Slashdot Mirror


How Investigators Deciphered Stuxnet

suraj.sun tips a story at Wired that takes an in-depth look into how security researchers tracked down and worked to understand the infamous Stuxnet worm. The article begins: "It was January 2010, and investigators with the International Atomic Energy Agency had just completed an inspection at the uranium enrichment plant outside Natanz in central Iran, when they realized that something was off within the cascade rooms where thousands of centrifuges were enriching uranium. But when the IAEA later reviewed footage from surveillance cameras installed outside the cascade rooms to monitor Iran's enrichment program, they were stunned as they counted the numbers. The workers had been replacing the units at an incredible rate — later estimates would indicate between 1,000 and 2,000 centrifuges were swapped out over a few months. The question was, why?"

27 of 131 comments

  1. Possibly the coolest cyberwar article I've read by He Who Has No Name · · Score: 2, Insightful

    The part about the differences in loyalties of the Symantec researchers was telling, though.

    "We don't care if this harms something important our country is doing to stop madmen from getting the Fist of God. We have customers to do business with!"

    1. Re:Possibly the coolest cyberwar article I've read by neochubbz · · Score: 4, Insightful

      The part about the differences in loyalties of the Symantec researchers was telling, though.

      "We don't care if this harms something important our country is doing to stop madmen from getting the Fist of God. We have customers to do business with!"

      You're looking at this the wrong way; fighting computer viruses is akin to fighting biological viruses, it benefits everyone. Even if Stuxnet was being used in some sort of covert fashion, you don't go around using viruses as weapons without having an effective vaccination/cure in place.

      --
      Charming man. I wish I had a daughter so I could forbid her to marry one. -Arthur Dent
    2. Re:Possibly the coolest cyberwar article I've read by IamTheRealMike · · Score: 2, Insightful

      Madmen? Compared to what?

      Last I checked, the only country claiming credit for Stuxnet was Israel, i.e., a country that refuses international inspections of its atomic facilities and "neither confirms nor denies" that it has the bomb (confirming would mean losing US aid that is contingent on not developing these weapons). Israel also has a track record of invading other countries whereas Iran does not.

      Measured by past actions, Israel is a far more dangerous country than Iran. It certainly has nukes, has a power mad and oppressive government that regularly ignores basic human rights, is warlike, and shows zero interest in making peace with its neighbours. Infecting 100,000+ computers with a virus and assassinating scientists in order to achieve its foreign policy objectives is exactly the kind of reckless behavior I'd associate with madmen.

    3. Re:Possibly the coolest cyberwar article I've read by He Who Has No Name · · Score: 3, Insightful

      Computers can be reformatted and replaced.

      Tel Aviv cannot.

      The groups behind Stuxnet were prioritizing the risks of a surgical anti-nuclear proliferation strike as being worth the potential collateral damage. I think that was a prescient and reasonable decision, especially given Iran's irrationality and their hunger for nuclear weapons.

    4. Re:Possibly the coolest cyberwar article I've read by EvanED · · Score: 5, Informative

      If you had RTFA (or perhaps with a more critical eye) you'd know that they had no clue about that at that time. When they first went public with it, all they knew was that it was a quite sophisticated attack that went after Step7 controllers. And given that, I definitely agree with them that it was in everyone's best interest to release that information.

    5. Re:Possibly the coolest cyberwar article I've read by rwven · · Score: 3, Insightful

      "Both the Israeli and U.S. governments conducted inquiries and issued reports that concluded the attack was a mistake due to Israeli confusion about the identity of the USS Liberty."

      All the whining about how Israel was intentionally trying to sink the ship doesn't make any sense. Considering the efficiency of the Israeli military at getting these sorts of jobs done, there's no way they somehow didn't manage to sink the ship. If they had intended to do it, they would have done it. No question whatsoever.

      The only explanation is that they attempted to destroy it with all due effort, and ceased attempting when they realized that they were attacking a friendly target. Considering they accidentally attacked a column of their own tanks the day before, it's not hard to imagine that they could make another similar mistake, especially given the craziness that was going on during those days.

    6. Re:Possibly the coolest cyberwar article I've read by steelfood · · Score: 5, Insightful

      You're a troll.

      You will note that according to TFA, the researchers didn't know it was targeted to sabotage an Iranian nuclear facility until the very end. And by the time anyone realized it was, the cat was out of the bag. Towards the end, it was only a matter of figuring out what specific facility was being targeted.

      It is true these guys were suspicious the entire time that it was a government black ops operation. But that suspicion in and of itself says nothing. It could have been attacking anything, like Russian natural gas pipelines again, for all they knew. What they did know was that it was a virus designed to sabotage a controller used in industrial manufacturing. And as the Russian pipeline incident illustrates, that can have very serious consequences.

      Imagine if someone sabotaged a manufacturing plant used to build commercial planes that would shorten its maintenance cycle or lifespan from the engineered specifications. Or one that sabotaged a vehicle tire manufacturing facility. Or high speed railway brakes. That would have been disastrous.

      What their attitudes told me was that at the very real risk of personal health and safety, they did the entire civilized world a huge service by making their findings public. They revealed to the world the method by which a very real act of industrial sabotage happened, all the while knowing that it could land them dead. They put the duty of warning the entire world of such an attack vector before their own selves.

      Sure, TFA says they were doing it for their customers. But that's a disingenuous way of looking at it. Because the customers who benefit the most from their disclosure are the same ones who manufacture physical equipment that must be within established guidelines, many of which are safety guidelines. And that means we, the people who operate the equipment or rely on such equipment to not fail unexpectedly are the ultimate beneficiaries.

      To me, it puts them among the very few noble and honorable individuals left in the world. You may not care for such attributes in people, but I think there are still a few in the world who do. At the very least, I think most people wouldn't want to live in a world where everyone was petty and underhanded, as you seem to advocate by your comment. And I think they by their actions are greater believers of freedom than you by your weasel words.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    7. Re:Possibly the coolest cyberwar article I've read by Anonymous Coward · · Score: 2, Insightful

      Iran is not going to attack Israel. Even Ahmadinejad in his most insane moments would not attack Israel first. But it would play right into the madman's wet dream if Israel attacked Iran. Then Iran would basically be defending against Israeli aggression.

      This is what Ahmadinejad believes. He believes that the return of the Mahdi will only happen when Iran is attacked by Israel. An attack the other way around would "void the prophecy".

    8. Re:Possibly the coolest cyberwar article I've read by Sheik Yerbouti · · Score: 2, Insightful

      You would put the Iranians above the Israelis? The Iranians are self-declared anti-Semites who recently brutally repressed the self-expression of their own people and have declared the US and Israel their enemy. The same people that round up Jews and shoot them with firing squads? While Israel has been one of the few steadfast and erstwhile US allies in the Middle East. Must be nice to be so poorly informed about reality. Here is the reality: Israel is surrounded by anti-Semites that beat and repress their own people and specifically beat, repress, and generally mistreat women and execute gays. They share no common values with you, lefty; they would just as soon see you dead as let a Jew live. There is no difference between Iranians and pre-WW2 European anti-Semites; the only difference is this modern group of anti-Semites is about to have the bomb. But no reason to worry about that, I am sure.

    9. Re:Possibly the coolest cyberwar article I've read by siddesu · · Score: 2

      Actually, considering what "our country" has done to the region over the past decade it may have been the patriotic decision.

    10. Re:Possibly the coolest cyberwar article I've read by rhook · · Score: 2

      Visibility of American flag: The official Israeli reports say that the reconnaissance and fighter aircraft pilots, and the torpedo boat captains did not see any flag on Liberty. Official American reports say that the Liberty was flying her American flag before, during and after the attack. The only exception being a brief period in which one flag had been shot down and then replaced with a larger flag that measured approximately 13 ft (4.0 m) long. U.S. Naval Court of Inquiry finding number 2 states: "The calm conditions and slow speed of the ship may well have made the American flag difficult to identify." And finding number 28 states: "Flat, calm conditions and the slow five knot patrol speed of LIBERTY in forenoon when she was being looked over initially may well have produced insufficient wind for steaming colors enough to be seen by pilots".[86] The NSA History Report (page 41) states: "... every official interview of numerous Liberty crewmen gave consistent evidence that indeed the Liberty was flying an American flag—and, further, the weather conditions were ideal to ensure its easy observance and identification."

      The official report is not consistent with what the crew reported. There is also no excuse for attacking a research ship in international waters. The Liberty was, after all, a communications ship.

      On October 2, 2007, The Chicago Tribune published a special report[6] into the attack, containing numerous previously unreported quotes from former military personnel with first-hand knowledge of the incident. Many of these quotes directly contradict the U.S. National Security Agency's position that it never intercepted the communications of the attacking Israeli pilots, claiming that not only did transcripts of those communications exist, but also that it showed the Israelis knew they were attacking an American naval vessel.

      There's just too many unanswered questions about this.

    11. Re:Possibly the coolest cyberwar article I've read by EEPROMS · · Score: 3, Informative

      You seriously need to go to Israel and see how the local officials and zionists treat their Arab citizens. It's common practice for Zionist officials to re-assign property as being abandoned or derelict if an Arab family lives in it so they can move a zionist family into it, even if the Arab family have lived there for 30 years and have paperwork to prove ownership of the property. Then you have the local police standing by while zionists stone Arabs and break their windows to force them out of their homes. If that isn't ethnic cleansing I don't know what is. People keep saying Israel is a democracy. I say Israel is a democracy for Jews and screw everyone else.

    12. Re:Possibly the coolest cyberwar article I've read by pheonix7117 · · Score: 3, Informative

      I hate to have to do this, but while 'semitic' may indeed include Jews, Muslims, and Christians, the definition of 'anti-semitism' is quite clear. From Merriam-Webster:

      Definition of ANTI-SEMITISM: hostility toward or discrimination against Jews as a religious, ethnic, or racial group

      Source: http://www.merriam-webster.com/dictionary/anti%20semitic

    13. Re:Possibly the coolest cyberwar article I've read by Darinbob · · Score: 4, Insightful

      But the stuxnet virus was out there on malware sites and could have been adapted to other uses. Figuring out what it did and how it worked was crucial in being able to stop it effectively.

    14. Re:Possibly the coolest cyberwar article I've read by labnet · · Score: 2

      You should have been marked -1 Troll not +5 Insightful.

      Israel (a tiny sliver of land) is surrounded on all sides by Arabs (who vastly outnumber them) who are mostly Muslims, whose stated aim is the destruction of Israel.
      It has been the Arab neighbours that have waged wars against Israel, not the other way around.
      Palestine refugees only exist because their Arab brothers (Jordan/Egypt et al.) refuse to let them resettle, thus they become an antagonistic pawn (PLO etc.) against Israel.

      --
      46137
    15. Re:Possibly the coolest cyberwar article I've read by silentcoder · · Score: 2

      I would take your logic a step further.
      If a major virus hit in Asia tomorrow representing a major threat to any countries it reached - you would want your CDC doing all in their power to assist in finding a prevention/cure while it's still only in those other countries. You would want them to stop it - saving lives there as well as reducing risk to yourself.
      You would certainly want the Red Cross and Doctors Without Borders and similar organisations doing all in their power to stem the tide before it reached you.
      Now if you later learn that the virus was actually a biological weapon developed by the Pentagon to launch on countries that supported terrorists - you would not afterwards be calling DwB and RC evil for fighting (and perhaps curing/inoculating against) it, would you? Cyberthreats have a much lower risk to human life, that's true (though Stuxnet proved that viruses could be targeted at computer-controlled machinery and designed to break them - what if the next Stuxnet specifically hits heart-lung machines in private hospitals?). You may or may not agree with private hospitals - but you'd not want a lot of sick people being murdered, would you?

      Much as I'm in favor of market regulation - a security company choosing to ignore politics and fight the threat - that's their JOB - I cannot fault them for that.

      --
      Unicode killed the ASCII-art *
    16. Re:Possibly the coolest cyberwar article I've read by silentcoder · · Score: 2

      As somebody from Africa I must say:
      Can you guarantee that everybody who sits in the White House with nuclear launch codes, now and in the future, won't start nuking countries if they refuse to pass laws demanded by US companies?

      You've had a history of removing democratically elected leaders around the world if those leaders put the development of their own people ahead of corporate profits and replacing them with dictators that would do as you say. In the case of Panama you actually had a CIA agent become the official ruler of the country to get your way.

      You gave the nuclear launch codes to G.W. Bush... TWICE !

      Iran has a risk of acting insane in the name of Islam. You have a HISTORY of acting insane in the name of the great god Profit.

      Why should the world trust you more than them ?

      Oh - and unlike Iran - you HAVE in fact used nukes in war before (twice), in fact you're the only country in the world that has done so - EVER.
      Oh ... and also unlike Iran - you don't have the potential to develop nuclear power, you ARE a nuclear power; you have enough of the damn things stockpiled to turn the entire planet into a glass parking lot.

      Sorry, but speaking as somebody who is not a citizen of either country - I trust neither of you, and I trust the USA less than Iran.

      Oh, and my country WAS a nuclear power in the 1980s, we chose to dismantle our nuclear capability ourselves (without any pressure to do so from outside) purely because we were opposed to the concept of continuing to stockpile bombs that we had no conceivable scenario of ever using.

      --
      Unicode killed the ASCII-art *
    17. Re:Possibly the coolest cyberwar article I've read by silentcoder · · Score: 2

      Paragraph 1: The Israeli army was too efficient to fail in an attack.

      Paragraph 2: The Israeli army was not efficient enough to identify friendly targets.

      That's pretty much a summary of your post... am I the only one seeing the rather major contradiction?

      Those two paragraphs can't both be true.

      A much more likely scenario is:
      The Israeli army at that stage was so inefficient not only did it repeatedly strike friendly targets - when it did it failed at the attacks.

      --
      Unicode killed the ASCII-art *
    18. Re:Possibly the coolest cyberwar article I've read by black soap · · Score: 2

      You gave the nuclear launch codes to G.W. Bush... TWICE !

      What makes you think we gave him the launch codes? Those were the codes to his luggage....

  2. I wonder if the alarmist view that Iran was... by Assmasher · · Score: 2

    ...expanding enrichment production because of the influx of tubes was a direct result of this damage...?

  3. Another really good article by bigredradio · · Score: 4, Informative

    There was another good article in Vanity Fair

  4. Re:What's with the Layout? by AnotherShep · · Score: 3, Insightful

    I like it; it's pretty damn readable.

  5. Re:I do hope by chispito · · Score: 2

    Yes. Those poor, poor theocrats.

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  6. Re:I do hope by TheCarp · · Score: 3, Insightful

    > In this case, if you read the article - it's fascinating (highly recommend!) - whether there were any 'wrongful acts' would seem to
    > depend solely on perspective, and receiving a fair trial in Iran is somewhat of an oxymoron.

    Right well... that's the point now, isn't it.

    > So the real question here is, is delaying Iran from making nuclear weapons (which they'd most use for mass murder) by a method
    > that caused no loss of life itself (unlike a bombing), an act of evil? I guess that depends which side you're rooting for.

    Well, only if you assume that the major purpose of this venture is a weapons program. The stated purposes are peaceful and lawful. It is also entirely likely that, even if a weapons program were hidden in the works, that the major effect will be peaceful power as, nobody has used a nuke in war in over 60 years, and I don't see that trend changing, whether they get them or not.

    Honestly, I agree most with the assessments that say that the best way to deal with Iran is to give them the recognition that they want...and stop pulling stupid chest pumping adversarial tactics, and sabotaging what could be progress towards normalization of relations and, eventually their own reform. However, pulling this sort of shit plays right into the strong hand of those in Iran who would want weapons programs and oppose reform, and rebuilding trust with the rest of the world.

    It's hard to argue with "they are out to get us, and see us as the enemy" when.... well... their shit gets sabotaged and we just grin and laugh at them. If this happened to the UK we would be doing everything we could to help catch any Americans involved.

    --
    "I opened my eyes, and everything went dark again"
  7. My first-hand experience with this by Thagg · · Score: 5, Interesting

    In 1993, I was working one Saturday at Pacific Data Images in Sunnyvale. (who later went on to make such classics as "Shrek", but that's another story.) At the time we were one of the leading CG advertising companies in the world.

    Anyway, I wandered into the front lobby, and there was a guy there, the husband of the receptionist, who had this very long roll of paper, maybe 20 feet, with an undulating line drawn along it. He was searching up and down along the line for quite some time....well, I couldn't help but ask what it was.

    He said that it was the Fourier transform of the power line going into a plant. He and his company were examining the spectrum to see if they could deduce what was going on inside the plant -- if the machines inside the plant would leak substantial information back onto the power line. Anybody with any electrical engineering experience would know that of course this would be true. I said, OK, that's interesting. What do you see in this spectrum?

    And he pointed to a little sinc()-shaped (kind of sombrero-shaped) area at a particular frequency. And then showed the aliases of that at higher frequencies. He said that these were clearly signatures of many six-pole electrical motors running all at almost exactly the same speed. I looked inquisitive, and he said, "you know, like if you had a bunch of uranium gas centrifuges running." I thought about this for a few minutes....and said, "uhm, OK, but we don't use centrifuges to separate uranium", and he said "no, we don't" and left it at that.

    Soon, he was back to Iraq, using a ground-penetrating radar he developed to look for buried weapons. I never saw him again.

    --
    I love Mondays. On a Monday, anything is possible.
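The spectral signature described in the comment above, modelled in an added example that is not the commenter's or Wired's code: a constructed mains waveform carrying the small load ripple of forty motors running at almost the same speed, a pure-Python FFT, and a lobe detector that picks out the motors' sinc-shaped lobe and its second harmonic while ignoring the mains tone. The sample rate, motor frequency, amplitudes, spread and noise level are all assumed values, not measurements.

```python
import cmath
import math
import random

# Constructed simulation parameters, not measurements from any real plant.
SAMPLE_RATE = 2048          # samples per second; one second of data gives 1 Hz bins
N_SAMPLES = 2048
MAINS_HZ = 60.0
MOTOR_HZ = 350.0            # arbitrary load-ripple frequency for one motor (hypothetical)
N_MOTORS = 40
SPREAD_HZ = 2.0             # the motors run at "almost exactly" the same speed


def synth_power_line(n_motors=N_MOTORS, spread_hz=SPREAD_HZ, seed=7):
    """Constructed mains waveform: a clean mains tone plus the small load ripple of
    many motors, each at its own speed and phase, a weaker second harmonic of each
    ripple, and a little measurement noise."""
    rng = random.Random(seed)
    motors = [(MOTOR_HZ + rng.uniform(-spread_hz, spread_hz), rng.uniform(0, 2 * math.pi))
              for _ in range(n_motors)]
    samples = []
    for i in range(N_SAMPLES):
        t = i / SAMPLE_RATE
        v = math.sin(2 * math.pi * MAINS_HZ * t)
        for f, phase in motors:
            v += 0.010 * math.sin(2 * math.pi * f * t + phase)
            v += 0.005 * math.sin(2 * math.pi * 2 * f * t + 2 * phase)
        samples.append(v + rng.gauss(0.0, 0.002))
    return samples


def fft(x):
    """Plain recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + tw, even[k] - tw
    return out


def magnitude_spectrum(samples):
    """Hann-windowed magnitude per 1 Hz bin from 0 to SAMPLE_RATE/2.  The window keeps
    the on-bin mains tone confined to its neighbouring bins, so the far weaker, off-bin
    motor tones appear as their own sinc-shaped lobes instead of being buried."""
    n = len(samples)
    windowed = [s * 0.5 * (1 - math.cos(2 * math.pi * i / n)) for i, s in enumerate(samples)]
    return [abs(c) for c in fft(windowed)[: n // 2 + 1]]


def detect_lobes(mag, mains_hz=MAINS_HZ, guard_hz=2.0, rel_threshold=0.1, gap_bins=3):
    """Group bins standing above the noise floor (ignoring the mains tone) into lobes.
    Returns [(centre_hz, peak_magnitude, bins_above_half_max), ...]."""
    bin_hz = SAMPLE_RATE / N_SAMPLES

    def is_mains(k):
        return abs(k * bin_hz - mains_hz) <= guard_hz

    strongest_leak = max(m for k, m in enumerate(mag) if not is_mains(k))
    threshold = rel_threshold * strongest_leak        # 20 dB below the strongest leak
    clusters = []                                     # runs of adjacent loud bins
    for k, m in enumerate(mag):
        if m <= threshold or is_mains(k):
            continue
        if clusters and k - clusters[-1][-1] <= gap_bins:
            clusters[-1].append(k)
        else:
            clusters.append([k])
    lobes = []
    for c in clusters:
        bins = range(c[0], c[-1] + 1)
        peak = max(bins, key=lambda j: mag[j])
        width = sum(1 for j in bins if mag[j] >= mag[peak] / 2)
        lobes.append((peak * bin_hz, mag[peak], width))
    return lobes
```

Calling detect_lobes(magnitude_spectrum(synth_power_line())) lists one lobe near MOTOR_HZ and a weaker one near twice that frequency; widening SPREAD_HZ broadens the lobe, which is the effect of the motors no longer running at the same speed.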
  8. Anti-Zionism != Anti-Semitism by Artemis3 · · Score: 4, Insightful

    No one declares anti-semitism, but anti-zionism.
    Zionism is the political movement to re-establish the Jewish State, contradicting the scriptures about staying away... (Why keep Sabbath then?).

    In any case, the Zionists waged war and won the land by force, then proceeded to get rid of locals, who naturally resisted the invasion in any way they could. Lots of slaughtering and struggle in the process; oh yes, the Zionists did start with terrorism when the land was controlled by the UK... Were you not told about the King David Hotel bombing?

    The methods the Israeli forces use are simply mass murdering people trapped and sieged in ghettos. Sounds familiar doesn't it? Yes, ethnic cleansing it is; and all sorts of air bombardment and land and even sea warfare against civilians, mostly armed with just rocks and pitiful glorified firecrackers. No NATO bombing, or no fly zones there... Thousands of innocent people die in Gaza, the UN doesn't care, even after Israel destroys UN facilities there.

    Say what you like about Iran, they haven't dropped white phosphorus cluster bombs against civilians; Israel has; everyone watched "Cast Lead". Israel once bombed a nuclear power plant in Iraq, but nothing of the sort has occurred to Israel from Iraq. And before there were incidents like the Sabra and Shatila massacre; guess who was involved? The current Prime Minister... Reality surpasses intentions.

    Things like executions occur when you let religious extremists in power. It would be the same if you followed your traditions to the letter. Do not forget both religions have the same root, and Christianity as well. And all of them have committed atrocities in the past, and in that very same patch of land even.

    The Islamic scripture actually treats Jews (and Christians) with respect, and before the Zionists invaded, local Jews and Christians did live there just like they live in other countries.

    You say Israel is "surrounded", No s*** Sherlock, Zionists invaded the land and waged war against all its neighbors (defeating them). That's when a violent future for Israel was sealed; and you have fanatics killing their own leaders, when daring to reach peace after decades of bloodshed.

    Zionists don't care about anything and anyone, they want their conquered land clean of Palestinians and anti-zionists and they don't care about the UN or even if the whole world declared war against them, they have the nukes ready should they ever lose.

    "Anti-semitism" is Zionist propaganda against anyone who dares think different.

    --
    Artix
    Your Linux, your init.
  9. Malicious use of a PLC by Anonymous Coward · · Score: 2, Interesting

    This article was a great read, it reminded me of my own first-hand experience with a time bomb planted in PLC code.

    The company I was working for at the time manufactured hydraulic presses; the newest one, installed at a long-time customer, included a touch screen control system running WinCE that was front-ending a PLC to control the machine. We had contracted out the development work on the control system and the owner of the company ended up in a billing dispute with the contractor just as the machine was being brought online. In the days before the dispute came to a head, the contractor had been on-site at the customer "making minor improvements to the interface based on customer feedback".

    One day the customer calls and says: "Our brand new hydraulic press has stopped working and the control system guy says he can't fix it until you pay him." After the owner of the company was done swearing at the contractor on the phone and literally kicking a hole in his office door, he calls me in and tells me he needs me to go over to the customer and "undo whatever that a**hole did".

    I had a basic understanding of PLC programming and access to a prior version of the touch screen interface and PLC code. It took a few hours of scanning both sets of code by hand on-site at the customer, but I located the very basic checks for system date in the touch screen interface code which would set a value that the PLC would read and trigger a safety interlock which effectively disabled the machine's function. This was easily remedied once discovered.

    It was a slightly stressful experience for me as I had no input on this control system until the day it was disabled and I was on the spot to fix it. Once it was resolved, I was quite happy.

    I'm pretty sure the billing dispute ended up going to the lawyers.
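The check the commenter did by hand (compare the new HMI code with the prior version, find the date test, follow the value into the PLC interlock) as an added example, not the commenter's code: two constructed versions of a made-up HMI script, the PLC's interlock inputs, and an audit that flags only the added statements whose value depends on the clock, directly or through an intermediate tag, and that write a tag the interlock rung reads. The script syntax, tag names and the date are all invented for the example.

```python
import difflib
import re

# Constructed example programs in a made-up HMI scripting style (not the commenter's
# code).  One statement per line: "tag := expr" or "IF cond THEN tag := expr".
HMI_BEFORE = """\
Screen.Title := 'PRESS-01'
Setpoint.PressurePSI := Panel.PressureEntry
PLC.CycleStart := Panel.StartButton
PLC.HmiFault := 0
"""

HMI_AFTER = """\
Screen.Title := 'PRESS-01'
Screen.Clock := SYSTEM.Time
Setpoint.PressurePSI := Panel.PressureEntry
PLC.CycleStart := Panel.StartButton
Maint.Expired := SYSTEM.Date >= D#2011-09-30
PLC.HmiFault := Maint.Expired
"""

# Constructed: tags the PLC's safety-interlock rung reads.  A write into any of
# them from the HMI can stop the press.
INTERLOCK_INPUTS = {"Guard.Closed", "Hydraulic.PressureOK", "PLC.HmiFault"}

CLOCK = re.compile(r"\b(SYSTEM\.(Date|Time|DateTime)|NOW|RTC)\b", re.IGNORECASE)
STMT = re.compile(r"^(?:IF\s+(?P<cond>.+?)\s+THEN\s+)?(?P<tag>[\w.]+)\s*:=\s*(?P<expr>.+)$")


def parse(program):
    """Yield (line, cond, tag, expr) for every statement in a program."""
    for line in program.splitlines():
        m = STMT.match(line.strip())
        if m:
            yield line.strip(), m.group("cond") or "", m.group("tag"), m.group("expr")


def added_lines(old, new):
    """Statements present in `new` but not in `old` (ndiff marks them '+ ')."""
    return {l[2:].strip() for l in difflib.ndiff(old.splitlines(), new.splitlines())
            if l.startswith("+ ")}


def audit_change(old, new, interlock_inputs=INTERLOCK_INPUTS):
    """Flag added statements that write an interlock input from a value derived,
    directly or via an intermediate tag, from the wall clock."""
    new_only = added_lines(old, new)
    tainted = set()                     # tags whose value depends on the clock
    findings = []
    for line, cond, tag, expr in parse(new):   # whole program, in order, for taint flow
        refs = set(re.findall(r"[\w.]+", cond + " " + expr))
        via = sorted(refs & tainted)
        clock_dep = bool(CLOCK.search(cond) or CLOCK.search(expr)) or bool(via)
        if not clock_dep:
            continue
        tainted.add(tag)
        if line in new_only and tag in interlock_inputs:
            findings.append({"line": line, "tag": tag, "via": via or ["clock"]})
    return findings
```

Run audit_change(HMI_BEFORE, HMI_AFTER): the benign Screen.Clock write and the Maint.Expired helper are tainted but not reported, and only the new write into PLC.HmiFault is flagged, with Maint.Expired named as the path from the clock.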