産業制御システムに対するStuxnet以来最大の脅威 by Anton Cherepanov, Róbert Lipovský
•Download as PPTX, PDF•
2 likes•1,293 views
Industroyerは電力系統に対する攻撃に特化した史上初のマルウェアである。このユニークで非常に危険なマルウェアフレームワークは、2016年12月にウクライナで停電を引き起こした。 BlackEnergy (a.k.a. SandWorm) などの重要インフラを攻撃対象にした他のマルウェアとIndustroyerの違いは、4種類の産業用通信プロトコルを使用して直接コントロールスイッチやブレーカーを操作する能力にある。 本講演では、Industroyerが悪名高いStuxnetワーム以来産業制御システムに対する最大の脅威であると考えられる理由の解説に加え、2016年の停電を近年のウクライナの重要インフラに対する他の多くのサイバー攻撃と比較して解説する。 Industroyerが攻撃するプロトコルやハードウェアはウクライナに限らず世界的に電力系統や交通網、そして水道やガスといった重要なインフラにおいて使われているため、このマルウェアは他国の重要なサービスへの攻撃にも転用することができる。この発見は、このような重要なシステムのセキュリティを担う者達に警鐘を鳴らすはずだ。 アントン・チェレパノフ- Anton Cherepanov - アントン・チェレパノフはESETのシニアマルウェアリサーチャーであり、複雑な脅威の分析などを担当している。彼はウクライナにおけるサイバー攻撃を広く研究しており、その内容はVirus Bulletin、CARO Workshop、PHDays、ZeroNightsなど数多くのカンファレンスにおいて発表されている。彼はリバースエンジニアリングとマルウェア分析の自動化に特に興味を持っている。 ロバート・リポヴスキー - Róbert Lipovský - ロバート・リポヴスキーは、10年間のマルウェア研究経験を有するESET Security Research Laboratoryのシニアマルウェアリサーチャーである。彼はマルウェアの調査と分析を担当しており、ブラチスラヴァのESET本部にてマルウェア研究のチームを率いている。彼はBlack Hat、Virus Bulletin、CAROといったセキュリティカンファレンスにて定期的に登壇する人物である。彼はコメンスキー大学および母校のスロバキア工科大学においてリバースエンジニアリングの課程を開設している。キーボードに触れていない間、彼はスポーツやギター、飛行機を飛ばすことを楽しんでいる。
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to 産業制御システムに対するStuxnet以来最大の脅威 by Anton Cherepanov, Róbert Lipovský
Similar to 産業制御システムに対するStuxnet以来最大の脅威 by Anton Cherepanov, Róbert Lipovský (20)
More from CODE BLUE
More from CODE BLUE (20)
産業制御システムに対するStuxnet以来最大の脅威 by Anton Cherepanov, Róbert Lipovský
- 1. INDUSTROYER Anton Cherepanov / @cherepanov74 Robert Lipovsky / @Robert_Lipovsky
- 7. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
- 8. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
- 9. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
- 10. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
- 11. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016 23 Dec 2015
- 12. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016 C&C ネットワークスキャナ ファイル窃取 パスワード窃取 キーロガー スクリーンショット ネットワーク探索 BlackEnergy CORE
- 13. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
- 14. STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016
- 15. ウクライナ での被害 ESETが解析を開始 最初の報告が 完了 追加調査 Industroyerに関する 報告が公開 17 Dec 2016 A few days later 12 Jun 201718 Jan 2017 STUXNET HAVEX BLACKENERGY INDUSTROYER 2010 2014 2015 2016 INDUSTROYER
- 16. メインの バックドア ICS INDUSTROYER マルウェア 操作者 INDUSTRIAL SITEインターネット 電力供給会社 Industroyer
- 17. Main Backdoor Main Backdoor メインのバックドア – コマンド集 プロセスの実行 特定のユーザーアカウントを用いたプロセスの実行 C&Cサーバーからのダウンロード ファイルの複製とアップロード シェルコマンドの実行 特定のユーザーアカウントを用いたシェルコマンドの実行 停止 サービスの停止 特定のユーザーアカウントを用いたサービスの停止 特定のユーザーアカウントを用いたサービスの開始 特定のサービスに対する“Image path”レジストリ値の書き換え
- 18. Main Backdoor Main Backdoor メインのバックドア – コマンド集 プロセスの実行 特定のユーザーアカウントを用いたプロセスの実行 C&Cサーバーからのダウンロード ファイルの複製とアップロード シェルコマンドの実行 特定のユーザーアカウントを用いたシェルコマンドの実行 停止 サービスの停止 特定のユーザーアカウントを用いたサービスの停止 特定のユーザーアカウントを用いたサービスの開始 特定のサービスに対する“Image path”レジストリ値の書き換え ファイルの複製とアップロード
