Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Offers New Perspective On Stuxnet-Wielding Sabotage Program

Posted by timothy on from the back-then-we-tied-an-onion-to-our-belts dept.

An anonymous reader writes with this excerpt from Help Net Security: "Stuxnet, the malware that rocket the security world and the first recorded cyber weapon, has an older and more complex 'sibling' that was also aimed at disrupting the functioning of Iran's uranium enrichment facility at Natanz, but whose modus operandi was different. The claim was made by well-known German control system security expert and consultant Ralph Langner, who has been analyzing Stuxnet since the moment its existence was first discovered. He pointed out that in order to known how to secure industrial control systems, we need to know what actually happened, and in order to do that, we need to understand all the layers of the attack (IT, ICS, and physical), and be acquainted with the actual situation of all these layers as they were at the time of the attack."

46 comments

  1. Rocket the security world? by digitalPhant0m · · Score: 3, Insightful

    Stuxnet, the malware that rocket

    I didn't know it was airborne.

    1. Re:Rocket the security world? by NatasRevol · · Score: 2

      Only way to get across the air gap.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:Rocket the security world? by slashmydots · · Score: 1

      Stuxnet, Skynet, what's the difference?

    3. Re:Rocket the security world? by a-zarkon! · · Score: 1

      Stuxnet prevents a nuclear exchange, Skynet initiates one.

  2. "the first recorded cyber weapon" by Anonymous Coward · · Score: 0

    Stopped reading right there.

    1. Re:"the first recorded cyber weapon" by kbg · · Score: 4, Informative

      But it is actually a cyber weapon. Instead of bombing the facility with conventional weapons it used software to sabotage the facility. Stuxnet was specially designed to be an actual cyber weapon.

  3. Grammar nazis overload by Anonymous Coward · · Score: 2, Funny

    A grammar nazi dies everytime someone reads TFS

    1. Re:Grammar nazis overload by HornWumpus · · Score: 1

      Dats goodly!

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    2. Re:Grammar nazis overload by NoNonAlphaCharsHere · · Score: 2

      Don't kid yourself, "Stuxnet, the malware that rocket the security world" would kill a grammar Boy Scout.

  4. grammar by sect0r0 · · Score: 1

    Was this put through Google translator? I almost choked on my lunch trying to reach through this.

    1. Re:grammar by Anonymous Coward · · Score: 0

      Reach? You must be an editor too.

    2. Re:grammar by Anonymous Coward · · Score: 0

      Agreed! It has been very bad lately.

    3. Re:grammar by Anonymous Coward · · Score: 0

      Ah....Muphry's Law in action...always a thing of beauty.

    4. Re:grammar by NatasRevol · · Score: 1

      Looks like a sector0 error.

      --
      There are two types of people in the world: Those who crave closure
  5. Proof read? by Anonymous Coward · · Score: 5, Informative

    They should proof read these posts. It's been bad lately. Good subjects, just makes it hard to read. the malware that "rocket" -> "rocked"

    1. Re:Proof read? by Zontar_Thing_From_Ve · · Score: 3, Interesting

      They should proof read these posts. It's been bad lately. Good subjects, just makes it hard to read. the malware that "rocket" -> "rocked"

      You have a good point, but at least it's better than all those people who can't read properly and post articles in a panic saying "This article says X!" when in fact the article says "not X". We can figure out that "rocket" is a bad word choice and get around that but it really sucks when people claim and article says the exact opposite of what it really says because then we get tons of comments about how bad X is and how they can't believe that someone would actually do that and then a few posts follow up (and mostly get ignored) telling people to actually read the article where it is actually against X, so the submitter blew it. It seems to me that quite often about 90% of the posters never read the article in the links, so when the idiot submitter misrepresents what he submitted, that becomes what the article is about in the minds of most people here.

    2. Re:Proof read? by jiadran · · Score: 1

      Well, the document (from which TFS is extracted) was written by a non-native English speaker (Ralph Langner, who is German). Interestingly, I note that as a non-native English speaker myself I make a number of mistakes that Americans find particularly annoying (this post is probably full of them), while at the same time I have difficulties reading comments with typical American mistakes (theirs / there's, then / than, he's / his, etc.). I think that native-English speakers rely more on how it sounds, while non-native English speakers tend to analyze the structure more and thus make different types of mistakes.

      Anyway, I appreciate people pointing out mistakes as this allows me to learn.

    3. Re:Proof read? by Anonymous Coward · · Score: 0

      > saying "This article says X!" when in fact the article says "not X"

      Well it depends on your programming language. In a postfix language, X! *is* "not X".

  6. Wow. by Chas · · Score: 0

    Hyperbole AND bad grasp of grammar!

    Really wants to make me keep reading...

    *Austin Powers* Really?

    *Doctor Evil* No. Not really.

    --


    Chas - The one, the only.
    THANK GOD!!!
  7. WHAT!? by Anonymous Coward · · Score: 0

    As a control systems expert myself, I look at Lagners' statements and say.....duh?
    Kind of obvious, is it not? Sounds like the usual forensic work we do any time there is a problem, security or otherwise.

