Mark Clayton / The Christian Science Monitor & Al Jazeera & Dan Williams / Reuters – 2010-09-28 22:54:03
Stuxnet Worm Mystery: What’s the Cyber Weapon After?
Mark Clayton / The Christian Science Monitor
(September 24, 2010) — Top industrial control systems experts have now gleaned enough about the Stuxnet worm to classify it as a cyber superweapon. But the mystery of what its target is — or was — remains unsolved, though guesswork about its mission is intensifying among those who have studied Stuxnet’s complicated code.
Educated guesses about what Stuxnet, described as the world’s first cyber guided missile, is programmed to destroy include the reactor for Iran’s new Bushehr nuclear power plant, as well as Iran’s nuclear fuel centrifuge plant in Natanz. Both facilities are part of Tehran’s nuclear program, which Iranian officials say is for peaceful purposes but which many other countries, including the United States, suspect is part of an atom-bombmaking apparatus.
The Bushehr power plant was supposed to be humming by now, but is not — a possible sign that Stuxnet impaired one of its vital systems, says one computer security expert. But another analyst who has also been assisting on the Stuxnet case says the worm’s internal order makes that scenario unlikely. The nuclear fuel centrifuge plant in the Iranian town of Natanz is a better fit and a larger nuclear threat, he says.
There is no independent confirmation that Bushehr or Natanz or anyplace else has been attacked by a directed cyberweapon. But competing theories are emerging about Stuxnet’s target. Here are two from a cybersecurity duo from Germany who have worked, separately, on deconstructing Stuxnet — and why they think what they do.
Ralph Langner is no Middle East policy wonk or former diplomat privy to insider information. He is a German software security engineer with a particular expertise in industrial control system software created by industrial giant Siemens for use in factories, refineries, and power plants worldwide.
This week, Mr. Langner became the first person to detail Stuxnet’s peculiar attack features. He explained, for example, how Stuxnet “fingerprints” each industrial network it infiltrates to determine if it has identified the right system to destroy. Stuxnet was developed to attack just one target in the world, Langner says and other experts confirm. His best guess as to the target?
During an interview with the Monitor about Stuxnet’s technical capabilities, Langner pointed at the Bushehr nuclear power plant. He cites shards of information he has gleaned from open sources, including news accounts, as well as his technical understanding of the attack software. Here are his main arguments for his case.
• Iran is the epicenter of the Stuxnet infection. Geographic studies by Microsoft, Symantec, and others show the majority of infections to be in Iran, making it a likely location for Stuxnet’s presumed target.
• Bushehr is a high-value target. Damaging the nuclear power plant would deal a blow to Iran — a blow that would be worth the considerable time and money a government would expend to develop such a sophisticated cyberweapon.
• Concern about Bushehr is high among nations with cyberwar capability. The imminent completion of the nuclear plant has roiled the international community. Dismayed parties include the US and Israel, in particular. But China, Russia, and France also are presumed to have sophisticated cyberwarfare capabilities.
• Bushehr uses Siemens software and equipment. Stuxnet appears to target Siemens SCADA systems. Bushehr was built largely with equipment from Siemens, the German industrial giant that began the reactors in the 1970s but later pulled out of the project. The plant still uses industrial control software created by Siemens, but it has been installed by Russian contractors.
• Stuxnet spreads via USB memory sticks. A steady flow of Russian contractors to the Bushehr construction site ensured outside access to the plant’s computer system. USB memory sticks are an invaluable tool for engineers during construction of sophisticated computer-intensive projects. Contractors building the plant would likely have made wide use of them – giving Stuxnet a way to move into the plant without having to rely on the Internet.
• Bushehr’s cyberdefenses are dubious. A journalist’s photo from inside the Bushehr plant in early 2009, which Langner found on a public news website, shows a computer-screen schematic diagram of a process control system — but also a small dialog box on the screen with a red warning symbol.
Langner says the image on the computer screen is of a Siemens supervisory control and data acquisition (SCADA) industrial software control system called Simatic WinCC — and the little warning box reveals that the software was not installed or configured correctly, and was not licensed. That photo was a red flag that the nuclear plant was vulnerable to a cyberattack, he says.
“Bushehr has all kinds of missiles around it to protect it from an airstrike,” Langner says. “But this little screen showed anyone that understood what that picture meant … that these guys were just simply begging to be [cyber]attacked.”
The picture was reportedly taken on Feb. 25, 2009, by which time the reactor should have had its cybersystems up and running and bulletproof, Langner says. The photo strongly suggests that they were not, he says. That increases the likelihood that Russian contractors unwittingly spread Stuxnet via their USB drives to Bushehr, he says.
