Symantec quarterly report on targeted attacks
CNET summarizes the Q4 2010 Quarterly Report by Symantec (PDF), which focuses on targeted attacks on critical infrastructure, and in particular, the Hydraq Trojan and the Stuxnet Worm. “The customization of targeted attacks can make them more dangerous than non-targeted attacks because they are tailored explicitly to affect a target group, ” according to Symantec.
The Hydraq Trojan, first discovered in January 2010, was involved in the cyberattack on Google, Adobe, and 32 other “less-forthcoming” Silicon Valley companies. Wikileaks has released information tying the attack to the Chinese Politburo. According to Symantec’s page linked above, the incidence of infection was low (why tip off everyone?), and the infection was easy to manage, once detected. The cyberattack gained a lot of publicity because most of the companies that were attacked “stonewalled” about it, pretending to be more secure and competent than they really are. 
Stuxnet (1, 2, 3, 4), which exploited/exploits SEVERAL zero-day vulnerabilities in Windows, and which is famous for targeting a particular configuration of gaseous centrifuges used in a uranium-enrichment facility in Natanz, Iran, infected an estimated 100,000 hosts through September, almost 60% or which are in Iran, as reported to CNET by Symantec today. Symantec released a report, entitled W32.Stuxnet Dossier (PDF), late last week that said FIVE different organizations were targeted by variants of Stuxnet, as early as June 2009. Several of the organizations were targeted MORE THAN ONCE. Symantec did not identify the organizations.
Symantec researchers wrote in a blog post that they “…have a total of 3,280 samples representing approximately 12,000 infections.” The researchers wre able to learn how Stuxnet spread and where it was targeted.
An interesting section of the blog post describes TWO different sabotage strategies of Stuxnet (the “315 code” and the “417 code”). The 417 code was disabled. The intended behavior of the 417 code is described in the Symantec dossier and summarized in the blog entry. Since the 417 code is incomplete and was disabled, the researchers cannot state with certainty the exact behavior or intended purpose, but:
- The code expects six groups of 164 peripherals.
- The sum of activity for all groups must be 297 days or for a single group greater than 35 days before the sabotage routine begins.
- A semi-random 110 out of 164 peripherals will be sabotaged.
- The sabotage routine lasts for approximately seven minutes.
Symantec’s quarterly report gives Stuxnet as a prime example that targeted attacks on control systems, including “power generation and distribution,” known as supervisory control and data acquisition (SCADA), can often be “politically motivated or state-sponsored.” Elimination of, or only controlled access to, the Internet was recommended by Symantec as an important step in protecting against such targeted attacks.
-Bill at
Cheshire Cat Photo™ – “Your Guide to California’s Wonderland™”
You can view higher-resolution photos (*generally* 7-30 megabytes, compressed) at the Cheshire Cat Photo™ Pro Gallery on Shutterfly™, where you can also order prints and gifts decorated with the photos of your choice from the gallery. The Cheshire Cat Photo Store on Zazzle contains a wide variety of apparel and gifts decorated with our images of California. Framed prints and prints on canvas can be ordered from our galleries on redbubble®. All locations are accessible from here. Be a “Facebook Fan” of Cheshire Cat Photo here! If you don’t see what you want or would be on our email list for updates, send us an email at info@cheshirecatphoto.com.
