Stuxnet: lessons learned?

It is often admitted that ignorance is bliss. Conversely, another universal truth states that knowledge is power. I guess that we all have to find our place somewhere between both end members to keep our mental stability. However, when it comes to ICS cybersecurity knowledge is a must. The dark side lack of industrial processes know-how is the finger that plugs the hole in the dike, preventing the flood. But, as in the Dutch tale, this won’t last forever.

Security by obscurity paradigm is still firmly attached to many ICS managers’ views. This approach is absolutely unacceptable once you get even the slightest notion of the threat’s nature. Still, it is widely believed that the child will indefinitely keep on plugging the dike with his little finger.

Industrial processes knowledge and Stuxnet

Much has been said and written on Stuxnet, mainly because of its astounding refinement. However (please keep in mind that I’m an electrical engineer), what really shocks me is not its being the first malware specifically designed to attack an ICS, but the high degree of target’s physical processes knowledge involved.

Stuxnet was probably aimed to disrupt Iran’s uranium enrichment program. This material is used as fuel for nuclear power plants and in nuclear weapons construction. Uranium occurs in Nature as a mixture of two isotopes, 235U (lighter) and 238U (heavier). Natural concentration of 235U is under 1% whereas a concentration above 90% is required for military purposes (well over the 20% required for nuclear power plants). Enrichment process is usually performed inside centrifuges, machines that spin uranium gas at high speed. The heavier isotope experiences higher centrifugal acceleration and moves towards the spinning cylinder periphery while the lighter fraction (the useful one) remains by the rotation axis, where it is collected to be sequentially processed over and over again to reach the desired concentration. This is a very slow process because of the isotopes small atomic weight difference (3 atomic weight units to 238). In order to get enough material for the construction of a single device lots of time (or lots of money to provide a larger number of centrifuges) is required. To adjust the centrifuges speed frequency converters are used to drive the electric motors.

From this starting line, Stuxnet designers move on to tailor their strategy to the selected target: Iranian enrichment facilities. They tuned Stuxnet to pray on ICS with Siemens control systems (Simatic PLC and WinCC SCADA software) monitoring frequency inverters manufactured by Vacon (a finnish maker) and Fararo Paya (an iranian one). In addition, a number greater than 33 of this devices should be in place for the facility to qualify as a target. What is more, frequency settings should range from 807 Hz to 1,210 Hz (typical enrichment process settings).

Now comes my favorite part: choosing the attack mechanism. Once Stuxnet gains command and control of the system, it disrupts normal operation by forcing centrifuges spinning frequency (ie speed) to increase up to 1,410 Hz (above the maximum normal operation), then drop sharply to a value as low as 2 Hz (almost a complete halt, although machines rotating speed could depend on other factors), and then accelerate again to 1,064 Hz before returning to the normal operating sequence. This disruption repeats in predetermined cycles that involve, say, running at 1,410 Hz during 27 days, then a good dive down to 2 Hz and then 1,064 Hz again (resulting in good uranium shake) for another 27 days, and so on and on. This behavior does not affect all the devices in the same group, at least not simultaneously, but only a certain subset (to make malfunction detection harder, I guess). The goal is not only to disrupt the process. The goal is not to destroy the computer, or delete the program running on the PLC or any other action apparently definitive but, in practice, easily detected and fixed. These kind of actions would have warned the operator and the outcome would have been much restricted. It is obviously much more effective to cause the facility to produce uranium out of specifications for months for no apparent reason, something much more difficult to fix and therefore more harmful. The malware was intended to hide itself and its effects, so alarms logs and historians didn’t keep record of abnormal operation. Also, Stuxnet was able to reinfect a device in the event of original code being reloaded by the operators.

Lessons learned?

Beyond the initial shock (think of we poor ICS designers and operators and our broken safety feeling), there are some valuable lessons to be learned.