  8. Interesting quote by cold+fjord · · Score: 2

    “Stuxnet is a low-yield weapon with the overall intention to reduce the lifetime of Iran’s centrifuges and make their fancy control systems appear beyond their understanding,” he says, and estimates that the Stuxnet set back the Iranian nuclear program by over two years.

    Interesting description - "low-yield"

    That is a rather different take on it given the uproar over it.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    1. Re: Interesting quote by semi-extrinsic · · Score: 3, Insightful

      Well, what would you say high yield is? I can't bring myself to call a US cyber weapon "high yield" unless it destroys or disables infrastructure on a large cale. Bonus points for egg on faces in Riyadh.

      The reason it has gotten so much attention is the same reason the F117 got a huge amount of press even though it's practically useless.

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
    2. Re: Interesting quote by Anonymous Coward · · Score: 2, Informative

      I do think the F117 was highly effective in taking out lots of strategic targets in Iraq. Pilots tend to be more precise when they know the SA-5 missiles cannot hit them. Actually, it was the most effective air weapons system until the Iraqi integrated air defence system had been destroyed. And that was done in no small part by the F117s.

    3. Re:Interesting quote by plover · · Score: 1

      High yield would have been if it had destroyed the Busheshr reactor, as has been speculated one of the stuxnet payloads would do. The attack was supposed to open the steam valves on the main turbine shaft, while the temperature, pressure, and RPM sensors would continue to play back a recorded loop of pre-attack readings to disguise the failure.

      It would have been a spectacular disaster. Running a 75 foot turbine shaft at wide-open full steam was predicted to be able to cause an explosion as large as a 1 ton bomb. And it's not like Iran could run down to the local Turbine Shack and pick up a spare. Spraying radioactive debris around to hamper cleanup and repair would be a bonus. It would likely have halted their nuclear ambitions completely for a decade or more.

      And if you think the uproar over stuxnet was high-yield now, imagine the fallout from actually destroying their reactor.

      --
      John
    4. Re: Interesting quote by Anonymous Coward · · Score: 0

      F117s were used in Bosnia as well. One was shot down there. That conflict was decided by our air power.

      It's "useless" to the GP because the GP has a worldview where all US weapon systems are useless, developed for the wrong reasons and used illegitimately in all cases to further our racial and economic imperialism, the military industrial complex, corporate hegemony and all the other crimes of 'murica.

      Obviously.

    5. Re:Interesting quote by Forever+Wondering · · Score: 1

      I think "low yield" was referring to the nature of the over-pressure attack (vs. the rotor speed attack). Or, that things could have been orchestrated to damage/disable all centrifuges at one time [which would have been detected] instead of just increasing the failure rate [which, as Langner pointed out, would confuse/confound the Iranian engineers].

      Langner talks a lot about avoiding detection circa 2007 but that being less of a concern in 2009 [e.g. "now that the program has achieved its objectives, let's shock the world with our cyber attack prowess"].

      But, perhaps "uproar" was/became a desired result of Stuxnet. I recently got an email from my local congressman regarding defense against cyber warfare.

      So, Stuxnet set back the Iranian program a bit. But, it also got Congress thinking about [read: funding] cyber warfare defense [offense is implied].

      "Cyber warfare" [although, perhaps, a legitimate concern in the wake of Stuxnet] also becomes the "bogeyman under the bed" that could provide public justification for more NSA-like intrusion/trickery.

      --
      Like a good neighbor, fsck is there ...
    6. Re: Interesting quote by semi-extrinsic · · Score: 1

      F117s were used in Bosnia as well. One was shot down there. That conflict was decided by our air power.

      It's "useless" to the GP because the GP has a worldview where all US weapon systems are useless, developed for the wrong reasons and used illegitimately in all cases to further our racial and economic imperialism, the military industrial complex, corporate hegemony and all the other crimes of 'murica.

      Obviously.

      +1 Funny.

      Seriously though, the F117 is useless because it was supposed to be a fighter jet. It may be an alright strategic bomber in scenarios where the enemy has much lower capabilities than you do (Iraq, Panama, Bosnia), but so is a B1-B or a B52 for that sake. And as you say, the Serbs managed to shoot down an F117 with the SA-3 and low frequency radar, so "knowing SA-5 missiles cannot hit them" seems a bit overconfident. The reason they were so effective in Iraq is that the Gulf war was won psychologically. I mean, you had T-72 crews surrendering to Apache helicopters. The Hellfire wasn't that good...

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
    7. Re:Interesting quote by Anonymous Coward · · Score: 0

      Turbine != Reactor

      While such a turbine failure sounds spectacular, it would not have destroyed the reactor. Most nuclear power plants utilize a 2 or 3 loop system, this would only affect the final loop if they designed the facility with any competence. If the water in the turbine loop is radioactive, they have bigger problems than Stuxnet. A catastrophic failure in the turbine should cause a controlled shutdown of the reactor, not its destruction. There would be other technical difficulties in causing the failure of the turbine using this method, but even if not fully successful it would probably cause the reactor to be shut down for an extended period.

