by RSS Ruchna Nigam  |  Feb 12, 2015  |  Filed in: Security Research

After having spent the past few months trying to get myself acquainted with the world of SCADA, it was time to look into the history of attacks it has been subject to.

For the uninitiated, SCADA (Supervisory Control And Data Acquisition) is the term used for systems that are used to control physical equipment - such as in industries like power plants, oil and gas pipelines; at public facilities like metal detectors at airports; and even in private facilities e.g. to control/monitor processes like heating, ventilation, energy consumption etc.

The fact that an attack on such a system can produce (often significant) physical effects/damage makes a vulnerable SCADA system a particularly interesting target for an enemy.

This post looks at some significant (known) attacks targeted at SCADA over the years.

Unconfirmed Attacks

1982 : It is possible that the first SCADA attack took place as early as 1982. According to a collection of documents called the "Farewell Dossier", the CIA was involved in the sale of 'altered' products and equipment to the Soviet Union. To quote

"Contrived computer chips found their way into Soviet military equipment, flawed turbines were installed on a gas pipeline, and defective plans disrupted the output of chemical plants and a tractor factory."

If the account of a staff member of the National Security Council(NSC) is to be believed, a Trojan Horse was added to equipment that was sold to the Soviet. This equipment was deployed on the Trans-Siberian gas pipeline, and eventually led to an explosion. In his book he mentions

"The pipeline software that was to run the pumps, turbines and valves was programmed to go haywire, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to the pipeline joints and welds. The result was the most monumental non-nuclear explosion and fire ever seen from space."

This account was never officially confirmed in the Farewell Dossier, that only mentioned the installation of flawed turbines but not the accident.

1999 : There were reports of an attack on Gazprom, the Russian oil corporation, where a Trojan horse was installed on their pipeline system, with the help of an insider. The attack is reported to have disrupted the control of gas flows for a few hours but this was never confirmed by Gazprom.

Unintentional Targets

Several SCADA systems have come under attack by viruses that weren't specifically looking for them but happened to find them. The table below recaps only a few.

When Organization Under Attack Virus Name Virus Functionality Physical Impact
2003 Davis-Besse Nuclear Power Station,
USA
Slammer Slows down the network.
Motive : Denial of Service, Propagation
None.
Although, Slammer downed the SCADA network on another utility (undisclosed). (Source)
2003 CSX Corporation,
USA
Sobig

Sends out Spam via e-mail.
Motive : Spam, Propagation

The virus infected a computer system in the company's headquarters, shutting down signalling, dispatching and other systems. Train Delays were caused as a result of this. (Source)
2004 British Airways, Railcorp, Delta Airlines Sasser Exploits a buffer overflow vulnerability to propagate to other vulnerable systems. Some aggressive variants can cause network congestion.
Motive : Propagation
Train and flight delays and flight cancellations in some cases. (Source)
2009 French Navy Conficker Exploits a Windows vulnerability, or performs dictionary attacks for administrator passwords to install itself. It propagates to other vulnerable machines, self-updates and downloads & installs further malware.
Motive : Propagation, Installation of other malware.
Failure to download flight plans leading to grounded aircrafts. (Source)

Seen in the figure below is an example of a Security compromised SCADA Network.

Example of a Security compromised SCADA Network

Confirmed Targeted Attacks

This section discusses attacks that were specifically designed for and targeted at SCADA systems.

When Organization(s) Under Attack Virus Name Virus Functionality Physical Impact
2009 Exxon, Shell, BP, among others Night Dragon Remote Access Trojans (RATs) distributed using spearphishing. (Source)
Motive : Data stealing/spying, Propagation
None.
(Although, it is reported that attackers exfiltrated operational blueprints for SCADA systems and even collected data from them.)
2010 Iran's Natanz nuclear facility Stuxnet

Intercepts and makes changes to data read from and writen to a PLC. (Source)
Motive : Destruction

Destroyed a fifth of Iran's nuclear centrifuges.
2014 No reported cases Havex Distributed as Trojanized ICS/SCADA software downloads from compromised vendor websites, it scans the LAN for OPC servers and sends collected data to a Command and Control (C&C) server. (Source)
Motive : Data stealing/Spying
None
2014 No reported cases Blacken Found on a C&C server for an existing botnet of the Sandworm Team, it targets users of the SCADA software, GE Cimplicity, and installs executables to the software's home directory. Some of these executables are bots that can be commanded remotely. It also references Cimatics design files but their exact use is not yet understood. (Source) Unknown
(due to missing files on the C&C)
2014 No reported cases (Unconfirmed) Disguised as Trojanized SCADA/ICS software updates (e.g. Siemens Simatic WinCC, GE Cimplicity, and Advantech) , these files are basically traditional Banking Trojans. (Source)
Motive : Spying/Data stealing
None

Finally, since no post talking about SCADA attacks is complete without an emphasis on Stuxnet, it needs to be said that the Trojan was extremely sophisticated and designed with a very specific target in mind. Its successors Duqu, Flame and Gauss also shared some of its code/design sophistication but neither were reported to have an impact on physical equipment, like Stuxnet did. 

Another conclusion that is evident from the table above is that despite the lucrative target SCADA provides and all the listed attacks, Stuxnet is the only (known) targeted malware that succeeded in causing physical damage to industrial systems. All the other attacks are, however, a strong indicator of the growing interest in SCADA systems as a target.

UPDATE : 19/02/2015
Thanks to a comment on this post, it was brought to my attention that 2014 saw a targeted attack on the computer network of a German steel mill that resulted in massive damage, according to
this report by the german Federal Office of Information Security (BSI), adding it to the list of malware that succeeded in causing physical damage to Industrial Control Systems(ICS), along with Stuxnet.

Although, details regarding the malware itself are vague, the report states that it led to the breakdown of individual control components, that "led to the uncontrolled shutdown of a blast furnace, leaving it in an undefined state and resulting in massive damage."

The attackers used spear phishing e-mails and sophisticated social engineering to gain access to the steel mill's office network, leading them to the production network. The report describes their technical skills as 'very advanced', with an expertise not only in classical IT security but also extending to detailed technical knowledge of the ICS and production processes being used.

Thanks to Axelle Apvrille and Guillaume Lovet for their feedback.

by RSS Ruchna Nigam  |  Feb 12, 2015  |  Filed in: Security Research

comments powered by Disqus