View Full Version : Stuxnet: Target Bushehr?



bourbon
09-24-2010, 01:36 AM
Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant? (http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant), by Mark Clayton. The Christian Science Monitor, September 21, 2010.

The Stuxnet malware has infiltrated industrial computer systems worldwide. Now, cyber security sleuths say it's a search-and-destroy weapon meant to hit a single target. One expert suggests it may be after Iran's Bushehr nuclear power plant.

By August, researchers had found something more disturbing: Stuxnet appeared to be able to take control of the automated factory control systems it had infected – and do whatever it was programmed to do with them. That was mischievous and dangerous.

But it gets worse. Since reverse engineering chunks of Stuxnet's massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.

"Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world," says Langner, who last week became the first to publicly detail Stuxnet's destructive purpose and its authors' malicious intent. "This is not about espionage, as some have said. This is a 100 percent sabotage attack."
http://www.langner.com/en/

This is pretty amazing.

IntelTrooper
09-24-2010, 01:55 AM
Israelis? Or SkyNet?

Tukhachevskii
09-24-2010, 12:02 PM
Sounds a lot like a Russian or Chinese programme. IMO it fits their respective doctrines.

bourbon
09-27-2010, 02:18 AM
Iranian nuclear programme targeted by computer virus (http://www.thenational.ae/apps/pbcs.dll/article?AID=/20100927/FOREIGN/100929554/1002), by Maryam Sinaiee and Michael Theodoulou. The National (UAE), September 26. 2010.

TEHRAN // Iran revealed yesterday that a so-called computer worm – which experts say shows unprecedented ingenuity and is unique in its ability to seize control of industrial plants – has infected the personal computers of staff at its first nuclear power plant.

But Tehran said the so-called Stuxnet malicious computer program, which has been described as the world’s first cyber-guided missile, has not damaged operations at the flagship facility in Bushehr, which is due to go online within weeks.

A likelier Stuxnet target, they speculate, would be Iran’s far more controversial nuclear facility at Natanz, where spinning centrifuges are producing low-enriched uranium for power plants.

davidbfpo
09-28-2010, 09:18 PM
An interesting comment: http://kingsofwar.org.uk/2010/09/kuang-grade-mark-11-targets-iranian-nuclear-facilities/

Which concludes:
To conclude then, well, what can we conclude? Not much, at present; we need to keep watching and not assume that the story is over because there are so many loose threads, so many questions to be answered, so much fog where clarity is needed for good judgement to be rendered. Still, I can’t help but think that some watershed has been passed, that Stuxnet of September 2010 will be remembered rather in the way we do the aerial bombings of civilian centres by Zeppelin airships–not as particularly strategically significant at the time but as a harbinger of what is still to come.

AdamG
09-29-2010, 02:27 AM
If this gets any curiouser, only my smile is going to be left....


While security experts know what Stuxnet is designed to do, Conficker is still the reigning mystery of the cyberworld because no one knows why it’s there or what it’s going to do. “Whoever developed it must be thinking that this was an incredible learning exercise,” says Joffe. “They were able to modify their code four times as we reacted defensively each time. They were able to step around us.” Version E of Conficker came out at the beginning of April 2009 and—alarmingly—it remains unbroken a year and a half later. “They raised the bar so high I have no idea what it’s doing,” he says. “It looks like it’s dormant.” But if he were to put himself in the Conficker controller’s shoes, he muses, “I'd be tactically selling off individual machines,” so that customers could choose their targets from a directory of hacked computers. “He could give me your computer, and we would never know it, as a security industry.”

Read more: http://www.businessinsider.com/cyber-war-2010-9#ixzz10sidE8AX

Global Scout
09-29-2010, 03:14 AM
Adam,

Thanks for the link to the article. I was not aware that malware caused a plane crash.



Already, malware has caused the loss of life. This August, the Spanish government released its report on Spanair Flight JK5022, which crashed on takeoff from Madrid two years ago. The pilot of the McDonnell Douglas MD 82 took off thinking that the flaps controlling lift were extended when they were, in fact, retracted. The plane ascended briefly before plunging into the ground, killing 154 of its 172 passengers. Trojan viruses spread by infected USB sticks—the dirty needles of the tech world—had stalled the execution of a key safety protocol before the jet took off, which would have shown that the aircraft’s systems were malfunctioning.

Read more: http://www.businessinsider.com/cyber-war-2010-9#ixzz10suFktT1

AdamG
09-30-2010, 02:01 PM
Deep inside the computer worm that some specialists suspect is aimed at slowing Iran’s race for a nuclear weapon lies what could be a fleeting reference to the Book of Esther, the Old Testament tale in which the Jews pre-empt a Persian plot to destroy them.
That use of the word “Myrtus” — which can be read as an allusion to Esther — to name a file inside the code is one of several murky clues that have emerged as computer experts try to trace the origin and purpose of the rogue Stuxnet program, which seeks out a specific kind of command module for industrial equipment.
http://www.nytimes.com/2010/09/30/world/middleeast/30worm.html

davidbfpo
09-30-2010, 09:32 PM
A very short article alleging it is the IDF's Cyber Unit 8200: http://www.telegraph.co.uk/news/worldnews/middleeast/israel/8034882/Israels-unit-8200-cyber-warfare.html

Elsewhere, possibly from another article in the paper, the 'clue':
Computer experts have discovered a biblical reference embedded in the code of the computer worm that has pointed to Israel as the origin of the cyber attack.

The code contains the word "myrtus", which is the Latin biological term for the myrtle tree. The Hebrew word for myrtle, Hadassah, was the birth name of Esther, the Jewish queen of Persia.

Link: http://www.telegraph.co.uk/news/worldnews/middleeast/israel/8034987/Israeli-cyber-unit-responsible-for-Iran-computer-worm-claim.html

SJPONeill
09-30-2010, 09:43 PM
http://www.nytimes.com/2010/09/30/world/middleeast/30worm.html

Then again, if you wanted to deflect investigation from the true source, just drop a name deep inside the file...you'd like to think that any adversary smart enough to infiltrate a virus like this, wouldn't be advertising its origins...

Erich G. Simmers
10-06-2010, 01:42 AM
Here is a good summary of technical analysis from Symantec, F-Secure, and Trend Micro via the very good technology and security blog, "Thoughts of a Technocrat." (http://djtechnocrat.blogspot.com/2010/10/stuxnet-update-dossier-faq.html)

Erich G. Simmers
10-07-2010, 04:20 PM
Bruce Schneier, an expert on security and cryptography, wrote this October 7th analysis of Stuxnet (http://www.schneier.com/blog/archives/2010/10/stuxnet.html) (also featured at Forbes.com (http://www.forbes.com/2010/10/06/iran-nuclear-computer-technology-security-stuxnet-worm.html)), which summarizes what is known and unknown about the worm, including possible clues from the code and alternative explanations to the Bushehr nuclear reactor sabotage hypothesis. Schneier's arguments on issues of technology and security tend to focus on putting threats and vulnerabilities into the most rational/least emotional light, and as such he has consistently downplayed the dangers of cyberwar. Whatever your stance on the threat, it is a measured analysis worth noting:


Computer security experts are often surprised at which stories get picked up by the mainstream media. Sometimes it makes no sense. Why this particular data breach, vulnerability, or worm and not others? Sometimes it's obvious. In the case of Stuxnet, there's a great story.

As the story goes, the Stuxnet worm was designed and released by a government--the U.S. and Israel are the most common suspects--specifically to attack the Bushehr nuclear power plant in Iran. How could anyone not report that? It combines computer attacks, nuclear power, spy agencies and a country that's a pariah to much of the world. The only problem with the story is that it's almost entirely speculation.

Here's what we do know...

More at Schneier on Security (http://www.schneier.com/blog/archives/2010/10/stuxnet.html)...

Best,

Erich Simmers

AdamG
10-19-2010, 04:42 PM
What Stuxnet Means for Small Business

Tom Harnish

Oct 18, 2010 -

When the cyber weapon hit, it rocked the computer industry and aftershocks rattled brains in cyber security centers around the world. This is no plot line from a science fiction novel, someone really designed and built a groundbreaking computer program — a cyber missile. Called Stuxnet, it was designed to hunt and destroy a specific industrial process, maybe even blow something up.

http://www.openforum.com/idea-hub/topics/money/article/what-stuxnet-means-for-small-business-tom-harnish

AdamG
11-28-2010, 06:39 AM
The target was seemingly impenetrable; for security reasons, it lay several stories underground and was not connected to the World Wide Web. And that meant Stuxnet had to act as sort of a computer cruise missile: As it made its passage through a set of unconnected computers, it had to grow and adapt to security measures and other changes until it reached one that could bring it into the nuclear facility.

When it ultimately found its target, it would have to secretly manipulate it until it was so compromised it ceased normal functions.

And finally, after the job was done, the worm would have to destroy itself without leaving a trace.

That is what we are learning happened at Iran's nuclear facilities -- both at Natanz, which houses the centrifuge arrays used for processing uranium into nuclear fuel, and, to a lesser extent, at Bushehr, Iran's nuclear power plant.

At Natanz, for almost 17 months, Stuxnet quietly worked its way into the system and targeted a specific component -- the frequency converters made by the German equipment manufacturer Siemens that regulated the speed of the spinning centrifuges used to create nuclear fuel. The worm then took control of the speed at which the centrifuges spun, making them turn so fast in a quick burst that they would be damaged but not destroyed. And at the same time, the worm masked that change in speed from being discovered at the centrifuges' control panel.

At Bushehr, meanwhile, a second secret set of codes, which Langner called “digital warheads,” targeted the Russian-built power plant's massive steam turbine.

Here's how it worked, according to experts who have examined the worm:

Read more: http://www.foxnews.com/scitech/2010/11/26/secret-agent-crippled-irans-nuclear-ambitions/#ixzz16YZpEt3P

davidbfpo
11-28-2010, 11:23 AM
Adam G,

Good catch, well written too. A lot of thought applied to the strategy and tools used.

AdamG
11-30-2010, 01:52 AM
If you liked that, you'll positively plotz over this :

Recommended reading music

http://www.youtube.com/watch?v=9LdTe2EbrLk


While the media blabs on about (relatively) inconsequential WikiLeaks, real drama plays out on the streets of Teheran where two Iranian nuclear scientists were the targets of assassination attempts – one of them successful.

http://pajamasmedia.com/rogerlsimon/2010/11/29/death-in-teheran-stuxnet-continued/

IntelTrooper
11-30-2010, 02:44 AM
If you liked that, you'll positively plotz over this :
http://pajamasmedia.com/rogerlsimon/2010/11/29/death-in-teheran-stuxnet-continued/

If someone wanted to target high-value individuals in Iran's nuclear program, these would definitely be two of them. If someone wanted to increase anti-Western sentiment while doing some internal housecleaning, these might be the way to go as well...

AdamG
11-30-2010, 03:11 AM
If someone wanted to target high-value individuals in Iran's nuclear program, these would definitely be two of them. If someone wanted to increase anti-Western sentiment while doing some internal housecleaning, these might be the way to go as well...

You'd like to think that, wouldn't you? You've beaten my giant, which means you're exceptionally strong, so you could've put the poison in your own goblet, trusting on your strength to save you, so I can clearly not choose the wine in front of you. But, you've also bested my Spaniard, which means you must have studied, and in studying you must have learned that man is mortal, so you would have put the poison as far from yourself as possible, so I can clearly not choose the wine in front of me. - Vizzini

Ron Humphrey
11-30-2010, 04:06 AM
You'd like to think that, wouldn't you? You've beaten my giant, which means you're exceptionally strong, so you could've put the poison in your own goblet, trusting on your strength to save you, so I can clearly not choose the wine in front of you. But, you've also bested my Spaniard, which means you must have studied, and in studying you must have learned that man is mortal, so you would have put the poison as far from yourself as possible, so I can clearly not choose the wine in front of me. - Vizzini

That's cool, prefer beer anyway :D

AdamG
12-08-2010, 04:08 AM
(Dec. 7) -- The computer virus Stuxnet, which some experts believe was created specifically to target Iran's nuclear facilities, could also threaten U.S. infrastructure, a senior Department of Homeland Security official says.

"That virus focused on specific software implementations, and those software implementations did exist in some U.S. infrastructure," Greg Schaffer, the department's assistant secretary for cybersecurity and communications, told reporters at a breakfast Monday morning. "So, there was the potential for some U.S. infrastructure to be impacted at some level."

http://www.aolnews.com/nation/article/us-also-vulnerable-to-stuxnet-virus-official-warns/19750249

JJackson
12-08-2010, 05:29 PM
Re. Stuxnet

Firstly take the reports in the press with a bucket load of salt, particularly Langner’s wild speculations in post 14.

If you are interested in this malware read Symantec’s report (64 page .pdf (http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf) ) which outlines the function of all code modules, propagation methods and variations in great detail.

What is clear (see graphs around page 6) and from the infection method is that the intended target was in Iran. The intended end result is the speeding up, and slowing down, of some industrial motors. It is very specific in the criteria needed for activation; the report outlines the nitty gritty on page 42:



To more clearly illustrate the behavior of the injected code, we’ve outlined the key events that would occur with an infected 315-2 CPU connected to multiple CP 342-5 modules each with 31 frequency converter drive slaves, as shown in the diagram below.
• The PLC is infected.
• Frequency converter slaves send records to their CP-342-5 master, building a frame of 31 records. The CPU records the CP-342-5 addresses.
• The frames are examined and the fields are recorded.
• After approximately 13 days, enough events have been recorded, showing the system has been operating between 807 Hz and 1210 Hz.
• The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to 1410Hz.
• Normal operation resumes.
• After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency initially to 2Hz and then 1064Hz.
• Normal operation resumes.
• After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to 1410Hz.
• Normal operation resumes.
• After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency initially to 2Hz and then 1064Hz.

What is going on here is that the authors (of the malware) are only interested in motors running at between 807 & 1210 Hz. They could instruct the motor to spin at very high speed in reverse and cause immediate catastrophic damage, but what they do is introduce a cycle that waits a couple of weeks, then increases the revs to 1410 Hz (not wildly above the normal range), then returns to normal operation for weeks before almost stopping the motor (2 Hz), then setting it to 1064 Hz (inside the normal range) before restarting the cycle. What effect this would have obviously depends on what the motors are driving, and this control equipment is so generic that the Siemens site has a sales .pdf (http://www.automation.siemens.com/salesmaterial-as/brochure/en/brochure_simatic-technology_en.pdf) with case studies of various companies using their system controlling sewing machines and motors moving packages off a conveyor belt and onto a pallet. The very specific criteria and precise speed changes imply a detailed knowledge of the target and imply an attempt not to cause collateral damage.

The extreme complexity of the code, the use of 3 Windows zero day exploits (these are like gold dust; they are previously undocumented security weaknesses, each of which would normally be the basis of a new virus, so to ‘waste’ 3 in one attack is unheard of) and one in the Siemens Step 7 control software: this is man-years of work and probably needed someone to gain access to the premises of both Realtek & JMicron (both in Taiwan).

“The attackers would have needed to obtain the digital certificates from someone who may have physically entered the premises of the two companies and stole them, …”

I do not know where in Iran the target was but the report shows that Iran alone had 60,000 infected computers in 30,000 organisations at one point with nearly 70% running the Step 7 control software. The complexity, specificity, absence of pecuniary advantage, and attempts not to damage systems, other than the target, does point to a Nation State. The fact that Iran was the epicentre of the attack does make one wonder if its nuclear facilities were the intended target but I have seen no reports that state that Natanz or Bushehr use the S7-315 CPU which is the very specific target.

Now if anyone here can tell me authoritatively that the Natanz centrifuges spin speeds are controlled by 6ES7 315-2 (it is that specific) processors then …
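The quoted dossier sequence above makes a defensive point worth turning into code: the worm kept the drives inside the 807–1210 Hz band for weeks, then pushed them briefly out of it (1410 Hz, then 2 Hz) while masking the change from the control panel, before settling at an in-band 1064 Hz. The example below is added here as an illustration and is not code from this thread, from Symantec's report, or from Siemens. It assumes a hypothetical independent speed reading for each drive (for instance from a vibration or line-current monitor that the PLC cannot rewrite), and the tolerances, drive name and sampling interval are constructed values for the example only. It runs three checks over a constructed telemetry stream: is the independent reading outside the normal band, does it disagree with what the controller reports, and did it jump implausibly far since the previous sample.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Operating band the quoted dossier text gives for the monitored drives (807-1210 Hz).
NORMAL_BAND_HZ = (807.0, 1210.0)
# The tolerances below are assumptions chosen for this example, not values from the thread or the report.
MAX_HMI_SENSOR_DIVERGENCE_HZ = 25.0   # how far the controller-reported speed may drift from the independent reading
MAX_STEP_PER_SAMPLE_HZ = 100.0        # largest plausible change between two consecutive samples


@dataclass(frozen=True)
class Sample:
    """One telemetry reading for one drive."""
    t_seconds: int
    drive_id: str
    hmi_hz: float      # frequency as reported by the PLC/HMI (the value the quoted text says was masked)
    sensor_hz: float   # frequency from a hypothetical independent source (vibration or line-current monitor)


@dataclass(frozen=True)
class Alert:
    t_seconds: int
    drive_id: str
    kind: str
    detail: str


def detect(samples: Iterable[Sample],
           band=NORMAL_BAND_HZ,
           divergence_tol=MAX_HMI_SENSOR_DIVERGENCE_HZ,
           step_tol=MAX_STEP_PER_SAMPLE_HZ) -> List[Alert]:
    """Run three independent checks over the telemetry and return every alert raised.

    OUT_OF_BAND        : the independent sensor reads outside the normal operating band.
    HMI_SENSOR_MISMATCH: the controller's reported speed disagrees with the independent sensor.
    STEP_CHANGE        : the independent reading jumped more than step_tol since the previous sample.
    """
    lo, hi = band
    alerts: List[Alert] = []
    last_sensor: Dict[str, float] = {}
    for s in sorted(samples, key=lambda x: (x.t_seconds, x.drive_id)):
        if not lo <= s.sensor_hz <= hi:
            alerts.append(Alert(s.t_seconds, s.drive_id, "OUT_OF_BAND",
                                f"sensor reads {s.sensor_hz:.0f} Hz, outside {lo:.0f}-{hi:.0f} Hz"))
        if abs(s.hmi_hz - s.sensor_hz) > divergence_tol:
            alerts.append(Alert(s.t_seconds, s.drive_id, "HMI_SENSOR_MISMATCH",
                                f"HMI reports {s.hmi_hz:.0f} Hz but sensor reads {s.sensor_hz:.0f} Hz"))
        prev: Optional[float] = last_sensor.get(s.drive_id)
        if prev is not None and abs(s.sensor_hz - prev) > step_tol:
            alerts.append(Alert(s.t_seconds, s.drive_id, "STEP_CHANGE",
                                f"sensor jumped from {prev:.0f} Hz to {s.sensor_hz:.0f} Hz in one sample"))
        last_sensor[s.drive_id] = s.sensor_hz
    return alerts


def summarize(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count alerts per kind, e.g. {'OUT_OF_BAND': 3, ...}."""
    return dict(Counter(a.kind for a in alerts))


def constructed_samples() -> List[Sample]:
    """Constructed telemetry for one drive sampled every 60 s (not real plant data).

    The HMI column stays at 1064 Hz throughout, mirroring the masking the quoted text
    describes, while the independent sensor follows the excursions that text lists:
    up to 1410 Hz, back to normal, down to 2 Hz, then settling at 1064 Hz.
    """
    d = "drive-07"   # constructed drive name
    return [
        Sample(0, d, 1064.0, 1064.0),
        Sample(60, d, 1064.0, 1064.5),
        Sample(120, d, 1064.0, 1063.5),
        Sample(180, d, 1064.0, 1410.0),   # sequence-1 style excursion, hidden from the HMI
        Sample(240, d, 1064.0, 1410.0),
        Sample(300, d, 1064.0, 1064.0),   # back inside the band
        Sample(360, d, 1064.0, 2.0),      # sequence-2 style near-stop
        Sample(420, d, 1064.0, 1064.0),   # settles in-band: only the step check sees this one
    ]


if __name__ == "__main__":
    found = detect(constructed_samples())
    for a in found:
        print(f"t={a.t_seconds:4d}s {a.drive_id} {a.kind}: {a.detail}")
    print(summarize(found))
```

Two things the run makes visible. The HMI column alone shows nothing at any point, which is exactly why a reading the controller cannot rewrite is the monitoring worth having; and the final settle at 1064 Hz is inside the band and matches the HMI, so the only check that notices it is the per-sample step limit. Any real deployment would tune the band and tolerances to the plant's own history rather than the constructed values used here.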

Dayuhan
01-16-2011, 01:13 AM
Interesting NYT article claiming that the Stuxnet worm was aimed specifically at Iranian centrifuges...

http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=1&_r=1


Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.

“To check out the worm, you have to know the machines,” said an American expert on nuclear intelligence. “The reason the worm has been effective is that the Israelis tried it out.”

Though American and Israeli officials refuse to talk publicly about what goes on at Dimona, the operations there, as well as related efforts in the United States, are among the newest and strongest clues suggesting that the virus was designed as an American-Israeli project to sabotage the Iranian program.

Our concern with such attacks has typically been that they would be used against the US: like other swords, this one apparently has two edges.

anonamatic
01-16-2011, 03:55 AM
Our concern with such attacks has typically been that they would be used against the US: like other swords, this one apparently has two edges.

Where do you see any evidence of that? Also, if this was some US/Israeli effort, it was damned sloppy in that it was so easily traced. Leaving clues in code is amateur at best, and this thing has been seriously picked apart. Neither of which say good things, although the results are very much worthy of applause. Personally I don't care who did this, I'm just glad they did. We need more like that.

Erich G. Simmers
01-17-2011, 10:06 PM
Mikko Hyppönen, Chief Research Officer at F-Secure, offers a good summary of why Stuxnet is unique in terms of malware design and execution: http://www.youtube.com/watch?v=gFzadFI7sco.

AdamG
02-14-2011, 12:01 AM
The Stuxnet software worm repeatedly sought to infect five industrial facilities in Iran over a 10-month period, a new report says, in what could be a clue into how it might have infected the Iranian uranium enrichment complex at Natanz.

http://www.nytimes.com/2011/02/13/science/13stuxnet.html?_r=2&src=twrhp

Erich G. Simmers
02-14-2011, 12:18 AM
http://www.nytimes.com/2011/02/13/science/13stuxnet.html?_r=2&src=twrhp

The actual report can be found here: http://www.symantec.com/connect/ko/blogs/updated-w32stuxnet-dossier-available.

It is worth the read. Missing from the news story was that several vendors contributed samples and data on the worm including ESET, F-Secure, Kaspersky Labs, Microsoft, McAfee, and Trend.

davidbfpo
02-15-2011, 08:26 PM
An IISS Strategic Comment, which provides a good IMHO overview, starts:
..it is essentially a delaying tactic and has not dimmed the country’s resolve to develop nuclear capabilities.. and ends with:
Cyber sabotage is likely only to buy time for the international community to devise alternative policy responses to Iran’s nuclear programme. In the meantime, sanctions and negotiations are likely to remain their priority.

Link: http://www.iiss.org/publications/strategic-comments/past-issues/volume-17-2011/february/stuxnet-targeting-irans-nuclear-programme/

Cannoneer No. 4
02-16-2011, 03:49 PM
http://www.rockto.com/launcher/33781/homelandsecuritynewswire.com/hackers-release-stuxnets-decompiled-code-online


The Anonymous group released the Stuxnet code on 13 February, after finding it in a database of e-mails it stole from HBGary. “First public Stuxnet decompile is to be found here,” one representative of the group wrote over Twitter.

Rex Brynen
02-16-2011, 05:05 PM
Iran's Natanz nuclear facility recovered quickly from Stuxnet cyberattack (http://www.washingtonpost.com/wp-dyn/content/article/2011/02/15/AR2011021505395.html?hpid=topnews)

By Joby Warrick
Washington Post Foreign Service
Wednesday, February 16, 2011; 12:00 AM


VIENNA - In an underground chamber near the Iranian city of Natanz, a network of surveillance cameras offers the outside world a rare glimpse into Iran's largest nuclear facility. The cameras were installed by U.N. inspectors to keep tabs on Iran's nuclear progress, but last year they recorded something unexpected: workers hauling away crate after crate of broken equipment.

In a six-month period between late 2009 and last spring, U.N. officials watched in amazement as Iran dismantled more than 10 percent of the Natanz plant's 9,000 centrifuge machines used to enrich uranium. Then, just as remarkably, hundreds of new machines arrived at the plant to replace the ones that were lost....

anonamatic
02-17-2011, 01:51 AM
The Anonymous group released the Stuxnet code on 13 February, after finding it in a database of e-mails it stole from HBGary. “First public Stuxnet decompile is to be found here,” one representative of the group wrote over Twitter.

Stuxnet lacked, as can be seen readily by some of the results of the HBGary debacle, what's known as 'anti-reverse' code, meaning it didn't have any provisions to protect it against decompilation or reverse engineering. Which, considering everything else it was doing, was something of a serious oversight.

It had somewhat obscure, but still present, pointers in the code that have caused some attempts at attribution. If that was intentionally diversionary, it was a good idea. If it wasn't a diversion, well, obviously in that case it's clear it was a really bad idea.

Strategically there are some different things I probably would have done that the authors didn't do. On the other hand, it did some really slick things too, and interestingly enough the stuff that's interesting are attributes that aren't of any great use to the criminal malware community; granted, that community is something of an idiot-filled sewer, but not completely either. If that was the case no one would need AV software anymore.

Overall it's some pretty fine work. There's more I could say about the technical aspects of it, but in the interests of common sense I'll refrain. I will say that some of the architecture was very impressive, and that the attention it's gotten from some of the technology community is not pure hyperbole. This was some very well thought out code, and implemented very well aside from the few criticisms I've made.

AdamG
03-15-2011, 06:53 PM
On the Trail of Stuxnet
March 11, 2011

Last year, somebody somewhere – possibly a government, possibly several governments – unleashed one of the most sophisticated pieces of malware ever created, specially designed apparently to target Iran’s uranium enrichment program. In a gripping narrative in Vanity Fair, author Michael Joseph Gross follows the trail of the so-called Stuxnet virus and argues that it marks cyberwarfare’s Hiroshima moment.

http://www.onthemedia.org/transcripts/2011/03/11/07

SWJ Blog
04-15-2011, 01:51 AM
Stuxnet: Cyberwar Revolution in Military Affairs (http://smallwarsjournal.com/blog/2011/04/stuxnet-cyberwar-revolution-in/)

Entry Excerpt:

Stuxnet: Cyberwar Revolution in Military Affairs
by Paulo Shakarian

Download The Full Article: Stuxnet: Cyberwar Revolution in Military Affairs (http://smallwarsjournal.com/blog/journal/docs-temp/734-shakarian2.pdf)

On June 17th, 2010, security researchers at a small Belarusian firm known as VirusBlockAda identified malicious software (malware) that infected USB memory sticks. In the months that followed, there was a flurry of activity in the computer security community – revealing that this discovery identified only one component of a new computer worm known as Stuxnet. This software was designed to specifically target industrial equipment. Once it was revealed that the majority of infections were discovered in Iran, along with an unexplained decommissioning of centrifuges at the Iranian fuel enrichment plant (FEP) at Natanz, many in the media speculated that the ultimate goal of Stuxnet was to target Iranian nuclear facilities. In November of 2010, some of these suspicions were validated when Iranian President Mahmoud Ahmadinejad publicly acknowledged that a computer worm created problems for a “limited number of our [nuclear] centrifuges.” Reputable experts in the computer security community have already labeled Stuxnet as “unprecedented,” an “evolutionary leap,” and “the type of threat we hope to never see again."

In this paper, I argue that this malicious software represents a revolution in military affairs (RMA) in the virtual realm – that is Stuxnet fundamentally changes the nature of cyber warfare. There are four reasons to this claim: (1) Stuxnet represents the first case in which industrial equipment was targeted with a cyber-weapon, (2) there is evidence that the worm was successful in its targeting of such equipment, (3) it represents a significant advance in the development of malicious software, and (4) Stuxnet has shown that several common assumptions about cyber-security are not always valid. In this paper I examine these four points as well as explore the future implications of the Stuxnet RMA.

Download The Full Article: Stuxnet: Cyberwar Revolution in Military Affairs (http://smallwarsjournal.com/blog/journal/docs-temp/734-shakarian2.pdf)

Paulo Shakarian is a Captain in the U.S. Army and a Ph.D. candidate in computer science at the University of Maryland (College Park) and will soon take up a position teaching computer science at the U.S. Military Academy. He holds a BS from the U.S. Military Academy and an MS from the University of Maryland (College Park), both in computer science.

The views expressed in this article are those of the authors and do not reflect the official policy or position of the United States Military Academy, United States Cyber Command, the Department of the Army, the Department of Defense, or the United States Government.




AdamG
04-25-2011, 02:35 PM
Iran has been hit with new malicious software as part of cyber attacks against the country, a military officer told Mehr news agency on Monday without specifying the target.
"Certain characteristics about the 'Stars' virus have been identified, including that it is compatible with the (targeted) system," Gholam Reza Jalali, commander of the Iranian civil defence organisation, told the agency.

"In the initial stage, the damage is low and it is likely to be mistaken for governmental executable files," Jalali said, adding that Iranian experts were still investigating the full scope of the malware's abilities.

http://www.breitbart.com/article.php?id=CNG.52b1c572200691378e42eaf823edf1d3.4e1&show_article=1

AdamG
05-18-2011, 10:08 PM
VIENNA — The U.N. nuclear agency is investigating reports from its experts that their cellphones and laptops may have been hacked into by Iranian officials looking for confidential information while the equipment was left unattended during inspection tours in the Islamic Republic, diplomats have told The Associated Press.

http://www.huffingtonpost.com/2011/05/18/iaea-hacked-nuclear-agenc_n_863625.html?icid=maing-grid7|main5|dl1|sec3_lnk1|63967

AdamG
05-20-2011, 04:30 PM
JERUSALEM (AFP) – Then Russian president Vladimir Putin ordered the sabotage of Iran's nuclear programme in 2006, according to WikiLeaks documents published by Israeli daily Yediot Aharonot on Thursday.

The leaked documents, which were not immediately available on either the Yediot or Wikileaks websites, purportedly detail talks between the head of Israel's Atomic Energy Commission and then-US ambassador to Israel Richard Jones.

http://news.yahoo.com/s/afp/20110519/wl_afp/irannuclearpoliticsrussiawikileaks

AdamG
05-29-2011, 11:30 AM
(Newser) – Iran is waging war on open Internet. Looking to limit the cyber-infiltration of Western ideas, Iran's telecommunications chief claimed that, in two years time, all Iranians would be forced to use a state-censored, fully-internal Internet. About 60% of the nation's homes and businesses are expected to be on it much sooner than that, he added. Iran sees the move toward heightened online policing as a way to uphold Islamic moral values, though whether it can truly block the world's Internet remains an open question, the Wall Street Journal reports.

http://www.newser.com/story/119645/iran-plans-to-unplug-internet-create-its-own.html?utm_medium=fark&utm_campaign=pop

davidbfpo
06-17-2011, 01:35 PM
Thanks to 'Doctrine Man' pointing to this Australian, three minute animated explanation: http://vimeo.com/25118844

Good question or warning at the end.

AdamG
09-27-2011, 01:33 PM
Langner says as they dug deeper into the Stuxnet code, each new discovery left them more impressed and wondering what was coming next. He says he couldn't imagine who could have created the worm, and the level of expertise seemed almost alien. But that would be science fiction, and Stuxnet was a reality.

"Thinking about it for another minute, if it's not aliens, it's got to be the United States," he says.

http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet?ps=cprs

AdamG
10-24-2011, 04:08 AM
A newly discovered piece of malicious code dubbed Duqu is closely related to the notorious Stuxnet worm that damaged Iran's nuclear-enrichment centrifuges last year. Although it has no known target or author, it sets the stage for more industrial and cyberwar attacks, experts say.

"This is definitely a troubling development on a number of levels," says Ronald Deibert, director of Citizen Lab, an Internet think-tank at the University of Toronto who leads research on cyberwarfare, censorship, and espionage. "In the context of the militarization of cyberspace, policymakers around the world should be concerned."

http://www.technologyreview.com/computing/38955/?p1=MstRcnt

anonamatic
11-02-2011, 09:29 AM
They found the loader, updates here:
http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit

It didn't get less interesting.

CloseDanger
11-21-2011, 04:37 PM
Duqu most likely is more of an information gathering virus that saves files on the infected machine for further use later. It is also a keylogger.

https://infosecisland.com/blogview/18229-Duqu-May-Actually-Be-An-Advanced-Cyber-Weapon.html

AdamG
12-10-2011, 03:27 AM
The U.S. and Israel are widely assumed to be responsible for the Stuxnet computer worm that hit Iran’s nuclear facilities. But Moscow has just as good a motive.

http://the-diplomat.com/2011/12/10/was-russia-behind-stuxnet/

SWJ Blog
06-03-2012, 07:50 AM
Stuxnet was Work of U.S. and Israeli Experts (http://smallwarsjournal.com/blog/stuxnet-was-work-of-us-and-israeli-experts)


AdamG
07-25-2012, 03:16 AM
Iranian nuclear facilities have reportedly been attacked by a “music” virus, turning on lab PCs at night and blasting AC/DC’s “Thunderstruck.” (www.youtube.com/watch?v=lsmXLGKdkW4)

http://www.rt.com/news/iran-computer-virus-acdc-940/

:D

Erich G. Simmers
07-25-2012, 05:14 AM
http://www.rt.com/news/iran-computer-virus-acdc-940/

:D

I got a chuckle out of this news item, too, but that article--particularly the title--is crap. Mikko's original blog post (https://www.f-secure.com/weblog/archives/00002403.html) is much more informative. There are really two issues. There's a report of some other worm, and the Iranian believes Metasploit is in use. Metasploit is not a virus; it's an exploitation framework. Download it here (http://www.metasploit.com/) if you're curious.

HD Moore, Metasploit's creator, tweeted two responses to articles like this one:


"definitely a confused individual, Metasploit isn't a worm and doesn't ship with AC/DC's Thunderstruck :)" (source (https://twitter.com/hdmoore/status/227413301552877568))


He also added a bit on how you use the framework to load MP3s:


"you can do it today (msf> load sounds) & copy mp3" (source (https://twitter.com/hdmoore/status/227413982544269312))


If the e-mail to Mikko is truthful and accurate, this strikes me as the act of an amateur--not a state, much less the U.S. Moreover, the fact that there is no effort to be covert makes me think this is a grand middle finger to US and other intelligence agencies. It is as if the perpetrator is saying, "You developed malware and cryptographic attacks over the course of years to penetrate computers relevant to the Iranian nuclear program; I did it by downloading an app freely available to anyone." They probably even used a commonly available exploit, too. I can't see someone burning a 0-day to blast "Thunderstruck" to some Iranian engineers just for, as the kids say, "the lulz."

If I had to ‘profile’ the perpetrator, I would suggest a lone male with a grudge or grievance with one or more US intelligence agencies (perhaps a past applicant). If there is a political motive, I would suggest someone affiliated with Anonymous or other like-minded group who might think disrupting Iranian networks would mean disrupting any ongoing US intelligence operation. Either way, the objective in my view is disrupting or discrediting US efforts rather than Iran's nuclear program. That’s pure speculation, but that is the impression I get.

AdamG
07-26-2012, 03:57 PM
If I had to ‘profile’ the perpetrator, I would suggest a lone male with a grudge or grievance with one or more US intelligence agencies (perhaps a past applicant). If there is a political motive, I would suggest someone affiliated with Anonymous or other like-minded group who might think disrupting Iranian networks would mean disrupting any ongoing US intelligence operation. Either way, the objective in my view is disrupting or discrediting US efforts rather than Iran's nuclear program. That’s pure speculation, but that is the impression I get.

That'd make a good movie script. Seriously.

Erich G. Simmers
07-26-2012, 04:52 PM
That'd make a good movie script. Seriously.

Have you played with Metasploit? Typing commands into msfconsole is a little hard to dramatize on screen. About the closest we've come to making the command line sexy was having Trinity from The Matrix run an nmap scan and a fictitious SSH exploit, and Trinity did it wearing a leather outfit (article (http://www.securityfocus.com/news/4831/) and YouTube clip (https://www.youtube.com/watch?v=ojFFS_T3UQk)*). The real perpetrator may be doing it unshaven and in a bathrobe. :D

Definitely strikes me as an amateur--although who knows. If the Iranians are shutting down key parts of their network (I don't know how vital the automation bits mentioned in Mikko's piece are) to do forensics to figure out how the attacker is getting in, maybe blasting "Thunderstruck" is the next best thing to some fancy exploit to ruin centrifuges. Or, perhaps, some group who wants to disrupt Iran's nuclear program is flooding them with garbage attacks to overwhelm Iranians' attempts to analyze their more 'long-term,' targeted malware. That analysis takes time and personnel who are in short supply even in the U.S.

However, these types of attacks seem every bit as likely to disrupt professional intelligence agencies' access as help them in some way. That's why I think there is another motive at work here. The reported worm and Metasploit hijinks may even be two separate actors.

--

* - Funny enough, that little 1:09 clip dramatizes pretty much every policy maker's fear of an infrastructure attack on the U.S.

AdamG
10-16-2012, 04:19 AM
Researchers said today they have identified part of the powerful Flame cyber espionage program as a stand-alone, “highly flexible” spy program that centered its attacks on computer systems in Lebanon and Iran.

MiniFlame, as cyber experts at Moscow-based Kaspersky Labs dubbed the malware, is an “info-stealing” virus designed to hit only a few high-profile targets – perhaps just a few dozen computer systems. Kaspersky researchers said in a blog post they actually discovered MiniFlame in July but at the time believed it to be just a module within Flame.

http://abcnews.go.com/blogs/headlines/2012/10/miniflame-researchers-say-extremely-targeted-cyber-attack-hit-lebanon-iran/

AdamG
01-18-2013, 07:48 PM
After the Stuxnet malware attacks that are thought to have caused several Iranian nuclear centrifuges to explode, Iran has been steadily boosting its ability to carry out attacks against computer networks, and is growing into “a force to be reckoned with.”

That was the warning given by Gen. William Shelton (pictured in a file photo), head of the U.S. Air Force’s Space Command, which is also in charge of the Air Force’s cyber-war group, in a speech in Washington, D.C., yesterday, which was covered by Reuters.

http://allthingsd.com/20130118/iran-raised-its-cyberwar-game-after-stuxnet-us-general-says/

mthibode
01-19-2013, 03:24 PM
If anyone really wants to know in detail how severe and what exactly the alleged Iranian cyber threat entails, the last place to look is to a US service representative. It is in his interest, in these budget constrained times, to hype the threat.

I suppose what we really need is a trusted third party... operating as Kaspersky is doing now with the Stuxnet threat--to gauge threat sophistication, intended target, etc. UN? Sweden?

davidbfpo
05-15-2013, 10:58 PM
A RUSI Journal article (behind paywall) that disputes the impact via a newspaper article:
Iran's nuclear potential may have been significantly increased by the Stuxnet worm that is believed to have infected the country's uranium enrichment facility at Natanz in 2009 and 2010, new research claims.

Link: http://www.telegraph.co.uk/technology/news/10058546/Stuxnet-worm-increased-Irans-nuclear-potential.html

davidbfpo
11-20-2013, 03:19 PM
A detailed explanation of the two versions of Stuxnet; for a layman like moi, just about followed: 'Stuxnet's Secret Twin: The real program to sabotage Iran's nuclear facilities was far more sophisticated than anyone realized'.

There are several different passages; the best is:
The system might have kept Natanz's centrifuges spinning, but it also opened them up to a cyberattack that is so far-out, it leads one to wonder whether its creators might have been on drugs.

It ends with:
In other words, blowing the cover of this online sabotage campaign came with benefits. Uncovering Stuxnet was the end of the operation, but not necessarily the end of its utility. Unlike traditional Pentagon hardware, one cannot display USB drives at a military parade. The Stuxnet revelation showed the world what cyberweapons could do in the hands of a superpower. It also saved America from embarrassment. If another country -- maybe even an adversary -- had been first in demonstrating proficiency in the digital domain, it would have been nothing short of another Sputnik moment in U.S. history. So there were plenty of good reasons not to sacrifice mission success for fear of detection.

We're not sure whether Stuxnet was disclosed intentionally. As with so many human endeavors, it may simply have been an unintended side effect that turned out to be critical. One thing we do know: It changed global military strategy in the 21st century.

Link: http://www.foreignpolicy.com/articles/2013/11/19/stuxnets_secret_twin_iran_nukes_cyber_attack?page=full

davidbfpo
02-26-2014, 06:38 PM
A new thesis about that, to be outlined Tuesday at a security conference in San Francisco, points to a vulnerability in the Iranian facility's supply chain – and may hold lessons for owners of critical infrastructure in the US concerning how to guard their own industrial equipment against cyberattack.

Link: http://www.csmonitor.com/World/Security-Watch/2014/0225/.Uw4WJ0rTtag.twitter

davidbfpo
02-16-2016, 06:25 PM
Not a surprise - there is now a film / documentary on Stuxnet; Zero Days, by Oscar-winning director Alex Gibney, and an article, written after a preview of the film, has the sub-title:
A new documentary on “Stuxnet”, the joint U.S.-Israeli attack on Iran’s nuclear program, reveals it was just a small part of a much bigger cyber operation against the nation’s military and civilian infrastructure under the code name “NITRO ZEUS”.

As a joint US-Israeli project it had some "issues", as one source claims:
Our friends in Israel took a weapon that we jointly developed — in part to keep Israel from doing something crazy — and then used it on their own in a way that blew the cover of the operation and could’ve led to war.

Citing Michael Hayden, ex-CIA & NSA:
I know no operational details and don’t know what anyone did or didn’t do before someone decided to use the weapon, all right. I do know this: If we go out and do something, most of the rest of the world now thinks that’s a new standard, and it’s something they now feel legitimated to do as well. But the rules of engagement, international norms, treaty standards, they don’t exist right now.

Link: http://www.buzzfeed.com/jamesball/us-hacked-into-irans-critical-civilian-infrastructure-for-ma#.hb5pVQAmPj

Merged into the old thread on Stuxnet, with 52 posts and 20k views.

SWJ Blog
02-16-2016, 08:50 PM
U.S. Had Cyberattack Planned if Iran Nuclear Negotiations Failed (http://smallwarsjournal.com/blog/us-had-cyberattack-planned-if-iran-nuclear-negotiations-failed)

This is the NYT report:
In the early years of the Obama administration, the United States developed an elaborate plan for a cyberattack on Iran in case the diplomatic effort to limit its nuclear program failed and led to a military conflict, according to a forthcoming documentary film and interviews with military and intelligence officials involved in the effort. The plan, code named Nitro Zeus, was designed to disable Iran’s air defenses, communications systems and key parts of its power grid, and was shelved, at least for the foreseeable future, after the nuclear deal struck between Iran and six other nations last summer was fulfilled.

Link: http://www.nytimes.com/2016/02/17/world/middleeast/us-had-cyberattack-planned-if-iran-nuclear-negotiations-failed.html?_r=0