A comprehensive industrial automation malware suite

If it's as good as this whitepaper makes it sound, it's a very useful set of tools to explore and exploit a highly diverse and customized target surface. These protocols and systems are highly insecure but often not particularly organized, so the value of an attack is as much in inventorying and remotely understanding what the various bits and bobs do as it is controlling them in the actual attack.

Hard to say how good it is from that whitepaper; it's just a high-level glossy overview across the top, but the reality is that it doesn't have to be very good to do a whole lot of damage to a typical industrial control systems facility. Security is often "literally non-existent," in the sense of "There are not even passwords on the Ethernet-to-serial bridges used to talk Modbus to the devices." I've also known of some equipment that prevents you from properly scanning the network, because they'll crash from ICMP ping packets...

But the frameworks to attack physical systems are out there, and as we've seen a few (and there are certainly others that haven't been found yet), it's an area of active R&D for a wide variety of "interested parties." Particularly scary is the ability to hide bonus functions in device firmware and then (potentially) remove yourself from the control systems entirely. I'm not sure that many attackers would deliberately break their foothold like that, but being able to set a time bomb and then leave cleanly would certainly make later analysis a challenge. Though we've already seen techniques to make it a challenge. One of the Stuxnet family (Gauss, I think?) had a nifty "target environment specific" crypto key deriver that, as far as I know, hasn't been cracked - at least not that I can find. It was something like using a combination of a Unicode directory name in Program Files and path variables: you try all the combinations on a test seed value, and if you find the target value, run the algorithm again with the "real" seed value and out pops your crypto key to decrypt the payload.

Yes, doing everything with PLCs is fancy and easy and modern, but it's going to have some really nasty consequences at some point... beyond just the destruction of uranium centrifuges we know about.