Stuxnet Infects 30,000 Industrial Computers In Iran
eldavojohn writes "The BBC and AFP are releasing more juicy details about the now infamous Stuxnet worm that Iranian officials have confirmed infected 30,000 industrial computers inside Iran following those exact fears. The targeted systems that the worm is designed to infect are Siemens SCADA systems. Talking heads are speculating that the worm is too complex for an individual or group, causing blame to be placed on Israel or even the United States — although US officials claim they do not know the origin of the virus. Iran claims it did not infect or place any risk to the new nuclear reactor in Bushehr, which experts are suspecting was the ultimate target of the worm."
"Siemens has advised its customers not to change the default passwords"
http://news.cnet.com/8301-1009_3-20011095-83.html
great....good security there
The future of diplomacy.
If Iran really is trying to develop a nuclear weapons ability, then they're heading for a nasty conflict one way or another.
If conflict is inevitable, then it's probably far better for their computers to catch a nasty flu than for people to die in a U.S./Israeli airstrike.
Really? Because, as someone who has worked in gov't related cybersecurity, I can tell you that they try all the time.
There's no shortage of reasons for hackers to want access to data (classified or otherwise) really really badly.
You just need to get the Hollywood-fabricated ideas about small teams of omnipotent superhacker "gods" out of your mind, because they don't exist.
while(1) attack(People.Sandy);
Yeah, that'll teach'm to open up emails and PDFs titled "Death To America!" while running an OS and applications software written and controlled by a U.S. company.
I have a hard time taking it seriously that a "Nation State" is the most likely source of the infection, and I have an even harder time believing that it is the United States behind it. Siemens is a huge (German) manufacturer of control systems; their equipment is installed throughout the industrialized world. The Bushehr reactor is being built with help from Russia, but I am sure there are engineers from many different countries involved (notably absent would be Israel and the U.S.). These engineers should include people responsible for the security of both the Windows and the Siemens systems.
I would argue that these engineers are the likely source of the information used to create the 'worm'. They have to be. Nobody else should have the information available to them to program the specific scenario to meet all of the inputs required to cause the mayhem the worm is intended to cause.
Perhaps over a couple of beers they decided they didn't like some of the things they were seeing? Maybe they wrote the worm or maybe they just provided the information to the people that did. But either way, it reeks of being an inside job.
Getting information was not so difficult, even from within the Manhattan Project. If a government is hellbent on infiltrating secret projects of a rival government, they sure have enough resources at hand.
cpghost at Cordula's Web.
"Hey, we just want them fucked up. We don't give a shit about the details."
"Talking heads are speculating that the worm is too complex for an individual or group, causing blame to be placed on Israel or even the United States "
How does "too complex for an individual or group" equate to "must be Israel or the United States"? I hope I'm reading this wrong.
Otherwise I might have to troll about "German companies blaming the US and the Jews for everything" or something.
do() || do_not();
Really? How big do you think the team that created Stuxnet is then? Or do you really think that one guy found 4 new zero days, wrote a P2P control mechanism, a custom kernel mode rootkit, a bunch of PLC code in an obscure form of assembly language and a shim DLL to hide the PLC infection from the operator?
The Stuxnet team is the closest thing to the Hollywood stereotype of a small team of omnipotent superhacker gods the world has seen.
The stuxnet team is most likely the product of a large intelligence department. That is to say a group effort from a nation state, not some independent hacking gods with nothing better to do.
The point is that expertise in scada, coming up with 4 zero days, getting 2 signed driver keys from JMicron and Realtek, and distributing the exploit without the internet to Iranian factories is not something a non-state can do.
In any event, in the early analyses of Stuxnet, that the target was Bushehr was speculative based on:
Assuming the screenshot and target of Stuxnet are both Bushehr, then I don't actually know which is worse; that someone would trust apparently pirated software to run a nuclear plant, or that someone would deliberately try to disrupt the operations of one...
UNIX? They're not even circumcised! Savages!
Uhh, you're missing the GP's point. It's HIGHLY doubtful a small group of scruffy super-smart hackers a la Angelina Jolie and friends in "Hackers" created this virus. Given the complexity you point out (and by the way, you missed a very important point - Stuxnet utilizes stolen encryption keys from TWO Taiwanese chip manufacturers), it's much more likely that a large, coordinated government or corporate organization that was able to assemble experts from many different fields was behind the attacks.
So we're arguing about the definition whether the team was "small" or "large" then :-) Given that Stuxnet is around half a megabyte in size, I'd guess the code itself was written by a team of around 5 people, probably with each person owning an area of functionality. Say another 5 for project infrastructure, eg, building testing environments, finding the zero days and doing whatever was required to steal the digital certs.
I'm sure there is a fairly large supporting cast for this "Myrtus/Guava" project, but I'd wager a crisp benjamin the bulk of the work was done by less than 10 people. Now whether this sort of effort is "small" or "large" is a matter of perspective - for a state sponsored military project it'd be very small, for a computer virus project it'd be pretty large.
By the way, if the authors of Stuxnet are reading this - nice work, but I seriously hope you know what the hell you are doing. Remotely sabotaging industrial facilities in a part of the world that's on a political knife edge can go wrong in so many ways I don't even want to think about it.
There are some strange things that the state-sponsor theory of Stuxnet is at a loss to explain.
The first of these is the P2P update cycle of the worm. One important element of this is that to update it one has to re-seed the network with a new version. However, anybody with appropriate skills can do this, so the worm could be easily retooled to strike back at the creator. The idea that a nation would be incompetent enough to allow such a weapon as this to be redirected back at their critical infrastructure doesn't sit well with me.
The second major problem has to do with the fact the virus tends to be digitally signed via stolen private keys of reputable companies from around the globe many of which have no presence in the Middle East. Theft of these private keys is suggestive of a long-term effort probably involving past viruses and trojans.
Also while Iran is a major hotspot of infections they aren't the only ones. Indonesia is a close second.
These things are easy to explain from perspective that assumes a criminal syndicate but hard to explain from the perspective of a theory of state sponsorship.
Stuxnet is groundbreaking in a large number of ways. It's also an interesting question as to whether the malfunctions in the SCADA systems expected under Stuxnet could be similar to those experienced by Deepwater Horizon before the tragic explosion. While it might not be stuxnet in that case, it raises important questions about possible consequences of such a virus. These consequences are significantly more severe for a state sponsor than for a criminal one.
LedgerSMB: Open source Accounting/ERP
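As an added illustration of the update-hijack worry raised in the post above (this is not Stuxnet's code and was not written by any poster in this thread): a toy "highest version wins" peer exchange, first with no authentication and then with every update bound to a signature that only the holder of the private key can produce. The names Node, offer_update and reseed_and_gossip, the key material and the five-host mesh are all hypothetical, and the RSA is textbook with fixed small primes and no padding, chosen only so the block runs on a bare Python install.

```python
"""Peer-to-peer "highest version wins" update, with and without a signature check.

Added example for this thread: not Stuxnet's code and not from any poster here.
Node, offer_update, reseed_and_gossip and the key material are all hypothetical.
The signature is textbook RSA over a truncated SHA-256 digest with fixed small
primes and no padding: enough to show who can mint an update that peers accept,
not a usable signature scheme.
"""
import hashlib
from dataclasses import dataclass

# Toy key pair. The operator keeps D; every node embeds only (N, E).
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def digest(version: int, payload: bytes) -> int:
    """Bind version and payload together; 56 bits keeps the value below N."""
    h = hashlib.sha256(version.to_bytes(4, "big") + payload).digest()
    return int.from_bytes(h[:7], "big")


def sign(version: int, payload: bytes) -> int:
    """Operator side: needs D."""
    return pow(digest(version, payload), D, N)


def verify(version: int, payload: bytes, sig: int) -> bool:
    """Node side: needs only the embedded (N, E)."""
    return pow(sig, E, N) == digest(version, payload)


@dataclass
class Node:
    name: str
    version: int
    payload: bytes
    check_signature: bool   # False models the unauthenticated cycle the post describes
    sig: int = 0

    def offer_update(self, version: int, payload: bytes, sig: int) -> bool:
        """A peer offers its state. Adopt it if newer and, when checking, only if signed."""
        if version <= self.version:
            return False
        if self.check_signature and not verify(version, payload, sig):
            return False
        self.version, self.payload, self.sig = version, payload, sig
        return True


def reseed_and_gossip(nodes, seed: int, version: int, payload: bytes, sig: int) -> list:
    """Whoever re-seeds controls one host outright, so that host's state is set directly
    and its own check is moot. Every node then pushes its state to every other node
    until nothing changes. Returns the hosts that ended up running `payload`."""
    nodes[seed].version, nodes[seed].payload, nodes[seed].sig = version, payload, sig
    changed = True
    while changed:
        changed = False
        for src in nodes:
            for dst in nodes:
                if dst is not src and dst.offer_update(src.version, src.payload, src.sig):
                    changed = True
    return sorted(n.name for n in nodes if n.payload == payload)


def run(check_signature: bool) -> dict:
    """Five-host mesh at version 1. The operator pushes v2 with a real signature; an
    attacker who has a sample (so knows N, E and the wire format) but not D re-seeds
    a captured host with v999 and replays the operator's v2 signature."""
    def mesh():
        return [Node(f"host{i}", 1, b"v1", check_signature) for i in range(5)]

    op_payload = b"v2-operator"
    op_sig = sign(2, op_payload)
    operator_reach = reseed_and_gossip(mesh(), 0, 2, op_payload, op_sig)

    att_payload = b"v999-retooled"
    attacker_reach = reseed_and_gossip(mesh(), 0, 999, att_payload, op_sig)
    return {"operator": len(operator_reach), "attacker": len(attacker_reach)}


if __name__ == "__main__":
    print("no signature check:", run(False))   # both updates take the whole mesh
    print("signature check:   ", run(True))    # attacker stays on the one host he controls
```

The point of using an asymmetric signature rather than a shared secret is that a captured sample hands the analyst only the verifying key, so having "appropriate skills" and a copy of the binary is not enough to re-seed the network; with an HMAC or any other secret shared by all nodes, the sample itself would be the forging key. A real design would also use proper key sizes and a padded scheme such as RSA-PSS or an EdDSA signature, not the bare modular exponentiation shown here.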
There is an analysis of the screenshot at http://www.hackerfactor.com/blog/index.php?/archives/396-No-Nukes.html
The conclusion is that it is probably a screenshot of a wastewater treatment plant, not a nuke facility.
The problem is that, as far as I know, international law doesn't know how to deal with national cyber-attacks. Are they the equivalent of a physical attack? If they do large-scale financial damage (loss of services)? If they do large-scale physical damage (destroy a factory or power plant), if they kill a few people (factory accident), kill a lot of people (chemical plant explodes)?
If a cyber-attack on financial institutions costs billions of dollars is that an act of war?
If a cyber-attack from country A caused a Bhopal-like disaster in country B, is country B justified in launching a physical attack on population centers of country A?
Words are one thing - attacks (physical or cyber) that cause damage are another.
I do all of that while cooking my morning breakfast.
However, I am the most interesting man in the world....
Stay thirsty my friends.
No you don't. Show me a quote from an Iranian leader currently in power who said "We will hit Israel with a nuke." US Republicans and Israeli Likudniks have said to nuke Iran, but do you have a statement showing the reverse?
Iranians do see Israel and the US as enemies, since the US overthrew the democratic government of Iran in the 1950s, and tried to do it again after 1979. The amount of warmongering from Bush and Rumsfeld in both statements and actions (bombing an Iranian embassy in an airstrike) only put them further on edge.
Your claim that their nuclear program can ONLY be for weapons and not energy is a silly claim, and you make it without proof. The IAEA and academics disagree with you.
Thanks for the tip. We'll definitely keep that in mind.
Well. Let's ignore the problem of motive for now (there are far easier ways for criminals to turn a profit than this) - one has to wonder why Stuxnet is written as a traditional self-propagating virus.
Apparently it has some kind of self-kill logic which tries to ensure it doesn't spread after three "hops", which suggests whoever wrote it didn't want it to become a totally uncontrolled worldwide infection.
Presumably whoever wrote this knew they wouldn't be able to obtain actual physical access to the facility they wanted to damage, nor would they be able to insert an undercover agent, nor would they be able to compromise an existing employee. If you wanted to attack a high security facility and your intelligence agency wasn't able to penetrate it using more traditional techniques, creating a virus that spreads indiscriminately and hoping you get lucky seems like a pretty reasonable strategy.
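An added example of the hop-limited spread described in the post above (not Stuxnet's code and not from any poster here): a breadth-first infection over a constructed host graph, where each copy carries a counter that is spent one hop at a time, plus a helper that lists where patient zero would have to land for a copy with that budget to reach a given target. The graph, the budget of three and the function names are hypothetical.

```python
"""Hop-limited spread over a constructed host graph.

Added example for this thread: not Stuxnet's code and not from any poster here.
The graph, the hop budget and the function names are hypothetical. Each copy of
the worm carries a counter; a copy whose counter is spent still runs on its host
but infects no one else, so reach is bounded by graph distance from patient zero.
"""
from collections import deque

# Constructed adjacency list: which hosts a given host can push a copy to
# (removable media, shares, whatever the propagation vector is).
PEERS = {
    "usb-laptop": ["office1", "office2"],
    "office1": ["office3", "eng-ws"],
    "office2": ["office3"],
    "office3": ["fileserver"],
    "eng-ws": ["hmi1"],
    "hmi1": ["plc-net-gw"],
    "plc-net-gw": [],
    "fileserver": ["office4"],
    "office4": ["office5"],
    "office5": [],
}


def spread(peers, patient_zero, hop_budget=None):
    """Breadth-first infection. Returns {host: hops from patient zero} for every
    host that ends up infected. hop_budget=None means no limit."""
    infected = {patient_zero: 0}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        hops = infected[src]
        if hop_budget is not None and hops >= hop_budget:
            continue   # counter exhausted: this copy runs but does not propagate
        for dst in peers.get(src, []):
            if dst not in infected:
                infected[dst] = hops + 1
                queue.append(dst)
    return infected


def seeds_reaching(peers, target, hop_budget):
    """Hosts (other than the target) from which an infection with this budget still
    reaches the target: where patient zero has to land for the attack to work."""
    return sorted(h for h in peers if h != target
                  and target in spread(peers, h, hop_budget))


if __name__ == "__main__":
    limited = spread(PEERS, "usb-laptop", 3)
    unlimited = spread(PEERS, "usb-laptop")
    print(f"3 hops from usb-laptop: {len(limited)} hosts, gateway hit: {'plc-net-gw' in limited}")
    print(f"unlimited:              {len(unlimited)} hosts, gateway hit: {'plc-net-gw' in unlimited}")
    print("seeds that reach plc-net-gw in 3 hops:", seeds_reaching(PEERS, "plc-net-gw", 3))
```

With the budget in place the copy that starts on the laptop stops one hop short of the gateway, while the unlimited variant takes every host; the seed list shows the flip side of "hoping you get lucky": a bounded worm only works if the initial drop lands within the budget of the target, which is the trade the post's author is describing.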
The truth may be somewhere in the middle. The top candidates are the US and Israel based on "who dislikes Iran the most". Israeli intelligence has proven several times before they apparently don't care about being detected or involving other nations as collateral damage, see the recent UK passport forging that was a part of an assassination. A guy who used to be a director of anti-proliferation strategy for the US government has remarked that the style doesn't seem like a US operation given how much noise the approach would inevitably create, and the tremendous impact outside of the intended target.
Now obviously he is biased, but I'd tend to agree with him. It seems kind of unlikely the US would do something so dramatically non-covert. The way Stuxnet works practically guaranteed it would be eventually detected and subjected to intense scrutiny. The fact that there's so many clues and possible evidence trails lying around also suggests that whoever did it wasn't too concerned with being caught, eg, it's possible the stolen digital certs or the C&C servers will provide a trail that can be investigated.
So out of "countries that hate Iran" which of those is most likely to perform an operation that is very likely to be detected and very likely to piss off a large number of random other nations or organizations? If I had to pick an intelligence agency in the world that most resembled a criminal syndicate, the Mossad would be pretty high up the list. Speculation is fun isn't it.
just read
http://frank.geekheim.de/?p=1189
MB for complexity? What the fuck? That's like GHz for speed -- there is relation only when you restrict the scenario (e.g. 100% ASM). Apparently you haven't seen any 64KB demos, or 10MB STL+Boost* HelloWorld programs.
* This remark is a detraction of programmer inefficiency, not C++/STL/Boost. It doesn't occur when they are used correctly.
"You just need to get the Hollywood-fabricated ideas about small teams of omnipotent superhacker "gods" out of your mind, because they don't exist."
Not quite in the Hollywood image they don't, no. But assuming that such hacking is beyond the efforts of one or two highly intelligent, knowledgeable and motivated individuals is a big mistake. You just need someone with an IQ in the 150 range who reads manuals and code for fun and thinks so far outside the box he can barely see it from there.
(Some 35 years ago I routinely pwned the campus mainframe, a Burroughs B6700, through a combination of inspired guesswork (giving me access to allocated but unused accounts), dumpster diving (hey, a listing of the OS, that looks interesting. Gee, what's this string "&:*" being passed to a call that expects the [root-equivalent] password?), social engineering (me at a Burroughs sales office: "I'm a student at X, can I get some B6700 manuals?" They: "We don't have any for sale here, but [checks in back] here are some old ones I'll just give you." Systems programmer back at X: "How'd you get those? We can't even get those!") and plain outside the box thinking (Sys programmer: "but you can't edit a Burroughs backup tape!" Me: "not on the Burroughs, no. But on the IBM 360/50..." He: "Oh, shit." Being able to edit a Burroughs backup tape let you (or me) get around the fact that only a program tagged as a compiler could tag a binary file as executable, and only an operator console command could tag a program as a compiler. But if you could create your own arbitrary executable binaries, you had access to all kinds of system calls normally reserved to the OS.) Of course those were more naive, innocent times, pre Morris worm, and terms like "dumpster diving" and "social engineering" hadn't been coined yet. It's a little harder these days (back then I was barely even trying), but there are better tools available, so don't fool yourself. Script kiddies are one thing -- it's the folks inventing those scripts, or rather, the ones who invent scripts the kiddies never see, that you need to worry about.)
-- Alastair
Citation please, along with the actual non-paraphrased quotes.
Enjoy:
http://www.youtube.com/watch?v=FckLO8HcNyo
http://www.youtube.com/watch?v=Gk_eXtCu03E
Oh, and here are a few more which, while they don't quite come from leaders, do come from agents of the Iranian state - in their official capacity - cheering the crowd:
http://www.youtube.com/watch?v=XHoVuFlrcjA
http://www.youtube.com/watch?v=92myDzAFgU4
Search for "death to Israel" and "death to America" on YouTube for tons more of that.
I agree. Stuxnet, and who knows what will follow it, are similar to the USA Skunkworks that managed to develop and deploy the SR-71 Blackbird in complete secrecy, or before that the Manhattan Project in the USA, and the Enigma work done in Great Britain.
We have a new player on the world stage, and data security is never going to be the same again. Actually we probably have more than one new player, since there are probably a dozen countries that are capable of doing this kind of thing. And quite possibly they've been around for a long time, hiding behind spammer botnet facades, etc. I find it suspicious that while spammer botnets are supposed to be making their fortunes by selling advertising, there has never been a serious effort to go after the companies that are apparently buying these services. I wonder how many distributors of v14gRuh there really are, and how many are virtual fronts for information gathering and disinformation distribution activities?
Hmm. I prolly read too much Philip K Dick in a younger day.
Will