Thread: Stuxnet: Target Bushehr?

  1. #1
    Council Member bourbon's Avatar
    Join Date
    Jun 2007
    Location
    Boston, MA
    Posts
    903

    Default Stuxnet: Target Bushehr?

    Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant?, by Mark Clayton. The Christian Science Monitor, September 21, 2010.
    The Stuxnet malware has infiltrated industrial computer systems worldwide. Now, cyber security sleuths say it's a search-and-destroy weapon meant to hit a single target. One expert suggests it may be after Iran's Bushehr nuclear power plant.
    By August, researchers had found something more disturbing: Stuxnet appeared to be able to take control of the automated factory control systems it had infected – and do whatever it was programmed to do with them. That was mischievous and dangerous.

    But it gets worse. Since reverse engineering chunks of Stuxnet's massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.

    "Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world," says Langner, who last week became the first to publicly detail Stuxnet's destructive purpose and its authors' malicious intent. "This is not about espionage, as some have said. This is a 100 percent sabotage attack."
    http://www.langner.com/en/

    This is pretty amazing.

  2. #2
    Council Member IntelTrooper's Avatar
    Join Date
    May 2009
    Location
    RC-S, Afghanistan
    Posts
    302

    Default

    Israelis? Or SkyNet?
    "The status quo is not sustainable. All of DoD needs to be placed in a large bag and thoroughly shaken. Bureaucracy and micromanagement kill."
    -- Ken White


    "With a plan this complex, nothing can go wrong." -- Schmedlap

    "We are unlikely to usefully replicate the insights those unencumbered by a military staff college education might actually have." -- William F. Owen

  3. #3
    Council Member
    Join Date
    Jul 2009
    Posts
    589

    Default

    Sounds a lot like a Russian or Chinese programme. IMO it fits their respective doctrines.

  4. #4
    Council Member bourbon's Avatar
    Join Date
    Jun 2007
    Location
    Boston, MA
    Posts
    903

    Default

    Iranian nuclear programme targeted by computer virus, by Maryam Sinaiee and Michael Theodoulou. The National (UAE), September 26, 2010.
    TEHRAN // Iran revealed yesterday that a so-called computer worm – which experts say shows unprecedented ingenuity and is unique in its ability to seize control of industrial plants – has infected the personal computers of staff at its first nuclear power plant.

    But Tehran said the so-called Stuxnet malicious computer program, which has been described as the world’s first cyber-guided missile, has not damaged operations at the flagship facility in Bushehr, which is due to go online within weeks.
    A likelier Stuxnet target, they speculate, would be Iran’s far more controversial nuclear facility at Natanz, where spinning centrifuges are producing low-enriched uranium for power plants.

  5. #5
    Council Member davidbfpo's Avatar
    Join Date
    Mar 2006
    Location
    UK
    Posts
    13,366

    Default Kings of War adds

    An interesting comment: http://kingsofwar.org.uk/2010/09/kua...ar-facilities/

    Which concludes:
    To conclude then, well, what can we conclude? Not much, at present; we need to keep watching and not assume that the story is over because there are so many loose threads, so many questions to be answered, so much fog where clarity is needed for good judgement to be rendered. Still, I can’t help but think that some watershed has been passed, that Stuxnet of September 2010 will be remembered rather in the way we do the aerial bombings of civilian centres by Zeppelin airships–not as particularly strategically significant at the time but as a harbinger of what is still to come.
    davidbfpo

  6. #6
    Council Member AdamG's Avatar
    Join Date
    Dec 2005
    Location
    Hiding from the Dreaded Burrito Gang
    Posts
    3,096

    Default

    If this gets any curiouser, only my smile is going to be left....

    While security experts know what Stuxnet is designed to do, Conficker is still the reigning mystery of the cyberworld because no one knows why it’s there or what it’s going to do. “Whoever developed it must be thinking that this was an incredible learning exercise,” says Joffe. “They were able to modify their code four times as we reacted defensively each time. They were able to step around us.” Version E of Conficker came out at the beginning of April 2009 and—alarmingly—it remains unbroken a year and a half later. “They raised the bar so high I have no idea what it’s doing,” he says. “It looks like it’s dormant.” But if he were to put himself in the Conficker controller’s shoes, he muses, “I'd be tactically selling off individual machines,” so that customers could choose their targets from a directory of hacked computers. “He could give me your computer, and we would never know it, as a security industry.”
    Read more: http://www.businessinsider.com/cyber...#ixzz10sidE8AX
    A scrimmage in a Border Station
    A canter down some dark defile
    Two thousand pounds of education
    Drops to a ten-rupee jezail



  7. #7
    Council Member Dayuhan's Avatar
    Join Date
    May 2009
    Location
    Latitude 17° 5' 11N, Longitude 120° 54' 24E, altitude 1499m. Right where I want to be.
    Posts
    3,137

    Default A US/Israeli cyber attack on Iran's nuclear program?