Much of the skepticism (real or fake) put up by ICS managers lays on their lack of understanding of the attack vectors and attacker’s goals. As far as they can see, a cyberattack is the digital equivalent of a carpet bombing, a blind and useless act of destruction. However, life ain’t that simple. As we can see from the Stuxnet case is that it is possible, given enough knowledge of an industrial process, to perform very sophisticated attacks aimed to cause much more damage in ways very difficult to fix: wastewater treatment plant discharges out of legal limits. An increase of non-compliant product resulting in economic cost and loss of reputation as it can be associated with missed deadlines or, worse, out-of-specs product reaching customers unnoticed (after all, statistical quality control samplings are designed to fit the ‘natural’ variability of our non disrupted process, so our standard sample size or sampling frequency may be inadequate to detect the situation). Or erroneous billing owing to altered data from meters (obviously up to destroy our reputation). What is worse, when we turn to our ICS it keeps telling that everything’s OK. And, let’s face it, how long will it take until you realize that maybe our control system has been hit by a cyberattack? After all, it is a risk that you have always dismissed…

You might regard yourself as a ‘good guy’.  You have lots of friends, a good reputation and no enemies. But, even if that’s true, in a global market where processes and machinery are increasingly standardized, who can tell for sure that you will not be victim of malware designed to hit a third party who just happens to share equipment or methods with you? Just one example: centrifugal machines originally used in olive oil production are now used to dewater sludges from (waste or fresh) water treatment plants.

Too often I hear arguments like ‘our system is not connected to the Internet’. Aside from the healthy skepticism that such an statement shall raise, we must remember that Stuxnet was designed to copy itself, whenever possible, by means of portable devices such as USB memory sticks or those PC used to load projects to PLC.

What every engineer knows

A short time ago the information used in industrial process engineering was paper-based and access to it was very limited: technical books purchase, suppliers technical data provided by salesmen, documentation gathered in specific technical courses, and so on: photocopies, photocopies, photocopies. The Internet has changed it all. Today we have almost unrestricted access to highly detailed and specific documentation from our very desktop PC. I remember the time when every engineer kept large amounts of information in various media. This personal treasure contained much of our knowledge and ability to design and its loss was a risk we could not afford. Today that is no longer necessary. The Internet is the ultimate file: pdf, pdf, pdf.

It’s amazing how much stuff about the processes and equipment in use in any given company lies out there, waiting to be discovered when appropriately searched. There is much more than technical documentation in the form of catalogs and data sheets. Providers often describe their references and success stories, sometimes in great detail, in multiple places: their websites, technical magazines, at conferences and fairs…The companies themselves sometimes release papers on their own state-of-the-art developments (or anything they are proud of). Constructors companies do just the same. When it comes to public infrastructures, Administrations grant tenders access to lots of detailed stuff. At least in Spain, some public projects are made available to every citizen to allow people to made allegations against the future infrastructure. You can find even undergraduate and post-doc academic works sponsored by companies regarded as critical operators: I have found academic papers describing the protocols and communication networks and control systems in real power grid substations of named companies. Sooner or later all this information makes it to the Internet.

Keeping this in mind, the next question is: do you really want to build your cybersecurity any longer on the idea that no one knows your industrial process?

Final note: specific data on Stuxnet and its performance is taken from the report published by Symantec (authors Nicolas Falliere, Liam O’Murchu, and Eric Chien) available here.

iSOC: A new concept in cibersecurity

I’m sure we all have sketched a smile when seeing photographs or videos of strange artifacts powered by steam or internal combustion engines. Most of these inventions failed because the technology used didn’t fit the purpose they were meant for. Seen with modern eyes it’s just so naïve to try to fly a plane fitted with a steam engine. However, those inventors were not as dumb as their failure suggests. They were intelligent people (or, let’s say, not less intelligent than average) trying to solve the problems of their time with the technology available.

Steam powered the beginning of industrialization, granting people access to energy at a scale never seen before. This brand new technology lead to an engineering and cultural revolution that paved the way to our modern society. The Industrial Revolution beginnings were times of faith in progress, of unleashed collective optimism. Steam-powered machines were regarded as the key to all kind of engineering problems that remained unsolved so far.

[Read more…]

This is not about computers anymore. It’s politics.

A few days ago, following the well-known Mandiant Report “APT1”, we published a small post where we made some assessments about the alleged Chinese attacks on various public and private organizations. We made public a set of Snort rules that could be used to detect —provided that the information from the report Mandiant is true— if an organization had been infected. Obviously, if you receive an alert that should raise some suspicions, but the opposite should not make you assume you are not infected. The resources used for infection are certainly very dynamic and after the report many of them may have been replaced or eliminated.

