Industroyer: biggest threat to industrial control systems since Stuxnet by Anton Cherepanon, Róbert Lipovský
•Descargar como PPTX, PDF•
2 recomendaciones•1,321 vistas
Industroyer is the first ever malware specifically designed to attack power grids. This unique and extremely dangerous malware framework was involved in the December 2016 blackout in Ukraine. What sets Industroyer apart from other malware targeting infrastructure, such as BlackEnergy (a.k.a. SandWorm), is its ability to control switches and circuit breakers directly via 4 different industrial communication protocols. In addition to explaining why Industroyer can be considered the biggest threat to industrial control systems since the infamous Stuxnet worm, we will take a look at the 2016 power outage in the context of the other numerous cyberattacks against Ukrainian critical infrastructure in the recent years. As the protocols and hardware targeted by Industroyer are employed in power supply infrastructure, transportation control systems, and other critical infrastructure systems, like water and gas, worldwide, the malware can be re-purposed to target vital services in other countries. This discovery should serve as a wake-up call for those responsible for security of these critical systems. Anton Cherepanov Anton Cherepanov is currently working at ESET as Senior Malware Researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine. His research was presented on numerous conferences, including Virus Bulletin, CARO Workshop, PHDays, and ZeroNights. His interests focus on reverse engineering and malware analysis automation. Róbert Lipovský Róbert Lipovský is Senior Malware Researcher in ESET’s Security Research Laboratory, with 10 years’ experience with malware research. He is responsible for malware intelligence and analysis and leads the Malware Research team in ESET’s HQ in Bratislava. He is a regular speaker at security conferences, including Black Hat, Virus Bulletin, and CARO. He runs a reverse engineering course at the Slovak University of Technology, his alma mater and the Comenius University. When not bound to a keyboard, he enjoys sports, playing guitar and flying an airplane.
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a Industroyer: biggest threat to industrial control systems since Stuxnet by Anton Cherepanon, Róbert Lipovský
Similar a Industroyer: biggest threat to industrial control systems since Stuxnet by Anton Cherepanon, Róbert Lipovský (20)
Más de CODE BLUE
Más de CODE BLUE (20)
Último
Último (20)
Industroyer: biggest threat to industrial control systems since Stuxnet by Anton Cherepanon, Róbert Lipovský
- 1. INDUSTROYER Anton Cherepanov / @cherepanov74 Robert Lipovsky / @Robert_Lipovsky
- 2. Robert Lipovsky Senior Malware Researcher @Robert_Lipovsky Anton Cherepanov Senior Malware Researcher @cherepanov74
- 4. ICS-targeting malware The story of INDUSTROYER: Ukrainian blackout INDUSTROYER analysis Potential impact AGENDA
- 6. ICS INDUSTROYER MALWARE OPERATOR INDUSTRIAL SITEINTERNET POWER DISTRIBUTION COMPANY Industroyer
- 7. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
- 8. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
- 9. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
- 10. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
- 11. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016 23 Dec 2015
- 12. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016 C&C Network Scanner File Stealer Password Stealer Keylogger Screenshots Network Discovery BlackEnergy CORE
- 13. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
- 14. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
- 15. Blackout in Ukraine ESET begins analysis Initial report finished Further research Industroyer report goes public 17 Dec 2016 A few days later 12 Jun 201718 Jan 2017 STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016 INDUSTROYER
- 16. Main Backdoor ICS INDUSTROYER MALWARE OPERATOR INDUSTRIAL SITEINTERNET POWER DISTRIBUTION COMPANY Industroyer
- 17. Main Backdoor Main Backdoor Main backdoor – List of commands Execute process Execute process using specified user account Download file from C&C server Copy & upload file Execute shell command Execute shell command using specified user account Quit Stop service Stop service using specified user account Start service using specified user account Replace "Image path" registry value for specified service
