Duqu 2.0, Lead Actor on Electric Cyber-attacks Against Venezuela
By Alfredo Hurtado
CYBERWAR AGAINST IRAN
In 2010, a computer attack succeeded in delaying Iran’s peaceful nuclear program for two years. A virus called Stuxnet took control of 1,000 centrifuges needed to purify and enrich uranium to turn it into nuclear fuel. It managed to completely destroy 20% of them. For the first time, a virus achieved a real and far-reaching impact on a strategic industrial infrastructure.
When the manifestations of the computer attack appeared, the Iranian specialists could not even suspect it. It was logical, the Natanz nuclear power plant is located 250 kilometers south of Tehran, isolated, with restricted access and with some of its facilities designed to withstand possible military attacks.
At first the centrifuges were replaced after checking their control systems. There was total uncertainty and actions were taken by a process of eliminatio. Stuxnet was so new that it was programmed to make punctual and sporadic attacks, all this to eliminate any possibility of suspicion. Only five months after the first attack, was it possible to find the real cause.
Stuxnet was conceived under precepts of war, developed by cyberwar experts in Israel and the United States, obvious enemies of Iran. The intelligence work of these two countries could determine that the Programmable Logic Controllers (PLC) used to monitor and manage the centrifuges in Natanz were from the German manufacturer Siemens. What would come next would be a profound damage to the pride of German engineering.
A PLC is a programmable industrial computer to automate industrial processes. Its architecture has similarities to computers that are at the hands of anyone: power source, CPU (Central Processing Unit), communication modules and inputs / outputs. The control programming that is designed for these devices will be done according to the process or processes that are intended to be controlled. To achieve the control of variables (temperature, pressure, flow, level, revolutions per minute, among others) the PLC must have a set of field instruments (analog and / or digital), which will be responsible for a census. These signals will be interpreted by the PLC and this will execute the respective control actions to keep the processes in desired values and safe operation practically without human intervention. Likewise, they fulfill security functions, that is, if some variable can not be controlled, actions are carried out on final control elements (for example valves) to return them to safe operation limits, or protection shots to avoid human catastrophes and / or damage to industrial equipment.
The exact models of PLC victims of the cyber attack at the Natanz nuclear power plant were the Siemens S7-315 and S7-417. According to the experts, there were two variants of the Stuxnet virus, one in the form of a configuration file for Siemens software, and another, exploiting vulnerabilities in the Windows operating system. For the two variants, the voluntary cooperation or involuntary help of people linked to work in Natanz was necessary, taking into account that said nuclear plant is made up of an industrial network totally isolated from external networks. The two versions basically acted in the same way, although the second was more aggressive.
PLCs send industrial network communication protocols all information to a monitoring and control center, which is shown to the plant operators who constantly monitor the processes. These systems are called SCADA (Supervision, Control and Data Acquisition).
Stuxnet managed to get the Siemens PLCs to send false data from the systems inherent to the centrifuges, that is, the operators visualized in the SCADA ideal operating parameters, but the reality was different. Meanwhile, the centrifuges ranged from 120 rpm to 63,000 rpm in a matter of minutes (and vice versa), causing fatigue and permanent damage to their components by reaching their nominal operating value (63,000 rpm) in such a short time. Coupled with this, the steam systems that powered the rotors of the centrifuges compromised the safety valves that relieved pressure if the levels were critical. The overpressures had a mechanical impact on the centrifuges.
After a few months, the specialists were able to detect the Stuxnet virus as the one responsible for the industrial catastrophe in Natanz. It was officially the first cyberwar event in history.
DUQU 2.0 VARIANT: VENEZUELA PHASE
According to communities of specialists in the area of cyber security, Duqu 2.0 was probably identified as responsible for the current blackouts in Venezuela thanks to the collaboration of Russian specialists who arrived in the country recently. It is not official information yet.
RELATED CONTENT: US-Canada and Venezuela’s Bay of Pigs
Duqu 2.0 is a derivative of Stuxnet virus. In 2015, Kaspersky Lab, an international Russian company dedicated to computer security based in Moscow, discovered unusual activities in the company’s networks, characteristics of a massive cyber attack. It was the Duqu 2.0 virus.
If we start from the fact that Duqu 2.0 is an improved variant of Stuxnet, it is very easy to assume that the way to propagate it in our generation control, transmission and distribution control systems was novel.
This type of virus is already disseminated through any computer connected to a computer network, including USB memories, computers, PLCs, printers, among other devices. One infiltration would suffice to achieve, for example, the electronic brain of the systems that control, coordinate and synchronize the turbines of the Guri Hydroelectric Complex.
The late journalist Ricardo Durán warned in 2011, when through a series of journalistic works, he left in evidence a set of situations that should have set off the alarms: former PDVSA coup workers became part of CORPOELEC and the systems of control, supervision and security of our national electrical system were invoiced by the West, designed and implemented by companies of the United States and Canada.
Taking these discoveries into account, it was not at all difficult for our enemies to unravel our electronic systems. They quickly knew where and how to hit us.
The numerous attacks on our National Electrical System (SEN) indicate that they have maintained the same philosophy in the design of the different variants of the virus: they do not seek to destroy an industrial facility at once, rather they do it in phases to cause greater damage and shock, avoiding in this way that specialists have time to focus on the causes of failures. An infected system may be operating optimally, fail, and then return to “normal” with resultant consequences. Meanwhile, the SCADAs show totally different information to reality.
So far there are no details of the mechanism of attack to our SEN, but the generation stage is the most critical and probably the worst hit. The control of a turbine involves governing a set of critical systems and variables: lubrication systems, revolutions per minute, temperature, vibration, pressure, power generated.
It must have been dramatic for our SEN operators to visualize on their screens a situation different from what was happening in reality. Worse still, it is likely that Duqu 2.0 had the same feature as Stuxnet as regards the shutdown of machines from the control room: the virus makes it impossible.
The attack against our SEN without a doubt was one of the highest stages of a major plan for the overthrow of the Venezuelan government. Faced with the failure of previous strategies such as the criminal economic war, diplomatic siege, threats of invasion, attempts to violate our borders, street disorders and international financial pillage, activated the cyberwar card.
Unlike Iran, the attack on Venezuela has far greater repercussions. The population of an entire country has been affected by the denial of the right to constant and reliable electric service. If the first cyberwar event in history occurred in Iran, Venezuela suffered the first act of cyberwar against a national electrical system with an impact on millions of human beings.
WILL WE LEARN THE LESSON?
What happened in Iran in 2010 was not enough for our country to prepare to face computer attacks on our strategic industrial infrastructures. Not only our electrical industry is threatened. Venezuela still has a highly technified, complex and large-scale oil industry. Our oil plants, in their vast majority, were designed by western companies.
Some of them are very vulnerable to being in the technological obsolescence phase, operating under outdated operating systems, firmware and / or hardware and without any support from manufacturers, all this in consequence of the economic situation to which they have subjected us. For example, the WINDOWS XP operating system continues to be the most used in PDVSA, which no longer has any support from Microsoft to solve security vulnerabilities.
Our IT security policy regarding our industries and strategic companies must be reformulated. A cybersecurity unit must be created under the command and control of our executive branch, once again promoting the development of our own operating systems as a first step to ambitious software development programs.
Developing a “national invoice” for SCADA will not be an easy task, it will take time and a lot of investment in the preparation of human resources. The segmentation of our industrial networks under strict management policies according to their level of criticality is vital. Kaspersky Lab can be our best ally to start taking the first steps in implementing cybersecurity policies.
They hit us very hard, but our enemies are not yet aware of our capacity for resistance. We will win again.
Translated by JRE\EF