“The attackers realized they could not get to the target simply through the Internet – a nuclear plant is not reachable that way,” he says. “But the engineers who commission such plants work very much with USBs like those Stuxnet exploited to spread itself. They’re using notebook computers and using the USBs to connect to one machine, then maybe going 20 yards away to another machine.”
In the end, the evidence pointing most strongly toward Bushehr is Bushehr itself, Langner says. “What would be the one prime target that would be worth the whole scenario — all the money, the teams of experts needed to develop Stuxnet? Bushehr is the one target that might be worth the cost.”
Not so fast, says Frank Rieger, a German researcher with GSMK, a Berlin encryption firm that has been helping governments on the Stuxnet case, who is familiar with the internal architecture of Stuxnet. His theory is that Stuxnet’s target is a different facility in Iran: Natanz.
The Natanz nuclear centrifuge facility is widely condemned as a nuclear weapons threat. It currently produces low-enriched uranium for power plants, but nonproliferation experts say it could be converted to produce highly enriched uranium fuel for use in nuclear weapons.
Two things in particular may make Natanz a more likely Stuxnet target, Mr. Rieger says.
• Stuxnet had a halt date. Internal time signatures in Stuxnet appear to prevent it from spreading across computer systems after July 2009. That probably means the attack had to be conducted by then — though such time signatures are not certain.
• Stuxnet appears designed to take over centrifuges’ programmable logic controllers. Natanz has thousands of identical centrifuges and identical programmable logic controllers (PLCs), tiny computers for each centrifuge that oversee the centrifuge’s temperature, control valves, operating speed, and flow of cooling water. Stuxnet’s internal design would allow the malware to take over PLCs one after another, in a cookie-cutter fashion.
“It seems like the parts of Stuxnet dealing with PLCs have been designed to work on multiple nodes at once — which makes it fit well with a centrifuge plant like Natanz,” Rieger says. By contrast, Bushehr is a big central facility with many disparate PLCs performing many different functions. Stuxnet seems focused on replicating its intrusion across a lot of identical units in a single plant, he says.
Natanz also may have been hit by Stuxnet in mid-2009, Rieger says. He notes that “a serious, recent, nuclear accident” was reported at that time on WikiLeaks, the same organization that recently revealed US Afghanistan-war documents. About the same time, the BBC reported that the head of Iran’s nuclear agency had resigned.
Lending some credence to the notion that Stuxnet attacked more than a year ago, he says, is the International Atomic Energy Agency’s finding of a sudden 15 percent drop in the number of working centrifuges at the Natanz site. Rieger posted that data on his blog.
“Bushehr didn’t present the immediate threat that Natanz and the other centrifuge plants did at that time and still do,” Rieger says. “What is clear is that there was an enormous amount of effort spent to do Stuxnet in this way, and it all points [to a target with] a high level of priority assigned to it by the people who did it.”
Cyber Attack ‘Targeted Iran’
TEHRAN (September 24, 2010) — The discovery of so-called malicious software — malware — on systems in Iran and elsewhere across the world has prompted speculation of an attempted cyber attack on Iranian industry, possibly including the Bushehr nuclear reactor.
The Stuxnet “Trojan worm” was designed to attack industrial control systems produced by Siemens AG, which are commonly used to manage water supplies, oil rigs, power plants and other industrial facilities.
It spreads from USB devices and exploits a vulnerability in Microsoft Corp’s Windows operating system that has since been resolved. Once the worm infects a system, it sets up communications with a remote server computer that can be used to steal data or take control of the system, according to experts.
Symantec, a US-based computer security services company, said that 60 per cent of the computers infected worldwide were in Iran.
“It’s pretty clear that based on the infection behaviour that installations in Iran are being targeted,” Kevin Hogan, the senior director of Security Response at Symantec, told the Reuters news agency.
“The numbers [of infections in Iran] are off the charts,” he said, adding Symantec had located the IP addresses of the computers infected and traced the geographic spread of the malicious code.
Hogan said the virus’s target could be a major complex such as an oil refinery, a sewage plant, a factory or water works.
Sean McGurk, who runs the National Cybersecurity and Communications Integration Center, part of the US Department of Homeland Security, said he was unable to confirm if Bushehr had been targeted, but said Stuxnet was capable of taking over physical systems when a certain combination of Siemens software and hardware was present.
