  Stuxnet worm causes much wailing and gnashing of teeth
letheomaniac
Stuxnet worm causes much wailing and gnashing of teeth
« on: 2010-10-03 04:10:35 »

[letheomaniac] It was only a matter of time I suppose.

Source: The Register
Author: John Leyden
Dated: 1/10/10

Stuxnet worm slithers into China, heralds alien invasion

Conspiracy? Cock-up? Or Conspiracy?

Analysis The infamous Stuxnet worm has reportedly begun spreading in China.

The worm, which targets supervisory control and data acquisition (SCADA) systems, has infected "millions of computers" across the country, AFP reports.

Local anti-virus outfit Rising International told the official Xinhua news agency that six million individuals and nearly 1,000 corporate accounts across China had been infected with the worm. However Yu Xiaoqiu, an analyst with the China Information Technology Security Evaluation Centre, said it hadn't witnessed any damage as a result of apparent infestation, an observation that raises doubts about Rising International's estimates.

Seven steps to sabotage

The sophisticated malware is designed to sabotage industrial plant control systems, specifically those running Siemens Simatic WinCC SCADA system software. Stuxnet exploits four Windows zero-day vulnerabilities, stolen signed certificates and a variety of other trickery with the ultimate aim of reprogramming the programmable logic controllers (PLCs) of control systems. The PLCs targeted by Stuxnet are programmed using a Windows-based development environment called Step 7. The malware reconfigures a Step 7 setup which hides its presence on compromised components, making it a kind of rootkit for industrial control systems.

A diagram illustrating how Stuxnet works, based on an analysis by Symantec, can be found here.

Cyber-semtex

Stuxnet was first detected by Belarussian anti-virus firm VirusBlokAda in late June, and confirmed by other security firms shortly afterwards in July. Other SCADA-system strains of malware have been detected before but the sophistication of Stuxnet together with its first detection in systems in Iran have sparked the theory that it was designed by Mossad and targeted at disrupting operations at Iran's new nuclear reactor in Bushehr. Iran has reportedly responded to the outbreak by blocking command and control channels associated with Stuxnet across its entire internet infrastructure.

Some security analysts have described Stuxnet as the first cyber super-weapon.

The bible code and UFOs...

The Stuxnet code contains reference to 9 May 1979, the date a prominent Jewish businessman, Habib Elghanian, was executed in Iran. Also the malware contains a string called Myrtus which corresponds to Myrtle, a figure from the Book of Esther who informs the king of a plot against the Jews, prompting a royal authorisation for reprisals. Esther was born as Hadassah which means Myrtle.

Details like this, of course, make fantastic material for weaving elaborate conspiracy theories but do little to establish one way or another whether the worm was targeted at Iran, much less its nuclear facilities. Some argue that the Mossad worm targeting Iran idea is too neat and might be some sort of misdirection.

In fact stats from Russian anti-virus firm Kaspersky Lab suggest far more systems in India (86,000) and Indonesia (34,000) have been infected than the 14,000 systems hit in Iran. One report links Stuxnet infection with the blow-out of an Indian TV satellite system back in July, the link being the use of SCADA systems from Siemens. Other reports suggest Russian sub-contractors from Siemens on the Bushehr plant job might have spread the infection when they went to work in other countries.

In the absence of hard facts about the worm all sorts of wild speculation and conspiracy theories have flourished, including a surprising volume of discussions linking Stuxnet to UFOs and even suggesting it might be a prelude to alien invasion*. Yup. It all ties back to harvested UFO tech from Roswell and, just as plausibly, the replacement of Paul McCartney by a stand-in all these years.

Back to reality

Back on planet Earth anti-virus firm F-Secure has compiled the best FAQ on Stuxnet that we've seen to date.

