Slashdot Mirror


A Finnish-Chinese Connection For Stuxnet?

Lingenfelter writes "I recently wrote a white paper entitled 'Dragons, Tigers, Pearls, and Yellowcake' in which I proposed four alternative scenarios for the Stuxnet worm other than the commonly held assumption that it was Israel or the US targeting Iran's Bushehr or Natanz facilities."


  1. I did it. by MrQuacker · · Score: 2

    Since everyone else is taking credit, I might as well...

  2. My paper is coming by unity100 · · Score: 4, Funny

    In which, i will blame stuxnet worm on late Marilyn Monroe.

  3. Overthinking it by mike260 · · Score: 5, Insightful

    Israel is (by far) the most nervous about Iran's nuclear program, and already had one pre-emptive attack on a nuclear plant under its belt that (in their worldview) was a resounding success and is a point of national pride.
    So one of the drives targeted by Stuxnet is manufactured in China... I hate to state the obvious, but what isn't?

    1. Re:Overthinking it by gl4ss · · Score: 3, Informative

      I guess the current way much Finnish industrial machine manufacturing goes is that the first models are machined and done in Finland and then at least parts manufacture is subcontracted from somewhere cheaper; also we don't have chip fabs in Finland, so naturally a lot of the parts need to be imports anyway. And another thing that's done on contract by Finnish firms, by Finns, is to go to a project site and fix up the mess that the exported Chinese workmen haven't been able to fix.

      The Finnish connection is an interesting one because there are plenty of people in Finland who could've written Stuxnet by themselves (and had access to fresh exploits and the means to look for exploits themselves) and possibly had the information too - and quite a low probability of getting connected to it by anyone else. But it's an obvious one that's hard to prove, so it's just that it's targeting some Finnish connection hardware that's the connection to Finland. The motivation in that case wouldn't have been money, fame or such; it would be that it's just such a sweet target, and even if caught, criminal charges would've been extremely hard to press (and even condemning it morally would have sparked a lot of discussion; after all, Stuxnet was a more civil way to slow the progress there than bombing some scientists).

      Finland does a lot of trade with many shady countries; nobody gives a rat's ass, you see (about what Finland does and with whom), and the economy isn't exactly booming, so extra business is extra business. That's not to say that the Iranians maybe hadn't lied about what they're going to use the machinery for - notice that had they been used for something other than what the Iranians (now apparently confirmedly) were using them for, then Stuxnet would have done nothing :). They could've used them to run some fat separators, but nooo, had to use them for some zero-economic-output work.

      --
      world was created 5 seconds before this post as it is.
    2. Re:Overthinking it by grrrgrrr · · Score: 2

      On the other hand, China is the most obvious source of any cyber warfare or espionage. They have shown they can and will do it. So why not for this one? I think Israel would use one of the more trusted methods of bombing or assassination; that is what they are known for, and it also has the added benefit of showing your strength publicly, as you point out yourself.

    3. Re:Overthinking it by Pharmboy · · Score: 2

      I tend to agree, although the scientists that died of high-velocity lead poisoning does sound like something Israel could and would do, very effectively. The problem with the US is that we are always too obvious, try to be "loved", and are overly open about stuff like this. We save the secret spying and covert operations for our own citizens.

      --
      Tequila: It's not just for breakfast anymore!
    4. Re:Overthinking it by LWATCDR · · Score: 2

      Actually, just about everybody is worried about Iran's nuclear program. Russia has its own problems with Muslim extremists, and Iran and Russia are natural enemies that for now are cooperating. They do not want Iran to have nuclear weapons; they just want to sell them stuff.
      India doesn't really want an extremist Islamic nuclear power that could become allied with an extremist Pakistan.
      Throw in France, Germany, the UK, Sweden, Italy, and all the nations near Iran and you have a long list. Frankly, you can make it pretty easy.
      Who wants Iran to have nuclear weapons?
      The extremist elements of Iran.

      Who doesn't want Iran to have nuclear weapons?
      Everybody else on the planet.

      Of course you will have a few people outside of Iran but you get the picture. The world really doesn't want this.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    5. Re:Overthinking it by Xest · · Score: 2

      "Israel is (by far) the most nervous about Iran's nuclear program, and already had one pre-emptive attack on a nuclear plant under its belt that (in their worldview) was a resounding success and is a point of national pride."

      Actually, it's done two. It bombed the Osirak reactor in Iraq in '81, and it bombed the Syrian nuclear installation in 2007.

      But here's the point: when you consider that Iran is no more a threat to Israel than Iraq was then, and than Syria was in 2007, then why do you think, if Israel is responsible, that they made such a change of tactics this time? Why switch to such a covert method that's at best going to delay things a bit, and certainly not going to completely destroy the facility, when their pre-existing modus operandi is simply to go in and bomb the installations? Something they're more than capable of doing.

      You may be right that China didn't do it, but there are so many possibilities; just because Iran vocally hates Israel doesn't mean it's any more concerned than other countries. With Iran trying to build long-range missiles capable of hitting Europe, what makes you think that pretty much any European country isn't responsible? It's arguable that even Saudi Arabia is more interested in dealing with Iran than Israel is.

      Yes, you're right Israel has motive, but when they want to do something they also tend not to fuck around either; Stuxnet seems to very much be a case of fucking around. It seems more like something designed to disrupt Iran's ambitions rather than outright destroy them, likely to delay their programme to force them to sit at the negotiating table longer; again, something Israel tends not to care about if it's really bothered by something.

    6. Re:Overthinking it by mike260 · · Score: 2

      The Military Option: Bushehr is not Osirak:

      the GOI does not know where all of the targets are located

      potential targets are well dispersed throughout the country, with several located in built-up civilian areas

      any attack on Bushehr would likely result in Russian casualties and endanger Moscow's cooperation

    7. Re:Overthinking it by Unequivocal · · Score: 2

      Bruce Schneier debunked the sociopath theory reasonably well when he observed that this tool is very specifically focused. If this tool had been built with sociopathic/antisocial intent it would have f'ed up way, way more public infrastructure world-wide.

  4. Rather basic question by Anonymous Coward · · Score: 2, Interesting

    On the presumption that this is some electronic device with a user-modifiable firmware (how else would the worm be able to modify it?) - what would stop Iran from taking an unaffected piece, dumping the firmware, and re-uploading it?

    Do a clean reinstall of Windows, and you're set to go.

    Is there something I am missing?

    1. Re:Rather basic question by mike260 · · Score: 2

      Nope, seems about right. But you can reinfect a PC by inserting an infected USB key and viewing the contents, so until you know the infection-vectors (which took a while to discover) you'd have difficulty staying clean.

      Stuxnet was made to stay undetected as long as possible - it only mucks about with attached drives (rapidly spinning them up and down) at long intervals and for short periods. So instead of a room full of exploding centrifuges, you get an abnormally high failure rate. It even records sensor data from normal operation and replays it while it's messing with the drives, to hide itself from anyone monitoring it.
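The record-and-replay behaviour described in the comment above, as an added defender-side example (not code from the thread, from Symantec or from any vendor analysis): real analogue readings carry noise, so a long window of telemetry that recurs bit-for-bit later in the stream is a strong hint that an operator is seeing replayed data rather than live measurements. The sensor stream it scans is constructed inline; window length and the stuck-sensor guard are assumptions.

```python
"""Flag telemetry windows that recur exactly, a simple replay indicator.

Added example, not part of the original thread. The stream below is
constructed: noisy readings around 1000 rpm, with one earlier segment copied
verbatim later to simulate a recorded-and-replayed sensor feed.
"""
from hashlib import sha256
from typing import List, Sequence, Tuple
import random
import struct


def window_fingerprint(readings: Sequence[float]) -> str:
    """Hash the exact IEEE-754 bit patterns of one window (no rounding)."""
    return sha256(struct.pack(f"{len(readings)}d", *readings)).hexdigest()


def find_replayed_windows(stream: Sequence[float], window: int = 32) -> List[Tuple[int, int]]:
    """Return (first_seen_index, replay_index) pairs for windows that recur exactly.

    Windows whose values are all identical are ignored: a stuck or heavily
    quantised sensor legitimately repeats, so it would otherwise raise false
    alarms. After a hit, positions overlapping the reported replay window are
    skipped so one replayed segment is not reported once per sliding position.
    """
    seen = {}
    hits = []
    skip_until = -1
    for i in range(len(stream) - window + 1):
        chunk = stream[i:i + window]
        if len(set(chunk)) == 1:  # stuck-sensor guard (assumption)
            continue
        fp = window_fingerprint(chunk)
        if fp in seen and i >= skip_until:
            hits.append((seen[fp], i))
            skip_until = i + window
        seen.setdefault(fp, i)
    return hits


def constructed_stream(seed: int = 7) -> List[float]:
    """Constructed telemetry: Gaussian noise around 1000.0, with samples
    100..199 replayed verbatim at positions 400..499."""
    rng = random.Random(seed)
    stream = [1000.0 + rng.gauss(0.0, 2.5) for _ in range(600)]
    stream[400:500] = stream[100:200]
    return stream


if __name__ == "__main__":
    for first, replay in find_replayed_windows(constructed_stream()):
        print(f"window at {replay} repeats window first seen at {first}")
```

With a 32-sample window the 100-sample replayed segment is reported as three non-overlapping hits, each 300 samples after its original.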

    2. Re:Rather basic question by Anonymous Coward · · Score: 4, Informative

      On the presumption that this is some electronic device with a user-modifiable firmware (how else would the worm be able to modify it?) - what would stop Iran from taking an unaffected piece, dumping the firmware, and re-uploading it?

      Do a clean reinstall of Windows, and you're set to go.

      Is there something I am missing?

      Here's what you're missing:

      We originally only had two basic kinds of memory chips: RAM, which is volatile, and ROM, which was non-volatile. Then someone came up with a new chip that could be 'flashed', that is, you could change the data values once but then it became completely non-volatile and was no longer updatable (WORM - Write Once Read Many).
      These were the first flashable chips, and had a finite amount of space to use for updates, since once you wrote new data, it was there for good.
      Well, we have largely moved away from WORM technology on most consumer devices, since it's a lot better to have a chip which is largely non-volatile but can still be updated, so you don't run out of space or risk totally ruining the chip.

      But a lot of high-dollar embedded devices still use WORM chips. Why? Because devices like the ones in question are not only expensive in terms of the raw hardware, but also cost a fortune in license fees for the software which runs them. And the last thing they want is for someone to purchase the equipment from someone else (used or stolen, for example) and run their own software on it- the company makes nothing. So they use chips which are based on WORM technology, which means that a malicious (or bugged) update could easily prevent any further updates (upgrades or downgrades, it's all updates)... which would require replacing the chip. And in most cases, it would be an entire board not just a single chip.

      So that's basically a headache for any legit operation which has a support contract with the manufacturer (which they WILL have, always): they ship it back and the maker ships a new one. Or maybe just sends a tech to the site with a spare. Which is all fine and dandy when you're not a country under international embargo with multiple powerful nations working to prevent you from getting these machines in the first place. But when you are a 'rogue state' or whatever we're calling them today, getting a replacement chip with the proper software on it is probably even more difficult than just getting an entirely new unit on the black market.

    3. Re:Rather basic question by tacktick · · Score: 3, Insightful

      Stuxnet is quite the nasty piece of malware. There isn't anything simple about it.
      This is Symantec's summary:

      Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant. The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries.
      Stuxnet was discovered in July, but is confirmed to have existed at least one year prior and likely even before. The majority of infections were found in Iran. Stuxnet contains many features such as:
      - Self-replicates through removable drives exploiting a vulnerability allowing auto-execution: Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732).
      - Spreads in a LAN through a vulnerability in the Windows Print Spooler: Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073).
      - Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
      - Copies and executes itself on remote computers through network shares.
      - Copies and executes itself on remote computers running a WinCC database server.
      - Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
      - Updates itself through a peer-to-peer mechanism within a LAN.
      - Exploits a total of four unpatched Microsoft vulnerabilities, two of which are the previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed.
      - Contacts a command and control server that allows the hacker to download and execute code, including updated versions.
      - Contains a Windows rootkit that hides its binaries.
      - Attempts to bypass security products.
      - Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
      - Hides modified code on PLCs, essentially a rootkit for PLCs.

      The full Stuxnet dossier for interesting reading:
      http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

  5. Chinas viewpoint on Iran and nukes by antifoidulus · · Score: 5, Interesting

    China is actually worried about Iran's nuclear ambitions, but for different reasons than most of the West is. They aren't worried too much about Iran attacking any of its interests, but don't want to see US influence continue to grow in the region.

    It's already well established (and the leaked cables support this) that many of the other countries in the area are quite wary of Iran and its ambitions, and a nuclear-armed Iran would give the US and these countries a rationale for increasing US presence and influence in the region. China does not see this as being beneficial in the long run, as it sees the US as its biggest, and really only, potential rival. Therefore they are against a nuclear-armed Iran, but on the other hand Iran is one of China's biggest oil suppliers and it really does not want to piss them off. So China's position is to try to prevent Iran from getting nukes while at the same time looking like the 'good guy'. They often abstain when it comes time to vote on Iranian sanctions in the Security Council. This essentially gives them an out: they can continue to see sanctions and pressure put on the Iranian nuke program without looking like a bad guy to Iran. They can always tell the Iranians that they were worried about vague and unspecified repercussions if asked why they didn't vote no.

  6. It's about oil and coal by moxsam · · Score: 5, Interesting

    Iran not only gets money but also Chinese coal in exchange for the crude oil that they sell to China. Now when Iran finishes their reactors, Iran needs less coal for making electric energy. But China will still need the oil. Thus they have to pay more for the oil. Even worse, the less coal Iran needs, the less dependent they become on China, so they are more likely to sell their oil to other countries.

    Sabotaging the nuclear plants of Iran is a cheap way to sustain the co-dependency between Iran and China.

    1. Re:It's about oil and coal by tacktick · · Score: 5, Insightful

      Now that is a tempting hypothesis.
      But I'm going with Occam's razor on this one.

      Who has the most to lose should Iran get nukes? Israel. Who has the most interest in the region? Israel. Who has the cash and the tech know-how? Who has a close relationship with a more powerful country with a _big_ interest in stopping Iran? Israel.

  7. Endless loop. by miffo.swe · · Score: 2

    Iran needs nuclear weapons to be sure the US and Israel won't invade. Those two know that the minute Iran has nuclear weapons as a deterrent, they can't invade. This is an endless loop where Usrael says invasion is the only solution because Iran is trying to get nukes to deter an invasion.

    The only real path to getting Iran off the path to nukes is that the US and Israel promise not to invade Iran. Since that's their goal, they won't.

    One can hope China will step in and assure the freedom of Iran from US/Israeli aggression and thus defuse the situation. Thus far China has taken a very laid-back approach to the rest of the world and tried not to interfere with other countries' policies. Maybe the time has come to rethink that.

    --
    HTTP/1.1 400
    1. Re:Endless loop. by miffo.swe · · Score: 2

      I see you have eaten and digested the propaganda very well. Iran is not a crazy banana republic with raving mad leaders.

      The US and Israel want an excuse to invade, just as the lies about Iraq's WMD were used to fool the world. It doesn't matter if Iran stops its (for now) civilian nuclear program; some other excuse will be made. Iran sadly needs nuclear weapons to protect itself from the US and Israel.

      Do you seriously think Iran would launch a first strike at Israel knowing it would turn every square inch of Iran into a parking space?

      Up until today Israel and the US have been far more aggressive against other countries than Iran, who furthermore has had to defend themselves from US weapons, chemical weapons and money through Saddam back when he was the US's best buddy.

      --
      HTTP/1.1 400
    2. Re:Endless loop. by John+Hasler · · Score: 2

      But the threat of attack by Israel and/or the USA (and the idiot "sanctions") is very useful to the rulers of Iran (Ahmadinejad is far from being a dictator). They need an external enemy to blame for all their internal problems.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  8. Re:RTFA? by Spazztastic · · Score: 2

    A spectacularly worthless summary.

    And even in TFA you have to click through three different links just to download the white paper.

    --
    Posts not to be taken literally. Almost everything is sarcasm.
  9. USB delivered. by Anonymous+Admin · · Score: 2

    China would be far more likely to embed this in the motherboard or NIC than to rely on USB as a delivery vehicle.

  10. Stuxnet and Wikileaks by giorgist · · Score: 2

    I think you need to include the Stuxnet-Israel Wikileaks connection that was announced in the last couple of days.

  11. Re:If Lingenfelter is right by acidfast7 · · Score: 3, Insightful

    As a microbiologist, I haven't heard anyone reputable suggest that H1N1/09 was engineered. Sounds like tin-foil hat material to me. And I wouldn't trust an MD/DO to speculate about the evolutionary origin of a virus.

  12. Re:If Lingenfelter is right by tacktick · · Score: 4, Informative

    Seriously?
    If it was an escaped Chinese military virus, wouldn't it have been a lot more deadly?

    Also, it was traced to a pig farm in Mexico.

    Now please coat your tin foil suit with tungsten carbide. You're gonna need it.

  13. The FSM did it. by Anonymous Coward · · Score: 3, Insightful

    You leave a dog alone with a steak. When you later come back, the steak is eaten.

    Who ate the steak? It could of course be anyone or anything. It could even be the FSM.

    In all recent Stuxnet stories I've read on Slashdot I've found a lot of comments (modded +5) beginning like this:

    I don't know why everyone is so quick to assume it's {USA,Israel} behind this. It could be {Random country, the Yeti}...

    Which is of course true. If you don't know who did it, you don't know who did it. BUT! That doesn't mean every possibility has the same probability.

  14. +1 for hilarious by tacktick · · Score: 2

    Did you get the tungsten-carbide coated tinfoil idea from me?

    Either way, how about going into business together?
    There's money to be made from paranoid people..
    Glenn Beck and talk radio do the prep work for us and we do Cha-ching!

    1. Re:+1 for hilarious by GameboyRMH · · Score: 4, Funny

      I just pictured Glenn Beck proudly and slowly walking onto the set of his show in an elaborate tungsten-carbide-tinfoil suit, complete with a samurai-style helmet and a US flag strapped to his back.

      "Today friends, I am immune to the electromagnetic radiation of the liberal media, and the silent-but-deadly kinetic impact of their hybrid cars. I can think freely and walk the streets without fear. Bring it on, Obama, if that IS your real name"

      XD

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  15. Re:Zionist origin is attested inside Stuxnet code by radtea · · Score: 2

    That the date of death (19790509, or 9th of May 1979) of a Jewish martyr, lynched during the Iranian Islamic revolution, is hardcoded in a registry key used by Stuxnet. QED

    Ok, I'm convinced: it wasn't the Israelis.

    Two things convince me of that: the unbelievably lame little astro-turf campaign going on here with ACs all repeating "I'm gonna go with the OBVIOUS on this one" without one shred of actual evidence to back it up; and this particular claim that a group as canny as the Israelis would effectively sign the worm with a value that points back to them.

    The astro-turfers' efforts are simply racist, no different from the police looking for a convenient person of the correct racial origin to pin a crime on. You don't need to have any evidence, just a general knowledge that your favourite ethnic group are likely to be criminals, so if a crime was committed it's OBVIOUS that one of them must have done it, right?

    But this "signature" is proof of non-Israeli origin, as it requires an incredibly subtle and clever attack on Iran's nuclear program to also include an apparently clear indication of who did it.

    In my experience with the Israelis, they aren't shy about taking credit. Nor are they shy about bombing Iranian nuclear facilities.

    So sticking them with Stuxnet requires that Israel for some reason decided to take an indirect, deniable, clandestine approach, AND AT THE SAME TIME hardcoded a clear pointer to Israeli origin in the code.

    For anyone who finds anything "obvious" about that, I recommend a visit to Dr. Ockham.

    --
    Blasphemy is a human right. Blasphemophobia kills.
  16. Re:If Lingenfelter is right by Eunuchswear · · Score: 2

    I believe the '"AIDS is a CIA plot" is Soviet propaganda' rumour started as a Belgian misinformation campaign in '93.

    --
    Watch this Heartland Institute video