Siemens: Stuxnet worm hit industrial systems

Siemens confirms that 14 plant systems have been infected; some of them could have been reprogrammed

A sophisticated worm designed to steal industrial secrets and disrupt operations has infected at least 14 plants, according to Siemens.

Called Stuxnet, the worm was discovered in July when researchers at VirusBlokAda found it on computers in Iran. It is one of the most sophisticated and unusual pieces of malicious software ever created -- the worm leveraged a previously unknown Windows vulnerability (now patched) that allowed it to spread from computer to computer, typically via USB sticks.

The worm, designed to attack Siemens industrial control systems, has not spread widely. However, it has affected a number of Siemens plants, according to company spokesman Simon Wieland. "We detected the virus in the SCADA [supervisory control and data acquisition] systems of 14 plants in operation but without any malfunction of process and production and without any damage," he said in an e-mail message.

This is worrisome news because according to a new paper on the worm, set to be delivered at this month's Virus Bulletin conference in Vancouver, Stuxnet could be used to cause a significant amount of damage if it is not properly removed.

Researchers at Symantec have cracked Stuxnet's cryptographic system, and they say it is the first worm built not only to spy on industrial systems, but also to reprogram them.

Once installed on a PC, Stuxnet uses Siemens' default passwords to seek out and try to gain access to systems that run the WinCC and PCS 7 programs -- so-called PLC (programmable logic controller) programs that are used to manage large-scale industrial systems on factory floors and in military installations and chemical and power plants.

The software operates in two stages following infection, according to Symantec Security Response Supervisor Liam O'Murchu. First it uploads configuration information about the Siemens system to a command-and-control server. Then the attackers are able to pick a target and actually reprogram the way it works. "They decide how they want the PLCs to work for them, and then they send code to the infected machines that will change how the PLCs work," O'Murchu said.

As Wieland noted, there are no known cases of plant operations actually being affected.

However, that's certainly a possibility, according to O'Murchu. Stuxnet comes with a rootkit, deigned to hide any commands it downloads from operators of the Siemens systems. Because of that, Symantec warns that even if the worm's Windows components are removed, the Siemens software might still contain hidden commands. Symantec advises companies that have been infected to thoroughly audit the code on their PLCs or restore the system from a secure backup, in order to be safe.

Stuxnet has infected systems in the U.K., North America and Korea, however the largest number of infections, by far, have been in Iran.

The first samples of the Stuxnet code date back to June of 2009, but security experts believe that it probably did not start infecting systems until earlier this year.

Defense contractors and companies with valuable intellectual property have been hit with targeted attacks for years now -- in January Google said it was the target of a sophisticated data-stealing effort known as operation Aurora. But Stuxnet marks the first time that someone has targeted the factory floor.

And if the worm were to be used to mess up systems at a chemical or power plant, the results could be devastating.

"We've definitely never seen anything like this before," O'Murchu said. "The fact that it can control the way physical machines work is quite disturbing."

It's unlikely that Stuxnet could take over new systems at this point, however. Symantec gained control of the domain used to send commands to infected machines shortly after Stuxnet was discovered, meaning that the hackers behind it no longer have a way to send new commands to infected systems.

Nobody knows who's behind Stuxnet, but recently Kaspersky Lab researcher Roel Schouwenberg said that it was most likely a nation state.

Symantec's O'Murchu agrees that the worm was done by particularly sophisticated attackers. "This is definitely not your typical operation," he said.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securitymalwareenergyManufacturingsymantecindustry verticalssiemens

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?