Stuxnet Struck Five Targets In Iran

Batblue writes "Researchers at Symantec said that the notorious Stuxnet worm targeted five separate organizations, and attacks against those objectives — all with a presence in Iran — started in June 2009, more than a year before independent experts raised the alarm."

Well...

[fuzzyfuzzyfungus]

That makes me feel sooo much better about the value of antivirus software.

Does slashdot's new interface support posting from a Babbage engine running OpenBSD?

Re:Well...

[FooAtWFU]

When users can't tell the difference, bad software drives out the good.

Re:Well...

[golden+age+villain]

Probably the worm was under the radar back then and was not noticed until it propagated significantly outside of Iran. So the relevant time lag is from that time point till the alarm was rung.

Re:Well...

[DigiShaman]

Of course, most anti-virus software is reactionary based off previous viri found in the wild. They're reversed engineered and a solution is rolled up into the next set of scheduled updates. Most of the time, anti-virus is good to have for the home user and/or small and medium business. But if your organization is explicitly targeted with custom code, most anti-virus software will do squat to help unless you provide them exploited code to reverse engineer.

Re:Well...

[Nerdfest]

... and if it's well written, you 'll probably never know it's there ... even if you go looking for it.

Re:Well...

[Yaur]

that isn't necessarily true. There are lots of bad behaviors associated with viruses and/or rootkits that could be proactively targeted (e.g. SSDT hooking, cross process code injection) I'm sure they are to some extent, but obviously not enough.

Re:Watch for Falling Regime

[nedlohs]

Iranians aren't arabs, so whether something "makes arabs more or less inclined" is irrelevant to them.

1992 is calling it wants its virus back ..

[doperative]

> That makes me feel sooo much better about the value of antivirus software. Does slashdot's new interface support posting from a Babbage engine running OpenBSD?

1992 is calling, it wants its Windows virus back ...

"Researchers at Symantec said that the notorious Stuxnet worm targeted five separate organizations, and attacks against those objectives — all with a presence in Iran — started in June 2009, more than a year before independent experts raised the alarm."

What experts, none of these peopel have been able to produce an Operating System that is immune to "computer viruses" ..

Re:1992 is calling it wants its virus back ..

[MikeDirnt69]

OSes in most cases are imune to viruses but not to lame users.

Re:1992 is calling it wants its virus back ..

[Arker]

You first paragraph is great. The second is insane.

Any language which gives the programmer the power to write a good program, also gives the power to write a poor one. A language which was 'immune to exploitation' would be a language which was impossible to write a decent (non-trivial) program in as well. It would be so crippled that nothing of consequence could be done without invoking incredible overhead and redirection costs.

Security is the job of the system architect first, the coder second, the user third. To create a system where all three can neglect their responsibility without consequence all three would have to be essentially neutered in favour of a god-like compiler that, even if perfectly executed, would still produce the most bloated object code imaginable. And then what happens when someone finds a flaw in the compiler itself? Instead of vulnerabilities affecting a single program, they would affect a whole class of programs, and even better, a class of programs likely exempted from normal oversight and limitations since they are presumed secure.

The only entities that would benefit from that would be the hardware manufacturers (since you would need incredible hardware to run any non-trivial program produced in this way) and the crackers.

Re:1992 is calling it wants its virus back ..

[__aamnbm3774]

Any language which gives the programmer the power to write a good program, also gives the power to write a poor one. A language which was 'immune to exploitation' would be a language which was impossible to write a decent (non-trivial) program in as well.

I disagree with you immediately. You can modify a binary file with a freaking hex editor and run it again. We should build encryption and check-sums into executables to prevent tampering with. Sure, there will be ways around that, but it's like we aren't even trying.

Java and .Net do a much better job against buffer overflows than C/C++. Hell, in C you can overwrite the entire program using a buffer overflow if you have a lot of time on your hands.

Our compilers/runtimes/languages could get a LOT better about security.

Re:1992 is calling it wants its virus back ..

[Yvanhoe]

On the other hand, there are several languages that forbid the direct manipulation of pointers and make it impossible to have out-of-bounds calls without crashing.

Buffer overflows are really linked to low-level languages (which I include C++ in, which is debattable I agree).

Re:1992 is calling it wants its virus back ..