The Stuxnet worm was high on the agenda of presentations at the Virus Bulletin conference in Vancouver this week. Symantec ran a proof of concept demo of what code that had similar capabilities to Stuxnet could do to mess with the operation of a Siemens PLC SCADA test rig. The demo featured an air-pump connected to a controller, balloons, confetti and an explosion. Delegates were invited to imagine what might happen with a similarly compromised controller that was connected to an oil pipeline or (though this was not said) a centrifuge in a uranium processing plant.

Bootnote

*We're grateful to Vmyths's Rob Rosenberger for this observation.

"You can't teach an old dogma new tricks." - Dorothy Parker
Blunderov
Re:Stuxnet worm causes much wailing and gnashing of teeth
« Reply #1 on: 2010-10-04 03:27:07 »

[Blunderov] I expect that cyber war is a much bigger component of state intelligence operations than might at first be supposed. Consider: when Gulf War 1 kicked off Iraqi defence systems went AWOL because of an American trojan that lay lurking in the memory chips of printers installed on military networks.

The inexpensive and effective power of Anonymous is not confined to the likes of (bless their black little hearts) 4chan/b/ - states can and do wield it too. Cyberspace must be a perfect environment for spies. We can see from our own everyday lives that the proliferation of information technology has made life very difficult for those who would keep secrets. For instance, The South African Police have had such a frabjous time with using cellphone records to solve cases that legislation has been passed to force all cellphone users to register their instruments and provide an address to go with it. Philanderers in particular have felt the full weight of the force. Facebook and Cell phones (not to mention e-mail) have made extracurricular activities an occupation fraught with peril. The machinations at state level must be truly extraordinary. We need a new le Carre to lay the lulz bare for us all.



http://www.bbc.co.uk/news/world-middle-east-11459468

Iran arrests 'nuclear spies' accused of cyber attacks

[Image caption: The Stuxnet worm affected staff computers at Iran's Bushehr power station]

Iran has arrested "nuclear spies" on suspicion of being behind cyber attacks on its nuclear programme, Iranian state media report.

Press TV says "a number" of people have been apprehended as part of an operation by Iran to counter "massive enemy schemes".

The report comes after the complex worm Stuxnet infected staff computers at Iran's first nuclear power station at Bushehr.

No details of the arrests were given.

Iranian Intelligence Minister Heidar Moslehi was cited by Press TV as saying his ministry was capable of countering any threats.

"We are always facing destructive activities by these [espionage] services, and, of course, we have arrested a number of nuclear spies to block the enemy's destructive moves," Mr Moslehi said.

But he did not say how many people were detained, or specify whether the cyber attack referred to the Stuxnet virus.

While the worm also affected computers in India, Indonesia and the US, it has spread the most in Iran.

Reports suggest that the Stuxnet virus mutated in Iran and infected 30,000 computers.

It is believed to be the first worm designed to target major infrastructure facilities.

Iran's Russian-built Bushehr plant will start generating power in January, two months later than planned, but officials have said the delay was not due to the virus.

Some experts have said the virus was designed to target Tehran's nuclear programme, with some saying the complexity could only have been created by a state.

Iran has been subject to four rounds of UN sanctions because of its uranium enrichment programme, which is separate from Bushehr.

The West fears Tehran wants to build a nuclear weapon, but Iran insists its plans are for peaceful energy production.


letheomaniac
Re:Stuxnet worm causes much wailing and gnashing of teeth
« Reply #2 on: 2010-10-04 12:37:48 »

[letheomaniac] Hmmm...

From the Register article:

Quote:
In fact stats from Russian anti-virus firm Kaspersky Lab suggest far more systems in India (86,000) and Indonesia (34,000) have been infected than the 14,000 systems hit in Iran.

From the BBC article:

Quote:
While the worm also affected computers in India, Indonesia and the US, it has spread the most in Iran.

[letheomaniac] Obviously you can't trust those drunken Russian computer scientists. Manufacturing consent for a cyber attack on Iran?
Blunderov
Re:Stuxnet worm causes much wailing and gnashing of teeth
« Reply #3 on: 2010-10-04 18:04:11 »

Quote from: letheomaniac on 2010-10-04 12:37:48   
Manufacturing consent for a cyber attack on Iran?

