Duqu most likely is more of an information gathering virus that saves files on the infected machine for further use later. It is also a keylogger.
https://infosecisland.com/blogview/1...er-Weapon.html
http://the-diplomat.com/2011/12/10/w...ehind-stuxnet/
The U.S. and Israel are widely assumed to be responsible for the Stuxnet computer worm that hit Iran’s nuclear facilities. But Moscow has just as good a motive.
A scrimmage in a Border Station
A canter down some dark defile
Two thousand pounds of education
Drops to a ten-rupee jezail
http://i.imgur.com/IPT1uLH.jpg
http://www.rt.com/news/iran-computer-virus-acdc-940/
Iranian nuclear facilities have reportedly been attacked by a “music” virus, turning on lab PCs at night and blasting AC/DC’s “Thunderstruck.”
I got a chuckle out of this news item, too, but that article--particularly the title--is crap. Mikko's original blog post is much more informative. There are really two issues. There's a report of some other worm, and the Iranian believes Metasploit is in use. Metasploit is not a virus; it's an exploitation framework. Download it here if you're curious.
HD Moore, Metasploit's creator, tweeted two responses to articles like this one:
"definitely a confused individual, Metasploit isn't a worm and doesn't ship with AC/DC's Thunderstruck" (source)
He also added a bit on how you use the framework to load MP3s:
"you can do it today (msf> load sounds) & copy mp3" (source)
If the e-mail to Mikko is truthful and accurate, this strikes me as the act of an amateur--not a state, much less the U.S. Moreover, the fact that there is no effort to be covert makes me think this is a grand middle finger to US and other intelligence agencies. It is as if the perpetrator is saying, "You developed malware and cryptographic attacks over the course of years to penetrate computers relevant to the Iranian nuclear program; I did it by downloading an app freely available to anyone." They probably even used a commonly available exploit, too. I can't see someone burning a 0-day to blast "Thunderstruck" to some Iranian engineers just for, as the kids say, "the lulz."
If I had to ‘profile’ the perpetrator, I would suggest a lone male with a grudge or grievance with one or more US intelligence agencies (perhaps a past applicant). If there is a political motive, I would suggest someone affiliated with Anonymous or other like-minded group who might think disrupting Iranian networks would mean disrupting any ongoing US intelligence operation. Either way, the objective in my view is disrupting or discrediting US efforts rather than Iran's nuclear program. That’s pure speculation, but that is the impression I get.
Last edited by Erich G. Simmers; 07-25-2012 at 06:13 AM. Reason: m0ar l33tness
Erich G. Simmers
www.weaponizedculture.org
Have you played with Metasploit? Typing commands in to msfconsole is a little hard to dramatize on screen. About the closest we've come to making the command line sexy was having Trinity from The Matrix run an nmap scan and a fictitious SSH exploit, and Trinity did it wearing a leather outfit (article and YouTube clip*). The real perpetrator may be doing it unshaven and in a bathrobe.
Definitely strikes me as an amateur--although who knows. If the Iranians are shutting down key parts of their network (I don't know how vital the automation bits mentioned in Mikko's piece are) to do forensics to figure out how the attacker is getting in, maybe blasting "Thunderstruck" is the next best thing to some fancy exploit to ruin centrifuges. Or, perhaps, some group who wants to disrupt Iran's nuclear program is flooding them with garbage attacks to overwhelm the Iranians' attempts to analyze their more 'long-term,' targeted malware. That analysis takes time and personnel who are in short supply even in the U.S.
However, these types of attacks seem every bit as likely to disrupt professional intelligence agencies' access as help them in some way. That's why I think there is another motive at work here. The reported worm and Metasploit hijinks may even be two separate actors.
--
* - Funny enough, that little 1:09 clip dramatizes pretty much every policy maker's fear of an infrastructure attack on the U.S.
Last edited by Erich G. Simmers; 07-26-2012 at 05:04 PM.
Erich G. Simmers
www.weaponizedculture.org
http://abcnews.go.com/blogs/headline...-lebanon-iran/
Researchers said today they have identified part of the powerful Flame cyber espionage program as a stand-alone, “highly flexible” spy program that centered its attacks on computer systems in Lebanon and Iran.
MiniFlame, as cyber experts at Moscow-based Kaspersky Labs dubbed the malware, is an “info-stealing” virus designed to hit only a few high-profile targets – perhaps just a few dozen computer systems. Kaspersky researchers said in a blog post they actually discovered MiniFlame in July but at the time believed it to be just a module within Flame.