
Stuxnet, Sunburst, and Covid-19

2021-04-16


Space Travel. Time travel. Teleportation.

Made popular in the great classics. Jules Verne showed us space travel in From the Earth to the Moon. H.G. Wells explored time travel in The Time Machine. And of course, the most necessary transportation of particle matter was witnessed in Gene Roddenberry’s Star Trek. But I suspect the greatest of the classic authors of the past failed to anticipate a relatively new form of travel: that is, travel from the digital world into the physical world. Which makes sense, because who in the digital world could possibly instigate a desire to travel to the physical world? Kevin Flynn from Steven Lisberger's 1982 Tron?

Yes, but also Stuxnet.

Stuxnet

Stuxnet is a self-replicating digital worm with instructions to seek and destroy specific objects in the physical world. First seen in Microsoft Windows computers in 2010, Stuxnet became a digital pandemic, spreading quickly to more than 110 countries, 200,000 computers, and 30,000 organizations. Infected computers were reprogrammed to seek out one specific manufacturer’s Supervisory Control and Data Acquisition (‘SCADA’) system. From the SCADA system, managed Windows-based computers known as Programmable Logic Controllers (‘PLC’) were identified, accessed, and reprogrammed to send damage-inducing instructions to physical plant equipment. Which they did, and extensive damage occurred.

Stuxnet was the first known malware to jump from the digital world into the physical world and blow stuff up. But it did more than blow up uranium centrifuges in Iran. Stuxnet also blew up the notion that Industrial Control Systems, air gapped and physically isolated from the internet, were mostly immune from attack. And then came Sunburst, the next game-changing worm to travel from the digital world to the physical world and give hackers access to Industrial Control Systems.

When experts in the industry get hacked, it gets everyone’s attention. First detected as a breach at the cybersecurity firm FireEye, Sunburst was ultimately traced back to a breach in September 2019 at the IT/OT network management company SolarWinds.

Sunburst

SolarWinds Orion software is used by telecommunications companies, the US military, US Federal agencies, colleges and universities, the Fortune 500, and more than a dozen critical infrastructure companies in electric, oil and manufacturing. SolarWinds is also embedded into electronic equipment by original equipment manufacturers (‘OEM’), which could affect any number of unsuspecting companies.

Sunburst has been called the most sophisticated attack ever seen. It’s been detected in computers in North America, Europe, Asia, and the Middle East. Interestingly, while Sunburst was stealthily spreading pandemic-style in IT/OT networks around the world, all eyeballs were focused on Covid-19, a coronavirus that was spreading pandemic-style around the world, in a most incredible art-imitates-life-imitates-art kind of way.

According to SolarWinds, customers first downloaded the malicious software update in March 2020, launching the first known, but not unexpected, software supply chain attack, perpetrated by an infected, digitally signed Windows installer patch. That means 18,000 customers installed Sunburst onto their own networks, behind the firewall, where it remained hidden in SolarWinds executables. Once in, the hackers took advantage of the Orion Platform, which gave them access to privileged users, SCADA systems, and PLCs controlling physical plant equipment.

Note that the World Health Organization declared COVID-19 a pandemic in March 2020. Where were you in March 2020? I was physically air-gapped from our corporate offices, in a working-from-home…er, in a living-at-work, kind of way.

Zero Trust

While the SolarWinds hack might not be front page news anymore, it is far from over. Hackers hack. It’s what they do best. And this one will hit the history books as a wildly successful supply chain hack that gave hackers the ability to blow up critical infrastructure. It will be shared, and copied, refined and improved. And like any good virus/malware, variants have already begun to appear.

‘Trust but verify’ is no longer just an oft-quoted platitude. The new normal in IT/OT networks means you can no longer trust that what’s behind the firewall is good. Because it’s not.

Trust Nothing. Verify All.

And when the difficulties of this coronavirus pandemic are documented into the history books, I’m going to go to the beach, kick off my shoes, and break open the cover of Twelve Monkeys, by Bruce Willis and Brad Pitt. Oh, wait. That was a movie.

What will you do?