But this is not what I wanted to talk about. The truth is that I wrote the post with some urgency because we wanted to publish the rules the same day, and I didn’t had the time to think about the complexity of the Chinese attack, its implications, origins and specificities. So I was surprised that none of our readers (you) pointed to some obvious errors in the post that I thought after a while, but I resisted to correct. The entry stated:

[…] there is no doubt that China has cyber espionage programs via the Internet. Does that surprise you? Just as no one should be surprised […] that other militar powers such as Israel and U.S. have in place cyber espionage programs.

The question here is, as pointed accurately by Securosis in their blog, that the difference is not that China has a cyber espionage program, but that its objectives and beneficiaries are both the public and private sectors. From an economic standpoint it makes sense. In an economy largely state-operated and conducted as China, it seems normal that such government “initiatives” benefit economic areas that are in many cases and at least partially, also state. At the end everything remains at home.

The fact is that this is not cyber espionage is not in the sense in which we are accustomed to think about it. This is “something else” and the reason why many people should start to be concerned. Not “classic” or industrial espionage. There is no one to prosecute or to send to the WTO. This is not a criminal action as we understand it. Because it’s more than “simple” military information or technology what is at stake. Is the entire Western economic and social model. It is said that China is a giant that is waking up, but in the light of such reports, may be the Western powers who are sleeping.

One last note. It is true that there is something called Echelon and occasionally this or that power get into suspicious activity (industrial espionage, bribery, etc.) through which they try to favor their national companies in contracts worth millions (see eg , vs. Boeing case. Airbus), but it is conceivable that the volume and size of these bad practices is not even remotely the same as the Chinese (although that is something that we really do not know). There isn’t, to our knowledge, anything like a program of intellectual property stealing coordinated and led by the states (in the political sense, not the U.S.). Such practices belong, in any case, to the private sector, which is subject to the laws and legislations of such states.

This is an approach somewhat underdeveloped and certainly simplistic, but the actions contained in the Mandiant report are not actions of espionage or data theft. These are actions of a political nature that are part of a much broader geopolitical strategy. Carl Von Clausewitz said that war is the continuation of politics by other means. The updated version of the XXI century is clear: cyberwar is nothing more than a tool of politics, with the difference that while the war is legally illegal, there is no such consideration for cyberwar.

Summarizing. This is not about computers anymore. It’s politics. We can “play” hackers meanwhile.

Snort: “byte_test” for dummies

Recently a blog user asked why in in the Snort malware detection rules, when you want to detect the DNS query to certain suspicious domains, certain characters such as “byte_test:1, !&, 0xF8, 2;” are used as testing conditions. To explain let’s take as an example the following VRT rule for Gauss malware detection:

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain - Gauss"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|13|bestcomputeradvisor|03|com|00|"; fast_pattern:only; metadata:impact_flag 
red, policy balanced-ips drop, policy security-ips drop, service dns; 
reference:url,; reference:url,

[Read more…]

JavaSnoop – Debugging Java applications

(Please note this post was published last 12th sept. 2012 in the Spanish version of this blog)

Recently we used a very interesting tool to analyze Java applets: JavaSnoop, developed for BlackHat USA 2010 by Arshan Dabirsiaghi. Broadly speaking, the tool allows us to adhere (attach) to a Java process or start it and intercept the calls made. In addition to intercept these calls and view its contents, we can change the arguments of the methods we are intercepting and modify the return value of the function.

Let’s see how to intercept a Java applet method:

1. Download the latest version of the application:

Note: It is recommended to install the application in a directory that does not contain spaces on Windows (eg C:\JavaSnoop).

2. Download the latest version of Java SDK (requires restart after installation).

3. Set the location of the JAD binary in ““Settings > Manage JAD > Set jad path””. Download from the author website. This will allow us to decompile the classes.

4. We make sure that the JAVA_HOME environment variable for our user is set.

5. To avoid problems with permissions when injecting, JavaSnoop contains in the Resources folder the file unsafe.policy. We copy this file to %USERPROFILE%\.java.policy. This directory should contain a file .java.policy. After our analysis is recommended to restore the initial configuration.

6. It is advisable to activate the Debug Console in Java and keep it active for messages.

7. It is very important the order in which JavaSnoop and the java application are started. With some applets is strictly necessary that JavaSnoop is running before launching the browser.