    Interesting NYT article claiming that the Stuxnet worm was aimed specifically at Iranian centrifuges...

    http://www.nytimes.com/2011/01/16/wo...ewanted=1&_r=1

    "Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.

    “To check out the worm, you have to know the machines,” said an American expert on nuclear intelligence. “The reason the worm has been effective is that the Israelis tried it out.”

    Though American and Israeli officials refuse to talk publicly about what goes on at Dimona, the operations there, as well as related efforts in the United States, are among the newest and strongest clues suggesting that the virus was designed as an American-Israeli project to sabotage the Iranian program."
    Our concern with such attacks has typically been that they would be used against the US: like other swords, this one apparently has two edges.
    Last edited by davidbfpo; 01-16-2011 at 12:20 PM. Reason: Use quote marks rather than italics

  8. #8
    Council Member
    Join Date
    Aug 2010
    Posts
    98

    Default

    Quote Originally Posted by Dayuhan View Post
    Our concern with such attacks has typically been that they would be used against the US: like other swords, this one apparently has two edges.
    Where do you see any evidence of that? Also, if this was some US/Israeli effort, it was damned sloppy in that it was so easily traced. Leaving clues in code is amateur at best, and this thing has been seriously picked apart. Neither of which say good things, although the results are very much worthy of applause. Personally I don't care who did this, I'm just glad they did. We need more like that.

  9. #9
    Council Member
    Join Date
    Mar 2009
    Location
    Florida
    Posts
    44

    Default

    Mikko Hyppönen, Chief Research Officer at F-Secure, offers a good summary of why Stuxnet is unique in terms of malware design and execution: http://www.youtube.com/watch?v=gFzadFI7sco.
    Erich G. Simmers
    www.weaponizedculture.org

  10. #10
    Council Member AdamG's Avatar
    Join Date
    Dec 2005
    Location
    Hiding from the Dreaded Burrito Gang
    Posts
    3,096

    Default

    The Stuxnet software worm repeatedly sought to infect five industrial facilities in Iran over a 10-month period, a new report says, in what could be a clue into how it might have infected the Iranian uranium enrichment complex at Natanz.
    http://www.nytimes.com/2011/02/13/sc..._r=2&src=twrhp
    A scrimmage in a Border Station
    A canter down some dark defile
    Two thousand pounds of education
    Drops to a ten-rupee jezail



  11. #11
    Council Member
    Join Date
    Mar 2009
    Location
    Florida
    Posts
    44

    Default

    The actual report can be found here: http://www.symantec.com/connect/ko/b...sier-available.

    It is worth the read. Missing from the news story was that several vendors contributed samples and data on the worm including ESET, F-Secure, Kaspersky Labs, Microsoft, McAfee, and Trend.
    Erich G. Simmers
    www.weaponizedculture.org

  12. #12
    Council Member
    Join Date
    Mar 2009
    Posts
    11,074

    Default Stuxnet: Cyberwar Revolution in Military Affairs

    Stuxnet: Cyberwar Revolution in Military Affairs

    Entry Excerpt:

    Stuxnet: Cyberwar Revolution in Military Affairs
    by Paulo Shakarian

    Download The Full Article: Stuxnet: Cyberwar Revolution in Military Affairs

    On June 17th, 2010, security researchers at a small Belarusian firm known as VirusBlockAda identified malicious software (malware) that infected USB memory sticks. In the months that followed, there was a flurry of activity in the computer security community – revealing that this discovery identified only one component of a new computer worm known as Stuxnet. This software was designed to specifically target industrial equipment. Once it was revealed that the majority of infections were discovered in Iran, along with an unexplained decommissioning of centrifuges at the Iranian fuel enrichment plant (FEP) at Natanz, many in the media speculated that the ultimate goal of Stuxnet was to target Iranian nuclear facilities. In November of 2010, some of these suspicions were validated when Iranian President Mahmoud Ahmadinejad publicly acknowledged that a computer worm created problems for a “limited number of our [nuclear] centrifuges.” Reputable experts in the computer security community have already labeled Stuxnet as “unprecedented,” an “evolutionary leap,” and “the type of threat we hope to never see again.”

