Tuesday, January 27, 2015

North Korea, SONY and SCADA Flaws

In these past couple of months I have noticed some patterns and anomalies in the news, as well as in less traditional sources, about North Korea, SONY and SCADA insecurity. How does it all relate? Is it really North Korea's fault? Was this planned in advance to justify means to attack North Korea, or did all of this happen to boost viewers for the not-so-cool movie The Interview? What about the new Hollywood movie Blackhat, which is about SCADA attacks on North Korea? Well, here are some facts:

On November 24, 2014, a mysterious image appeared on every SONY employee's computer at the same time, warning them of an imminent demise.

The bad news reached the media by 10:50 AM, after SONY's phone systems, workstations and e-mail servers were paralyzed across SONY's headquarters and all other locations. The attackers threatened SONY, saying this was "only the beginning", that they had also compromised the network and would release the "internal data" they had gathered. They also blackmailed the company, threatening to release its "top secrets" if it did not "obey" their demands. Whether these statements were true or not, they were released to the mass media. Having obtained 100 TB of information, the "Guardians of Peace" (as they called themselves) got hold of some pre-release movies that were going to air early the next month. I am not going further into the description of this attack, but you can find more information here:


On November 27, 2014, while SONY's systems were still inaccessible, five movies were released to the public by these cyber-criminals. The one that caught the mass media's eye and people's attention was "The Interview", a movie in which the dictator of North Korea, Kim Jong-un, is killed by some unofficial U.S. agents. This caused a plethora of commotion and a string of catastrophic and suspicious events directed at North Korea. A North Korean website called the movie a "provocative evil act."

Suspiciously, by the next day, November 28, 2014, North Korea had already been blamed for SONY's breach by the FBI, which started conducting an in-depth investigation of the breach on December 1, 2015. Later that week, the Associated Press blamed North Korea for the attack just because some "cyber-security experts" stated that they had found "striking similarities" between the code used in the hack of Sony Pictures Entertainment and the code used against South Korean companies and government agencies the year before. Even though this seems like a blatant accusation, it wasn't until Thursday, December 18 that the U.S. government publicly accused North Korea of the attacks. By this time, a huge amount of critical, sensitive and private data had been pulled from Sony Entertainment, including but not limited to future and past movie scripts and personal e-mail messages, putting various Sony personnel in hot water and involving Angelina Jolie, journalists (blamed for aiding the cyber-criminals) and U.S. President Barack Obama, all key ingredients of a very horrifying and unpredictable turmoil.

After a series of threats from the cyber-criminals stating they were going to blow up theaters and the White House, President Obama stepped up for Sony and gave a speech about the consequences of "not stepping up" to this threat. President Obama also said he was going to take a "proportional response". Days after his speech, SONY complied and aired the movie. The funny thing is that, mysteriously, in late December (December 22, 2014), North Korea suffered a severe Internet outage which lasted nearly 10 hours, followed by 24 hours of sustained instability on its networks. Not only that, North Korea had a blackout (yes, a power outage) after the Internet outage, and yesterday (January 26, 2015) North Korea's power lines started having problems again.

Picture from: Dyn Research
Whether this is a government-to-government attack or not, let's take a little look at SCADA systems. SCADA (Supervisory Control and Data Acquisition) systems operate over an operational channel, sending a series of commands to a centralized control panel. These systems include (but are not limited to) water purifiers, oil refineries, nuclear plants, laboratory gadgets, traffic lights, PLC (Programmable Logic Circuits) peripherals and devices, and the backbone infrastructure of continents. The very bad idea here is that all of these critical infrastructure components can be accessed and managed from the Internet. Even though SCADA systems have been around for far longer than the Israeli and CIA's creation of the Stuxnet worm (2004), they got really popular after Stuxnet's attack on Iran's nuclear plant.

