Replication Through Removable Media
| Technique | |
|---|---|
| ID | T0847 |
| Tactic | Initial Access |
| Data Sources | File monitoring, Data loss prevention |
| Asset | Human-Machine Interface, Data Historian, Control Server |
Description
Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible.
Operators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet.[1][2] The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility.[3][4][5][6][7][8] The plant has since checked for infection and cleaned up more than 1,000 computers.[9] An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution.[10]
Procedure Examples
- Conficker exploits Windows drive shares. Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network.[11] Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or computers found in the power plant's facility.[4]
- Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment.[12] The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened.[13]
Mitigations
- Disable or Remove Feature or Program - Consider disabling features such as AutoRun.
- Limit Hardware Installation - Enforce system policies or physical restrictions to limit hardware such as USB devices on critical assets.
- Operating System Configuration - Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.
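The three mitigations above map to concrete Windows host settings. The following PowerShell script is an added example, not part of the ATT&CK page or of any vendor's tooling: it audits, and with the `-Enforce` switch sets, the policy values that disable AutoRun, stop the USB mass-storage driver from loading, and deny access to all removable storage classes. The registry paths and value names are the standard Windows policy locations; the function name `Test-RemovableMediaHardening` and the `-Enforce` switch are this example's own.

```powershell
# Added example (not from the ATT&CK page): audit, and optionally enforce,
# the Windows host settings behind the three mitigations listed above.
# Registry locations are the standard Windows policy keys; the -Enforce switch
# and the Test-RemovableMediaHardening function name are assumptions of this example.
# Run from an elevated PowerShell session on a test host before any OT rollout.

function Test-RemovableMediaHardening {
    [CmdletBinding()]
    param(
        # Write the hardened values instead of only reporting the current state
        [switch]$Enforce
    )

    # Each check: the mitigation it serves, a registry path, a value name,
    # and the hardened DWORD data expected there.
    $checks = @(
        @{ Mitigation = 'Disable or Remove Feature or Program (AutoRun)'
           Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Name  = 'NoDriveTypeAutoRun'
           Value = 255 },   # 0xFF: AutoRun disabled for every drive type
        @{ Mitigation = 'Limit Hardware Installation (USB mass storage)'
           Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
           Name  = 'Start'
           Value = 4 },     # SERVICE_DISABLED: the USB storage driver will not load
        @{ Mitigation = 'Operating System Configuration (removable storage policy)'
           Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
           Name  = 'Deny_All'
           Value = 1 }      # Group Policy "All Removable Storage classes: Deny all access"
    )

    foreach ($c in $checks) {
        $current = $null
        if (Test-Path $c.Path) {
            # Dynamic property lookup; missing values return $null rather than throwing
            $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        $compliant = ($null -ne $current) -and ([int]$current -eq $c.Value)

        if (-not $compliant -and $Enforce) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Value -PropertyType DWord -Force | Out-Null
            $current   = $c.Value
            $compliant = $true
        }

        # One row per setting; pipe to Format-Table or Export-Csv for an audit record
        [pscustomobject]@{
            Mitigation = $c.Mitigation
            Setting    = "$($c.Path)\$($c.Name)"
            Current    = $current
            Expected   = $c.Value
            Compliant  = $compliant
        }
    }
}

# Report only (safe to run on any host):
Test-RemovableMediaHardening | Format-Table -AutoSize

# Enforce (administrative rights required; the USBSTOR change takes full effect after a reboot):
# Test-RemovableMediaHardening -Enforce
```

Two practical caveats when applying this to control-system hosts: the `USBSTOR` setting only prevents the mass-storage class driver from loading, so USB keyboards and mice keep working, whereas `Deny_All` covers every removable storage class (including CD/DVD), which may break a vendor's legitimate update workflow and should be tested first; and on hosts managed by Active Directory the same values should be set through Group Policy, since locally written policy values are overwritten at the next policy refresh.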
References
1. Kernkraftwerk Gundremmingen. (2016, April 25). Detektion von Büro-Schadsoftware an mehreren Rechnern. Retrieved October 14, 2019.
2. Trend Micro. (2016, April 27). Malware Discovered in German Nuclear Power Plant. Retrieved October 14, 2019.
3. Christoph Steitz, Eric Auchard. (2016, April 26). German nuclear plant infected with computer viruses, operator says. Retrieved October 14, 2019.
4. Catalin Cimpanu. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved October 14, 2019.
5. Peter Dockrill. (2016, April 28). Multiple Computer Viruses Have Been Discovered in This German Nuclear Plant. Retrieved October 14, 2019.
6. Lee Mathews. (2016, April 27). German nuclear plant found riddled with Conficker, other viruses. Retrieved October 14, 2019.
7. Sean Gallagher. (2016, April 27). German nuclear plant's fuel rod system swarming with old malware. Retrieved October 14, 2019.
8. Dark Reading Staff. (2016, April 28). German Nuclear Power Plant Infected With Malware. Retrieved October 14, 2019.
9. BBC. (2016, April 28). German nuclear plant hit by computer viruses. Retrieved October 14, 2019.
10. ESET. (2016, April 28). Malware found at a German nuclear power plant. Retrieved October 14, 2019.
11. Symantec. (2015, June 30). Simple steps to protect yourself from the Conficker Worm. Retrieved December 5, 2019.
12. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
13. Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved March 27, 2018.