CNN.com parody

Terrorist in Malaysia holds U.S. power grid hostage

Scezda 2.0 worm exploits flaw in SCADA software for encabulators

Saturday, September 11, 2004 Posted: 8:47 AM EST (1247 GMT)
KUALA LUMPUR, MALAYSIA (CNN) -- On the third anniversary of the terrorist attacks in New York and Washington, a computer virus writer in Malaysia who is sympathetic to the cause of the Al Qaeda terrorist group announced he has "taken over control" of the U.S. electric power grid.

The Department of Homeland Security is treating it as an act of terrorism.

The virus writer, who goes by the handle Melhacker and is believed to have the real name of Vladimor Chamlkovic, is thought to have written or been involved in the development of the VBS.OsamaLaden@mm, Melhack, Kamil, BleBla.J and Nedal worms.

[Image: Homeland Security Secretary Tom Ridge briefs reporters on Scezda 2.0 worm]

In an exclusive interview with Computerworld reporter Dan Verton, Melhacker confirmed earlier reports by Chantilly, Va.-based iDefense Inc. that he had deployed "version 2.0" of his "three-in-one" megaworm, code-named Scezda, that combines features from the well-known SirCam, Klez and Nimda worms.

"This is a next-generation Internet computer worm," Melhacker said in the exclusive interview. "It exploits a flaw in Rockwell Automation's SCADA software written for the Retro Encabulator® product line." He claimed that his new worm can also infect other manufacturers' encabulators if they use Rockwell's SCADA software.

Verton described SCADA (Supervisory Control and Data Acquisition) as "the systems, including real-time programmable logic controllers, that manage the actual flow of electricity and natural gas and perform other critical functions in various industrial control settings, such as chemical processing plants, water purification and delivery systems, wastewater management facilities and a host of manufacturing firms."

The U.S. and Canadian electric power industries rely heavily on Rockwell encabulators (video) to provide inverse reactive current for use in unilateral phase detractors. The failure of a single encabulator in 1996 at a critical power junction in the Pacific Northwest led to a blackout in nine western states that affected four million people.

"Control, disruption or alteration of critical commands, instructions and monitoring functions performed by these systems can be an issue of regional and possibly national security," Verton insisted.

[Image: Homeland Security public service announcement]

Department of Homeland Security Secretary Tom Ridge spoke briefly to reporters when the attack came to light. "Terrorists can sit at one computer connected to one network and can create worldwide havoc," he admitted. "[They] don't necessarily need a bomb or explosives to cripple a sector of the economy, or shut down a power grid," he said.

[Image: Over 225 locations nationwide for all your emergency battery needs]

"We will continue to monitor the Internet for signs of potential terrorist attack, cyber terrorism, hacking and state-sponsored information warfare," Ridge concluded. An aide shuttled him away from the microphone after he suggested Americans should purchase batteries. He left without taking questions from reporters.

The U.S. Air Force has raised its "Infocon" threat level to "Charlie" from "Alpha." A Defense Department spokeswoman refused to comment on rumors that Pentagon officials were planning a covert operation in Malaysia to "neutralize" Melhacker.

A spokesman at Rockwell Automation's world headquarters refused to discuss technical details of how the Scezda 2.0 worm infects an encabulator, saying that "only appropriate law enforcement agencies and cyberspace security teams have a need to know." A 1997 Rockwell Automation video on encabulators offers little insight, and telephone calls to parent company Rockwell International were not returned.

Melhacker claimed his Scezda 2.0 worm has infected enough encabulators that he has "taken over control" of the U.S. electric power grid. In the exclusive interview with Computerworld, he threatened to plunge the country into darkness until all "invasion troops" are withdrawn from Iraq.

Melhacker gave the U.S. "until the presidential elections in November" to comply with his ultimatum, after which he would "throw the switch."

Melhacker also confirmed earlier intelligence reports that he has ties to both Russian hackers and Pakistani virus writers.

Ken Dunham, the director of malicious code at iDefense, said that although Melhacker hasn't proved adept at seeding new worms in the wild, Scezda 2.0 could be difficult to stop.

IDefense quietly warned its clients last week about the potential for Scezda 2.0 to take down the North American power grid, saying that companies should move to a heightened state of alert and watch their encabulators for suspicious Internet traffic.

"If he (Melhacker) were to be successful with this one, it could be very serious," said Dunham. "Although we are aware of his contacts with Russian and Palestinian code-authoring groups, we're not yet sure how strong those relationships are."

[Image: Joe Weiss speaks on threat to U.S. electric power grid]

Joe Weiss, a cyber-security expert for the electric power industry at KEMA Consulting in Fairfax, Va., warned that if Melhacker gained even partial control of enough encabulators, he could remotely shut off electricity to "as big [of an area] as you want" for six months or more. "I wouldn't even [call it an] absolute" worst-case scenario, Weiss clarified.

But it's difficult to speculate because there have been many such viruses that have gone nowhere, he asserted. "We will carefully study the Scezda 2.0 worm in our encabulator test facility," Weiss said.

Melhacker, who has also gone by the name Kamil, may have had some involvement in the release of the BugBear mass-mailing network attack worm. According to iDefense, Melhacker has close ties to Nur Mohammad Kamil, who identifies himself as part of a group known as "A.Q.T.E. Al-Qaeda Network." Melhacker has also associated himself with the Al Qaeda network for a long period and has been an active Malaysian malicious coder threat for at least seven years.

The continuing development of malicious code from pro-Islamic and pro-Al Qaeda hackers, especially in Malaysia, is of great concern and one that needs to be closely watched, according to an intelligence bulletin released by iDefense.

"While it might be true that Al Qaeda operatives are not well organized, skilled or equipped to mount a serious cyberoffensive, it is likely that Al Qaeda sympathizers will serve as surrogates in their cyberoffensive," Dunham cautioned.

Weiss was more pessimistic. "Encabulators are a vital aspect of the electric power industry and Al Qaeda sympathizers have now demonstrated their ability to take the power grid hostage," he said.


(Original non-parody version of this story published here.)