
Thread: Stuxnet: Target Bushehr?

  1. #21
    Council Member
    Join Date
    Sep 2007
    Location
    UK
    Posts
    203

    Default

    Re. Stuxnet

    Firstly take the reports in the press with a bucket load of salt, particularly Langner’s wild speculations in post 14.

    If you are interested in this malware read Symantec’s report (64 page .pdf ) which outlines the function of all code modules, propagation methods and variations in great detail.

    What is clear (see graphs around page 6), and from the infection method, is that the intended target was in Iran. The intended end result is the speeding up, and slowing down, of some industrial motors. It is very specific in the criteria needed for activation; the report outlines the nitty gritty on page 42:

    To more clearly illustrate the behavior of the injected code, we’ve outlined the key events that would occur with an infected 315-2 CPU connected to multiple CP 342-5 modules each with 31 frequency converter drive slaves, as shown in the diagram below.
    • The PLC is infected.
    • Frequency converter slaves send records to their CP-342-5 master, building a frame of 31 records. The CPU records the CP-342-5 addresses.
    • The frames are examined and the fields are recorded.
    • After approximately 13 days, enough events have been recorded, showing the system has been operating between 807 Hz and 1210 Hz.
    • The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to 1410 Hz.
    • Normal operation resumes.
    • After approximately 27 days, enough events have been recorded.
    • The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency initially to 2 Hz and then 1064 Hz.
    • Normal operation resumes.
    • After approximately 27 days, enough events have been recorded.
    • The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to 1410 Hz.
    • Normal operation resumes.
    • After approximately 27 days, enough events have been recorded.
    • The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency initially to 2 Hz and then 1064 Hz.
    What is going on here is that the authors of the malware are only interested in motors running at between 807 and 1210 Hz. They could instruct the motor to spin at very high speed in reverse and cause immediate catastrophic damage, but what they do is introduce a cycle that waits a couple of weeks, then increases the revs to 1410 Hz (not wildly above the normal range), then returns to normal operation for weeks before almost stopping the motor (2 Hz), then setting it to 1064 Hz (inside the normal range) before restarting the cycle. What effect this would have obviously depends on what the motors are driving, and this control equipment is so generic that the Siemens site has a sales .pdf with case studies of various companies using their system to control sewing machines and motors moving packages off a conveyor belt and onto a pallet. The very specific criteria and precise speed changes imply a detailed knowledge of the target and an attempt not to cause collateral damage.

    The extreme complexity of the code, the use of 3 Windows zero-day exploits (these are like gold dust: they are previously undocumented security weaknesses, each of which would normally be the basis of a new virus; to ‘waste’ 3 in one attack is unheard of) and one in the Siemens Step 7 control software represent man-years of work, and probably needed someone to gain access to the premises of both Realtek and JMicron (both in Taiwan):
    “The attackers would have needed to obtain the digital certificates from someone who may have physically entered the premises of the two companies and stole them, …”
    I do not know where in Iran the target was, but the report shows that Iran alone had 60,000 infected computers in 30,000 organisations at one point, with nearly 70% running the Step 7 control software. The complexity, specificity, absence of pecuniary advantage, and attempts not to damage systems other than the target do point to a nation state. The fact that Iran was the epicentre of the attack does make one wonder if its nuclear facilities were the intended target, but I have seen no reports that state that Natanz or Bushehr use the S7-315 CPU, which is the very specific target.

    Now if anyone here can tell me authoritatively that the Natanz centrifuges spin speeds are controlled by 6ES7 315-2 (it is that specific) processors then …
    Last edited by JJackson; 12-08-2010 at 05:36 PM.
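
    The conditional cycle summarised in the post above, as an added illustration that is not part of the original post, of the Symantec report, or of the Stuxnet code itself: a small Python model of the record/wait/fire/resume state machine using the band (807–1210 Hz), setpoints (1410 Hz; 2 Hz then 1064 Hz) and wait lengths (13 days, then 27) the post lists, plus a defender-side check that flags commanded setpoints falling outside the envelope the drives have actually been reporting. Treating one recorded frame as one "day", and ignoring frames with any slave outside the band, are assumptions of the model, not facts from the report.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Numbers as the post summarises them from the Symantec report.
NORMAL_MIN_HZ = 807.0
NORMAL_MAX_HZ = 1210.0
SEQUENCE_1: Tuple[float, ...] = (1410.0,)       # over-speed, just above the band
SEQUENCE_2: Tuple[float, ...] = (2.0, 1064.0)   # near-stop, then back inside the band

# Model assumption: one recorded frame stands for one "day", so "13 days" of
# recording is 13 in-band frames. The real trigger counts recorded events.
FIRST_WAIT = 13
LATER_WAIT = 27

Fired = Tuple[int, int, Tuple[float, ...]]  # (day, sequence id, setpoints sent)


@dataclass
class InjectedLogic:
    """State machine for the cycle the post lists: record, wait, fire, resume."""
    in_band_frames: int = 0
    wait: int = FIRST_WAIT
    next_seq: int = 1
    fired: List[Fired] = field(default_factory=list)

    def on_frame(self, day: int, slave_freqs: List[float]) -> Optional[Tuple[float, ...]]:
        """Feed one frame of drive-slave frequencies (31 slaves on the real bus).

        Returns the setpoint sequence sent to the drives on this frame, or None
        when the code lets normal operation continue.
        """
        # Assumption: a frame with any slave outside 807..1210 Hz does not count
        # toward the trigger; the code just keeps watching.
        if not slave_freqs or not all(NORMAL_MIN_HZ <= f <= NORMAL_MAX_HZ for f in slave_freqs):
            return None
        self.in_band_frames += 1
        if self.in_band_frames < self.wait:
            return None
        seq = SEQUENCE_1 if self.next_seq == 1 else SEQUENCE_2
        self.fired.append((day, self.next_seq, seq))
        # "Normal operation resumes": reset the count, alternate the sequence,
        # and wait the longer interval before the next one.
        self.in_band_frames = 0
        self.wait = LATER_WAIT
        self.next_seq = 2 if self.next_seq == 1 else 1
        return seq


def simulate(days: int, slave_freqs: List[float]) -> List[Fired]:
    """Run the logic over `days` identical frames and return what was fired when."""
    logic = InjectedLogic()
    for day in range(1, days + 1):
        logic.on_frame(day, slave_freqs)
    return logic.fired


def setpoint_anomalies(commanded: Tuple[float, ...], observed: List[float],
                       tolerance: float = 0.05) -> List[float]:
    """Defender-side check on the fieldbus: flag commanded setpoints that fall
    outside the envelope the drives have actually been reporting, widened by
    `tolerance` of its span. Sequence 1 and the 2 Hz step of sequence 2 stand
    out; the 1064 Hz step, chosen to sit inside the band, does not."""
    lo, hi = min(observed), max(observed)
    margin = (hi - lo) * tolerance
    return [c for c in commanded if not (lo - margin <= c <= hi + margin)]


if __name__ == "__main__":
    # Constructed input: 31 drives all reporting 1064 Hz for 100 "days".
    for day, seq_id, setpoints in simulate(100, [1064.0] * 31):
        print(f"day {day:3d}: sequence {seq_id} -> {setpoints}")
    print("flagged:", setpoint_anomalies(SEQUENCE_1 + SEQUENCE_2, [1000.0, 1100.0]))
```

    With 31 drives steady at 1064 Hz the model fires sequence 1 on day 13, then alternates sequence 2 and 1 every 27 days (days 40, 67, 94); with drives at 500 Hz it never fires, which is the point the post makes about target specificity. The envelope check is the kind of thing a passive monitor on the PROFIBUS side could do, since 1410 Hz and 2 Hz are far outside anything the drives have reported; the 1064 Hz step, deliberately inside the band, would not be caught by it.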

  2. #22
    Council Member Dayuhan's Avatar
    Join Date
    May 2009
    Location
    Latitude 17° 5' 11N, Longitude 120° 54' 24E, altitude 1499m. Right where I want to be.
    Posts
    3,137

    Default A US/Israeli cyber attack on Iran's nuclear program?

    Interesting NYT article claiming that the Stuxnet worm was aimed specifically at Iranian centrifuges...

    http://www.nytimes.com/2011/01/16/wo...ewanted=1&_r=1

    "Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.

    “To check out the worm, you have to know the machines,” said an American expert on nuclear intelligence. “The reason the worm has been effective is that the Israelis tried it out.”

    Though American and Israeli officials refuse to talk publicly about what goes on at Dimona, the operations there, as well as related efforts in the United States, are among the newest and strongest clues suggesting that the virus was designed as an American-Israeli project to sabotage the Iranian program."
    Our concern with such attacks has typically been that they would be used against the US: like other swords, this one apparently has two edges.
    Last edited by davidbfpo; 01-16-2011 at 12:20 PM. Reason: Use quote marks rather than italics

  3. #23
    Council Member
    Join Date
    Aug 2010
    Posts
    98

    Default

    Quote Originally Posted by Dayuhan View Post
    Our concern with such attacks has typically been that they would be used against the US: like other swords, this one apparently has two edges.
    Where do you see any evidence of that? Also, if this was some US/Israeli effort, it was damned sloppy in that it was so easily traced. Leaving clues in code is amateur at best, and this thing has been seriously picked apart. Neither of which says good things, although the results are very much worthy of applause. Personally I don't care who did this, I'm just glad they did. We need more like that.

  4. #24
    Council Member
    Join Date
    Mar 2009
    Location
    Florida
    Posts
    44

    Default

    Mikko Hyppönen, Chief Research Officer at F-Secure, offers a good summary of why Stuxnet is unique in terms of malware design and execution: http://www.youtube.com/watch?v=gFzadFI7sco.
    Erich G. Simmers
    www.weaponizedculture.org

  5. #25
    Council Member AdamG's Avatar
    Join Date
    Dec 2005
    Location
    Hiding from the Dreaded Burrito Gang
    Posts
    3,096

    Default

    The Stuxnet software worm repeatedly sought to infect five industrial facilities in Iran over a 10-month period, a new report says, in what could be a clue into how it might have infected the Iranian uranium enrichment complex at Natanz.
    http://www.nytimes.com/2011/02/13/sc..._r=2&src=twrhp
    A scrimmage in a Border Station
    A canter down some dark defile
    Two thousand pounds of education
    Drops to a ten-rupee jezail


    http://i.imgur.com/IPT1uLH.jpg

  6. #26
    Council Member
    Join Date
    Mar 2009
    Location
    Florida
    Posts
    44

    Default

    The actual report can be found here: http://www.symantec.com/connect/ko/b...sier-available.

    It is worth the read. Missing from the news story was that several vendors contributed samples and data on the worm including ESET, F-Secure, Kaspersky Labs, Microsoft, McAfee, and Trend.

  7. #27
    Council Member davidbfpo's Avatar
    Join Date
    Mar 2006
    Location
    UK
    Posts
    13,366

    Default Stuxnet: targeting Iran's nuclear programme

    An IISS Strategic Comment, which provides a good IMHO overview, starts:
    ...it is essentially a delaying tactic and has not dimmed the country’s resolve to develop nuclear capabilities...
    and ends with:
    Cyber sabotage is likely only to buy time for the international community to devise alternative policy responses to Iran’s nuclear programme. In the meantime, sanctions and negotiations are likely to remain their priority.
    Link: http://www.iiss.org/publications/str...ear-programme/
    davidbfpo

  8. #28
    Council Member Cannoneer No. 4's Avatar
    Join Date
    May 2007
    Location
    Georgia
    Posts
    140

    Default Hackers release Stuxnet's decompiled code online

    http://www.rockto.com/launcher/33781...ed-code-online

    The Anonymous group released the Stuxnet code on 13 February, after finding it in a database of e-mails it stole from HBGary. “First public Stuxnet decompile is to be found here,” one representative of the group wrote over Twitter.

  9. #29
    Council Member
    Join Date
    Aug 2007
    Location
    Montreal
    Posts
    1,602

    Default

    Iran's Natanz nuclear facility recovered quickly from Stuxnet cyberattack

    By Joby Warrick
    Washington Post Foreign Service
    Wednesday, February 16, 2011; 12:00 AM

    VIENNA - In an underground chamber near the Iranian city of Natanz, a network of surveillance cameras offers the outside world a rare glimpse into Iran's largest nuclear facility. The cameras were installed by U.N. inspectors to keep tabs on Iran's nuclear progress, but last year they recorded something unexpected: workers hauling away crate after crate of broken equipment.

    In a six-month period between late 2009 and last spring, U.N. officials watched in amazement as Iran dismantled more than 10 percent of the Natanz plant's 9,000 centrifuge machines used to enrich uranium. Then, just as remarkably, hundreds of new machines arrived at the plant to replace the ones that were lost....
    They mostly come at night. Mostly.


  10. #30
    Council Member
    Join Date
    Aug 2010
    Posts
    98

    Default

    Quote Originally Posted by Cannoneer No. 4 View Post
    The Anonymous group released the Stuxnet code on 13 February, after finding it in a database of e-mails it stole from HBGary. “First public Stuxnet decompile is to be found here,” one representative of the group wrote over Twitter.
    Stuxnet lacked, as can be seen readily from some of the results of the HBGary debacle, what's known as 'anti-reverse' code, meaning it didn't have any provisions to protect it against decompilation or reverse engineering. Which, considering everything else it was doing, was something of a serious oversight.

    It had somewhat obscure, but still present, pointers in the code that have caused some attempts at attribution. That, if it was intentionally diversionary, was a good idea. If it wasn't a diversion, well, obviously in that case it's clear it was a really bad idea.

    Strategically there are some different things I probably would have done that the authors didn't do. On the other hand, it did some really slick things too, and interestingly enough the stuff that's interesting are attributes that aren't of any great use to the criminal malware community, and granted it's something of an idiot-filled sewer, but not completely either. If that were the case no one would need AV software anymore.

    Overall it's some pretty fine work. There's more I could say about the technical aspects of it, but in the interests of common sense I'll refrain. I will say that some of the architecture was very impressive, and that the attention it's gotten from some of the technology community is not pure hyperbole. This was some very well thought out code, and implemented very well aside from the few criticisms I've made.

  11. #31
    Council Member AdamG's Avatar
    Join Date
    Dec 2005
    Location
    Hiding from the Dreaded Burrito Gang
    Posts
    3,096

    Default

    On the Trail of Stuxnet
    March 11, 2011

    Last year, somebody somewhere – possibly a government, possibly several governments – unleashed one of the most sophisticated pieces of malware ever created, specially designed apparently to target Iran’s uranium enrichment program. In a gripping narrative in Vanity Fair, author Michael Joseph Gross follows the trail of the so-called Stuxnet virus and argues that it marks cyberwarfare’s Hiroshima moment.

    http://www.onthemedia.org/transcripts/2011/03/11/07

  12. #32
    Council Member
    Join Date
    Mar 2009
    Posts
    11,074

    Default Stuxnet: Cyberwar Revolution in Military Affairs

    Stuxnet: Cyberwar Revolution in Military Affairs

    Entry Excerpt:

    Stuxnet: Cyberwar Revolution in Military Affairs
    by Paulo Shakarian

    Download The Full Article: Stuxnet: Cyberwar Revolution in Military Affairs

    On June 17th, 2010, security researchers at a small Belarusian firm known as VirusBlockAda identified malicious software (malware) that infected USB memory sticks. In the months that followed, there was a flurry of activity in the computer security community – revealing that this discovery identified only one component of a new computer worm known as Stuxnet. This software was designed to specifically target industrial equipment. Once it was revealed that the majority of infections were discovered in Iran, along with an unexplained decommissioning of centrifuges at the Iranian fuel enrichment plant (FEP) at Natanz, many in the media speculated that the ultimate goal of Stuxnet was to target Iranian nuclear facilities. In November of 2010, some of these suspicions were validated when Iranian President Mahmoud Ahmadinejad publically acknowledged that a computer worm created problems for a “limited number of our [nuclear] centrifuges.” Reputable experts in the computer security community have already labeled Stuxnet as “unprecedented,” an “evolutionary leap,” and “the type of threat we hope to never see again."

    In this paper, I argue that this malicious software represents a revolution in military affairs (RMA) in the virtual realm – that is, Stuxnet fundamentally changes the nature of cyber warfare. There are four reasons for this claim: (1) Stuxnet represents the first case in which industrial equipment was targeted with a cyber-weapon, (2) there is evidence that the worm was successful in its targeting of such equipment, (3) it represents a significant advance in the development of malicious software, and (4) Stuxnet has shown that several common assumptions about cyber-security are not always valid. In this paper I examine these four points as well as explore the future implications of the Stuxnet RMA.

    Download The Full Article: Stuxnet: Cyberwar Revolution in Military Affairs

    Paulo Shakarian is a Captain in the U.S. Army and a Ph.D. candidate in computer science at the University of Maryland (College Park) and will soon take up a position teaching computer science at the U.S. Military Academy. He holds a BS from the U.S. Military Academy and an MS from the University of Maryland (College Park), both in computer science.

    The views expressed in this article are those of the authors and do not reflect the official policy or position of the United States Military Academy, United States Cyber Command, the Department of the Army, the Department of Defense, or the United States Government.


  13. #33
    Council Member AdamG's Avatar
    Join Date
    Dec 2005
    Location
    Hiding from the Dreaded Burrito Gang
    Posts
    3,096

    Default

    Iran has been hit with new malicious software as part of cyber attacks against the country, a military officer told Mehr news agency on Monday without specifying the target.
    "Certain characteristics about the 'Stars' virus have been identified, including that it is compatible with the (targeted) system," Gholam Reza Jalali, commander of the Iranian civil defence organisation, told the agency.

    "In the initial stage, the damage is low and it is likely to be mistaken for governmental executable files," Jalali said, adding that Iranian experts were still investigating the full scope of the malware's abilities.
    http://www.breitbart.com/article.php...show_article=1

  14. #34
    Council Member AdamG's Avatar
    Join Date
    Dec 2005
    Location
    Hiding from the Dreaded Burrito Gang
    Posts
    3,096

    Default

    VIENNA — The U.N. nuclear agency is investigating reports from its experts that their cellphones and laptops may have been hacked into by Iranian officials looking for confidential information while the equipment was left unattended during inspection tours in the Islamic Republic, diplomats have told The Associated Press.
    http://www.huffingtonpost.com/2011/0...ec3_lnk1|63967

  15. #35
    Council Member AdamG's Avatar
    Join Date
    Dec 2005
    Location
    Hiding from the Dreaded Burrito Gang
    Posts
    3,096

    Default

    JERUSALEM (AFP) – Then-Russian president Vladimir Putin ordered the sabotage of Iran's nuclear programme in 2006, according to WikiLeaks documents published by Israeli daily Yediot Aharonot on Thursday.

    The leaked documents, which were not immediately available on either the Yediot or Wikileaks websites, purportedly detail talks between the head of Israel's Atomic Energy Commission and then-US ambassador to Israel Richard Jones.
    http://news.yahoo.com/s/afp/20110519...ussiawikileaks

  16. #36
    Council Member AdamG's Avatar
    Join Date
    Dec 2005
    Location
    Hiding from the Dreaded Burrito Gang
    Posts
    3,096

    Default

    (Newser) – Iran is waging war on open Internet. Looking to limit the cyber-infiltration of Western ideas, Iran's telecommunications chief claimed that, in two years time, all Iranians would be forced to use a state-censored, fully-internal Internet. About 60% of the nation's homes and businesses are expected to be on it much sooner than that, he added. Iran sees the move toward heightened online policing as a way to uphold Islamic moral values, though whether it can truly block the world's Internet remains an open question, the Wall Street Journal reports.
    http://www.newser.com/story/119645/i...m_campaign=pop

  17. #37
    Council Member davidbfpo's Avatar
    Join Date
    Mar 2006
    Location
    UK
    Posts
    13,366

    Default Stuxnet made simple

    Thanks to 'Doctrine Man' pointing to this Australian, three-minute animated explanation: http://vimeo.com/25118844

    Good question or warning at the end.

  18. #38
    Council Member AdamG's Avatar
    Join Date
    Dec 2005
    Location
    Hiding from the Dreaded Burrito Gang
    Posts
    3,096

    Default

    Langner says as they dug deeper into the Stuxnet code, each new discovery left them more impressed and wondering what was coming next. He says he couldn't imagine who could have created the worm, and the level of expertise seemed almost alien. But that would be science fiction, and Stuxnet was a reality.

    "Thinking about it for another minute, if it's not aliens, it's got to be the United States," he says.
    http://www.npr.org/2011/09/26/140789...tuxnet?ps=cprs

  19. #39
    Council Member AdamG's Avatar
    Join Date
    Dec 2005
    Location
    Hiding from the Dreaded Burrito Gang
    Posts
    3,096

    Default

    A newly discovered piece of malicious code dubbed Duqu is closely related to the notorious Stuxnet worm that damaged Iran's nuclear-enrichment centrifuges last year. Although it has no known target or author, it sets the stage for more industrial and cyberwar attacks, experts say.

    "This is definitely a troubling development on a number of levels," says Ronald Deibert, director of Citizen Lab, an Internet think-tank at the University of Toronto who leads research on cyberwarfare, censorship, and espionage. "In the context of the militarization of cyberspace, policymakers around the world should be concerned."
    http://www.technologyreview.com/comp...55/?p1=MstRcnt

  20. #40
    Council Member
    Join Date
    Aug 2010
    Posts
    98

    Default

    They found the loader, updates here:
    http://www.symantec.com/connect/w32-...ro-day-exploit

    It didn't get less interesting.