    In this paper, I argue that this malicious software represents a revolution in military affairs (RMA) in the virtual realm – that is, Stuxnet fundamentally changes the nature of cyber warfare. There are four reasons for this claim: (1) Stuxnet represents the first case in which industrial equipment was targeted with a cyber-weapon, (2) there is evidence that the worm was successful in its targeting of such equipment, (3) it represents a significant advance in the development of malicious software, and (4) Stuxnet has shown that several common assumptions about cyber-security are not always valid. In this paper I examine these four points as well as explore the future implications of the Stuxnet RMA.

    Paulo Shakarian is a Captain in the U.S. Army and a Ph.D. candidate in computer science at the University of Maryland (College Park) and will soon take up a position teaching computer science at the U.S. Military Academy. He holds a BS from the U.S. Military Academy and an MS from the University of Maryland (College Park), both in computer science.

    The views expressed in this article are those of the authors and do not reflect the official policy or position of the United States Military Academy, United States Cyber Command, the Department of the Army, the Department of Defense, or the United States Government.




    --------
    Read the full post and make any comments at the SWJ Blog.
    This forum is a feed only and is closed to user comments.

  13. #13
    Council Member
    Join Date
    Mar 2009
    Posts
    11,074

    Default Stuxnet was Work of U.S. and Israeli Experts

    Stuxnet was Work of U.S. and Israeli Experts

    Entry Excerpt:



    --------
    Read the full post and make any comments at the SWJ Blog.
    This forum is a feed only and is closed to user comments.

  14. #14
    Council Member davidbfpo's Avatar
    Join Date
    Mar 2006
    Location
    UK
    Posts
    13,366

    Default Stuxnet “this has the whiff of 1945. Someone just used a new weapon”.

    Not a surprise - there is now a film / documentary on Stuxnet; Zero Days, by Oscar-winning director Alex Gibney and an article, written after a preview of the film, has the sub-title:
    A new documentary on “Stuxnet”, the joint U.S.-Israeli attack on Iran’s nuclear program, reveals it was just a small part of a much bigger cyber operation against the nation’s military and civilian infrastructure under the code name “NITRO ZEUS”.
    As a joint US-Israeli project it had some "issues" as one source claims:
    Our friends in Israel took a weapon that we jointly developed — in part to keep Israel from doing something crazy — and then used it on their own in a way that blew the cover of the operation and could’ve led to war.
    Citing Michael Hayden, ex-CIA & NSA:
    I know no operational details and don’t know what anyone did or didn’t do before someone decided to use the weapon, all right. I do know this: If we go out and do something, most of the rest of the world now thinks that’s a new standard, and it’s something they now feel legitimated to do as well. But the rules of engagement, international norms, treaty standards, they don’t exist right now.
    Link: http://www.buzzfeed.com/jamesball/us...ma#.hb5pVQAmPj

    Merged into the old thread on Stuxnet, with 52 posts and 20k views.
    Last edited by davidbfpo; 02-28-2016 at 09:56 AM. Reason: Thread had 1752 views until merged.
    davidbfpo

  15. #15
    Council Member
    Join Date
    Mar 2009
    Posts
    11,074

    Default Stuxnet “this has the whiff of 1945. Someone just used a new weapon”.

    U.S. Had Cyberattack Planned if Iran Nuclear Negotiations Failed

    This is an NYT report:
    In the early years of the Obama administration, the United States developed an elaborate plan for a cyberattack on Iran in case the diplomatic effort to limit its nuclear program failed and led to a military conflict, according to a forthcoming documentary film and interviews with military and intelligence officials involved in the effort. The plan, code named Nitro Zeus, was designed to disable Iran’s air defenses, communications systems and key parts of its power grid, and was shelved, at least for the foreseeable future, after the nuclear deal struck between Iran and six other nations last summer was fulfilled.