8. Once started JavaSnoop we use the feature “An existing process“. In this case we see the PID 184 which is an applet that we started in Internet Explorer. Then hit the Attach button to adhere to process 184:

9. Once we have adhered to the process, we will set a “New hook“. To do so, click on the “Add new hook“. If you still do not know what class and method you want to hook, go to Browse, what will open a new window where you can select the class you want.

Now we select the method we are interested in:

Once selected the class and the method, we go back to the main window:

In this window, if we have selected the method (point 1) we will be able to set the actions to be undertaken by JavaSnoop: print the parameters when the method is invoked, print the contents of the stack, modify the parameters that are passed to the function and the return values​​. (points 2 and 3).

10. We can also see features of the process that we have attached to in the Actions menu.

With these steps, you are ready to intercept any Java application in a simple and fast way.

Are you being spied by the chinese government?

(Update 20/feb/2013: New signatures added)

As many of you probably know, Mandiant has issued a report accusing the Chinese People’s Liberation Army of being behind the attacks that different companies, both American and other nationalities, have been suffering in recent years.

The report, which is accessible from its website, provides a variety of technical details and the body of evidence supporting the theory that the Chinese government is actually behind the attacks, as has been advocating for the past years. Although some security experts point to analytical flaws in the study by Mandiant (Mandiant APT1 Report Has Critical Analytic Flaws), I think that there is no doubt that China has cyber espionage programs via the Internet. Does that surprise you? Just as no one should be surprised, as pointed out by @antoniosanzalc on Twitter, that other militar powers such as Israel and U.S. have in place cyber espionage programs. Indeed, one might almost say that it would be unwise not to.

Returning to Mandiant report, annexes show information that could help identify infected systems or organizations, either by connecting to DNS systems, use of SSL certificates or other. Although it is possible that after the publication of the report —provided that the information and conclusions of Mandiant are true— the systems and resources used in the attacks are reduced drastically, based on the information of the annexes we have created a set of Snort signatures that can help identify circumstances and suspicious connection destinations, which can be downloaded from the link below.

Snort signatures from the Mandiant report: apt1-unit68398.rar

The signatures are based in the Mandiant Report annexes, and have been developed by S2 Grupo Security Area and more specifically by Roberto Amado and Raúl Rodriguez. To send any comments, questions, information or requests, use the comments or contact us at

Please note that we are not responsible for any undesirable consequences (increased alerts, etc.) that may cause the signatures provided. Your use of the signatures is at your sole risk.

Challenge: Where will the meeting take place? – Solution

A few days ago we published a new challenge in this blog. We need to get the exact point where the gang was going to meet, using one file that had been sent by one of the gang’s member and two SMS saved in the mobile phone of another gangster recently arrested. In this post we are going to explain the solution :)

If we analyse the captured file, we can see it is an encoded text in base64, but if we do the decoding, we get a new encoded file in base64. To solve this, we have to focus on the first SMS, that said: “Recuerda, la quinta es la importante.”, that translates to: “Remember, the fifth is the important.”, what means we have to decode five times to get the original file. So, the only thing we have to do is decode the files until the fifth decoding.

With previous steps we get the following GIF image: a Barcelona street map (city what can be easily identified because of the “Sagrada Familia”).

Now, if we try “Barcelona” in the first validator we see that we open the file and get the solution for the first part of the challenge.

If we analyse a little bit more this image, the only thing we can find is a comment what says there is nothing more around here, what means we have to keep searching in other place ;)

The next part of the challenge focuses in the content of the second SMS. It said: “Te esperamos en:uÖ%äFeM!”, that translates to: “We will wait you in:uÖ%äFeM!”. It seems to point us to the exact address of the meeting. The problem lies in the text “uÖ%äFeM!”, because it does not look like a usual codification.

The clue in this case is the fact that we are working with an SMS text message. This messages use the GSM 3.40 specification, that establishes that the text messages will be encoded using PDU format.

Studying this format, we see the text characters are encoded with 7 bits instead of 8 in order to send longer messages. In the next image we can see how this codification works.