“It’s very hard to understand what the code was developed for,” he said. “It looks for a particular combination of a software code, or an application, and a hardware platform.
“If it finds it, then it starts manipulating some of the settings” of devices known as programmable logic controllers. Such devices are used, for instance, to move robot arms that build cars, open elevator doors and control HVAC systems.
McGurk said Siemens systems were used by companies doing everything from pharmaceutical and chemical manufacturing to water purification and power.
Kaspersky Labs, a European digital security company, said the attack could only be conducted “with nation-state support.”
“Stuxnet is a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world,” it said in a statement.
Israel, which has admitted it has the capability to launch cyber attacks, has previously hinted it could attack Iranian facilities if international diplomacy fails to curb Tehran’s nuclear ambitions. Western nations, including the US, are also at odds with Iran over its uranium enrichment programme.
Fred Burton, a former US counterterrorism agent and vice-president of risk consultancy Stratfor, said he suspected Stuxnet was a covert action on the part of a nation state intelligence service in an effort to disrupt Iranian military or nuclear efforts.
“Disinformation causes disruption and internal witch hunts, placing the seed of doubt as to who could have done this. The internal security blowback will cause chaos. Brilliant if true.”
Ralph Langner, a German cyber expert, suggested in a blog posting last week that Bushehr may have been the target of the attack, possibly exploiting the plant’s use of unlicensed Windows software.
Unspecified problems have been blamed for a delay in getting the nuclear facility fully operational.
On August 31, Iranian atomic chief Ali Akbar Salehi blamed “severe hot weather” for a delay in moving fuel rods into its Russian-built first nuclear power plant.
Stuxnet was identified by Belarussian firm VirusBlokAda in mid-June after it emerged on the computer of one of its clients in Iran.
Cyber Takes Centre Stage in Israel’s War Strategy
Dan Williams / Reuters
Iran’s Stuxnet Worm Has Fingers Pointing at Israel
Israelis seen weighing “deniable” tactics against foe
JERUSALEM (September 28, 2010) — Cyber warfare has quietly grown into a central pillar of Israel’s strategic planning, with a new military intelligence unit set up to incorporate high-tech hacking tactics, Israeli security sources said on Tuesday.
Israel’s pursuit of options for sabotaging the core computers of foes like Iran, along with mechanisms to protect its own sensitive systems, were unveiled last year by the military intelligence chief, Major-General Amos Yadlin.
The government of Prime Minister Benjamin Netanyahu has since set cyber warfare as a national priority, “up there with missile shields and preparing the homefront to withstand a future missile war”, a senior source said on condition of anonymity.
Disclosures that a sophisticated computer worm, Stuxnet, was uncovered at the Bushehr atomic reactor and may have burrowed deeper into Iran’s nuclear programme prompted foreign experts to suggest the Israelis were responsible.
Israel has declined to comment on any specific operations. Analysts say cyber capabilities offer it a stealthy alternative to the air strikes that it has long been expected to launch against Iran but which would face enormous operational hurdles as well as the risk of triggering regional war.
According to security sources, over the last two years the military intelligence branch, which specialises in wiretaps, satellite imaging and other electronic espionage, has set up a dedicated cyber warfare unit staffed by conscripts and officers.
They would not say how much of the unit’s work is offensive, but noted that Israeli cyber defences are primarily the responsibility of the domestic intelligence agency Shin Bet.
In any event, fending off or inflicting damage to sensitive digital networks are interconnected disciplines. Israeli high-tech firms, world leaders in information security, often employ veterans of military computing units.
Security sources said Israel awoke to the potential of cyber warfare in the late 1990s, when the Shin Bet hacked into a fuel depot to test security measures and then realised the system could be reprogrammed to crash or even cause explosions.
Israel’s defence priorities suggest it may be shying away from open confrontation with the Iranians, whose nuclear facilities are distant, numerous, dispersed and well-fortified.
Even were its warplanes to manage a successful sortie, Israel would almost certainly suffer retaliatory Iranian missile salvoes worse than the short-range rocket attacks of Lebanese and Palestinian guerrillas in the 2006 and 2009 wars.
There would be a wider diplomatic reckoning: World powers are in no rush to see another Middle East conflagration, especially while sanctions are still being pursued against an Iranian nuclear programme which Tehran insists is peaceful.
An Israeli security source said Defence Ministry planners were still debating the relative merits of cyber warfare.
“It’s deniable, and it’s potent, but the damage it delivers is very hard to track and quantify,” the source said. “When you send in the jets — the target is there, and then it’s gone.”
Editing by Jon Boyle.