[Arker]

Thinking that the lack of ability to directly manipulate pointers makes better programs strikes me as very much like thinking that non-removable training-wheels would make better bicycles.

Also I cannot help but laugh when I see people calling C++ a "low level" language. You realise the original "high-level" language was Assembler?

Re:1992 is calling it wants its virus back ..

[Yaur]

in C# you can manipulate pointers and p/invoke to unmanaged code for performance critical bits of your app... these are just not capabilities that are not needed for most problems.

Re:1992 is calling it wants its virus back ..

[Arker]

You can modify a binary file with a freaking hex editor and run it again.

No matter how many times I re-read that it still doesnt make any sense. I mean, what, you just discovered this? Why do you think we have hex-editors in the first place? How else would you expect to be able to modify a binary file? And, assuming the person that is doing the editting understands what they are doing, why wouldnt it run?

Re:1992 is calling it wants its virus back ..

[shentino]

Self modifying code is a questionable programming tactic and many times you will get a segfault if you attempt to write to a program area.

Re:1992 is calling it wants its virus back ..

[__aamnbm3774]

That wasn't my point. It shouldn't even be allowed to happen by the runtime or the operating system. That was my point.

Re:1992 is calling it wants its virus back ..

[__aamnbm3774]

I can't help but laugh when people call C++ a "high level" language.

You realize the original Assembler was released 200 years ago. Definitions change fucknuts.

Re:1992 is calling it wants its virus back ..

[robsku]

Perhaps C/C++ is "laughable at security" because as far as languages and security go security is not an issue of low level languages to deal with - unless a low level language (or rather a compiler in this case) has bugs that cause it to compile code that does not do what the language is documented to do with the piece of code in question the language/compiler is secure. Even with high level languages the security is lesser issue and while I can agree that some languages have implemented things in ways that need extra care to make sure that your code is secure (ie. PHP which has no modules but just files to include in same namespace versus Perl which has modules with their own namespace) the security issue is mostly an issue for coders, not for the language to take care of. However with these languages you would have some kind of point (I have myself criticized PHP for many things when compared to Perl and in fact one is of security, ie. when I install plugins for wordpress I can't be sure that some of them wont overlap different variables, function names, etc. in same namespace while if it were written in perl this would me way smaller issue if done properly, that is plugins would be implemented as modules with each of them in their own namespace). However this security claim is PURE NONSENSE when talking about low level languages - you could just as well criticize GNU Assembler for being insecure "language" (yes, assembler is not a language which is why I put it in quotes, replace with machine code of your preference if it bothers).

Just remember, everyone

[wiredog]

"Cyberwar" is just a propaganda term, and doesn't really exist.

Right?

Re:Just remember, everyone

[nog_lorp]

Lol. Unless the attack was formulated and perpetrated by / at the behest of a government. Like Stux (hint: read HBGary emails for references to Stuxnet)

Re:Just remember, everyone

[Kwestmt]

Perhaps you should read Richard Clarke's book - "CYBERWAR "- the next threat to national security and what to do about it. Perhaps, enlightenment about what other countries are doing to US will stir your imagination!

Re:Just remember, everyone

[alien9]

right, war actually exists. Please leave the term cyber alone, that's so 80's.

Re:Just remember, everyone

[SimonTheSoundMan]

Cloud war? That any better?

Re:Just remember, everyone

[shentino]

A cyberwar is a real war in that belligerents seeking to secure dominance over the enemy exist.

The only difference is that the interconnectedness of the internet only ensures lots of collateral damage.

I'm sure that if tempers flared up enough, an aggressive sovereignty would have zero qualms about trampling over intervening networks to get their way.

Re:The nice thing about attacking Arab countries..

[oodaloop]

Did Iran suddenly become an Arab country or something?

Re:More like collateral damage.

[HornWumpus]

RTFA. Stuxnet was able to report back when if found a controller that matched it's target.

Those idiots didn't even have their systems air gaped.

Further, 5 targets? Iran has only acknowledged and allowed inspections of 1 ultra-centrifuge plant.

5 targets means any air strike just got more complicated. But we are still better off then before.