On the Internet, there are some sites which allow encode/decode PDU messages, thus using one of these (for example and getting the PDU codification of the second message, we get the hexadecimal chain “756E696F2C3743” (extracting the parts we don’t need: SMSC number, receiver’s number, length message, etc.). Decoding it to ASCII we get “unio,7C”. Now trying this result as a password in the second validator we can open it and check out the name of the address and the number where the meeting will be, getting the challenge solution :D

In this point concludes the solution for the challenge. Like always, congratulations to those people who solved the challenge and those who did not, I hope you have had a great time trying it ;)

Nmap –script http-joomla-brute. Where THC-Hydra doesn’t fit.

During a recent audit I wanted to try the strongness of the passwords used and I tried a simple dictionary attack against the login form of Joomla! just in case there was any account with one of those weak passwords. The form was as follows:

The method pointed by Rafa in is post: THC-Hydra: Obtaining user credentials by brute-force is fully valid for simple forms but in this case we can’t use it. If you look at the form HTML code we see that in addition to the parameters username and passwd, it has a hidden field that changes in each session. Let’s see the code:

We can see that the last field, which has a value of 1, consists of 32 hexadecimal digits that are generated every time, so we can not know a priori its value and include it the request for THC-Hydra. The petition using the above tool would be something (security parameter remarked in bold):

$ hydra -l admin -p admin1234 <server> http-post-form "/index.php:username=^USER^&

However, it will not work because the generated code is different every time, so the result will be a message “Invalid Token“. Because of this, and after several unsuccessful attempts trying to retrieve and include unsuccessfully that value in the THC-Hydra request, I jumped to nmap to see if there was any script that could help me in this situation.

Indeed, after searching for information on Google I found a script that seemed to do what I wanted: http-joomla-brute. I checked código“>the code and I saw that it was using the parameter “security token” to build the request, so I figured it would work in this situation.

if response.body then 
	_, _, security_token = string.find(response.body, '<input type="hidden" 
                                           name="(%w+)" value="1" />') 
if security_token then 
	stdnse.print_debug(2, "Security Token found:%s", security_token) 
	stdnse.print_debug(2, "The security token was not found.") 
	return false 

The above code searches the token in the form returned by the server and stores it in security_token, that will be used later to send the POST. Therefore, in case that the form includes this kind of safety mechanism we could use nmap as follows:

$ nmap -p80 --script http-joomla-brute --script-args 'userdb=user.txt,passdb=~/john-1.7.9/run/
brute.firstonly=true' <server>

Starting Nmap 6.00 ( ) at 2013-01-30 14:49 CET 
Stats: 0:07:45 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan 
NSE Timing: About 0.00% done 
Stats: 0:09:06 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan 
NSE Timing: About 0.00% done 
Nmap scan report for <server> (192.168.XXX.XXX) 
Host is up (0.0038s latency). 
80/tcp open  http 
| http-joomla-brute: 
|   Accounts 
|     No valid accounts found 
|   Statistics 
|_    Performed 3546 guesses in 605 seconds, average tps: 5 

Nmap done: 1 IP address (1 host up) scanned in 604.97 seconds 

I hope it helps you and saves some time since I spent some time with THC-Hydra trying the tool to take that parameter automatically. However, if anyone knows another way to do this please say it in the comments.

Challenge: Where will the meeting take place?

After a while without proposing any challenge, we return with our research team, which believes to be really close to know the next gang’s meeting point that they have been investigating for the last few months.

Thanks to the last actions performed, our team got the following file: captured_file, which despite being coded, seems to provide the location about the place where the next exchange will be carried. In addition, in the arrest of one of the members who was going to participate in the exchange, the team got a mobile phone that had only two SMS in its memory.

[Read more…]

THC-Hydra: Obtaining user credentials by brute-force

(Please note this post was published last 4th february 2013 in the Spanish version of Security Art Work. See original post: THC-Hydra: Obtener credenciales de usuario por fuerza bruta)

THC-Hydra is a software used to crack login systems of different services such as HTTP, FTP, TELNET, IMAP, SMB, SSH, etc. in a very easy and fast way. Its latest version (7.4.2) was released last 7th January.

This tool has earned a great reputation thanks to its console mode both in Linux and Windows systems (also offering Linux users the option to use a graphical interface) and the possibility to execute the attacks using threads, giving the user the option to choose the number of threads used to perform the attack.

[Read more…]