By Heather MacKenzie
A previously identified malware, named Duqu, re-emerged in a very surprising way. It was detected attacking the systems of Kaspersky Lab, one of the leading cyber security firms in the world. And, it wasn’t just that it went after the experts’ systems that is amazing, what is also amazing is how it did it.
Kaspersky researchers said “The philosophy and way of thinking of the ’Duqu 2.0’ group is a generation ahead of anything seen in the APT world.” (APT stands for Advanced Persistent Threat.)
What is this new malware and how does it relate to ICS security? The original Duqu worm, exposed in September 2011, attacked industrial control systems for the purposes of information stealing, including surveying control systems. This new version seems focused on espionage, particularly stealing information on cyber security technologies.
While not a threat to ICS as far as we know today, it is a reminder that APTs are a type of risk that industrial operators should be evaluating on an ongoing basis. The goal here is to inform you, not alarm you, about this unique threat.
Then we’ll revisit the best practices for defending industrial systems against APTs.
Used 3 New Vulnerabilities
Greg Hale at ISSSource wrote a good article summarizing information about Duqu 2.0. With permission, I am republishing some of his article here:
“Duqu 2.0 appears to be back and continuing where it left off with intellectual property theft, but no additional indicators of malicious activity,” said researchers at Kaspersky Lab. Their analysis found the top goal of the attackers was to spy on technologies, ongoing research and internal processes, with no interference with processes or systems.
Kaspersky Lab believes the attackers were confident it was impossible to discover the cyberattack. The attack included some unique and unseen features and almost didn’t leave traces. The attack exploited Zero Day vulnerabilities and after elevating privileges to domain administrator, the malware spread in the network through MSI (Microsoft Software Installer) files. These files are commonly used by system administrators to deploy software on remote Windows computers.
The cyberattack didn’t leave behind any disk files or change system settings, making detection extremely difficult.
“The people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar,” said Costin Raiu, director of Kaspersky Lab’s Global Research & Analysis Team. “This highly sophisticated attack used up to three Zero Day exploits, which is very impressive – the costs must have been very high. To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it.”
Kaspersky Lab researchers discovered the company wasn’t the only target of this powerful threat actor. Other victims were in Western countries, as well as in countries in the Middle East and Asia. Most notably, some of the new 2014-2015 infections link to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The Duqu team appears to have launched attacks at the venues where the high level talks took place.
Technical details about Duqu 2.0 are available on the Kaspersky blog: via Securelist.
The following are preliminary conclusions:
• The attack ended up carefully planned and carried out by the same group behind the 2011 Duqu APT attack. Kaspersky Lab believes this is a nation-state sponsored campaign.
• Kaspersky Lab strongly believes the primary goal of the attack was to acquire information on the company’s newest technologies.
• The attackers seem to have exploited up to three Zero Day vulnerabilities. Microsoft patched the remaining Zero Day (CVE-2015-2360) June 9 (MS15-061).
• The malicious program used an advanced method to hide its presence in the system: The code of Duqu 2.0 exists only in a computer’s memory and tries to delete all traces on the hard drive.”
ICS Security Best Practices for APTs
If APTs are new to you, I suggest you read our earlier foundational blogs on the topic. The first one defines APTs, gives examples of them and explains best practice number one: Focus on the crown jewels.
What are your crown jewels? Think of the systems that would cause a complete disaster for your network if they were shut down (either unintentionally or maliciously). Examples are:
• The safety integrated system (SIS) in a refinery
• The PLC controlling chlorine levels in a water filtration plant
• The RTU in an electrical substation
Control systems have become complex and difficult to protect at all times. Thus, use the method smart IT teams are using and focus resources on securing those assets that really matter to the survival of the company.
In our second best practices article we discuss additional APT containment strategies:
• Focus on detection, not protection. You need to know what sort of traffic is travelling over the control network and when someone connects an unauthorized laptop to the network.
• Change your perspective from perimeter centric to “process-centric” or “asset-centric”. Make sure that specific high value processes continue to function reliably regardless of what is happening around them.
• Log for threat detection, not just compliance. Compliance logging generates massive amounts of data that is often only analyzed after a cyber-incident occurs. Your goal should be to optimize your information so dangerous anomalies stand out, rather than get buried in the noise.
Focus is the Key to Defending against APTs
The best practices described above are highly related to the concept of focused effort. For example, effective threat detection is only possible if you focus your controls on detection and focus your coverage on what matters. Unfocused approaches to security that try to protect everything inside a perimeter are too complex and too expensive.
By moving your security approach from scattered to focused you will save time, money and effort … you just might save your company from the next APT.
Heather MacKenzie is with Tofino Security, a Belden company. Click here to view Heather’s blog.