Slashdot Mirror


A Finnish-Chinese Connection For Stuxnet?

Lingenfelter writes "I recently wrote a white paper entitled 'Dragons, Tigers, Pearls, and Yellowcake' in which I proposed four alternative scenarios for the Stuxnet worm other than the commonly held assumption that it was Israel or the US targeting Iran's Bushehr or Natanz facilities."

12 of 113 comments

  1. My paper is coming by unity100 · · Score: 4, Funny

    In which, I will blame the stuxnet worm on the late Marilyn Monroe.

  2. Overthinking it by mike260 · · Score: 5, Insightful

    Israel is (by far) the most nervous about Iran's nuclear program, and already had one pre-emptive attack on a nuclear plant under its belt that (in their worldview) was a resounding success and is a point of national pride.
    So one of the drives targeted by stuxnet is manufactured in China... I hate to state the obvious, but what isn't?

    1. Re:Overthinking it by gl4ss · · Score: 3, Informative

      I guess the current way many Finnish industrial machine manufacturing goes is that the first models are machined and done in Finland and then at least parts manufacture is subcontracted from somewhere cheaper; also we don't have chip fabs in Finland so naturally a lot of the parts need to be imports anyways. And another thing that's done on contract by Finnish firms by Finns is to go to a project site and fix up the mess that the export Chinese workmen haven't been able to fix.

      The Finnish connection is an interesting one because there's plenty of people in Finland who could've written Stuxnet by themselves (and access to fresh exploits and the means to look for exploits themselves) and possibly had the information too - and quite low probability of getting connected to it by anyone else. But it's an obvious one that's hard to prove, so it's just that it's targeting some Finnish connection hardware that's the connection to Finland. The motivation in that case wouldn't have been money, fame or such; it would be that it's just such a sweet target and even if caught, criminal charges would've been extremely hard to press (and even condemning it morally would have sparked a lot of discussion; after all, Stuxnet was a more civil way to slow the progress there than bombing some scientists).

      Finland does a lot of trade with many shady countries, nobody gives a rat's ass you see (about what Finland does and with whom) and the economy isn't exactly booming, so extra business is extra business. That's not to say that the Iranians maybe hadn't lied about what they're going to use the machinery for - notice that had they been used for something else than what the Iranians (now apparently confirmedly) were using them for, then Stuxnet would have done nothing :). They could've used them to run some fat separators but nooo, had to use for some zero economical output work.

      --
      world was created 5 seconds before this post as it is.

  3. China's viewpoint on Iran and nukes by antifoidulus · · Score: 5, Interesting

    China is actually worrying about Iran's nuclear ambitions, but for different reasons than most of the West is. They aren't worried too much about Iran attacking any of its interests, but don't want to see US influence continue to grow in the region.

    It's already well established (and the leaked cables support this) that many of the other countries in the area are quite wary of Iran and its ambitions, and a nuclear armed Iran would give the US and these countries a rationale for increasing US presence and influence in the region. China does not see this as being beneficial in the long run as it sees the US as its biggest, and really only, potential rival. Therefore they are against a nuclear armed Iran, but on the other hand Iran is one of China's biggest oil suppliers and it really does not want to piss them off. So China's position is to try to prevent Iran from getting nukes while at the same time looking like the 'good guy'. They often times abstain when it comes time to vote on Iranian sanctions in the Security Council. This essentially gives them an out: they can continue to see sanctions and pressure put on the Iranian nuke program without looking like a bad guy to Iran. They can always tell the Iranians that they were worried about vague and unspecified repercussions if asked why they didn't vote no.

  4. It's about oil and coal by moxsam · · Score: 5, Interesting

    Iran not only gets money but also Chinese coal in exchange for the crude oil that they sell to China. Now when Iran finishes their reactors, Iran needs less coal for making electric energy. But China will still need the oil. Thus they have to pay more for the oil. Even worse, the less coal Iran needs the less dependent they become on China, so they are more likely to sell their oil to other countries.

    Sabotaging the nuclear plants of Iran is a cheap way to sustain the co-dependency between Iran and China.

    1. Re:It's about oil and coal by tacktick · · Score: 5, Insightful

      Now that is a tempting hypothesis.
      But I'm going with Occam's razor on this one.

      Who has the most to lose should Iran get nukes? Israel. Who has the most interest in the region? Israel. Who has the cash and the tech know-how? Who has a close relationship with a more powerful country with a _big_ interest in stopping Iran? Israel.

  5. Re:Rather basic question by Anonymous Coward · · Score: 4, Informative

    On the presumption that this is some electronic device with a user-modifiable firmware (how else would the worm be able to modify it?) - what would stop Iran from taking an unaffected piece, dumping the firmware, and re-uploading it?

    Do a clean reinstall of Windows, and you're set to go.

    Is there something I am missing?

    Here's what you're missing:

    We originally only had two basic kinds of memory chips: RAM, which is volatile, and ROM, which was non-volatile. Then someone came up with a new chip that could be 'flashed', that is you could change the data values once but then it became completely non-volatile and was no longer updatable (WORM - Write Once Read Many).
    These were the first flashable chips, and had a finite amount of space to use for updates since once you wrote new data, it was there for good.
    Well, we have largely moved away from WORM technology on most consumer devices, since it's a lot better to have a chip which is largely non-volatile but can still be updated so you don't run out of space or risk totally ruining the chip.

    But a lot of high-dollar embedded devices still use WORM chips. Why? Because devices like the ones in question are not only expensive in terms of the raw hardware, but also cost a fortune in license fees for the software which runs them. And the last thing they want is for someone to purchase the equipment from someone else (used or stolen, for example) and run their own software on it- the company makes nothing. So they use chips which are based on WORM technology, which means that a malicious (or bugged) update could easily prevent any further updates (upgrades or downgrades, it's all updates)... which would require replacing the chip. And in most cases, it would be an entire board not just a single chip.

    So that's basically a headache for any legit operation which has a support contract with the manufacturer (which they WILL have, always): they ship it back and the maker ships a new one. Or maybe just sends a tech to the site with a spare. Which is all fine and dandy when you're not a country under international embargo, and have multiple powerful nations working to prevent you from getting these machines in the first place. But when you are a 'rogue state' or whatever we're calling them today, getting a replacement chip with the proper software on it is probably even more difficult than just getting an entirely new unit on the black market.

  6. Re:If Lingenfelter is right by acidfast7 · · Score: 3, Insightful

    As a microbiologist, I haven't heard anyone reputable suggest that H1N1/09 was engineered. Sounds like tin-foil hat material to me. And I wouldn't trust an MD/DO to speculate about the evolutionary origin of a virus.

  7. Re:If Lingenfelter is right by tacktick · · Score: 4, Informative

    Seriously?
    If it was an escaped Chinese military virus, wouldn't it have been a lot more deadly?

    Also, it was traced to a pig farm in Mexico.

    Now please coat your tin foil suit with tungsten carbide. You're gonna need it.

  8. Re:Rather basic question by tacktick · · Score: 3, Insightful

    Stuxnet is quite the nasty piece of malware. There isn't anything simple about it.
    This is Symantec's summary:

    Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant. The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries. Stuxnet was discovered in July, but is confirmed to have existed at least one year prior and likely even before. The majority of infections were found in Iran. Stuxnet contains many features such as:

    - Self-replicates through removable drives exploiting a vulnerability allowing auto-execution: Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732).
    - Spreads in a LAN through a vulnerability in the Windows Print Spooler: Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073).
    - Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
    - Copies and executes itself on remote computers through network shares.
    - Copies and executes itself on remote computers running a WinCC database server.
    - Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
    - Updates itself through a peer-to-peer mechanism within a LAN.
    - Exploits a total of four unpatched Microsoft vulnerabilities, two of which are the previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed.
    - Contacts a command and control server that allows the hacker to download and execute code, including updated versions.
    - Contains a Windows rootkit that hides its binaries.
    - Attempts to bypass security products.
    - Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
    - Hides modified code on PLCs, essentially a rootkit for PLCs.

    The full Stuxnet dossier for interesting reading:
    http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
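A defender-side triage of three of the propagation vectors in the summary above (removable-drive LNK autorun, the Print Spooler dropping files into System32, and tampering with Step 7 projects), written as an added example and not Symantec's or the poster's code. The event shape, the file names and the step7.exe editor process name are constructed assumptions; the System32 write pattern is a detail from the full dossier rather than from the summary quoted above.

```python
import re

# Constructed process/file events in a simplified Sysmon-like shape; the
# file and process names are made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"image": "rundll32.exe", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe E:\driver.tmp,Run", "writes": []},
    {"image": "spoolsv.exe", "parent": "services.exe",
     "cmdline": "spoolsv.exe", "writes": [r"C:\Windows\System32\dropped.exe"]},
    {"image": "unknown.exe", "parent": "cmd.exe",
     "cmdline": "unknown.exe", "writes": [r"D:\projects\line1.s7p\plc.dll"]},
    {"image": "step7.exe", "parent": "explorer.exe",  # assumed editor name
     "cmdline": "step7.exe", "writes": [r"D:\projects\line1.s7p\blocks.db"]},
    {"image": "notepad.exe", "parent": "explorer.exe",
     "cmdline": r"notepad.exe C:\Users\op\notes.txt",
     "writes": [r"C:\Users\op\notes.txt"]},
]

# BID 41732: a crafted .lnk on a removable drive makes the shell load a
# library through rundll32 from that drive without the user opening anything.
REMOVABLE_LIB = re.compile(r"^rundll32\.exe\s+[D-Z]:\\", re.IGNORECASE)
# BID 43073: the spooler service itself ends up writing into System32.
SYSTEM32 = re.compile(r"^C:\\Windows\\System32\\", re.IGNORECASE)
# Step 7 projects are directories named *.s7p (assumption about the layout).
STEP7_PROJECT = re.compile(r"\.s7p\\", re.IGNORECASE)
STEP7_TOOLS = {"step7.exe"}  # placeholder for the legitimate editor process


def classify(event):
    """Return the list of Stuxnet-style behaviours an event matches."""
    image = event["image"].lower()
    hits = []
    if REMOVABLE_LIB.match(event["cmdline"]):
        hits.append("lnk-autorun-from-removable-drive")
    if image == "spoolsv.exe" and any(SYSTEM32.match(p) for p in event["writes"]):
        hits.append("print-spooler-writes-into-system32")
    if image not in STEP7_TOOLS and any(STEP7_PROJECT.search(p) for p in event["writes"]):
        hits.append("step7-project-modified-by-foreign-process")
    return hits


def triage(events):
    """Map event index -> matched behaviours, keeping only suspicious events."""
    flagged = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            flagged[i] = hits
    return flagged
```

Running triage(SAMPLE_EVENTS) flags the first three constructed events and leaves the legitimate Step 7 editor write and the notepad write alone.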

  9. The FSM did it. by Anonymous Coward · · Score: 3, Insightful

    You leave a dog alone with a steak. When you later come back, the steak is eaten.

    Who ate the steak? It could of course be anyone or anything. It could even be the FSM.

    In all recent stuxnet-stories I've read on slashdot I've found a lot of comments (modded +5) beginning like this:

    I don't know why everyone is so quick to assume it's {USA,Israel} behind this. It could be {Random country, the Yeti}...

    Which is of course true. If you don't know who did it, you don't know who did it. BUT! That doesn't mean every possibility has the same probability.

  10. Re:+1 for hilarious by GameboyRMH · · Score: 4, Funny

    I just pictured Glenn Beck proudly and slowly walking onto the set of his show in an elaborate tungsten-carbide-tinfoil suit, complete with a samurai-style helmet and a US flag strapped to his back.

    "Today friends, I am immune to the electromagnetic radiation of the liberal media, and the silent-but-deadly kinetic impact of their hybrid cars. I can think freely and walk the streets without fear. Bring it on, Obama, if that IS your real name"

    XD

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel