From Soft to Firm: New Cybersecurity Challenges Targeting Firmware

I was doing research not too long ago to talk about the Stuxnet worm as I find it an incredible piece of technology and wanted to pitch my two cents at it (I was writing the now defunct “Sucks to Stux” piece, but don’t cry for me Argentina! This piece is better, that’s The NuclearFarmboy Guarantee ®.) when I came across a nifty little group called “Equation”. So I thought to myself, “ooh another hacker group! Let’s check it out!” Boy, did I jump down the rabbit hole.

First things first, let’s talk a little about Stuxnet. If you’re thinking that it is the system responsible for this:

[Image: the 1984 “Terminator” movie poster, captioned “Running Windows 1984”]
(Photo Credit: Wikipedia and Orion Pictures)

Then you are wrong. You are thinking of Skynet, not Stuxnet (as much as we all would love to listen to some 1980s synth music while being chased by a half-naked Austrian robot).

What is Stuxnet and what did it do? Well, I’m not here to point any fingers at world governments or policies to curb/sabotage a third government’s nuclear program (even with thinly veiled references). That’s just not me. I’m a nerd, I love talking about code, science, and baseball, so let’s talk about how Stuxnet does what it does and how it did what it did regardless of who made it. Stuxnet was a computer worm built for cyber-sabotage (cue the Beastie Boys): it targeted the programmable logic controllers, or PLCs, that run industrial equipment.

What is a PLC? Well imagine your computer wants to do something in the real world (because yay automation!) like opening doors, running a factory process or an assembly line, or…spinning uranium enrichment centrifuges. A PLC is a small, ruggedized industrial computer that does exactly that: it runs its own control program in a loop, reads sensors, and drives actuators such as valves, motors and the frequency converters that set a motor’s speed (say, speeding up or slowing down your centrifuges). Just like a keyboard turns a physical action into a digital code, a PLC turns code (011010000110100100100001) into physical action. The part that matters for this story is where that control program comes from: an engineer writes it on an ordinary Windows PC using the vendor’s engineering software (for Siemens PLCs, Step 7) and downloads it to the PLC over the plant network. Isn’t the future neat?

So imagine you have your engineering workstation, running Windows XP (because you gotta kick it old school), with all the software it needs to program and monitor your PLCs and keep them working how and when they’re supposed to. Nothing to see here. Of course you’re a smart cookie and you don’t connect this network to the outside internet world. This is called an air-gap: there is an actual physical separation between your control network and the nasty and hostile internet (seriously, it’s a jungle out there), so nothing can reach your PLCs unless somebody physically carries it across. So everything is operating like normal, a-ok! But wait, say one of your employees finds a wild USB flash drive! What does he do? Best cybersecurity practice says you don’t touch it with a 10 foot pole, and if you’re really curious you open it on a computer that has no sensitive information, right? So that’s what your employee does. He goes to his work terminal, boots up Windows XP (because yes, machines like those still exist, as seen below) and plugs that puppy in, because hey, it’s ok, his computer isn’t directly connected to the sensitive stuff anyway.

[Image: an office PC running Windows XP]

This is a computer in the office I am currently in…Yes this is 2015. 

Once the USB drive is in, this is what goes through your employee’s mind:

“How boring. It’s just a bunch of folders with text files. A few random pictures. Oooh! A screensaver of my favorite soccer (not football, because America) team! I definitely need that!”

And while all that is going on, Stuxnet has been copying itself onto the computer without anyone being the wiser (it’s sneaky like that). He didn’t even need to open the screensaver: Stuxnet abused a flaw in how Windows handled shortcut (.lnk) files, so simply having Explorer draw the drive’s icons was enough to run it.

Congratulations! A computer in your network now has Stuxnet!

The best part about it is that Stuxnet has the even sneakier capability of infecting other computers in your network, none of which are connected to the internet. It hopped from machine to machine through a Windows print spooler bug, a remote procedure call (RPC) flaw, shared network folders, and even the Siemens project files engineers pass around, spreading faster than glitter in a grade school art project.

From then on out, all Stuxnet had to do was find a machine running the Siemens Step 7 / WinCC software used to program and supervise your centrifuge PLCs, and inject its own code into the PLCs that control your revolutions. It was picky, too: it only went to work when it found the specific PLC models and frequency converters it was looking for. Once there, it periodically varied the rate of revolutions (rpms), putting stress on the rotors and other components until they were damaged, while playing back recorded normal readings to the operators so the screens looked fine the whole time.

Hasta la vista, baby centrifuges.


Now all that’s good and dandy, and Stuxnet is now wrecking your (very real) shop, but that’s not what’s scaring me.

What scares me is the future. Stuxnet and other cyberattacks up to this point have largely dealt with sabotage or theft. Stealing money a la Office Space (if you don’t know what I’m talking about go watch that movie right now and then continue reading. Not even kidding.) via computer program from an inside threat, an outside threat like Sony’s PSN online service or Target where tens of millions of credit card numbers were stolen, or even the case where private celebrity photos got leaked onto the internet: these are all cyber attacks that are visible and noticeable. These attacks have a perpetrator that uses some software to gain access to privileged information and BOOM! that information is no longer private. Sabotage, theft, and leaks I understand. While they are terrifying (imagine someone pulling a Stuxnet on the sewage treatment plant in your local neighborhood and literally opening the very smelly flood gates), what I’ve seen from the Equation group is far more complicated and incredibly astute.

Equation has opened the door to what can only be described as complex cyberespionage. The cybersecurity firm Kaspersky Lab recently discovered this group while tracking down other threats: some of the command and control (C&C) domains the malware reported to had expired, and the Lab simply registered them. This maneuver, called a “sinkhole”, means every infected machine “reporting back” now talks to you instead of the attacker, so you can count the victims and trace their behavior (to grossly simplify it).

What Kaspersky managed to identify were six surprisingly sophisticated pieces of malware communicating with these servers, with the following names:

  1. DoubleFantasy
  2. GrayFish
  3. Fanny
  4. TripleFantasy 
  5. EquationDrug
  6. EquationLaser

What’s scary about these (and why the first half of this post goes so deeply into Stuxnet) is that some of them have Stuxnet-like characteristics (infecting via USB and spreading through networks not connected to the internet), some of them used the very same exploits that later showed up in Stuxnet, and they predate it.

[Image: Keanu Reeves “Whoa…” reaction]
(Picture Credit: “Bill and Ted’s Excellent Adventure” and replygif.net)

And in the immortal words of Billy Mays, “But wait! There’s more!”

One of these, namely Fanny, hides on a USB stick and runs automatically when the stick is plugged into a computer, using the same shortcut-file trick Stuxnet later used. It also keeps a hidden storage area on the stick: commands from the attackers ride in on it, and information collected from the air-gapped machines rides back out the next time the stick is plugged into a computer that does have internet access. That effectively bridges the air-gap in both directions (much like the example shown above). What’s crazy about it is that this malware is dated to 2008 and has a lot of similarity with Stuxnet. Clearly Equation is operating on the next level, and that is pretty scary. Some reports and labs say it’s an NSA group, while others say it’s a group of killer robots from the future (that latter report is mostly me), but regardless I’m not here to get into the politics of it. I’m here to try and talk and explain just what is going on technical-wise and pitch my two cents of cybersecurity insight.

Equation’s tools not only predate one of the most complicated and well known pieces of code, but the group has also done something that had not been seen before and which in Kaspersky’s opinion (and mine) is Equation’s greatest achievement: it reprograms the firmware of hard drives. While incredibly rare, with only 5 confirmed cases among the roughly 500 infections Kaspersky’s lab studied, it is still an incredible achievement. You’re probably asking yourself, “what’s firmware?”, “is it the opposite of software?”, and “can I put it in some tupperware?” Thankfully I’m here to answer those questions!

Firmware is the program that tells a piece of hardware, say your hard drive, how to run. It lives on the device itself, in a small non-volatile memory chip (flash or EEPROM) on the drive’s controller board, not on the platters that literally spin at several thousand RPMs and hold your data not quite unlike a record. Keep that record-player analogy in mind: software like your trusty Microsoft Word ® is a track recorded on the platters, and the firmware is what knows where the arm and needle must be placed to play the Microsoft Word track and at what speed it has to be played. It is written by the manufacturer, it can’t be modified under normal operations, and it provides the fundamental operating instructions for the hardware; the operating system never even sees it as a file. That’s the important difference from software: you can delete Word, reformat the drive or reinstall Windows, and the firmware doesn’t change one bit. The catch, which is where Equation comes in, is that “can’t be modified under normal operations” isn’t the same as “can’t be modified”. Every drive accepts a firmware update through special vendor commands, and the drive itself is the only thing deciding whether to accept it. You can’t open up your Windows Explorer, find your hard drive and start editing the firmware, but a program that knows the right commands can.

Now let’s tie it all together!

The Equation group’s cyber infiltration (much more apt word than “attack”) consists of using a computer worm (which is software) to get a foothold on your computer and then carry out specific commands, much like Stuxnet. Now what happens if you do a scan of your computer and find some of the malware (worm/software) in your system? Well you simply patch the vulnerability of your machine and reinstall your operating system and congrats! Your machine is now Equation proof and Equation free (Sucks to Stux!) and you can keep spinnin’ your centrifuges (treat yoself!). But wait, what if the group attacking you (for the sake of simulation let’s pretend it’s Equation) doesn’t want to sabotage your centrifuges and instead just wants to steal critical data and passwords? Well that’s where you’d be one of the unfortunate 5 that got the hard-drive module of GrayFish. What this piece of code does is send the drive the manufacturer’s own reflashing commands and implant itself into the firmware. Drives from manufacturers including Seagate, Western Digital, and Toshiba were on its list, and once installed the implant does two things. It carves out a “secret” area of the disk that it never reports to the computer, so the operating system can’t see it, and stashes stolen information there until it can be sent out to specific servers. And it survives anything you do from the operating system: you can reformat your drive, reinstall the operating system, and run all the antivirus you want, but this code is there to stay. You simply can’t get rid of it short of taking a baseball bat to your hard drive (or, less satisfyingly, replacing the drive).

[Image: “Office Space” reaction gif]
Seriously, How great was “Office Space”?
(Photo Source: “Office Space” and giphy.com)

The reason is that hard-drive firmware was never designed with security in mind. Sure, drives accept vendor firmware updates that reflash and replace the code to make your hard drive operate smoother, but the drive doesn’t (or at least, in 2015, didn’t) verify that an update really came from the vendor, and, worse, the drive is the only thing that can tell you what firmware it is running. Ask a compromised drive for its firmware version and it will happily report the old one; ask it to reflash itself clean and the implant can simply pretend to comply. Reflashing your way out of GrayFish is unfeasible because you never know where the module is hiding, the drive won’t tell you, and you have no independent way to read that memory back short of pulling the controller board apart.
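One practical check that follows from this, as an added example (my own code, not anything from the original post or from Kaspersky’s report): record what each drive reports about itself when a machine is built, and diff it against what the drive reports later. The script assumes the identification block printed by `hdparm -I /dev/sdX` on Linux (the “Model Number”, “Serial Number”, “Firmware Revision” and “LBA48 user addressable sectors” lines); the two captures embedded below are constructed for the example. The second function is the other half of the discipline: refuse to flash any firmware image whose SHA-256 does not match the value you got from the vendor out of band.

```python
"""Drive-identity drift check (added example, not from the original post).

Parses the identification block that `hdparm -I /dev/sdX` prints on Linux,
compares it with a baseline captured when the machine was built, and lists
anything that changed.  Also verifies a firmware image against a hash
obtained out of band before anyone flashes it.

The catch the post describes still applies: every value here is supplied
by the drive's own firmware, so a drive running hostile firmware can report
whatever it likes.  This catches careless or buggy changes, not a determined
implant; for that you need a second opinion from outside the drive.
"""
import hashlib
import re

# Constructed sample: baseline capture from a freshly built machine.
BASELINE_OUTPUT = """\
/dev/sda:

ATA device, with non-removable media
    Model Number:       ST1000DM003-1CH162
    Serial Number:      Z1D1234A
    Firmware Revision:  CC47
Configuration:
    LBA48  user addressable sectors: 1953525168
"""

# Constructed sample: the same drive months later.  The firmware revision
# has changed and the number of sectors the OS is allowed to see has shrunk,
# which is the kind of symptom a hidden area being carved out would produce.
CURRENT_OUTPUT = """\
/dev/sda:

ATA device, with non-removable media
    Model Number:       ST1000DM003-1CH162
    Serial Number:      Z1D1234A
    Firmware Revision:  CC4A
Configuration:
    LBA48  user addressable sectors: 1953523120
"""

# Field name -> pattern that pulls its value out of the hdparm text.
FIELDS = {
    "model": re.compile(r"^\s*Model Number:\s+(.+?)\s*$", re.M),
    "serial": re.compile(r"^\s*Serial Number:\s+(\S+)", re.M),
    "firmware": re.compile(r"^\s*Firmware Revision:\s+(\S+)", re.M),
    "sectors": re.compile(r"LBA48\s+user addressable sectors:\s+(\d+)", re.M),
}


def parse_identify(text):
    """Return {field: value} for the fields present in hdparm -I output.

    The sector count comes back as an int.  Missing fields are left out, so
    a drive that stops reporting something shows up as a change, not a crash.
    """
    found = {}
    for name, pattern in FIELDS.items():
        m = pattern.search(text)
        if m:
            found[name] = int(m.group(1)) if name == "sectors" else m.group(1)
    return found


def diff_identity(baseline, current):
    """List (field, old, new) for every field that differs or vanished."""
    changes = []
    for name in FIELDS:
        old, new = baseline.get(name), current.get(name)
        if old != new:
            changes.append((name, old, new))
    return changes


def image_sha256(data):
    """Hex SHA-256 of a firmware image, to compare with the vendor's published value."""
    return hashlib.sha256(data).hexdigest()


def image_matches(data, expected_hex):
    """True only if the image hashes to the value obtained out of band.

    Flashing an unverified image is how a hostile update gets onto a drive
    in the first place, so anything that does not match is refused.
    """
    return image_sha256(data) == expected_hex.strip().lower()


if __name__ == "__main__":
    before = parse_identify(BASELINE_OUTPUT)
    after = parse_identify(CURRENT_OUTPUT)
    for field, old, new in diff_identity(before, after):
        print(f"{field}: {old!r} -> {new!r}")
    # Assumed vendor hash: in practice copy it from the vendor's site, not
    # from the machine whose drive you distrust.
    image = b"constructed firmware image bytes"
    print("image ok:", image_matches(image, image_sha256(image)))
```

Run it against real captures by piping `hdparm -I /dev/sda` into a file at build time and again at audit time. A changed firmware revision or a shrinking sector count is worth a conversation with the vendor; an unchanged one proves nothing, for exactly the reason the post gives.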

What does it all boil down to?

The cybersecurity game just got a lot harder. Groups like Equation have for the past decade or so been systematically developing tools to infiltrate computers and information technology at increasingly deep levels. Malware like Stuxnet that could penetrate air-gapped systems shows the increasing challenge of keeping cybersecurity standards at their highest to prevent systems from being compromised. The expansion from software to firmware attacks by cyber-actors is a call for governments, organizations, and especially individuals to strengthen their security infrastructure and practices. Regardless of who Equation is and who they’re working with/for, cybersecurity is a growing concern for all developed countries. Information is our most valuable and most vulnerable possession, is the currency of the 21st century, and is the identity of individuals, organizations, and states; without proper security practices its confidentiality, integrity, and availability become compromised, and potentially harmful. As the threats grow bigger and more serious, so must our way of defending and protecting ourselves against them.

-Cervando Banuelos is currently interning at the Verification Research, Training and Information Centre in London and is pursuing a master of arts in nonproliferation and terrorism studies at the Middlebury Institute of International Studies at Monterey, and holds a bachelor of science degree in nuclear engineering, with a minor in radiological health engineering, from Texas A&M University. His interests include passive cooling systems in boiling water reactors, nuclear forensics, arms control treaties, treaty verification, cybersecurity issues, and oatmeal raisin cookies without the raisins. He hopes to some day work for the IAEA, a national laboratory, or the CTBTO.

Follow: @nuclearfarmboy