- 19. メインのバックドア -> VBS -> MS SQL -> CSCRIPT -> VBS
- 21. Set cmd = CreateObject("ADODB.Command") cmd.ActiveConnection = mConnection cmd.CommandText = "BEGIN EXEC sp_configure 'show advanced options', 1;RECONFIGURE; EXEC sp_configure 'Ole Automation Procedures', 1;RECONFIGURE; END;" cmd.Execute cmd.CommandText = "BEGIN EXEC sp_configure 'show advanced options', 1;RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; END;" cmd.Execute
- 22. メインの バックドア メインの バックドア メインのバックドア – コマンド集 プロセスの実行 特定のユーザーアカウントを用いたプロセスの実行 C&Cサーバーからのダウンロード ファイルの複製とアップロード シェルコマンドの実行 特定のユーザーアカウントを用いたシェルコマンドの実行 停止 サービスの停止 特定のユーザーアカウントを用いたサービスの停止 特定のユーザーアカウントを用いたサービスの開始 特定のサービスに対する“Image path”レジストリ値の書き換え 特定のサービスに対する“Image path”レジストリ値の書き換え
- 23. メインの バックドア メインの バックドア DOSツール Port Scanner ポート スキャナー 追加の バックドア EXEC xp_cmdshell 'C:intelport.exe -ip=%IP_ADDRESS% -ports= 2404, 21845, 445, 135'; 135 - RPC Locator service 445 – SMB 2404 - IEC 60870-5-104 21845 - webphone 700 – Extensible Provisioning Protocol over TCP 701 – Link Management Protocol 1433 – MS SQL Server default port 1521 – nCube License Manager / Oracle dB
- 29. DOSツール 101 ペイロード 104ペイロード 61850 ペイロード OPC DA ペイロード メインの バックドア メインの バックドア ポート スキャナー 17 Dec 2016 - 22:27 (UTC) ランチャー 追加の バックドア
- 30. 101ペイロード 104 ペイロード 61850 ペイロード • シリアル番号 • IOA (Information Object Address) の範囲 • 単発コマンド (C_SC_NA_1) • 二発コマンド (C_DC_NA_1) • OFF -> ON -> OFF OPC DA ペイロード
- 31. • TCP/IP • モード: • 範囲 • 遷移 • シーケンス 101ペイロード 104ペイロード 61850 ペイロード OPC DA ペイロード
- 35. 101ペイロード 104ペイロード 61850 ペイロード OPC DA ペイロード • Auto-discovery • CSW, CF, Pos, and Model • CSW, ST, Pos, and stVal • CSW, CO, Pos, Oper, but not $T • CSW, CO, Pos, SBO, but not $T
- 36. 101ペイロード 104ペイロード 61850 ペイロード OPC DA ペイロード • OPCサーバーを発見 • COMインターフェース: • IOPCServer • IOPCBrowseServerAddressSpace • IOPCSyncIO • ctlSelOn (オンコマンドを選択) • ctlSelOff (オフコマンドを選択) • ctlOperOn (オンコマンドを実行) • ctlOperOff (オフコマンドを実行) • Pos and stVal (位置、状態の切り替え)
- 38. Github: https://github.com/eset/malware-research/tree/master/industroyer • バイナリ中のOPC Data Access LIBIDs, CLSIDs, IIDsを特定 • IDA ProでOPC DA構造を作成し列挙 • 一般的なリバースエンジニアリングの用途で使用可能 101ペイロード 104ペイロード 61850 ペイロード OPC DA ペイロード
- 46. ABB PCM600 ABB MicroScada Signal Cross References Substation Configuration Language Substation Configuration Description Configured IED Description
- 48. ! 世界的な脅威 ! 危険な攻撃者 ! まだ見ぬ潜在能力 見えないもの
Editor's Notes
- It’s good to see all of you here today… Literally. Meaning the lights are on. Because today we’re speaking about Industroyer – malware capable of causing a blackout. In fact, it caused one…in Ukraine last December. Now, that’s big, but there’s more – Industroyer is the 1st ever malware designed to attack power grids automatically, and we consider it to be the biggest threat to Industrial Control Systems since Stuxnet.