- 18. Main Backdoor Main Backdoor Main backdoor – List of commands Execute process Execute process using specified user account Download file from C&C server Copy & upload file Execute shell command Execute shell command using specified user account Quit Stop service Stop service using specified user account Start service using specified user account Replace "Image path" registry value for specified service Copy & upload file
- 19. MAIN BACKDOOR -> VBS -> MS SQL -> CSCRIPT -> VBS
- 21. Set cmd = CreateObject("ADODB.Command") cmd.ActiveConnection = mConnection cmd.CommandText = "BEGIN EXEC sp_configure 'show advanced options', 1;RECONFIGURE; EXEC sp_configure 'Ole Automation Procedures', 1;RECONFIGURE; END;" cmd.Execute cmd.CommandText = "BEGIN EXEC sp_configure 'show advanced options', 1;RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; END;" cmd.Execute
- 22. Main Backdoor Main Backdoor Main backdoor – List of commands Execute process Execute process using specified user account Download file from C&C server Copy & upload file Execute shell command Execute shell command using specified user account Quit Stop service Stop service using specified user account Start service using specified user account Replace "Image path" registry value for specified service Replace "Image path" registry value for specified service
- 23. Main Backdoor Main Backdoor DOS TOOL Port ScannerPort Scanner Additional Backdoor EXEC xp_cmdshell 'C:intelport.exe -ip=%IP_ADDRESS% -ports= 2404, 21845, 445, 135'; 135 - RPC Locator service 445 – SMB 2404 - IEC 60870-5-104 21845 - webphone 700 – Extensible Provisioning Protocol over TCP 701 – Link Management Protocol 1433 – MS SQL Server default port 1521 – nCube License Manager / Oracle dB
- 24. DOS TOOL Main Backdoor Main Backdoor Port ScannerPort Scanner Additional Backdoor Launcher
- 29. DOS TOOL 101 Payload 104 Payload 61850 Payload OPC DA Payload Main Backdoor Main Backdoor Port Scanner 17 Dec 2016 - 22:27 (UTC) Launcher Additional Backdoor
- 30. 101 Payload 104 Payload 61850 Payload • Serial • IOA (Information Object Address) ranges • single command (C_SC_NA_1) • double command (C_DC_NA_1) • OFF -> ON -> OFF OPC DA Payload
- 31. • TCP/IP • Modes: • Range • Shift • Sequence 101 Payload 104 Payload 61850 Payload OPC DA Payload
- 32. 101 Payload 104 Payload 61850 Payload OPC DA Payload
- 33. 101 Payload 104 Payload 61850 Payload OPC DA Payload
- 34. 101 Payload 104 Payload 61850 Payload OPC DA Payload
- 35. 101 Payload 104 Payload 61850 Payload OPC DA Payload • Auto-discovery • CSW, CF, Pos, and Model • CSW, ST, Pos, and stVal • CSW, CO, Pos, Oper, but not $T • CSW, CO, Pos, SBO, but not $T
- 36. 101 Payload 104 Payload 61850 Payload OPC DA Payload • Discovers OPC servers • COM interfaces: • IOPCServer • IOPCBrowseServerAddressSpace • IOPCSyncIO • ctlSelOn (Select on command) • ctlSelOff (Select off command) • ctlOperOn (Operate on command) • ctlOperOff (Operate off command) • Pos and stVal (Switch position status)
- 37. 101 Payload 104 Payload 61850 Payload OPC DA Payload
- 38. 101 Payload 104 Payload 61850 Payload OPC DA Payload Github: https://github.com/eset/malware-research/tree/master/industroyer • Identifies OPC Data Access LIBIDs, CLSIDs, IIDs in binary • Creates OPC DA structures and enums in IDA Pro • Can be used for general purpose reverse engineering
- 39. 101 Payload 104 Payload 61850 Payload OPC DA Payload Before
- 40. 101 Payload 104 Payload 61850 Payload OPC DA Payload After
- 41. Malware impact: DENIAL OF SERVICE
- 44. Malware impact: DATA WIPER
- 45. DOS TOOL 101 Payload 104 Payload 61850 Payload OPC DA Payload Main Backdoor Main Backdoor Port Scanner Launcher Additional Backdoor Data Wiper
- 46. ABB PCM600 ABB MicroScada Signal Cross References Substation Configuration Language Substation Configuration Description Configured IED Description
- 48. ! Global Threat ! Dangerous Attacker ! Unfulfilled potential TAKE AWAYS
Notas del editor
- It’s good to see all of you here today… Literally. Meaning the lights are on. Because today we’re speaking about Industroyer – malware capable of causing a blackout. In fact, it caused one…in Ukraine last December. Now, that’s big, but there’s more – Industroyer is the 1st ever malware designed to attack power grids automatically, and we consider it to be the biggest threat to Industrial Control Systems since Stuxnet.
