Pay attention to the P in Advanced Persistent Threat [APT]. Most of the attention paid to the trojan with a payload targeting Siemens control system applications has been on the Advanced nature of this malware. And that attention is warranted because there has not been a public example of malware targeting control systems prior to this.
But now that we have had a few days to chew over that, I’d like to pose the question of how do we know the threat has been removed from any targeted control systems and organizations? There has been much buzz on APT recently, including in the control system community after S4. A lot of the buzz has been to sell products and services, but let’s look at that persistent nature that really is the distinguishing feature of APT.
A company finds that it has been the victim of the attack. They investigate; find the exploit; figure out how to clean it out; and hopefully find a way to prevent it from repeating. However, a few days, weeks, months later a different exploit is found. And this happens again and again. There are a wide variety of exploits, in different systems, that wake up at different times, because the attacker had a strong desire to maintain a presence on your network once they had breached it. Maybe the attacker plants a logic bomb in case they are unable to contact one or more of their connections for a period of time.
This attacker directed their attacks on a specific target because that target had something of great interest or value to the attacker.
Based on the available information, the trojan was passed by USB which can indicate it was a directed attack, and the trojan was gathering project information. Perhaps this information gathering is only the first stage of an attack. If your control system was compromised, how do you determine if you have eradicated the attacker’s presence and capabilities on your system?
Cleaning out and preventing the reappearance of the trojan is necessary but maybe not sufficient. I would be very worried where else the attacker is lurking in the system. We know that many control systems today have little patching, minimal security configuration, shared and default user accounts, … So it is likely that the attacker has compromised multiple systems in multiple ways if they wanted persistence.
PS – The Siemens press release on the trojan conveniently puts all of the blame on Microsoft and does not mention their password issue. This is disappointing, but all too common reaction the first time the control system group gets hit with an issue like this. Better to just be straightforward, take the hit, solve the problem and move ahead. It gives all involved some sense of comfort that a strong security group is on the case.