Jumping the Airgap Redux: Human Incompetence is not a Viable Strategy
Last week, I reported that bored engineers at a nuclear power plant in Ukraine hooked up an air-gapped system to the internet to mine cryptocurrency. An air-gapped network, by design, should never be connected to the internet: it contains highly sensitive information or systems, and connecting it to the internet makes them more vulnerable to attack. These engineers wanted to steal electricity from their employer to make some extra cash. What they did not realize is that they put the entire power plant and the Ukrainian power grid at risk of attack. Systems hosted inside a nuclear power plant and connected to the internet must pass a strict security review to ensure they do not create any additional risk. It is highly likely that the cryptocurrency miners the nuclear plant workers installed were not vetted through this process.
An explosive revelation posted by Yahoo News this week outlines how the US and Israel got the Stuxnet malware into the Natanz nuclear enrichment facility in 2007. While the US and Israel have never confirmed they authored or delivered the Stuxnet malware, most people in the security and intelligence communities attribute its creation and release to the two allied nations. Iran built the nuclear enrichment facility near the town of Natanz intending to enrich uranium to a level where it could be used as fuel in a nuclear power plant or in a nuclear weapon. Iran insisted it was the former; Western nations believed it was the latter. Not wishing to wait and see how the enrichment would pan out, and with the United States already embroiled in a Middle East conflict under the pretense of a regime stockpiling weapons of mass destruction, an alternative solution was required to stall or derail the enrichment process. Developing a piece of malware to do just this would be simple in comparison to delivering that malware onto the air-gapped network at the Natanz enrichment facility.
The Natanz facility was built hundreds of feet underground to withstand an aerial bombardment. The entrance to the facility required employees to walk back and forth through switchbacks, so there were no long tunnels through which a missile could fly in and destroy the facility. Natanz fit the definition of a physically impenetrable fortress. Its network was equally inaccessible from the outside world, or so the Iranians thought. In 2004, the US and Israeli intelligence agencies approached the Dutch intelligence organization AIVD to help recruit an asset to perform reconnaissance at the Natanz facility. Three years later, in 2007, with the help of the Dutch asset, the US and Israel compiled the first version of the Stuxnet worm. Through careful planning and preparation, the Dutch asset managed to get the worm into the Natanz facility by walking in through the front door. It is believed the Dutch asset posed as a mechanic working on equipment in the facility and planted the malware on a computer that would eventually connect to the air-gapped network. The report that Dutch intelligence recruited or turned an asset within Iran to deliver the first version of the worm is one of the last pieces in the puzzle of the Stuxnet story. It was previously unknown how the first version of the malware made its way into the Iranian facility.
The first version of Stuxnet targeted the many centrifuges that Natanz used to enrich uranium gas. These centrifuges spun so fast that they had to operate within strict temperature and tolerance limits or risk destruction. The implanted malware effectively shut the exit valves on the centrifuges while displaying normal readings to the centrifuge operators. With the valves stuck in the closed position, the pressure inside the centrifuges rose to unsafe levels and precious uranium gas was wasted. Iran was already under strict sanctions on importing uranium and uranium gas, so it needed to make every gram count. Iran was also under embargo on importing parts used to make the centrifuges, so damaging and destroying the centrifuges further delayed the republic’s nuclear ambitions. Once the Dutch asset got Stuxnet onto the Natanz air-gapped network, it spread itself via USB flash drives. Industrial equipment operators would often compile instructions on their own machines and then load them onto the Programmable Logic Controller (PLC) via USB flash drive.
Several years later, the US and Israel changed their strategy to get the next generation of Stuxnet into the nuclear enrichment facilities.
Using a human asset to perform reconnaissance and walk the malware into Natanz was becoming too risky. A new spreading mechanism would be required to infect the air-gapped network. The US and Israel used four unique zero-day vulnerabilities to make the malware spread like wildfire. Thanks to the surveillance performed by the Dutch asset, Stuxnet could be coded to take action only when it was present on a system connected to a particular PLC and centrifuge layout. That way, when the malware landed on a computer that was not the intended target, it would stand down and remain undetected. The US and Israel targeted five industrial contractors in Iran and infected them with the next generation of Stuxnet. These contractors would eventually deliver the updated code to Natanz via infected USB flash drives. This spreading mechanism had its drawbacks, though. Spreading too far and wide increased its exposure, and its discovery became imminent. Due to a glitch or a coding error, this new version of Stuxnet was causing machines to act erratically and randomly shut down even when they were not the intended target. A security researcher’s response to reports that dozens of machines were misbehaving in Iran led to the discovery and public disclosure of Stuxnet, effectively ending the operation.
Information security distinguishes between insider threats who unwittingly put organizations at risk, as covered in my previous article, and insider threats who set out to compromise internal systems on purpose, as was the case with Stuxnet. In either case, organizations can learn a great deal from these two examples of how attackers jumped the air gap. Defense-in-depth is key. Running the world’s largest security cloud has taught us many lessons. The vast majority of threats come from the internet, and securing the internet connection goes a long way toward protecting an organization. For threats that do not originate from the internet, endpoint security, end-user behavior analytics, identity and access management, red teaming, out-of-band access, and security awareness training complete the defense-in-depth model and make organizations more secure.
The significant difference between the Ukrainian nuclear power plant and the Natanz enrichment facility is that the Ukrainian power grid was put at risk accidentally, while the attack against Natanz was deliberate. Attackers targeting the nuclear plant or the power grid in Ukraine would have to be monitoring their target, looking for vulnerabilities, or getting very lucky with a Shodan search that turned up an exposed system. A targeted attack like Stuxnet shows that any system, no matter how secure or air-gapped, can be infiltrated given enough time and resources. If a nation-state has targeted an organization, it is not a matter of if it is infiltrated, it is a matter of when. Nation-states do not rely on human incompetence or dumb luck. Implementing proper security controls and practicing defense-in-depth makes it much more difficult for a nation-state attacker to break into the network, as long as employees are not connecting air-gapped systems to the internet to mine cryptocurrency.