[Blunderov] Since this thread began my recollections have returned to the epic shitstorm that hit Twitter during the recent Iranian elections - the so called Green Revolution. I smelled fish then and I do now too,..





letheomaniac
Re:Stuxnet worm causes much wailing and gnashing of teeth
« Reply #4 on: 2010-10-06 13:53:26 »

Quote:
Since this thread began my recollections have returned to the epic shitstorm that hit Twitter during the recent Iranian elections - the so called Green Revolution. I smelled fish then and I do now too,..
[letheomaniac] I couldn't agree more. The Green Revolution. Certainly sounds like one of the CIA's patented colour-coded "revolutions" - Orange in the Ukraine, Rose in Georgia, Green in Iran...
Fritz
Re:Stuxnet worm causes much wailing and gnashing of teeth
« Reply #5 on: 2011-04-17 21:29:15 »

[Fritz] Interesting story from the source.

http://www.youtube.com/watch?v=CS01Hmjv1pQ

Where there is the necessary technical skill to move mountains, there is no need for the faith that moves mountains -anon-
Fritz
Re:Stuxnet worm causes much wailing and gnashing of teeth
« Reply #7 on: 2012-06-01 13:38:09 »

The Virtual World now begs the question: "What constitutes an act of War !"

Cheers

Fritz


Confirmed: US and Israel created Stuxnet, lost control of it

Source: Ars Technica
Author: Nate Anderson
Date: 2012.06.01



In 2011, the US government rolled out its "International Strategy for Cyberspace," which reminded us that "interconnected networks link nations more closely, so an attack on one nation’s networks may have impact far beyond its borders." An in-depth report today from the New York Times confirms the truth of that statement as it finally lays bare the history and development of the Stuxnet virus—and how it accidentally escaped from the Iranian nuclear facility that was its target.

The article is adapted from journalist David Sanger's forthcoming book, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, and it confirms that both the US and Israeli governments developed and deployed Stuxnet. The goal of the worm was to break Iranian nuclear centrifuge equipment by issuing specific commands to the industrial control hardware responsible for their spin rate. By doing so, both governments hoped to set back the Iranian research program—and the US hoped to keep Israel from launching a pre-emptive military attack.

The code was only supposed to work within Iran's Natanz refining facility, which was air-gapped from outside networks and thus difficult to penetrate. But computers and memory cards could be carried between the public Internet and the private Natanz network, and a preliminary bit of "beacon" code was used to map out all the network connections within the plant and report them back to the NSA.

That program, first authorized by George W. Bush, worked well enough to provide a digital map of Natanz and its industrial control hardware. Soon, US national labs were testing different bits of the plan to sabotage Natanz (apparently without knowing what the work was for) using similar centrifuges that had come from Libya's Qadaffi regime. When the coders found the right sets of commands to literally shake the centrifuges apart, they knew that Stuxnet could work.

When ready, Stuxnet was introduced to Natanz, perhaps by a double agent.

    Getting the worm into Natanz, however, was no easy trick. The United States and Israel would have to rely on engineers, maintenance workers and others—both spies and unwitting accomplices—with physical access to the plant. “That was our holy grail,” one of the architects of the plan said. “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.”

    In fact, thumb drives turned out to be critical in spreading the first variants of the computer worm; later, more sophisticated methods were developed to deliver the malicious code.

When Barack Obama came to office, he continued the program—called "Olympic Games"—which unpredictably disabled bits of the Natanz plant even as it told controllers that everything was normal. But in 2010, Stuxnet escaped Natanz, probably on someone's laptop; once connected to the outside Internet, it did what it was designed not to do: spread in public. The blame game began about who had slipped up in the coding.

    “We think there was a modification done by the Israelis,” one of the briefers told the president, “and we don’t know if we were part of that activity.”