- My name is Robert Lipovsky, and together with my collegue Anton Cherepanov, we analyze malware and investigate cyberattacks on a daily basis, in fact, both of us have been doing it for 10 years now… but when we discovered Industroyer last December, frankly, we were blown away…
- We’re based in Slovakia, EU, we work as malware researchers for ESET – the company that pioneered antimalware heuristics and has been innovating antimalware solutions for 30 years.
- First, we’ll put Industroyer into context of other malware that targeted ICS in the past Then we’ll explain how Industroyer works
- First, let’s take a look at how ICS-targeting malware works… We have an industrial site, which can be anything, from a uranium enrichment plant to an automobile factory, with its specialized industrial hardware. These devices are controlled and configured by human operators from workstations [click], typically running Windows, and that was the point of infiltration for all the known ICS-targeting malware families.[click] Where the malware families differ, is in their capability – and methods – of controlling/disrupting the industrial process.
- Industroyer was specifically designed to attack electricity distribution substations. There’s a timer [click], in the analyzed samples set to the time of the blackout in Kiev, Ukraine last December… …that triggers Industroyer’s unique payload: controlling circuit breakers automatically through industrial communication protocols [click] in order to cut the power.
- Industroyer joined this “elite” club of only 3 malware families known to be used in attacks against ICS
- Stuxnet, which needs no introduction, was able to reprogram PLCs to change the rotation speed of centrifuges.
- Havex – DragonFly – Energetic Bear which infected many industrial sites Used OPC DA protocol – also used by Industroyer – but unlike Industroyer, Havex only for espionage
- BlackEnergy is a bit different from the other 3 families We’ve been tracking it since 2011…and there we’re many campaigns over the years – mostly spearphishing – and we even discovered they used a Powerpoint 0-day: CVE-2014-4114…
- … and many targets – many high value targets, including government, media, transportation… But what’s relevant to our topic today are the campaigns against the Ukrainian power grid. They started in March 2015… [click] And on December 23rd, culminated in the first known malware-enabled blackout that affected several regions in the country and left around 230000 people in the dark for several hours.