Stuxnet can't be ignored

[mooboy]

ATTN: Systems Integrators.
Guys, we can’t ignore this one. Stuxnet has taught the whole world what can be done. So it is now orders of magnitude more likely that an attacker could develop a modified version of it or design something similar to it in nature with the potential of doing much more damage than Stuxnet actually caused.

Here’s a worst-case scenario:
We’re now in a situation (unlikely, but potential) where an American systems integrator could connect his laptop to a plant in India, pick up something like this, and then bring it back to our in-house systems, where it would then spread to every system they ship. The control systems then start failing, accidents occur, etc.

I don’t think Systems Integrators are at risk to this particular threat (the original Stuxnet) for the following reasons:
                  The antivirus vendors are all over this one. Its probably in every signature scanner, and its behavioral tricks are probably being watched by all of the behavior-based malware products.
                  Microsoft issued a fix for the Windows exploit Stuxnet uses in early August (or sooner). So if you’ve done Windows Update since then you’re protected regardless of antivirus status.

The quick policy change I think we need to make is this:
1. Control systems products and Internet surfing must be 100% separated. So if you run Step7 or RSLogix on your native boot laptop, then you need to surf inside a VM. OR, If you surf on your main machine, all your controls programs must run inside VMs.
2. Develop a good firewall procedure for when we connect laptops to foreign plant networks (especially International). We need to block the laptop from accepting inbound IP traffic from any addresses other than the ones in our own panel. This won’t be a big deal to implement and maintain as we travel to different networks.
3. Keep all hosts and VM’s current on Critical updates from Microsoft.
4. Keep current updates on whichever antivirus or antimalware program you’re using. I actually think we’re safer overall if we keep a mix of security products in use (different ones on different machines) rather than picking one single vendor’s solution, because we’re more likely to learn we’ve been infected, even if its just 1 of the products we’re using that detected it. Then we can use appropriate measures to remove it from any systems that didn’t detect it.
Is this good enough for now? Too extreme? Other ideas?

Re:Stuxnet can't be ignored

[Coldmoon]

"Then we can use appropriate measures to remove it from any systems that didnâ(TM)t detect it. Is this good enough for now? Too extreme? Other ideas?"

You need to block and be able to reset/restore any effected system quickly as well. If you have to clean up afterwords, the deed/damage may already be done. Your idea of virtualization is a good one, but it does not go far enough, in that VMs are not security but simulation with potential for leakage in one form or another.

Also, relying on AVs as your core protection ignores the fact that you are only going to snag 30% - 50% of the total population of potential malware on average; and when talking about critical industrial control systems, this represents and unacceptable level of risk. This means that you need to research a more robust, intelligent layering approach where the weaknesses in any given security measure/solution are backed up by the other solutions and control measures you use in the whole.

So this would be virtualization with antiexecute/HIPS, System/image restore on the fly, and physical/policy restrictions on dangerous activities that could lead to infection. It is not enough to be reactive which has been proven over and over again.

Re:Stuxnet can't be ignored

[Hijacked+Public]

I doubt anyone in the US is vulnerable to the original Stuxnet worm's ultimate payload, not because they've updated their AV, but because there isn't likely anyone using the specific drives in the specific configuration that the payload targets.

On #1 of your list, I don't know of any big controls outfits that haven't been using VMs at least since Ethernet IO came into widespread use. Probably not since VMs that run well on laptops became available. We visit far too many facilities with different configs to have to manually configure even something as simple as RSLinx on every call.

2-3 would not have helped against Stuxnet until, as the article notes, more than a year after it was in the wild. If someone is working on critical infrastructure that someone else, with the resources to pull off a Stuxnet, might want to destroy, their efforts would probably be better focused on physical security than hoping for a Microsoft Update to protect them.

We still don't know the ogirinal infection vector. Given all the resources that were spent to create Stuxnet in the first place it wouldn't suprise me if ninjas broke into the cargo hold of the airplane the orignal programmers were taking to Iran and rooted their laptops in mid flight.

Re:Stuxnet can't be ignored

[djdanlib]

Careful, now.

Microsoft issued a fix for the Windows exploit Stuxnet uses in early August (or sooner). So if you've done Windows Update since then you're protected regardless of antivirus status.