    Mr. Obama, according to officials in the room, asked a series of questions, fearful that the code could do damage outside the plant. The answers came back in hedged terms. Mr. Biden fumed. “It’s got to be the Israelis,” he said. “They went too far.”

Once released more widely, the Stuxnet code was found and then disassembled by security researchers.

Please don't follow our example

As the International Strategy for Cyberspace notes, these sorts of electronic attacks are serious business. The US in fact reserves the right to use even military force to respond to similar attacks. "All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners," says the report. "We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law."

Yet the US had just gone on the cyber-attack, and everyone knew it. Speculation has long swirled around government-backed hackers from nations like China and Russia, especially, who have been suspected of involvement in espionage, industrial trade secret theft, and much else. Would something like Stuxnet damage US credibility when it complained about such attacks? (China has long adopted the "you do it too!" defense on Internet issues, especially when it comes to censoring and filtering of Internet content.)

Obama was at least aware of the likely answer—yes—but pressed ahead, even accelerating the Olympic Games program.

    [Obama] repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons—even under the most careful and limited circumstances—could enable other countries, terrorists or hackers to justify their own attacks. “We discussed the irony, more than once,” one of his aides said.

Stuxnet is old news by now. Even the newly discovered "Flame" malware was developed some time ago. While details about these two targeted attack packages are finally emerging, the next generation of attack tools has no doubt been developed and likely deployed.
Fritz
Re:Stuxnet worm causes much wailing and gnashing of teeth
« Reply #8 on: 2012-06-01 20:19:11 »

It's a tangled Web we weave ....

Cheers

Fritz


Report: Obama Ordered Stuxnet to Continue After Bug Caused It to Spread Wildly

Source: Wired
Author: Kim Zetter
Date: 2012.06.01



Despite an error in the Stuxnet worm that attacked Iran’s uranium enrichment program, which caused the malware to spread wildly out of control and infect computers outside of Iran in 2010, President Barack Obama ordered U.S. officials who were behind the attack to continue the operation.

That was despite the fact that Stuxnet was spreading to machines in the United States and elsewhere and could have contained other unknown errors that might affect U.S. machines.

The information comes in a new report from The New York Times, which asserts that an error in the code led it to spread to an engineer’s computer after it was hooked up to systems controlling the centrifuges at Iran’s uranium enrichment plant near Natanz. When the engineer left the Natanz facility, he spread it to other machines, writes Times reporter David Sanger, based on a book he has written that will be released next week.

Sources told Sanger that they believed the Israelis introduced the error in the code.

“We think there was a modification done by the Israelis,” an unidentified U.S. source reportedly told the president, “and we don’t know if we were part of that activity.”

Vice President Joe Biden accused the Israelis of going “too far,” a source told Sanger.

According to the Times, Obama wondered to advisers whether the attack should be discontinued after Stuxnet began spreading, believing the operation might have been irrevocably compromised.

“Should we shut this thing down?” Obama reportedly asked at a meeting in the White House Situation Room that included Biden and the director of the Central Intelligence Agency at the time, Leon E. Panetta.

But aides advised him that it should proceed since it was unclear how much the Iranians knew about the code, and the sabotage was still working.

At the time, security researchers were still furiously trying to figure out what Stuxnet was designed to do, and hadn’t yet discovered that it was attacking the centrifuges in Iran. They would later determine that it was very targeted code that was tailor-made to attack only machines in Iran’s enrichment program. Although it infected more than 100,000 computers in and out of Iran, it didn’t do damage to those computers. But given that U.S. authorities appeared to be unclear about what the Israelis might have done to change the code, the exchange between Obama and his advisors seems to indicate that Obama gave the order to continue without the administration knowing precisely whether the code might damage other machines outside of Iran.

