Does computer worm "stuxnet" attack Iranian Nuclear Program?

[Carsten Wiethoff]

A very sophisticated computer worm dubbed "stuxnet" began infecting Windows PCs and Industrial Controller Computers, specifically those made by German Siemens AG, sometime in 2009.
Current speculation is that a nation state may be behind it, judging from the sophistication of the attack methods.
See http://threatpost.com/en_us/blogs/stuxne...say-080410

In the current German "Frankfurter Allgemeine Zeitung" there is a background article (in German), claiming that many infections have been in Iran and speculating that the Nuclear Program may have been the target.
See http://www.faz.net/s/RubCEB3712D41B64C3094E31BDC1446D18E/Doc~E8A0D43832567452FBDEE07AF579E893C~ATpl~Ecommon~Scontent.html

(here for a rough google translation).

In case the claims are true, I would say that reduces the number of suspects to about two. :elefant:

[Magda Hassan]

Thank you Carsten! Most interesting. Here are some recent articles in English covering similar area.

http://www.thetechherald.com/article.php...xpert-says

“With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge,” wrote Ralph Langner, the CEO of Langner Communications, on the company website.
Langner’s research, as well as information from other experts who have seen it, was the basis for the Monitor story. You can see the entire story on a single printer page here.

http://www.computerworld.com/s/article/9...r_program_
A highly sophisticated computer worm that has spread through Iran, Indonesia and India was built to destroy operations at one target: possibly Iran's Bushehr nuclear reactor. That's the emerging consensus of security experts who have examined the Stuxnet worm. In recent weeks, they have broken the cryptographic code behind the software and taken a look at how the worm operates in test environments. Researchers studying the worm all agree that Stuxnet was built by a very sophisticated and capable attacker -- possibly a nation-state -- and it was designed to destroy something big.
Though it was first developed more than a year ago, Stuxnet was discovered in July 2010, when a Belarus-based security company found the worm on computers belonging to an Iranian client. Since then it has been the subject of ongoing study by security researchers, who say they have never seen anything like it before. Now, after months of private speculation, some of the researchers who know Stuxnet best say that it may have been built to sabotage Iran's nukes.
Last week Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran's Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm's attack.

[Carsten Wiethoff]

From http://www.langner.com/en/index.htm

Stuxnet logbook, Sep 21 2010, 1200 hours MESZ

Ralph's analysis, part 2

Many aspects of Stuxnet are so completely different from malware as we know it that it's only natural that so many hard-working experts at some point in the analysis ended in frustration. The best way to approach Stuxnet is not to think of it as a piece of malware like Sasser or Zotob, but to think of it as part of an operation -- operation myrtus. Operation myrtus can be broken down into three major stages: Preparation, infiltration, and execution.

Stage 1, preparation:
- Assemble team, consisting of multiple units (intel, covert ops, exploit writers, process engineers, control system engineers, product specialists, military liaison)
- Assemble development & test lab, including process model
- Do intel on target specifics, including identification of key people for initial infiltration
- Steal digital certificates

Stage 2, infiltration:
- Initial infiltration using USB sticks, perhaps using contractor's comprised web presence
- Weapon spreads locally via USB stick sharing, shared folders, printer spoolers
- Contact to command & control servers for updates, and for evidence of compromise
- Update local peers by using embedded peer-to-peer networking
- shut down CC servers

Stage 3, execution:
- Check controller configuration
- Identify individual target controllers
- Load rogue ladder logic
- Hide rogue ladder logic from control system engineers
- Check PROCESS condition
- Activate attack sequence

What this shows is that the 0day exploits were only of temporary use during the infiltration stage. Quite a luxury for such sophisticated exploits! After the weapon was in place, the main attack is executed on the controllers. At that point, where the rogue ladder logic is executed, it's all solid, reliable engineering -- attack engineering.

[Ed Jewett]

See also:

The War Against Iran Has Already Started

By TREVOR BUTTERWORTH

There is little doubt that the fine gradations of history will give cyber war an earlier start. But just as television news was transformed by technology before the Iranian Revolution in 1979, and politics was transformed by social networking before it appeared that Twitter would bring about a second Iranian Revolution, process and progress need crystallizing events, where the political and cultural significance of technological innovation becomes indisputable.

Such a moment came in July with the discovery of a worm known as Stuxnet, which sought out a particular version of the Siemens' SCADA (supervisory control and data acquisition) systems that control power grids and industrial plants. According to Ralph Langner, an expert in industrial control systems who published a study of the worm last week, Stuxnet was capable of taking over SCADA controls in order to deliver a kinetic attack by causing critical systems to physically malfunction. The systems infected weren't randomly targeted: a majority are in Iran.