- As I said, BlackEnergy is different from these other malware toolsets. It wasn’t designed to target ICS specifically, but is a more “general purpose” cyberweapon. Through its network traversal and espionage modules, it paved the way for attackers Who then used Radmin …
- …legitimate remote access software installed at the power distribution companies to manually “pull the plug” [click] And this is an actual video taken by an operator while the attackers were remotely accessing their system
- …legitimate remote access software installed at the power distribution companies to manually “pull the plug” [click] And this is an actual video taken by an operator while the attackers were remotely accessing their system
- And now onto the main topic… On December 17, 2016, almost exactly one year after the previous blackout, we we’re struck with a sense of deja-vu There was another blackout and we started analyzing samples of malware, which became the main suspect – Industroyer We sent our analysis to Ukraine, and then waited, not to interfere with ongoing investigations… And then received the green light to publish in June
- We already mentioned what Industroyer can do…and did, (or “Industroyer’s principal functionality) Now let’s look under the hood It starts with the main backdoor, which takes care of C&C communication and launches other components
- It’s not super interesting, typical malware, the kind we analyze thousands of every day. Here’s the list of commands it supports. We while Industroyer doesn’t focus on espionage functionality like BlackEnergy, it does provide attackers the capability of downloading and executing additional modules…
- as well as to exfiltrate files off the infected machine. Output produced by this command also gave us a glimpse into the command execution chain and lateral movement during the attack
- Multiple stages – staying under the radar SQL DB
- /not published/ Got hold of in-house custom application that stores environment layouts, ICS process logs & telemetry RE’d it, discovered that data stored in MSSQL server, hardcoded credentials. (Shows skill of attackers) Abused the DB to execute a number of shell commands during the reconnaissance phase of attack
- In order to do that, they 1st enabled the DB’s capability to execute these commands through xp_cmdshell
- Here are a few commands executed from that machine Benefit – stealth – shell commands executing from context of DB, also DB stored malicious binaries – measure to avoid AV detection
- The last command in the list is used for persistence, to ensure the malware survives a reboot. It does that by pointing the Image Path Registry value of a chosen existing Windows service to a more obfuscated version of itself.
- There’s also a secondary backoor, used as a backup mechanism, in case the main backdoor gets detected or disabled. It’s interesting because it masquerades as a trojanized (and otherwise fully functional) version of Windows Notepad, which it replaces in the system. SIMILAR TECHNIQUE USED BY DRAGONFLY 2017 There are a few additional tools – noteworthy is a custom port scanner which the attackers chose instead of nmap, for example, And DoS tool, which actually impacts the ICS, and I’ll talk about it later.
- And now we’re getting to the interesting part…
- We identified 3 distinct ways Industroyer attacks the electricity substation. Firstly, and most importantly, it can directly control the industrial hardware on site… So what is this “hardware”? They’re called Remote Terminal Units, commonly protection relays – on these photos you can see them from 2 vendors – Siemens and ABB. There are many types but basically their function is to open and close circuit breakers – for the purposes of protection, balancing the power grid, and so on…
- These devices are configured and monitored via specialized SCADA software on regular workstations, typically running Windows
- And the communication happens through one of several industrial communication protocols….there are several, some are regionally specific, some operate over a serial connection, others over TCP/IP but overall idea is the same… It’s important to note that Industroyer “abuses” them… there are no “exploits”, no software vulnerabilities, it uses the protocols in the way they were designed to be used…decades ago, without security in mind.
- Now I pass the microphone to Anton, the lead in the Industroyer analysis, to walk you through the payloads…
- Robert mentioned the exact timing of an Industroyer attack. That’s the job of the {click} launcher component The launcher samples we analyzed would launch the individual payload modules on {click} December 17, 2016 – shortly before the power outage. We identified modules capable of controlling devices through 4 communication protocols: IEC 101, IEC 104, 61850, OPC DA. Most of them are DLLs, with their own configuration files
- Requires a configuration file – here’s an example 101 communicates over a serial connection – the COM ports to use are specified in config 1st thing it does – kills legitimate process on the workstation responsible for controlling the devices and takes over The devices operate on something called IOA – Information Object Address – think of them as network ports, or… registers There are several different IOA types, but the payload is only interested in two specific ones, which can accept commands. It goes over a range of IOAs, defined in the config, and sends the command sequence “OFF -> ON -> OFF”
- The idea in the 104 payload is very similar to 101, in that it sends ON or OFF commands to the devices But there are a few differences: - Works over TCP/IP instead of serial Many more configuration options As you can see here, possible to specify multiple STATION entries work in parallel threads 3 modes of operation – range / shift / sequence Both for 101 and 104, attackers don’t know the types of IOAs, so they have to do a kind of “bruteforce” to find out which will accept commands – “trial & error” Range & shift used to discover the right IOAs, Sequence used once they’re known
- Payload constructs packets on the fly Thankfully, WireShark can dissect them As you can see, this example is a “single command type” on IOA #10
- The payload can also write to the console – here’s an example
- It supports not only console output but also logging This example demonstrates the capability of the payload – it tries to switch circuit breakers to ON or OFF in an infinite loop The exact logic depends on the config: either ON, or OFF, continuously or flipping back & forth between iterations
- 61850 is a bit different, and a bit more advanced. Like 104, it operates over TCP/IP but it can function even if IP addresses are not specified in the configuration - it can auto-discover devices on the network Doesn’t operate on IOAs but named elements. It looks for these hardcoded names – they correspond to circuit breakers and switches. So it’s a different approach but, again, same purpose - to OPEN or CLOSE circuit breakers.