- My name is Robert Lipovsky, and together with my collegue Anton Cherepanov, we analyze malware and investigate cyberattacks on a daily basis, in fact, both of us have been doing it for 10 years now… but when we discovered Industroyer last December, frankly, we were blown away…
- We’re based in Slovakia, EU, we work as malware researchers for ESET – the company that pioneered antimalware heuristics and has been innovating antimalware solutions for 30 years.
- First, we’ll put Industroyer into context of other malware that targeted ICS in the past Then we’ll explain how Industroyer works
- First, let’s take a look at how ICS-targeting malware works… We have an industrial site, which can be anything, from a uranium enrichment plant to an automobile factory, with its specialized industrial hardware. These devices are controlled and configured by human operators from workstations [click], typically running Windows, and that was the point of infiltration for all the known ICS-targeting malware families.[click] Where the malware families differ, is in their capability – and methods – of controlling/disrupting the industrial process.
- Industroyer was specifically designed to attack electricity distribution substations. There’s a timer [click], in the analyzed samples set to the time of the blackout in Kiev, Ukraine last December… …that triggers Industroyer’s unique payload: controlling circuit breakers automatically through industrial communication protocols [click] in order to cut the power.
- Industroyer joined this “elite” club of only 3 malware families known to be used in attacks against ICS
- Stuxnet, which needs no introduction, was able to reprogram PLCs to change the rotation speed of centrifuges.
- Havex – DragonFly – Energetic Bear which infected many industrial sites Used OPC DA protocol – also used by Industroyer – but unlike Industroyer, Havex only for espionage
- BlackEnergy is a bit different from the other 3 families We’ve been tracking it since 2011…and there we’re many campaigns over the years – mostly spearphishing – and we even discovered they used a Powerpoint 0-day: CVE-2014-4114…
- … and many targets – many high value targets, including government, media, transportation… But what’s relevant to our topic today are the campaigns against the Ukrainian power grid. They started in March 2015… [click] And on December 23rd, culminated in the first known malware-enabled blackout that affected several regions in the country and left around 230000 people in the dark for several hours.
- As I said, BlackEnergy is different from these other malware toolsets. It wasn’t designed to target ICS specifically, but is a more “general purpose” cyberweapon. Through its network traversal and espionage modules, it paved the way for attackers Who then used Radmin …
- …legitimate remote access software installed at the power distribution companies to manually “pull the plug” [click] And this is an actual video taken by an operator while the attackers were remotely accessing their system
- …legitimate remote access software installed at the power distribution companies to manually “pull the plug” [click] And this is an actual video taken by an operator while the attackers were remotely accessing their system
- And now onto the main topic… On December 17, 2016, almost exactly one year after the previous blackout, we we’re struck with a sense of deja-vu There was another blackout and we started analyzing samples of malware, which became the main suspect – Industroyer We sent our analysis to Ukraine, and then waited, not to interfere with ongoing investigations… And then received the green light to publish in June
- We already mentioned what Industroyer can do…and did, (or “Industroyer’s principal functionality) Now let’s look under the hood It starts with the main backdoor, which takes care of C&C communication and launches other components
- It’s not super interesting, typical malware, the kind we analyze thousands of every day. Here’s the list of commands it supports. We while Industroyer doesn’t focus on espionage functionality like BlackEnergy, it does provide attackers the capability of downloading and executing additional modules…
- as well as to exfiltrate files off the infected machine. Output produced by this command also gave us a glimpse into the command execution chain and lateral movement during the attack
- Multiple stages – staying under the radar SQL DB
- /not published/ Got hold of in-house custom application that stores environment layouts, ICS process logs & telemetry RE’d it, discovered that data stored in MSSQL server, hardcoded credentials. (Shows skill of attackers) Abused the DB to execute a number of shell commands during the reconnaissance phase of attack
- In order to do that, they 1st enabled the DB’s capability to execute these commands through xp_cmdshell
- Here are a few commands executed from that machine Benefit – stealth – shell commands executing from context of DB, also DB stored malicious binaries – measure to avoid AV detection
- The last command in the list is used for persistence, to ensure the malware survives a reboot. It does that by pointing the Image Path Registry value of a chosen existing Windows service to a more obfuscated version of itself.