Computer World magazine recently pronounced Stuxnet, "a piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals." And according to the latest article in the magazine, speculation is rife that Israel may have been behind the worm – and that it was designed to sabotage or even take control of the operating systems for Iran's Bushehr nuclear reactor.

Whether that is what really happened is beside the point. The reality of Stuxnet (and more to the point, its next incarnation) is that critical state infrastructure can be commandeered and destroyed without anyone firing a shot. The very prospect that Israel – or whomever – could shut down Iran by destroying its electrical grid through causing every generator to overload in a matter of minutes is a powerful signal: the signal that cyber war has physical consequences that make conventional air strikes look quaint and maladroit, so 20th century.

This evolutionary stage is a game-changer. Previously, as with Russia's invasion of South Ossetia in Georgia, cyber attacks focused on basic communications systems (through denial of service attacks, where a network of computers floods a target computer with requests to slow or shut it down), and sophomoric propaganda warfare (pasting an image of Adolf Hitler next to Georgian President Mikhail Saakashvili on the Ministry of Foreign Affairs website). Even if Iran successfully cocooned its nuclear control systems, the fact that most critical infrastructure is embedded in the civilian world give rival state and non-state actors myriad pathways to unleash havoc.

It is, perhaps, one of the odder coincidences of history that Iran should again be a crucible for technological transformation. The revolution in 1979 may have had more than a whiff of neo-medievalism, but it was the first major instantaneous media event, due to the use of new portable VCR cameras, the availability of affordable satellite transmission, and the spread of satellite ground stations, largely as a consequence of televising the 1978 world cup.

As Mike Mosettig and Henry Griggs Jr noted in "TV at the Front," an article for Foreign Policy in 1980, the new Iranian regime – unlike North Vietnam – was able to communicate through broadcast networks in real time, and to a massive international audience, without yielding any corresponding access. Such speed, magnified by competition between networks, threatened to oversimplify complex or ambiguous events turning the news media into an unwitting, malleable force in international affairs, rather than a restrained spectator and careful explicator of events.

"The networks," they concluded, "will run into more problems with governments and revolutionaries who try to turn correspondents and producers into diplomats, message carriers, propagandists, and even targets of murder. The networks will have to match their technology, speed, and aggressiveness with sensitivity and sophistication. Meanwhile, the hardest task of all will be reporting the news."

Twitter's emergence as samizdat media tool in Iran's "Green Revolution" seemed, for a while, to signal that "crowd reporting" – for the want of a phrase" – could undermine a closed state mediated by top-down control through bottom-up collective communication. But Twitter didn't fail as an organizational tool; it failed because there wasn't a critical threshold of samizdat culture in Iran to use it to advance emancipatory politics. The medium was very much the message and the message was confusion.

Nevertheless, as Jared Keller noted in the Atlantic, "the Green movement remains the first major world event broadcast worldwide almost entirely via social media" – and as such, stands as a transformational event with consequences as potentially significant for politics, international affairs, and the role of communications as those brought by the shift from film stock to video cassette.

Stuxnet is an even more dramatic transformational event: warfare is never going to be the same, at least while the underlying protocols governing the Internet create these kinds of systemic vulnerabilities. But even if there was agreement to rewrite these protocols starting tomorrow, such a project would take a decade. So, let the damage assessment begin. Who knows? By demonstrating how Iran could so very easily experience a Chernobyl-like catastrophe, or the entire destruction of its conventional energy grid, the first round of the "war" may have already been won.

http://blogs.forbes.com/trevorbutterwort...y-started/

###

• Stuxnet. A professional grade software worm that is designed to take control and destroy industrial systems. It has infected 45,0000 industrial systems worldwide. "Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world. This is not about espionage, as some have said. This is a 100 percent sabotage attack." What's interesting is that it is weaponized software aimed at a very specific industrial target. This is a great example of replication (and self-replication) as it applies to open source warfare and systems disruption. The future of warfare has already happened, most people haven't realized it yet.
  

http://globalguerrillas.typepad.com/glob...-2010.html

###

TEHRAN: A bomb tore through a military parade in Iran on Wednesday killing 12 people as the Islamic republic showcased its weaponry at events marking the start 30 years ago of the bloody Iran-Iraq war.

Among the dead were the wives of two commanders, an official said, while medics reported 81 people wounded and fearing the toll will rise.

The bomb, placed just 50 metres from the podium at the parade in the ethnically Kurdish northwestern town of Mahabad in West Ajarbaijan province, exploded at around 10:20 am (0650 GMT), officials said.