Most large enterprises have patch cycles >= 30 days. Integrated systems and vendor-supported systems, 60-90 or more days. Sometimes you even see quarterly patch processes. Yes, the patch came out in August 2010. Antivirus vendors were detecting it in what, July 2010? June 2010? But: The attacks started in June 2009 and we can assume that it took at least a few months to develop Stuxnet (and who knows what else) after the exploit was discovered. That means we're talking about a year and a few months between some black hat discovering a remote ownage vulnerability and Microsoft patching it, which is not out of the ordinary for them. That's a total of a year and a half at least where enterprise computers were vulnerable - and these computers were out in the field!

My point is, you can't assume that you're safe just because you're up to date on your patches and antivirus. You have to keep yourself updated, for sure. Separating the networks? Great! You can't have an environment on one machine that works like idea 1 part 2 above - if anyone breaks into the supervisor, they have access to the environment running within it. There's more to it, though. You can't allow media to be transferred between them without controls. No amount of careful firewalling is going to stop sneakernet, so you have to basically deploy GPOs to prevent removable media from being useful and disallow PC-to-PC networking via USB/Firewire somehow.

No solution

[should_be_linear]

Doing this kind of shit (and plain terrorist assassinations of physicists) only re-enforces Ahmadinejaad's power in Iran. It is not too difficult for state media there to display US, CIA and Israel as evil entities. So, this stupid "solution" to Iranian A-bomb problem actually made problem almost impossible to solve now.

Re:No solution

[Nerdfest]

They do that whether it is the US/Israel or not.

Re:No solution

You're assuming the US, CIA, or Israel did this. Iran has everything to gain while they're "developing" an atomic bomb; if they actually gain one the US will be forced to plant 3 carrier groups off their coast and bomb them into submission, and they know it. Since Stuxnet set their program back allowing them to continue in the "development" phase, and it gives a talking point to the Iranian government to blame the West for their piss poor economy strengthening their oppressive regime, it seems those who had the most to gain was the Iranian Government. I've always maintained this was a false flag operation.

I mean, what does the US or Israel gain by unleashing stuxnet? If they want to stop the program, it would be far better to attack it. They can't do it as the world will condemn them (because Iran's stance has always been it's a peaceful nuclear power program to solve their energy problems), and while it's in development if they attack it then the various Muslim administrations can use that as a pretext to incite Muslims against the West even more, strengthening those regimes. It's in Israel's and the US's interests for Iran to complete the program, because then Iran is the evil one with WMDs and the West was forced to act in the name of world peace. From the beginning Iran had everything to gain from stuxnet, and the US/Israel had nothing to gain from it.

People don't realize that this atomic weapon program of Iran's has always been an Ace in Iran's hand at the negotiation table, but it's not their only card. What happens if they develop a weapon? On their own, at best it's a low grade device, maybe 3-5 kilotons. And they would likely only get 1 - 3. They'd hurt Israel with that but they wouldn't wipe them out, and then the entire world would turn on them and Iran's government would be no more. However, the threat of developing a weapon has brought the 6 most powerful nations in the world to the negotiation table with them on numerous occasions, and gotten them all sorts of concessions and allowed them to play the major world powers off each other (US, Russia, and China all have different approaches to Iran). This is the same playbook used by Kim Jong Il, and it works beautifully.

Re:No solution

[yurtinus]

if they actually gain one the US will be forced to plant 3 carrier groups off their coast and bomb them into submission

Why?

Re:No solution

[oodaloop]

I mean, what does the US or Israel gain by unleashing stuxnet? If they want to stop the program, it would be far better to attack it.

What? It would be better to conduct a military strike on a sovereign nation, than conduct a non-attributable cyber attack? How exactly would that be better?

It's in Israel's and the US's interests for Iran to complete the program

Um, no. With Iran's wacky govt regularly saying things like they want to wipe Israel off the map, and actively supporting a wide range of terrorist groups that have attacked both the US and Israel, it's hardly ideal to let them have a nuke, from the US's perspective.

because then Iran is the evil one with WMDs and the West was forced to act in the name of world peace.

And since when has the US attacked a nuclear nation? Not a smart thing to do. If Iran has even one nuke and is threatened, they will most certainly use it. Then the US will be blamed both for not stopping it, and for instigating their use of it. Far better for Iran not to have one in the first place, from the US's point of view, and even better still not to take any credit for stopping it.

