
I'm a bit confused about the Stuxnet S7-417 attack. I believe Stuxnet performed a man-in-the-middle attack on the PLC, closing various valves in the background while it spoofed the values in the input image of the PLC, left the original logic running to write to the output image, and disassociated the input and output images from the sensors and actuators [2]. However, I don't understand how this could work if the logic on the PLC wasn't changed (which I assume it wasn't, as the original program continued to run), but I doubt that it was a firmware change, as I've read that changing the firmware on PLCs is very difficult due to digital signatures [3]. So where actually was the modification made?

[I have never actually played around with PLCs, only read about them, which may be why I can't see how this works.]

[2] www.langner.com/2010/11/417-attack-code-doing-the-man-in-the-middle-on-the-plc/

[3] Section 2.3, https://arxiv.org/pdf/1702.05241.pdf

Stuxnewt
  • [Wired has a pretty decent article on what they know on Stuxnet](https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/) – RoraΖ Apr 27 '17 at 11:57

2 Answers


According to Langner:

> Immediately after infection the payload of this early Stuxnet variant takes over control completely. Legitimate control logic is executed only as long as malicious code permits it to do so; it gets completely de-coupled from electrical input and output signals. The attack code makes sure that when the attack is not activated, legitimate code has access to the signals; in fact it is replicating a function of the controller's operating system that would normally do this automatically but was disabled during infection. In what is known as a man-in-the-middle scenario in cyber security, the input and output signals are passed from the electrical peripherals to the legitimate program logic and vice versa by attack code that has positioned itself "in the middle". [Page 8]

That seems to suggest that logic flow was changed at the software level.

[Side note] It appears the original Langner article has been moved. The PacketStorm link works.

schroeder
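To make the "in the middle" placement concrete, here is an added toy model of a PLC scan cycle (constructed for this page; it is not Siemens code, not Langner's, and not taken from the Stuxnet samples). A PLC copies electrical inputs into the process input image, runs the user program against that image to produce the output image, then copies the output image to the actuators. The user program never touches the wires; the operating system's I/O update does. The model keeps `legitimate_logic` identical in both runs and only swaps the I/O-update step, which is exactly the distinction the question asks about: the logic can be unchanged and still act on fabricated values. The `Plant`, `FrozenImage` and `image_disagrees_with_plant` names and the tank process are assumptions made for the illustration; the last of these is the defender's angle, an independent measurement compared against the value the controller believes it is seeing.

```python
"""Toy PLC scan cycle (constructed example): OS I/O update vs. user logic."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Image = Dict[str, float]          # a process image: signal name -> value
IoUpdate = Callable[[Image], Image]


@dataclass
class Plant:
    """Constructed physical process: a tank that fills while its inlet valve is open."""
    level: float = 0.0
    valve_open: bool = True

    def step(self) -> None:
        if self.valve_open:
            self.level += 10.0

    def read_sensors(self) -> Image:
        return {"LEVEL": self.level}

    def drive_actuators(self, outputs: Image) -> None:
        self.valve_open = outputs.get("VALVE", 0.0) > 0.5


def legitimate_logic(inputs: Image) -> Image:
    """User program (never modified below): close the inlet valve at 50 units."""
    return {"VALVE": 1.0 if inputs["LEVEL"] < 50.0 else 0.0}


def os_io_passthrough(image: Image) -> Image:
    """Normal operating-system behaviour: the image is copied unchanged."""
    return dict(image)


class FrozenImage:
    """Models the decoupling Langner describes: the first snapshot seen is replayed
    every cycle, so the (unchanged) logic never sees the real measurements.
    Hypothetical stand-in for the interposed I/O update, not real attack code."""

    def __init__(self) -> None:
        self.snapshot: Optional[Image] = None

    def __call__(self, image: Image) -> Image:
        if self.snapshot is None:
            self.snapshot = dict(image)
        return dict(self.snapshot)


def run_cycles(plant: Plant, n: int,
               input_update: IoUpdate = os_io_passthrough,
               output_update: IoUpdate = os_io_passthrough) -> Tuple[Image, Image]:
    """Run n scan cycles; returns the final input and output images."""
    pii: Image = {}
    piq: Image = {}
    for _ in range(n):
        pii = input_update(plant.read_sensors())    # 1. peripherals -> input image
        piq = legitimate_logic(pii)                 # 2. user logic, byte-for-byte the same
        plant.drive_actuators(output_update(piq))   # 3. output image -> actuators
        plant.step()
    return pii, piq


def image_disagrees_with_plant(plant: Plant, pii: Image, tolerance: float = 1.0) -> bool:
    """Defender check: compare an independent reading of the process against the
    value the controller's input image holds. Only a measurement that does not pass
    through the PLC can reveal that the image has been decoupled from the wires."""
    return abs(plant.read_sensors()["LEVEL"] - pii["LEVEL"]) > tolerance


if __name__ == "__main__":
    healthy = Plant()
    pii, piq = run_cycles(healthy, 10)
    print("normal I/O update:  level", healthy.level, "valve", piq["VALVE"],
          "mismatch", image_disagrees_with_plant(healthy, pii))

    decoupled = Plant()
    pii, piq = run_cycles(decoupled, 10, input_update=FrozenImage())
    print("frozen input image: level", decoupled.level, "valve", piq["VALVE"],
          "mismatch", image_disagrees_with_plant(decoupled, pii))
```

In the normal run the logic sees the level climb and shuts the valve at 50; in the frozen run the same logic keeps seeing the first snapshot and never shuts it, while the tank keeps filling. Nothing in the PLC's own images reveals this, which is why the check has to use a reading that bypasses the controller.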

What I have heard is that Stuxnet searched for computers running the programming software for the PLCs; it then "infected" the programming software, allowing it to change the programs being created for the PLCs, which were then loaded onto a memory card that was inserted in the PLC. The changes to the programs for the PLCs were to spin up and fake the output displayed to the operators.

The S7 PLCs were never connected to the computers or the internet in any way, and the creators of Stuxnet must have known that.

But these are only things that I have heard at a security meetup.

esrange