More at the link:
http://www.channelnewsasia.com/stories/a...27/1/.html

[Carsten Wiethoff]

http://warincontext.org/2010/09/25/bush-...k-on-iran/

Bush White House security adviser: Israel likely source of cyber attack on Iran

by Paul Woodward on September 25, 2010

(Updated below)
In an interview on Bloomberg TV, Richard Falkenrath suggested that Israel is the most likely source of the Stuxnet malware which seems designed to cripple industrial facilities in Iran.
Falkenrath is currently the Deputy Commissioner of Counter-Terrorism for the NYPD and held several positions in the George W Bush White House including Deputy Assistant to the President and Deputy Homeland Security Advisor.

Much more, including video, at the given link.

[Mark Stapleton]

I'm glad we now know who was responsible.

The suspense was killing me.

[Magda Hassan]

No doubt there is back channel communication (threats) between Iran and the US using this as an example of further things to come if they don't tow the Empire's line but I also wonder how Siemen's is feeling about being caught in it all too. Damaging their brand somewhat.

[Peter Lemkin]

While ordinary warfare and covert operations have been bad enough for as long as history records it, the new Cyberwarfare is in many ways more insidious - more like biological or chemicial or nuclear weapons [WMD], for while they can [as it seems in this case] be 'tailored' to destroy a target system; it can also be used [and IS being developed] to attack ALL of an 'opponents' computers and internet structures [which in turn control in the modern age all communication, military, emergency response, water, power, banking....you-name-it! It is well known that China, Russia, Israel and the USA [and very likely many others] are busy at work on this. Even a 'targeted system' could go wild and viral. Blowback to the dealing nation from an attack on the dealt to nation[s] is a very real possibility and almost impossible to stop [computers are just about the same worldwide now]. This madness - manifest on all fronts - needs to be stopped and reversed. One more push toward the abyss for humanity.....how nice :wavey: And make no mistake about it - it will be and should be taken as an offensive attack, equivalent to a standard covert or military one....and will only cause an equal or escalated response of some kind. Civility and Peace seem to be concepts completely abandoned by the most powerful nations - they even seem to have given up giving them 'lip service'. Nice times we live in. :motz:

[Ed Jewett]

Cyber attack on Iran expands: Tehran threatens long-term war in reprisal
DEBKAfile Exclusive Report September 27, 2010, 6:13 PM (GMT+02:00) Tags: Bushehr attacked cyber war Stuxnet Stuxnet spreads to Bushehr an personal computers Iran admitted Monday, Sept. 27 it was under full-scale cyber terror attack. The official IRNA news agency quoted Hamid Alipour, deputy head of Iran's government Information Technology Company, as saying that the Stuxnet computer worm "is mutating and wreaking further havoc on computerized industrial equipment."

Stuxnet was no normal worm, he said: "The attack is still ongoing and new versions of this virus are spreading."

Revolutionary Guards deputy commander Hossein Salami declared his force had all the defensive structures for fighting a long-term war against "the biggest and most powerful enemies" and was ready to defend the revolution with more advanced weapons than the past. He stressed that defense systems have been designed for all points of the country, and a special plan devised for the Bushehr nuclear power plant. debkafile's military sources report that this indicates that the plant - and probably other nuclear facilities too - had been infected, although Iranian officials have insisted it has not, only the personal computers of its staff.

The Stuxnet spy worm has been created in line with the West's electronic warfare against Iran," said Mahmoud Liayi, secretary of the information technology council of the Industries Minister.

As for the origin of the Stuxnet attack, Hamid Alipour said: The hackers who enjoy "huge investments" from a series of foreign countries or organizations, designed the worm, which has affected at least 30,000 Iranian addresses, to exploit five different security vulnerabilities. This confirmed the impressions of Western experts that Stuxnet invaded Iran's Supervisory Control and Data Acquisition systems through "zero-day" access.

Alipour added the malware, the first known worm to target large-scale systems and industrial complexes control systems, is also a serious threat to personal computers.

debkafile's Iranian and intelligence sources report that these statements are preparing the ground for Tehran to go beyond condemning the states or intelligence bodies alleged to have sponsored the cyber attack on Iranian infrastructure and military industries and retaliate against them militarily. Iran is acting in the role of victim of unprovoked, full-scale, cyber terror aggression.

http://www.debka.com/article/9048/

http://www.commongroundcommonsense.org/f...&p=1158322

[Mark Stapleton]

debkafile's Iranian and intelligence sources report that these statements are preparing the ground for Tehran to go beyond condemning the states or intelligence bodies alleged to have sponsored the cyber attack on Iranian infrastructure and military industries and retaliate against them militarily. Iran is acting in the role of victim of unprovoked, full-scale, cyber terror aggression.

"the opponent is left responding to situations which have already changed".