    Link: http://www.nytimes.com/2016/02/17/wo...iled.html?_r=0
    Last edited by davidbfpo; 02-16-2016 at 09:05 PM. Reason: Copied from SWJ Blog

  16. #16
    Council Member
    Join Date
    Jun 2007
    Location
    Southport NC
    Posts
    48

    Default

    Duqu most likely is more of an information gathering virus that saves files on the infected machine for further use later. It is also a keylogger.

    https://infosecisland.com/blogview/1...er-Weapon.html

  17. #17
    Council Member AdamG's Avatar
    Join Date
    Dec 2005
    Location
    Hiding from the Dreaded Burrito Gang
    Posts
    3,096

    Default

    The U.S. and Israel are widely assumed to be responsible for the Stuxnet computer worm that hit Iran’s nuclear facilities. But Moscow has just as good a motive.
    http://the-diplomat.com/2011/12/10/w...ehind-stuxnet/
    A scrimmage in a Border Station
    A canter down some dark defile
    Two thousand pounds of education
    Drops to a ten-rupee jezail



  18. #18
    Council Member AdamG's Avatar
    Join Date
    Dec 2005
    Location
    Hiding from the Dreaded Burrito Gang
    Posts
    3,096

    Default

    Iranian nuclear facilities have reportedly been attacked by a “music” virus, turning on lab PCs at night and blasting AC/DC’s “Thunderstruck.”
    http://www.rt.com/news/iran-computer-virus-acdc-940/

    A scrimmage in a Border Station
    A canter down some dark defile
    Two thousand pounds of education
    Drops to a ten-rupee jezail



  19. #19
    Council Member
    Join Date
    Mar 2009
    Location
    Florida
    Posts
    44

    Default

    I got a chuckle out of this news item, too, but that article--particularly the title--is crap. Mikko's original blog post is much more informative. There's really two issues. There's a report of some other worm, and the Iranian believes Metasploit is at use. Metasploit is not a virus; it's an exploitation framework. Download it here if you're curious.

    HD Moore, Metasploit's creator, tweeted two responses to articles like this one:

    "definitely a confused individual, Metasploit isn't a worm and doesn't ship with AC/DC's Thunderstruck" (source)
    He also added a bit on how you use the framework to load MP3s:

    "you can do it today (msf> load sounds) & copy mp3" (source)
    If the e-mail to Mikko is truthful and accurate, this strikes me as the act of an amateur--not a state, much less the U.S. Moreover, the fact that there is no effort to be covert makes me think this is a grand middle finger to US and other intelligence agencies. It is as if the perpetrator is saying, "You developed malware and cryptographic attacks over the course of years to penetrate computers relevant to the Iranian nuclear program; I did it downloading an app freely available to anyone." They probably even used a commonly available exploit, too. I can't see someone burning a 0-day to blast "Thunderstruck" to some Iranian engineers just for, as the kids say, "the lulz."

    If I had to ‘profile’ the perpetrator, I would suggest a lone male with a grudge or grievance with one or more US intelligence agencies (perhaps a past applicant). If there is a political motive, I would suggest someone affiliated with Anonymous or other like-minded group who might think disrupting Iranian networks would mean disrupting any ongoing US intelligence operation. Either way, the objective in my view is disrupting or discrediting US efforts rather than Iran's nuclear program. That’s pure speculation, but that is the impression I get.
    Last edited by Erich G. Simmers; 07-25-2012 at 06:13 AM. Reason: m0ar l33tness
    Erich G. Simmers
    www.weaponizedculture.org

  20. #20
    Council Member AdamG's Avatar
    Join Date
    Dec 2005
    Location
    Hiding from the Dreaded Burrito Gang
    Posts
    3,096

    Default

    Quote Originally Posted by Erich G. Simmers View Post
    If I had to ‘profile’ the perpetrator, I would suggest a lone male with a grudge or grievance with one or more US intelligence agencies (perhaps a past applicant). If there is a political motive, I would suggest someone affiliated with Anonymous or other like-minded group who might think disrupting Iranian networks would mean disrupting any ongoing US intelligence operation. Either way, the objective in my view is disrupting or discrediting US efforts rather than Iran's nuclear program. That’s pure speculation, but that is the impression I get.
    That'd make a good movie script. Seriously.
    A scrimmage in a Border Station
    A canter down some dark defile
    Two thousand pounds of education
    Drops to a ten-rupee jezail


