Last week I was in the Middle East, speaking at a very interesting security conference attended by management from the region's major energy companies. Today's blog was going to cover what I learned at this event, but that will have to wait. Instead, in an interesting coincidence, a new super worm called Flame (or sKyWIper), has been discovered targeting sites in the Middle East. So today I will explore what impacts (if any) this new worm will have on SCADA or ICS security.
Let's start with what Flame is. Rather than just being a typical worm, Flame appears to be a carefully crafted attack toolkit for industrial or political espionage. According to Aleks at Kaspersky Labs "It is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master."
Now the first unusual thing about Flame is that it is massive. While a typical worm is around 50 KB in size, Flame weighs in at about 20 MB, nearly 400 times larger.
The reason for this large size is that Flame is a multi-functional toolkit for information stealing, completely reconfigurable by its masters for new tasks. According to the CrySyS Lab report on sKyWIper (aka Flame):
sKyWIper has very advanced functionality to steal information and to propagate. Multiple exploits and propagation methods can be freely configured by the attackers. Information gathering from a large network of infected computers was never crafted as carefully as in sKyWIper. The malware is most likely capable of using all of the computers' functionalities for its goals. It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, wifi, Bluetooth, USB and system processes.
Flame is a Swiss Army Knife of malware in the sense that it can intercept everything imaginable, but it is not a pile of existing malware code thrown together. It is very cleverly crafted. Like Stuxnet, it has multiple propagation vectors – USB keys, printer sharing, and domain controller rights to name a few.
Figure 1: Flame Infection Methods. Source: Securelist.com
Its modular architecture allows its creators to massively change functionality and behavior at any time. It also allows its operators to use a sophisticated scripting language called Lua to manage its activities. Plus its code injection techniques are pretty amazing. (If you want to learn more, check out the references at the bottom of this blog).
Flame is no script kiddie project. It is probably not even an organized crime project. All reports from the anti-virus companies analyzing Flame indicate that it was created by a well-funded, professional team of developers. As Kaspersky Labs put it:
"…the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it."
Figure 2: The top 7 countries targeted by Flame. Source: Securelist.com
So what does Flame mean for SCADA and ICS security? On the surface, very little. As currently configured, Flame is clearly an information stealer. There is no evidence that it has SCADA or ICS related modules installed at this time.
That said, Symantec and others report that Flame appears to be the same worm that the Iranian Oil Ministry reported was impacting its facilities at the Kharg Island terminal last month. Iran's National CERT (MAHER) is also now reporting on the existence of this worm inside Iran.
So what does all this mean to the average control engineer? The good news is that like Stuxnet, Flame appears to be highly targeted. Like Duqu, it steals information rather than destroying equipment. But the bad news is that this worm clearly indicates that industry, especially the energy industry, is now a key target in a rapidly growing world of sophisticated, government sponsored malware.
Call it "cyber warfare" or "cyber hype", the bottom line is that the information / networked world is getting nastier by the day and SCADA and ICS is part of that world.
What are your thoughts on this latest super worm? Does its discovery impact your security strategy?
© Byres Security Inc. 2012 | All Rights Reserved | Byres Security is part of Hirschmann, a Belden brand