Nowadays, people can benefit from SCADA's beauty (and cyber-criminals can abuse it) by using a very popular search engine called SHODAN (www.shodanhq.com), which retrieves, scans, indexes and displays the login banners of hosts, returning results by service (TELNET, FTP, SMB, HTTP, HTTPS, etc.) for any device connected to the Internet. This not only includes SCADA infrastructure devices, but also a plethora of other devices, such as baby monitors, CCTVs, digital refrigerators and toasters, backbone routers, gas stations and anything that contains a silicon-based micro-chip connected to the Internet.

Whatever the protocol, a user is able to see the banner information, which might reveal credential information and increases the odds of a curious or malicious user brute-forcing the login and getting into the system by at least 50%. This is a serious risk. So serious that one member of U.S. Homeland Security described SHODAN as a national threat.

Whether it is a threat or not, I strongly believe the people who have to take the blame are the ones who "secure" these critical systems so poorly and make them accessible on the Internet for all prying eyes. They make it easy for attackers by using default passwords, for example: anyone researching that manufacturer, or simply looking at the user guide, can instantly gain access and actually control an entire city or continent. Weak passwords are also implemented on these systems, which comes down to lazy and ignorant system administrators. A very good example of this is the manufacturer's flaw in SIEMENS products.

SIEMENS provides an autonomous way of managing electrical, medical, energy, financial, consumer and other systems. Some of their products are very critical to global infrastructure, so they play a big role in SCADA systems. In 2011, during the BlackHat Las Vegas event, a security researcher showed a highly critical flaw in SIEMENS control systems: a hard-coded administrator password in the firmware. Login information could be obtained by reverse engineering the code of their software, which could be available anywhere on the net. It is very hard to believe that a company with such reputation and responsibility makes a mistake of this degree. Not only could an attacker exploit this vulnerability, he could also lock out the administrator, keeping total access to the system and preventing anyone from interfering with his evil plans and actions.

Siemens PLC hidden Easter egg in the firmware from German hackers. (Courtesy NSS Labs)
Above is a message left by some German "hackers" just to prove that the system could be exploited.

So, where is all this heading? Are SCADA systems really that insecure? How can vendors avoid getting their products compromised? Are they liable if a city "goes down"? Is a hack actually able to kill a city's residents by infecting the water or by making a thermonuclear plant?

This is where the new movie Blackhat (http://www.imdb.com/title/tt2717822) comes into the picture. We all know Hollywood is very involved in everyone's lives, because most of us love movies, and we all know the impact Hollywood has on our lives. For one thing, we know Hollywood has "predicted" many events with hidden messages, symbolism and even movie scripts. It might seem like they have a "magic crystal ball" in their hands. Even though Hollywood recreates an imminent dystopia for all of us to see and wonder about our future, their movies are a little far from reality. Still, it is the concept we really have to look at: they are always right about the main point and theme of their movies. Separate the facts from the fiction and you will notice that one of Hollywood's new movies, Blackhat, is not very far from the truth. This movie is about a hacker hired by the U.S. government to stop a black hat hacker (a cracker, or bad hacker) from causing a lot of chaos by attacking critical SCADA infrastructure in North Korea and the WHOLE WORLD!

Apart from Stuxnet, nothing like this has ever been done, which proves that it is possible and it is an option. There also exist SCADA Trojans which are right now being improved to affect SCADA systems. But whatever we have looked at might have been limited to the audience's eyes: whatever we see and hear has already been filtered. There is, in fact, a cyber war going on right now, and I would like to share this link with you: http://map.ipviking.com/

It shows (in real time) which country is attacking whom, their IP addresses (real or spoofed), destinations, number of hits taken, etc. It is not a simulation, nor a game. It is taken from the Norse Live Attack Intelligence database.

With this graph in mind, North Korea's situation, what we know about SCADA and the movie Blackhat, I should ask these questions: Are we all heading toward an imminent disaster? Will it be a dystopian future like the one shown in Hollywood movies? What about wars involving citizens? Will wars be fought with guns, drones and tanks, or by attacking critical SCADA infrastructure? Will only governments do this, or will hacktivists step up too to make their point? I guess the future is very near and the only way of knowing is to give it time. Only time will tell...

Please feel free to post your responses in the comments section below.