In weeks following that meeting, Sanger writes, while researchers at Symantec in the United States were still examining the code, the Natanz plant was hit by a newer version of the computer worm. A few weeks after Stuxnet was detected and disclosed in July 2010, the malware temporarily took out about 1,000 centrifuges in Iran.

The ongoing cyberattack authorized by Obama coincided with the Administration and members of Congress chastising China for its supposed roles in cyber-intrusions into government contractors, human rights groups and Western corporations. The Times piece notes that Obama was aware and concerned that the government’s forays into cyberattacks would give justification to Iran, China and other entities conducting similar attacks against the United States.

According to the Times the first Stuxnet attacks were launched in 2008, a date that is much earlier than previously believed. But those early attacks were small. No two attacks were alike so they caused confusion among the Iranians, who couldn’t figure out the source of problems that were occurring with centrifuges.

By the time President Bush left office in January 2009, the operation had still not accomplished wholesale destruction of centrifuges, and the outgoing president urged Obama to continue the operation.

The story provides new details that expand on a story that Sanger reported in January 2011 when he wrote that Bush had authorized the cybersabotage plan against Iran before he left office, but that Obama had accelerated it once he was inaugurated in January 2009. Sanger had previously written in 2011 that Israel and the United States had worked on the plan in partnership, and had tested it using centrifuges that had been seized from Libya’s defunct nuclear enrichment operations in 2003, which were the same model of centrifuges being used at Natanz.

Sanger’s latest story gets a little confusing in places. It jumps around in time and the organization of it makes it sound as if centrifuges were destroyed at Natanz before Bush left office at the beginning of 2009.

But reports from the U.N.’s nuclear monitoring agency, the International Atomic Energy Agency, indicate that centrifuges weren’t destroyed until much later, likely beginning in the early fall of 2009, after Obama took office.

Because Sanger doesn’t provide actual dates in his story, it’s difficult to determine when exactly events are taking place that he describes. The piece indicates, however, that the Obama administration knew the worm had escaped Natanz before the worm was publicly disclosed in July 2010.

Researchers have uncovered a version of the worm that appeared to have been first launched in June 2009. In March 2010, the attackers launched a new more aggressive wave of attacks against Natanz, that researchers also recovered. It was this version of the worm that spread Natanz wider than intended and eventually led to its discovery.

Sanger describes at least two subsequent attacks of the code after it spread. This coincides with what researchers have found. They say a slightly different version of Stuxnet was released again in April 2010 and that a version of its driver was discovered in July 2010, signed with a new digital certificate, suggesting another version of Stuxnet might have been released at that time.

Sanger doesn’t say what the error was that caused Stuxnet to spread. But researchers found that the attackers added a number of zero-day exploits to the code in the March 2010 attack that hadn’t been in the code previously. These allowed the worm to spread automatically to many machines on the same network as well as to machines on separate networks.

According to the Times, the first stage of the attack operation involved the use of a cyberespionage tool, which Sanger calls a beacon, to siphon intelligence about Natanz’s operations and technical configurations so that Stuxnet could be tailored to attack it. Sanger doesn’t mention the name of this “beacon,” but researchers in Hungary last year discovered a piece of malware they dubbed DuQu, which many believe was the precursor to Stuxnet and was used to gain information from machines in Iran to design the Stuxnet code.

What Sanger describes, however, is code that was placed in control systems made by Siemens, that were being used at Natanz. The beacon was designed to map the operation of the controllers and create an electrical blueprint of the Natanz plant, and send the data back to the National Security Agency. This intelligence-gathering stage took months, according to the Times.

DuQu, however, was not designed to infect Siemens systems and was found on computers that were not running Siemens software. Most researchers also believe that the espionage part of the plot against the centrifuges began outside of Natanz, and that the infection spread from contractors to computers at Natanz, not the other way around.

According to sources who spoke with Sanger, Flame, the most recently discovered malware found infecting targeted machines in Iran and other Middle East countries, was not part of operation Olympic Games and declined to acknowledge whether the United States was behind it.