Handout B: USB Device Installation Log

Windows device installation event log from Siemens Step 7 engineering workstations. Stuxnet spread via infected USB drives targeting the programming software used to configure centrifuge control systems.


Device Installation Event Log

Windows System Log Dump - USB Device Installations
Workstations: ENGINEERING-WKS-07, ENGINEERING-WKS-12, ENGINEERING-WKS-03 (consolidated; see summary)
Log Period: April 2010 - June 2010
Filtered Events: USB Device Installation

[2010-04-11 09:15:32] EVENT: USB Device Connected
  Serial Number: BD8F-4C21
  Device Type: Mass Storage Device (Removable Media)
  Manufacturer: Generic
  Status: Device Driver Installed Successfully
  Driver: usbstor.sys (Windows native)

[2010-04-11 09:16:04] EVENT: Executable File Executed
  Path: E:\siemens_s7_update.exe
  User: CONTRENG\behnam
  Status: EXECUTED - No digital signature validation
  Process: explorer.exe spawned rundll32.exe

[2010-04-11 09:45:22] EVENT: USB Device Disconnected
  Serial Number: BD8F-4C21
  Status: Safely Removed

================================================================================

[2010-05-19 14:23:11] EVENT: USB Device Connected
  Serial Number: BD8F-4C21  [SAME DEVICE - DIFFERENT WORKSTATION]
  Device Type: Mass Storage Device (Removable Media)
  Manufacturer: Generic
  Status: Device Driver Installed Successfully

[2010-05-19 14:24:17] EVENT: Executable File Executed
  Path: E:\siemens_s7_update.exe
  User: CONTRENG\reza
  Status: EXECUTED - No digital signature validation
  Process: explorer.exe spawned rundll32.exe

[2010-05-19 15:12:33] EVENT: Suspicious Process Activity
  Parent Process: rundll32.exe
  Child Process: lsass.exe (Local Security Authority)
  Action: Code injection detected - privilege escalation
  Status: ALLOWED (unsigned code)

[2010-05-19 15:13:45] EVENT: USB Device Disconnected
  Serial Number: BD8F-4C21
  Status: Safely Removed

================================================================================

[2010-06-02 07:41:09] EVENT: USB Device Connected
  Serial Number: BD8F-4C21  [SAME DEVICE - THIRD WORKSTATION]
  Device Type: Mass Storage Device (Removable Media)
  Manufacturer: Generic
  Status: Device Driver Installed Successfully

[2010-06-02 07:42:33] EVENT: Executable File Executed
  Path: E:\siemens_s7_update.exe
  User: CONTRENG\kaveh
  Status: EXECUTED

[2010-06-02 08:09:17] EVENT: USB Device Disconnected
  Serial Number: BD8F-4C21
  Status: Safely Removed

================================================================================

SUMMARY: Same USB Device (Serial: BD8F-4C21) Detected on Multiple Workstations
  - Installation 1 (April 11): ENGINEERING-WKS-07 (behnam - Engineer)
  - Installation 2 (May 19): ENGINEERING-WKS-12 (reza - Senior Engineer)
  - Installation 3 (June 2): ENGINEERING-WKS-03 (kaveh - Safety Director)

Pattern Analysis: Device appears to propagate between air-gapped Step 7 programming systems
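The pattern the summary calls out (one device serial connected on three different workstations, and an executable launched from the drive within a minute or two of each connect) is the kind of thing a log-correlation script should flag automatically. The following Python is an added example, not part of the handout and not any real Siemens or Windows tooling: it parses text laid out like the log above, assumes a per-host "Workstation:" header line (the handout only gives the hostnames in its summary), and adds one invented benign launch (notepad.exe on WKS-03, long after the connect) as a control that should not be flagged.

```python
"""Correlate USB device-installation events across engineering workstations.
Added example, not part of the handout: flags (a) one removable-device serial
connected on several workstations and (b) an executable launched within minutes
of a device connect on the same host. A per-host "Workstation:" header is assumed."""
import re
from collections import defaultdict
from datetime import datetime

EVENT_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] EVENT: (.+)$")
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+): (.+)$")
HOST_RE = re.compile(r"^Workstation: (\S+)$")

# Constructed sample in the handout's layout: its three installations, plus one
# invented benign launch (notepad.exe on WKS-03, long after the connect) as a control.
SAMPLE_LOG = r"""
Workstation: ENGINEERING-WKS-07
[2010-04-11 09:15:32] EVENT: USB Device Connected
  Serial Number: BD8F-4C21
[2010-04-11 09:16:04] EVENT: Executable File Executed
  Path: E:\siemens_s7_update.exe
  User: CONTRENG\behnam
  Status: EXECUTED - No digital signature validation
[2010-04-11 09:45:22] EVENT: USB Device Disconnected
  Serial Number: BD8F-4C21
Workstation: ENGINEERING-WKS-12
[2010-05-19 14:23:11] EVENT: USB Device Connected
  Serial Number: BD8F-4C21  [SAME DEVICE - DIFFERENT WORKSTATION]
[2010-05-19 14:24:17] EVENT: Executable File Executed
  Path: E:\siemens_s7_update.exe
  User: CONTRENG\reza
  Status: EXECUTED - No digital signature validation
[2010-05-19 15:12:33] EVENT: Suspicious Process Activity
  Parent Process: rundll32.exe
  Child Process: lsass.exe (Local Security Authority)
[2010-05-19 15:13:45] EVENT: USB Device Disconnected
  Serial Number: BD8F-4C21
Workstation: ENGINEERING-WKS-03
[2010-06-02 07:41:09] EVENT: USB Device Connected
  Serial Number: BD8F-4C21
[2010-06-02 07:42:33] EVENT: Executable File Executed
  Path: E:\siemens_s7_update.exe
  User: CONTRENG\kaveh
  Status: EXECUTED
[2010-06-02 08:05:00] EVENT: Executable File Executed
  Path: C:\Windows\notepad.exe
  User: CONTRENG\kaveh
  Status: EXECUTED
[2010-06-02 08:09:17] EVENT: USB Device Disconnected
  Serial Number: BD8F-4C21
"""

def parse_log(text):
    """Return event dicts {ts, type, host, <Field>: value} in file order."""
    events, host, current = [], None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
        elif m := EVENT_RE.match(line):
            current = {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                       "type": m.group(2).strip(), "host": host}
            events.append(current)
        elif (m := FIELD_RE.match(line)) and current is not None:
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Serial Number":  # drop "[SAME DEVICE ...]" annotations
                value = value.split()[0]
            current[key] = value
    return events

def cross_host_devices(events, min_hosts=2):
    """Serial -> sorted (ts, host) connects, for serials seen on >= min_hosts hosts."""
    seen = defaultdict(list)
    for e in events:
        if e["type"] == "USB Device Connected" and "Serial Number" in e:
            seen[e["Serial Number"]].append((e["ts"], e["host"]))
    return {s: sorted(h) for s, h in seen.items() if len({x for _, x in h}) >= min_hosts}

def execs_after_usb_connect(events, window_seconds=300):
    """Executables run on a host within window_seconds of a still-connected USB device."""
    hits, connected = [], {}  # host -> (connect ts, serial) of the device still plugged in
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "USB Device Connected":
            connected[e["host"]] = (e["ts"], e.get("Serial Number"))
        elif e["type"] == "USB Device Disconnected":
            connected.pop(e["host"], None)
        elif e["type"] == "Executable File Executed" and e["host"] in connected:
            c_ts, serial = connected[e["host"]]
            delta = (e["ts"] - c_ts).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append({"host": e["host"], "serial": serial, "path": e.get("Path"),
                             "user": e.get("User"), "seconds_after_connect": delta,
                             "unsigned": "No digital signature" in e.get("Status", "")})
    return hits

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(cross_host_devices(evts))
    for h in execs_after_usb_connect(evts):
        print(h)
```

Run against the sample, the first detector returns only BD8F-4C21 with its three hosts in date order, and the second returns the three siemens_s7_update.exe launches (32, 66 and 84 seconds after the connect; the first two additionally marked as unsigned) while ignoring the notepad.exe control. The connect window is the tunable: a short window catches "plug in, Explorer opens, something runs" sequences; a wide one starts catching ordinary work done while a drive happens to be present.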

IM NOTES (Do Not Show to Players): Key historical details:

  1. USB as attack vector: Stuxnet targeted air-gapped networks. USB was the primary bridge because contractor personnel move between different facilities, taking USB drives with them.

  2. LNK exploit vulnerability: The file “siemens_s7_update.exe” is actually a Windows LNK (shortcut) file exploit (CVE-2010-2568) that allows code execution without user interaction. When explorer.exe displays the drive contents, the malicious LNK file executes automatically.

  3. Targeted infection: Stuxnet specifically targeted computers with Step 7 engineering software installed. It had code to specifically look for Siemens PLC configuration files.

  4. Zero-interaction propagation: The attacker didn’t need users to execute anything. Simply plugging in the USB drive would trigger the LNK exploit through Windows autorun functionality.

  5. Air-gap jumping: This is the documented method Stuxnet used to jump air-gapped networks. Each infected workstation could infect a USB drive, which would then spread to the next isolated network.

The same USB device appearing on 3 different workstations belonging to key personnel (engineer, senior engineer, safety director) suggests one of two things:

  • Intentional distribution by an insider
  • A single compromised contractor who moved between facilities with an infected USB drive

Key Discovery Questions

  • Why would the same USB device appear on three different engineering workstations?

The most likely explanation is that it’s a shared contractor USB drive, or that one of these personnel plugged an infected drive into multiple machines. In air-gapped environments, the only way to move files between isolated networks is physical media.

  • What is the significance of the “siemens_s7_update.exe” file appearing on the same USB device each time?

This is the attack vector. Legitimate Siemens updates are genuine installer packages. An impostor “update” would look legitimate to engineers. The malware likely self-propagates to the USB drive after infection, so the same USB carries the malware and automatically infects the next workstation.

  • How would traditional antivirus have detected this attack?

Stuxnet used signed device drivers (stolen legitimate certificates from Realtek and JMicron) to bypass driver signature verification. Traditional AV looking for unsigned code would miss it. This is why zero-days were necessary – the attackers used vulnerabilities that AV didn’t know about yet.

IM Facilitation Notes

This handout helps players understand:

  1. Air-gap jumping mechanisms: Physical media is the bridge
  2. Social engineering in technical contexts: A fake “update” from a trusted vendor
  3. Multi-stage compromise: USB spreads the worm; worm compromises Step 7; Step 7 compromise reaches PLCs
  4. Persistence across isolation: Once on the network, the malware can survive on USB drives and propagate to other air-gapped systems