Who would have thought that in 2010 we would have an attack based on—wait for it—sneakernet. The latest high-profile example of this is W32.Stuxnet. In the hoopla over some of the more racier aspects of Stuxnet, this part is being ignored. And I don’t think it should be. We’ve been tracking the growing usage of this attack vector (USB thumb drives and the like being shared between computers) for years. In 2009, 72% of malicious code samples causing potential infections propagated using this mechanism, as discussed in the Symantec Internet Security Threat Report, Vol. XV. Why? Because it works. Nothing proved that more than Conficker. But what really drives my interest and concern is the suspicion that the bad guys learned a valuable lesson from Conficker that can today be used on SCADA systems, no matter how well isolated or protected they seem.
With Conficker, machines with no Internet connectivity were getting infected. It didn’t take long to figure out the reason. Technicians working on the machines were plugging in USB thumb drives to transfer files to these non-networked machines. Infected thumb drives. And the threat easily jumped to these “safely-removed-from-the-network” machines. Of course, what made the news was that all the hospitals were seeing infections on their medical devices. It’s completely horrifying that medical equipment, used to save lives, could be infected with malware. There’s a bit of irony too—malware ain’t called a virus for nothin’. I can’t think of an industry better suited to figure out that you should guard against accidently delivering tainted media from one device to another.
What all these reports of non-networked medical equipment getting infected by Conficker did do was give bad guys an idea of how to get onto machines without network access. Now, we don’t know who is behind the W32.Stuxnet attacks. If history holds true, we may never know for sure. And I can only guess at what the thinking behind these attacks was—I don’t know if they were interested in non-networked SCADA systems. But it seems to me they have a pretty good way to get on these systems. And, of course, that solution is not some mad genius technical hack. It’s social engineering.
So here’s the hackers’ problem: how do they get onto the machines that aren’t on a network? Can’t use a network-based attack. Can’t do a drive-by download. Can’t get them through email, social networking, or the other standard tricks. Unlike Hydraq, they can’t even get to these machines by infecting someone who has access to the targeted machines. The PCs of these users are not connected to the targeted machines. Or are they? Conficker taught us that these machines are networked, via USB drives and sneakernet.
Now, I admit I have no idea how, in this scenario, the attacker would get stolen information off these systems. That would take some really amazing social engineering. But if the purpose of an attack was to cripple one of these systems (which doesn’t seem to be the case here), just getting onto the machine is good enough. And having these systems crippled by cybercriminals has been repeatedly raised as a major national security concern. So, I think we have a problem here. I have no doubt that reports will surface in the next few weeks of systems that were hit with Stuxnet, even though they had no Internet access.
Some things never change. Sneakernet lives. And so do bad or non-existent security policies. Just because your machine is off the network doesn’t mean it’s secure. In medicine, surgical instruments don’t get shared between patients—at least not until they are sterilized. It’s probably not realistic to ban the use of USB keys. There will be times that data needs to be brought to a non-networked machine; I get it. But you better have some procedures in place. A sterilization. Sure, software can help. Put good security on all machines. And we even have some nice technology that can block even an unknown virus from launching off a USB key. But, put a policy in place, too. Make people think about what they are doing, because the bad guys are.