This is the same playbook used by Kim Jong Il, and it works beautifully.

Iran is not North Korea. And NK has several weapons and the capability to make more. Your argument seems to reverse itself here, since now that NK has nukes it has more bargaining power. Why would Iran intentionally stymie its own attempt at creating more bargaining power? Why would they go out of their way to write a worm to sabotage their own equipment, hide the fact that their equipment is sabotaged for over a year, and downplay the effects in the media? Just so they can look foolish? You need to work on your conspiracy theories.

Re:No solution

[ArcherB]

Doing this kind of shit (and plain terrorist assassinations of physicists) only re-enforces Ahmadinejaad's power in Iran. It is not too difficult for state media there to display US, CIA and Israel as evil entities. So, this stupid "solution" to Iranian A-bomb problem actually made problem almost impossible to solve now.

OK, what would you suggest?

Re:No solution

[Artemis3]

For all we know Iran has as many nukes as the US said Iraq had: None. Unless you mean "dirty" bombs, but ANY country with nuclear waste from power plants can have these.

Crafting a virus is ridiculously cheaper than mounting a military action of any sort, even sending a lone stealth plane to drop a single bomb is far more expensive than writing and deploying a virus, not to mention the anonymity involved.

Stuxnet targeted the uranium enrichment machines. They are needed because the 4 decade old power plant in Tehran needs enriched Uranium to continue operation, but only at 20%, while a bomb needs 95%. The infected machines probably damaged the material, which isn't exactly cheap or easy to obtain.

The only sickos perma-blaming Iran are Israel and the US. If both shut up and mind their own business, nothing will happen. But the perma-threats mean they have to forcefully arm themselves to the teeth, and Iraq was the example for this, which enforces NK's policy of having a very large military force before anything else as the only way to deter external threats.

CIA and Mossad ARE international criminals. They kidnap, torture and disappear people, plant and detonate bombs to civilians, traffic with drugs, assassinate people, sell weapons, sabotage industrial facilities, you name it. They are accountable to no one, since their activities are "secret", only the victims and defectors can _sometimes_ tell.

Re:No solution

[oodaloop]

I won't argue much of what you say, but you seem to be intimating that Iran is NOT making an atomic weapon and are enriching Uranium to 20% for purely peaceful use in power plants. By several estimates I've seen, Iran's several thousand centrifuges can make a few atom bombs' worth in a few years, and it's possible they have one or more by now. I hope you're also aware that said power plants make Plutonium, which can of course be used in atomic weapons. If they're only interested in peaceful purposes, what are they going to do with all that Plutonium, and why have they refused international inspectors? I'm sure they felt threatened by having US troops on either side of them and being called part of the Axis of Evil, but that doesn't mean they aren't making an atomic weapon, and it doesn't mean they wouldn't use it or let it get into the hands of someone who would. There's a very real threat of nuclear proliferation here, all rhetoric aside.

Hey. You over there...

[_0xd0ad]

The first rule of cyber-warfare is:
You do not talk about cyber-warfare.

The second rule of cyber-warfare is:
You do NOT talk about cyber-warfare!

(also, that was GP's point.)

Not SCADA, PLCs

It didn't actually target SCADA systems (though Siemens does make them) - it targetted their STEP 7 PLC systems. This is worse, it's a lower level control system. Google for Bruce Schneier's writing about Stuxnet for more good info.

They may have hit my Target as well...

They tried to charge me 30 bucks for toilet paper, if that don't scream stuxnet worm I don't know what does!

Experts?

[bill_mcgonigle]

In July 2009, Wikileaks posted a notice that said:

Two weeks ago, a source associated with Iranâ(TM)s nuclear program confidentially told WikiLeaks of a serious, recent, nuclear accident at Natanz. Natanz is the primary location of Iranâ(TM)s nuclear enrichment program. WikiLeaks had reason to believe the source was credible, however contact with this source was lost. WikiLeaks would not normally mention such an incident without additional confirmation, however according to Iranian media and the BBC, today the head of Iranâ(TM)s Atomic Energy Organization, Gholam Reza Aghazadeh, has resigned under mysterious circumstances. According to these reports, the resignation was tendered around 20 days ago.