- There’s also a secondary backoor, used as a backup mechanism, in case the main backdoor gets detected or disabled. It’s interesting because it masquerades as a trojanized (and otherwise fully functional) version of Windows Notepad, which it replaces in the system. SIMILAR TECHNIQUE USED BY DRAGONFLY 2017 There are a few additional tools – noteworthy is a custom port scanner which the attackers chose instead of nmap, for example, And DoS tool, which actually impacts the ICS, and I’ll talk about it later.
- And now we’re getting to the interesting part…
- We identified 3 distinct ways Industroyer attacks the electricity substation. Firstly, and most importantly, it can directly control the industrial hardware on site… So what is this “hardware”? They’re called Remote Terminal Units, commonly protection relays – on these photos you can see them from 2 vendors – Siemens and ABB. There are many types but basically their function is to open and close circuit breakers – for the purposes of protection, balancing the power grid, and so on…
- These devices are configured and monitored via specialized SCADA software on regular workstations, typically running Windows
- And the communication happens through one of several industrial communication protocols….there are several, some are regionally specific, some operate over a serial connection, others over TCP/IP but overall idea is the same… It’s important to note that Industroyer “abuses” them… there are no “exploits”, no software vulnerabilities, it uses the protocols in the way they were designed to be used…decades ago, without security in mind.
- Now I pass the microphone to Anton, the lead in the Industroyer analysis, to walk you through the payloads…
- Robert mentioned the exact timing of an Industroyer attack. That’s the job of the {click} launcher component The launcher samples we analyzed would launch the individual payload modules on {click} December 17, 2016 – shortly before the power outage. We identified modules capable of controlling devices through 4 communication protocols: IEC 101, IEC 104, 61850, OPC DA. Most of them are DLLs, with their own configuration files
- Requires a configuration file – here’s an example 101 communicates over a serial connection – the COM ports to use are specified in config 1st thing it does – kills legitimate process on the workstation responsible for controlling the devices and takes over The devices operate on something called IOA – Information Object Address – think of them as network ports, or… registers There are several different IOA types, but the payload is only interested in two specific ones, which can accept commands. It goes over a range of IOAs, defined in the config, and sends the command sequence “OFF -> ON -> OFF”
- The idea in the 104 payload is very similar to 101, in that it sends ON or OFF commands to the devices But there are a few differences: - Works over TCP/IP instead of serial Many more configuration options As you can see here, possible to specify multiple STATION entries work in parallel threads 3 modes of operation – range / shift / sequence Both for 101 and 104, attackers don’t know the types of IOAs, so they have to do a kind of “bruteforce” to find out which will accept commands – “trial & error” Range & shift used to discover the right IOAs, Sequence used once they’re known
- Payload constructs packets on the fly Thankfully, WireShark can dissect them As you can see, this example is a “single command type” on IOA #10
- The payload can also write to the console – here’s an example
- It supports not only console output but also logging This example demonstrates the capability of the payload – it tries to switch circuit breakers to ON or OFF in an infinite loop The exact logic depends on the config: either ON, or OFF, continuously or flipping back & forth between iterations
- 61850 is a bit different, and a bit more advanced. Like 104, it operates over TCP/IP but it can function even if IP addresses are not specified in the configuration - it can auto-discover devices on the network Doesn’t operate on IOAs but named elements. It looks for these hardcoded names – they correspond to circuit breakers and switches. So it’s a different approach but, again, same purpose - to OPEN or CLOSE circuit breakers.
- The last payload is a step above the rest. Not that it’s more advanced but it operates on a higher software abstraction level. Technically, OPC Data Access can be built on top of 101, 104, or 61850. It uses Distributed COM to discover all OPC servers running in the network. Obtains all their named items, searching for these specific tags Then it addresses the byte value 1 to items with these tags. But what does that mean? Let’s take a look in the documentation.
- Those tags are associated with ABB. Their type is ABBCommandBitmask…
- And writing the value 1 on bit position 0, results in normal execution of that command
- And this OPC Process Object Lists Tool by ABB helps us translate the commands into a better human-readable form… So again, the purpose is the same – opening circuit breakers.
- Analyzing the Industroyer payloads are a piece of cake for a skilled reverse-engineer, because they’re not obfuscated in any way. The only thing that can…and will slow you down…is this annoying COM stuff So to help analyze any future malware that would use OPC DA, we’re releasing this IDA Python script
- This is what the code looks like before the script
- Robert: Well, that looks much better. Thank you Anton. All 4 payloads serve a similar purpose – to open and close circuit breakers. De-energizing a substation is the most obvious one. But there are other theoretical possibilities and the 2007 Aurora generator test demonstrated how out-of-sync closing of protective relays can lead to physical hardware destruction.
- The second type of functionality we found in the Industroyer framework, is rendering protection relays irresponsive. This is done by the Denial of Service tool…
- And it does it by exploiting the vulnerability in Siemens SIPROTEC devices described in this Advisory.
- The module sends specially crafted UDP packets to port 50000. ”Knocking these devices out” serves to amplify the impact of the payloads Anton talked about. Siemens did patch the vulnerability in a firmware update, but you can imagine how regularly these devices are updated
- The third and final type of payload functionality in the Industroyer samples we analysed is the Data Wiper module – [click] its purpose is to make recovery from the attack harder - goes not after the RTUs but after the workstations used to configure them
- it’s executed by the launcher module - either 1-2 hours after the ICS-payload modules
- Remember the configuration software we showed you earlier? This module wipes files belonging to SCADA software, as you can see on the screen… Furthermore, it renders the machine unbootable by corrupting the Registry and finally crashes it by killing all, including system processes. Substation operator…circuit breakers being reopened, protection relays irresponsive, when you sit down to fix the problem, SCADA SW gone Another demonstration of the importance of backups
- Some modules Vendor-agnostic others specific to Siemens/ABB… also discovered GE firmware
- As you’ve seen, Industroyer’s capabilities are rather versatile. It was malware that caused the Ukraine blackout – but it’s also configurable, and can be re-purposed to attack power grids around the {click} world. It’s a scalable and dangerous weapon against ICS – as we’ve said, the biggest since Stuxnet. But the gist of the threat is in the skillset and dedication of the {click} malware operators. It’s not about being able to code the malware but their ability (which they demonstrated in Ukraine) to become familiar with the architecture of industrial site they want to target – what devices there are, what commands to send them, and what will happen as a result.
- configurable, and can be re-purposed to attack power grids around the {click} world. It’s a scalable and dangerous weapon against ICS – as we’ve said, the biggest since Stuxnet. But the gist of the threat is in the skillset and dedication of the {click} malware operators. It’s not about being able to code the malware but their ability (which they demonstrated in Ukraine) to become familiar with the architecture of industrial site they want to target – what devices there are, what commands to send them, and what will happen as a result.