- The last payload is a step above the rest. Not that it’s more advanced but it operates on a higher software abstraction level. Technically, OPC Data Access can be built on top of 101, 104, or 61850. It uses Distributed COM to discover all OPC servers running in the network. Obtains all their named items, searching for these specific tags Then it addresses the byte value 1 to items with these tags. But what does that mean? Let’s take a look in the documentation.
- Those tags are associated with ABB. Their type is ABBCommandBitmask…
- And writing the value 1 on bit position 0, results in normal execution of that command
- And this OPC Process Object Lists Tool by ABB helps us translate the commands into a better human-readable form… So again, the purpose is the same – opening circuit breakers.
- Analyzing the Industroyer payloads are a piece of cake for a skilled reverse-engineer, because they’re not obfuscated in any way. The only thing that can…and will slow you down…is this annoying COM stuff So to help analyze any future malware that would use OPC DA, we’re releasing this IDA Python script
- This is what the code looks like before the script
- Robert: Well, that looks much better. Thank you Anton. All 4 payloads serve a similar purpose – to open and close circuit breakers. De-energizing a substation is the most obvious one. But there are other theoretical possibilities and the 2007 Aurora generator test demonstrated how out-of-sync closing of protective relays can lead to physical hardware destruction.
- The second type of functionality we found in the Industroyer framework, is rendering protection relays irresponsive. This is done by the Denial of Service tool…
- And it does it by exploiting the vulnerability in Siemens SIPROTEC devices described in this Advisory.
- The module sends specially crafted UDP packets to port 50000. ”Knocking these devices out” serves to amplify the impact of the payloads Anton talked about. Siemens did patch the vulnerability in a firmware update, but you can imagine how regularly these devices are updated
- The third and final type of payload functionality in the Industroyer samples we analysed is the Data Wiper module – [click] its purpose is to make recovery from the attack harder - goes not after the RTUs but after the workstations used to configure them
- it’s executed by the launcher module - either 1-2 hours after the ICS-payload modules
- Remember the configuration software we showed you earlier? This module wipes files belonging to SCADA software, as you can see on the screen… Furthermore, it renders the machine unbootable by corrupting the Registry and finally crashes it by killing all, including system processes. Substation operator…circuit breakers being reopened, protection relays irresponsive, when you sit down to fix the problem, SCADA SW gone Another demonstration of the importance of backups
- Some modules Vendor-agnostic others specific to Siemens/ABB… also discovered GE firmware
- As you’ve seen, Industroyer’s capabilities are rather versatile. It was malware that caused the Ukraine blackout – but it’s also configurable, and can be re-purposed to attack power grids around the {click} world. It’s a scalable and dangerous weapon against ICS – as we’ve said, the biggest since Stuxnet. But the gist of the threat is in the skillset and dedication of the {click} malware operators. It’s not about being able to code the malware but their ability (which they demonstrated in Ukraine) to become familiar with the architecture of industrial site they want to target – what devices there are, what commands to send them, and what will happen as a result.
- configurable, and can be re-purposed to attack power grids around the {click} world. It’s a scalable and dangerous weapon against ICS – as we’ve said, the biggest since Stuxnet. But the gist of the threat is in the skillset and dedication of the {click} malware operators. It’s not about being able to code the malware but their ability (which they demonstrated in Ukraine) to become familiar with the architecture of industrial site they want to target – what devices there are, what commands to send them, and what will happen as a result.