Tuesday, November 1, 2011

Nitro Follow-up

There was an interesting fire storm of articles about the ‘Nitro Attacks’ report from Symantec yesterday, most of them focusing on the nature of the Chinese threat (See WaPo, or PCPro as just two examples). Interestingly Symantec hasn’t yet made a big thing about this report (it still isn’t listed on their White Papers page); only mentioning it in passing in a press release about global infrastructure cyber security awareness.

A cyber security reader of this blog Tweeted me yesterday (tweet since deleted, so he’ll remain nameless) to be careful in my initial analysis of this report, as additional information may result in substantial changes in what we think about it. In a way he was certainly correct; as with any fresh intelligence (or counter-intelligence, in this case) report, new information may change the importance or slant of the report. But every military commander (and intelligence analyst) is trained to remember that no single intelligence report should totally guide their actions, because short of actually being able to sit in on the enemy’s planning process, intelligence and counter-intelligence are nothing more than an educated guess (hopefully a sophisticated educated guess) about what the enemy is doing.

Having said that, there are some important points that we should take away from the Symantec report.

Chinese Attack

Much of the media fire storm has been focused on the ‘Chinese’ nature of the threat. First off, Symantec makes it clear that the source of the attack was a virtual private server (VPS) located in the United States. By the way the press has been jumping on this series of attacks, that location must mean that the attacks originated with the US Government (obviously not; I’m just making a point about jumping to conclusions).

The Symantec report ascribes responsibility for the mechanics of the attack to a specific Chinese individual they call ‘Covert Grove’. Their description of him (see page 4 of their report) makes it seem unlikely (certainly not impossible, just unlikely) that this person is the agent of a major Chinese government operation.

Since Symantec does not make clear how they identified the individual (not likely to occur; that would disclose ‘intelligence means and methods’), we must take them at their word that they are unable to “definitively determine if he is hacking these targets on behalf of another party or multiple parties”, much less determine who is ultimately responsible for the attacks.

Targeted Information

Throughout most of the report Symantec was careful to describe the targeted information as ‘intellectual property’, a rather vague term meaning any unique information produced by the organization that provides some sort of value to it. I suspect that this term is used because it is probably impossible to determine exactly what information was exfiltrated from the affected systems.

The information that I picked up on in my comments on the possible additional future threat to control systems at the affected organizations (and I carefully attributed that ‘threat’ to my own thinking, not to the Symantec report) came from the closing sentence in the summary of the document (page 6):

“This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs, formulas, and manufacturing processes.”

While Symantec can probably tell us the approximate sizes of the files exfiltrated, I really suspect that they cannot (and certainly would not publicly) tell us what was taken, unless they were able to monitor a specific attack in real time.

The Real Importance of the Nitro Attacks Report

Most of the news reports have overlooked the real import of the Nitro Attacks report. That these specific attacks have happened is old news; nothing can be done about that now. What is important is that someone took the time and effort to execute a series of attacks on a wide array of chemical facilities across the globe. More importantly, the attacks used old tools in a well-understood and well-documented attack methodology. The fact that they were successful points out how poorly the chemical industry is protecting its computer systems and intellectual property.

For those in the control system community, we need to make sure that a similar attack would not be able to gain the process and control system information necessary to execute a targeted son-of-Stuxnet attack.

More importantly, we need to make sure that the organizations successfully compromised in the Nitro Attacks do not have back door access points established behind their corporate firewalls that would allow an SOS attacker access to our control systems.
