Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
Over the weekend a new super worm exploded onto the cyber security landscape.
Known as Flame or sKyWIper, it appears to be targeting sites in the Middle East, just as Stuxnet and Duqu did. But what does it have to do with SCADA or ICS security? At this stage the answer appears to be nothing, and everything.
Let’s start with what Flame is. Rather than just being a typical worm, Flame appears to be a carefully crafted attack toolkit for industrial or political espionage. According to Aleks at Kaspersky Labs “it is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.”
The first unusual thing about Flame is that it is massive. While a typical worm is around 50 Kbytes in size, Flame weighs in at roughly 20 Mbytes, nearly 400 times larger.
The reason for this size is that Flame is a multi-functional toolkit for information stealing, completely reconfigurable by its masters for new tasks.
According to the CrySyS Lab report on sKyWIper (aka Flame):
sKyWIper has very advanced functionality to steal information and to propagate. Multiple exploits and propagation methods can be freely configured by the attackers. Information gathering from a large network of infected computers was never crafted as carefully as in sKyWIper. The malware is most likely capable of using all of the computers’ functionalities for its goals. It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, Wi-Fi, Bluetooth, USB and system processes.
Flame is a Swiss Army Knife of malware in the sense that it can intercept almost everything imaginable, but it is not a pile of existing malware code thrown together. It is very cleverly crafted. Like Stuxnet, it has multiple propagation vectors: USB keys, printer sharing, and domain controller rights, to name a few.
Its modular architecture allows its creators to change its functionality and behavior massively at any time. It also embeds the Lua scripting language, letting its operators script and manage its activities. Its code injection techniques are also remarkable.
Flame is no script kiddie project. It is probably not even an organized crime project. All reports from the anti-virus companies analyzing Flame indicate it was created by a well-funded, professional team of developers. As Kaspersky Labs put it:
“…the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.”
What does Flame have to do with SCADA and ICS Security?
On the surface, very little. As currently configured, Flame is clearly an information stealer. There is no evidence that it has SCADA or ICS related modules installed at this time.
That said, Symantec and others report that Flame appears to be the same worm that the Iranian Oil Ministry reported was impacting its facilities at the Kharg Island terminal last month. Iran’s National CERT (MAHER) is also now reporting on the existence of this worm inside Iran.
What does all this mean to the average control engineer? The good news is that like Stuxnet, Flame appears to be highly targeted. Like Duqu, it steals information rather than destroying equipment. But the bad news is that this worm clearly indicates that industry, especially the energy industry, is now a key target in a rapidly growing world of sophisticated, government sponsored malware.
Call it “cyber warfare” or “cyber hype”; the bottom line is that the information/networked world is getting nastier by the day, and SCADA and ICS are part of that world.
Eric Byres is chief technology officer at Byres Security. The full version of this post is available on the Practical SCADA Security blog.