer proof – a video demonstration where we infect a machine with Poison Ivy we created and show Triumfant detecting and repairing the attack. You can watch the video here.

Obviously I take no satisfaction in hearing about a successful attack like Nitro.  I do think that Nitro reinforces my position that the advanced persistent threat can no longer be treated as a problem for the NSA, CIA, and the DoD.  Commercial organizations are at risk and must take steps to put solutions in place that will provide rapid detection and response to these threats.

I will be shamelessly opportunistic to leverage the fact that Nitro used Poison Ivy to add credibility to the ability of Triumfant to see the attacks that evade other defenses.  This time I have video proof.

Sayano-Shushenskaya Accident A Model for What a Duqu/Stuxnet Combo Could Mean

On August 17, 2009, a 900 ton hydroelectric turbine was torn from its moorings at the Sayano-Shushenskaya hydroelectric power plant and dam in Russia.   The 900-ton unit actually lifted high enough (40-50 feet) to crash into the ceiling of the turbine facility.  The accident ultimately cost 75 people their lives.  Every one of the ten power generation units in the plant was damaged, some irreparably.  The 6,500 MW power station will not return to full capacity until 2014.  40 tons of transformer oil was released into the surrounding ecosystem, killing an estimated 400 tons of trout in two fisheries.  Untold hours of production capacity of surrounding businesses were lost due to the interruption of power to the area.  You can get a full picture of the event from a DOE presentation.

Before picture of the turbine generator hall of the Sayano-Shushenskaya Plant

In my last post I described how Duqu is a notable shift in the malware game, chiefly as a precursor to carrying out Stuxnet level complexity attacks without the need for human intelligence gathering.  The ability to affect and disrupt industrial controls in turn creates the potential for industrial blackmail and potentially cyber-terrorism.

For the record, I abhor peddling fear and in my time in the IT security space I have never used that tactic, and I am not using it now.  I do think what I described is a very real threat that is at our doorstep right now.  Duqu rang the doorbell.

I spent Wednesday at the SINET 2011 Showcase put on by the Security Innovation Network.  Triumfant was honored to be recognized as a SINET 2011 Innovator at the event, and General Keith Alexander, the Commander of the U.S. Cyber Command gave the closing keynote.   General Alexander used the Sayano-Shushenskaya accident in his talk, and it immediately struck me that the General had provided me with the example I needed for this conversation.

Post-event view of the turbine generator hall.

The Sayano-Shushenskaya plant had been a place of historical operational problems, and the specific turbine (Turbine 2) at ground zero of the accident was particularly problematic.  The turbine had a history of vibration issues that kept it from safely operating at capacity, and a new vibration controller had been installed in 2009.  This controller was offline on the fateful day when another plant experienced problems and Sayano-Shushenskaya was asked to raise capacity to make up for the shortfall.  When the load on Turbine 2 was increased, vibrations steadily increased to over 5 times the load limit, and the structural integrity of the unit ultimately failed.

Back to Duqu.  Introducing Duqu into the Sayano-Shushenskaya plant would gather the data needed on not only how to infiltrate the plant systems, but where the plant was most easily compromised.  Hacking into maintenance records would readily pinpoint Turbine 2 as the weakest physical link.  The keylogging capabilities could gather the necessary access to the industrial controls of the plant, including the vibration control process.  The bad guys do not need human intelligence from the plant; Duqu provides all the data they need.

The information to disable energy production in hand, a Stuxnet level attack can be written to infiltrate the industrial control systems of the plant.   The low effort approach would be to disable the vibration control system for Turbine 2 at a time when peak capacity was required and wait for the failure.  A more aggressive approach could actually manipulate the demand on Turbine 2 to force it to run beyond established limits and, with the disabling of the vibration control system, guarantee an event on demand.  This is no different than what Stuxnet did to the centrifuges in the Iranian nuclear sites – it made them spin beyond operational tolerances and destroyed the devices.  The difference is that this attack sends a 900-ton turbine structure 50 feet into the air.

NOTE added 11/18/2011:  Since this post went public on 10/28/2011, it was reported that a water plant in Springfield, Illinois was impaired when the SCADA industrial controller for a water pump was hacked and manipulated to damage the pump and render it inoperable.  The hackers simply turned the system on and off until the pump overheated and burnt itself out.  Details can be found at Krebs on Security and on Wired.

Too much physical destruction for you to consider?  How about infiltrating the industrial controls of a pharmaceutical company and changing the machines that control the flow of ingredients.  No explosions, no floods, no fires.  But a disturbing bit of potential terrorism.  And not just an Advanced Persistent Threat stealing intellectual property.

Now do you see the connection? Was that the doorbell?

(Triumfant has gone on record as saying we would detect Duqu and would be able to stop the attack before it collected the data it seeks.)

Duqu Enables Stuxnet Level Complexity Against Commercial Targets

In my opinion, the recently discovered Duqu attack is more significant on a broad scale than the discovery of its predecessor, Stuxnet.  I think Duqu will force a much broader re-examination of IT security philosophies, particularly those commercial organizations that felt removed from Stuxnet grade attacks.  Duqu is the clear wake-up call that no one should feel immune from the Advanced Persistent Threat or well-crafted, targeted attacks.

Those who have investigated Stuxnet have noted that there was a tremendous amount of intelligence required to make Stuxnet so effective in disabling the Iranian nuclear program. The nature of this intelligence led investigators to conclude that humans were the source for this intelligence.  This finding was significant because the need for human intelligence gathering was obviously a limiting factor for even the best organized and well-funded cyber criminals to successfully launch an attack of that level of complexity and reach.

Duqu is evidence that the adversary is developing tools to automate the intelligence gathering process.  Duqu is designed to infiltrate the same industrial control systems as Stuxnet, gather information for 36 days, exfiltrate the gathered data, and then destroy itself.  One of the programs eventually activated by Duqu is an infostealer that is used by the adversary for “enumerating the network, recording keystrokes, and gathering system information” (according to the Symantec analysis). Even the 36-day window is designed to bridge the 30-day password change requirements in place for many organizations.

All of this information is collected and sent to the command and control site before the attack destroys itself.  The collected data provides the adversary the information needed to penetrate the intended victim’s network and the insight needed to build the malware to perform the intended purpose. It demonstrates a patient, deliberate, and calculating adversary that is willing to write a sophisticated piece of code to gather information to maximize the second wave of the attack to reach the attacker’s ultimate end game.

If attacks like Duqu succeed in eliminating the need for human intelligence gathering activity, then the game changes.   While Stuxnet was a leap forward in malware technology, you essentially had to be a nation state with human intelligence operations or at least an organization capable of somehow accessing such information to implement the attack.  If attacks like Duqu can gather that intelligence through automated processes, then the barrier for entry (human intelligence gathering) is greatly reduced or eliminated, allowing a lot more bad guys into the game.

I don’t deal in fear – never have.  But with a Duqu to gather intelligence, it is conceivable that cyber criminals could gather the information necessary to blackmail industrial organizations by building attacks aimed at the industrial controllers at the core of their operations or production. Remember that Stuxnet caused industrial devices to operate in a way that was destructive to those devices.  The physical destruction set back the Iranian nuclear program three to five years by most assessments.  It is therefore conceivable that similar damage could be wrought at assembly plants and operational locations, impairing the ability of companies to do business.

With the discovery of Duqu, commercial organizations no longer have the luxury of viewing Stuxnet as an aberration played out on the world political stage by nation states.   Duqu brings Stuxnet to their back door.  The Advanced Persistent Threat is no longer about the loss of confidential information or intellectual property, but about actual interruption of operations.  And I can assure you these businesses can put a hard dollar figure to interruptions of operation.

Organizations that were slow to adopt the assumption of breach doctrine and to put tools in place for rapid detection and response must now rethink their approach.  Organizations will need to detect attacks that get through their defenses and be able to rapidly respond to address those attacks.  I think we will look back in several years and see the discovery of Duqu as a significant milestone when attacks like Stuxnet stopped being the concern of the NSA or the DoD and became a threat to the broader commercial realm.

Yes, Triumfant Will Detect Duqu

The Duqu attack has been gaining a lot of attention this week, and when an Advanced Persistent Threat like Duqu is announced, I get the inevitable questions of “Would Triumfant detect this Advanced Persistent Threat?”  Based on a review of the research presented by Symantec, the answer would be yes.

For those not familiar, Symantec researchers discovered the Duqu attack and released the details in a bulletin “Symantec Security Response: W32.Duqu”.  Duqu is being called a precursor attack for Stuxnet, because it was written to gather information about the applications and networks of an organization to provide the data necessary to execute a future attack on an industrial control facility.  The report notes that Duqu uses much of the same logic as Stuxnet without the destructive capabilities.  The attack exists for 36 days and then destroys itself.

In the Symantec Security Response is the following description of how Duqu infiltrates the targeted machine:

“Duqu consists of a driver file, a DLL (that contains many embedded files), and a configuration file. These files must be installed by another executable (the installer), which has not yet been recovered. The installer registers the driver file as a service so it starts at system initialization. The driver then injects the main DLL into services.exe. From here, the main DLL begins extracting other components and these components are injected into other processes.”

After reviewing this with Dave Hooks, our CTO, I can tell you that Triumfant will detect this attack and bring it to the attention of the administrators as an anomalous event.  There are several triggers that will initiate the Triumfant analysis process, but I will use the one we can present with the most certainty based on the information available.

The Symantec report cites that “The installer registers the driver file as a service so it starts at system initialization”.  A new service will be detected by the Triumfant agent running on the attacked machine the next time the machine is restarted, and detection of this service will trigger Triumfant’s real-time analysis.  When the agent contacts the Triumfant server to begin the real-time analysis, the Triumfant server will in turn initiate probe requests to the agent on the attacked machine.  These probes are sophisticated algorithms designed to correlate changes to the infected machine for the purposes of identifying all of the damage from the attack.  These probes would identify the injection of the main DLL into services.exe, and the other DLLs injected into the other processes.  Triumfant would also correlate the internet traffic tied to the attack with any affected ports and IP addresses.

Triumfant will perform this analysis and return a comprehensive report that shows an anomalous application with the new service and the related services that had been corrupted.  We also suspect that the installer would likely have been an autostart mechanism, which would trigger the same analysis, but since the report gave no details about the installer we cannot make that claim with certainty.
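To make the change-based trigger above concrete, here is an added illustration (my own sketch, not Triumfant’s code) of the kind of check an endpoint agent performs: compare a baseline snapshot of the Windows service table against a current one and flag what changed, weighting a newly registered kernel driver that starts at system initialization highest, since that is the installer behaviour the Symantec quote describes. The snapshot format, the service names and the driver name `exampledrv` are all constructed for the example.

```python
"""Detect service-table changes between two snapshots (constructed format:
one 'name|type|start|image_path' line per service). Added illustration."""
from dataclasses import dataclass

AUTOSTART = {"boot", "system", "auto"}          # starts without user action
ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Service:
    name: str
    svc_type: str    # "kernel_driver" or "win32"
    start: str       # "boot", "system", "auto", "demand" or "disabled"
    image_path: str


def parse_snapshot(text):
    """Parse snapshot lines into {service_name: Service}; '#' lines are comments."""
    services = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, svc_type, start, image_path = (f.strip() for f in line.split("|", 3))
        services[name] = Service(name, svc_type, start, image_path)
    return services


def diff_services(baseline, current):
    """Return (severity, service_name, reason) findings, most severe first."""
    findings = []
    for name, svc in current.items():
        old = baseline.get(name)
        if old is None:
            # A new service is the Duqu-style trigger; a new driver that loads
            # at boot/system start is the worst case.
            sev = "high" if svc.start in AUTOSTART else "medium"
            if svc.svc_type == "kernel_driver" and svc.start in AUTOSTART:
                sev = "critical"
            findings.append((sev, name, f"new {svc.svc_type} service, start={svc.start}, image={svc.image_path}"))
        elif old.image_path != svc.image_path:
            # Same service name, different binary: classic hijack of an existing entry.
            findings.append(("high", name, f"image path changed: {old.image_path} -> {svc.image_path}"))
        elif old.start not in AUTOSTART and svc.start in AUTOSTART:
            findings.append(("medium", name, f"start type changed: {old.start} -> {svc.start}"))
    for name in baseline:
        if name not in current:
            findings.append(("low", name, "service removed"))
    return sorted(findings, key=lambda f: ORDER[f[0]])


# Constructed sample snapshots: the "current" one adds a boot-time driver,
# swaps the Spooler binary and changes VSS from on-demand to automatic.
BASELINE_SNAPSHOT = """
# name|type|start|image_path
Spooler|win32|auto|C:\\Windows\\System32\\spoolsv.exe
Dhcp|win32|auto|C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted
disk|kernel_driver|boot|C:\\Windows\\System32\\drivers\\disk.sys
VSS|win32|demand|C:\\Windows\\System32\\vssvc.exe
"""
CURRENT_SNAPSHOT = """
Spooler|win32|auto|C:\\Windows\\Temp\\spoolsv.exe
Dhcp|win32|auto|C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted
disk|kernel_driver|boot|C:\\Windows\\System32\\drivers\\disk.sys
VSS|win32|auto|C:\\Windows\\System32\\vssvc.exe
exampledrv|kernel_driver|system|C:\\Windows\\System32\\drivers\\exampledrv.sys
"""

if __name__ == "__main__":
    for sev, name, reason in diff_services(parse_snapshot(BASELINE_SNAPSHOT),
                                           parse_snapshot(CURRENT_SNAPSHOT)):
        print(f"[{sev.upper()}] {name}: {reason}")
```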

In summary, based on the Symantec analysis we believe that Triumfant will see Duqu and will build a remediation to stop the attack and repair all of the associated damage to the affected machine.  We think this is notable given that most articles I have encountered about Duqu say that there is no tool that will detect and/or stop the attack.  The ability to detect and remediate Duqu is also a great example of what we call Rapid Detection and Response.

Will Triumfant detect Duqu? Yes.