  9. Stuxnet, the Chernobyl of the 21st Century waiting by __aasehi2499 · · Score: 2

    to happen.

  10. Re:Stuxnet, the Chernobyl of the 21st Century wait by cold+fjord · · Score: 1

    The choice regarding Iran may be between one new Chernobyl versus one or more new Hiroshimas. I doubt Iran will settle for less.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  11. We dont' need to know everything by jbmartin6 · · Score: 3, Insightful

    in order to known how to secure industrial control systems, we need to know what actually happened

    False, we don't need to know everything bad that ever happened in order to secure a system.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  12. Rocket! by Anonymous Coward · · Score: 0

    Rocket!

  13. Re:Stuxnet, the Chernobyl of the 21st Century wait by Anonymous Coward · · Score: 0, Flamebait

    Fortunately, the rest of the world has shown far greater restraint and responsibility than the United States when it comes to causing "Hiroshimas." Despite moderately widespread nuclear proliferation, the US still holds the unchallenged record of being the only country to actually perpetrate mass nuclear murder. I'm not too worried about Iran getting nukes; it's much more troublesome that countries with a proven track record of large-scale violence and terror (like the US, and its buddy Israel) have such weapons.

  14. Where's the fucking proofreader?! by george14215 · · Score: 0, Offtopic

    for fuck's sake...

  15. The malware that rocket the security world by Anonymous Coward · · Score: 0

    w0000000000000000t!

    We gone ROCKET Iran back to the stone age!

    Wait, they're already there, with the exception of the nuclear weapons Russia and China are helping them develop with all those US dollars China is sitting on.

  16. Change of tactics by jiadran · · Score: 4, Interesting

    I know I shouldn't have, but I read the whole document and it's really interesting. Langner thinks that the tactics (and probably the team as well) changed over time. Based on his observations I propose the following (conspiracy) theory:

    The attacks on the enrichment plants have been going on much longer than anyone so far claims, maybe since the beginning. That's why Iran's progress was so much slower than what the Pakistany managed to do (the first generation centrifigues are supposedly extremely tricky). Instead of discovering the initial attack (described in the document), the Iranian's compensated for the seemingly random problems by including additional control measures not present in the design from Pakistan: shut-off valves to quickly isolate a malfunctioning centrifuge and over-pressure valves. It took them ten years instead of the two years of the Pakistany, but they still managed to get enrichement started. Maybe with their added failure-tolerant design the original attacks didn't work anymore, or there was a leadership change (as Langner speculates). Maybe the Iranian's suspected something and changed procedures also for contractors and workers (Langner thinks that the initial attack was with direct access to the system while the later attack had to somehow find a way in). Maybe then the initial team was the Israelis who wanted to remain hidden, and when their approach didn't work anymore they asked the Americans for help who used the NSA's attack library for a way accros the air gap. The Americans would probably also be less worried about remaining hidden and maybe actively wanted to send a message.

    Altought admittely pure speculation, I think this scenario fits the known facts and observations. I'm curious to see what you think of this ;-)

    1. Re:Change of tactics by Anonymous Coward · · Score: 0

      I love a good conspiracy theory, whether or not it's true

    2. Re:Change of tactics by Anonymous Coward · · Score: 0

      LBJ had Kennedy killed

  17. Good writeup on the attack by Anonymous Coward · · Score: 0

    They got in through an air gap and hid their presence fairly well.

    Not sure why it couldn't happen here on our infrasturcture.
        Perhaps running two different, independent control system brands on the same process would have help prevent this?
            Pulling off two completely different hacks should be harder than one.

  18. Re:Stuxnet, the Chernobyl of the 21st Century wait by Anonymous Coward · · Score: 1

    This is probably the most ignorant post I have read on Slashdot in quite a while. How tall of a wall should they build to stop the Palestinians from launching rockets over it? How deep should it go to stop them from tunneling under it? Do you seriously think it is the Israelis who are perpetuating the violence?

    You ask why Israel can't ask Iran to set down at a peace conference, when Iran funds terrorists to attack Israel? When Iran has stated that Israel must be destroyed? When Iran refused to even recognize the current existence of Israel? Seriously? Btw, Israel has thriving trade with some other Arab countries, just not those trying to destroy it.

    Also- take your "you jews" and shove it up your distended exhaust port. Try to be less of a racist POS and learn something about what's going on in the Middle East before you start spouting out ignorant suggestions that a child should realize are ridiculous.

  19. Captured drone by minstrelmike · · Score: 1

    Remember that captured drone in Iran?
    What if someone had 'accidentally' left a click drive on it?
    The Iranian researchers would probably send it to their most secure facility in order to study it.
    That's one way around a secure air gap ;-)

  20. Re:Gidci : Ses Nayuseer Geet Meso by Decker-Mage · · Score: 1

    Wow. Jabberwocky on serious steroids. Perhaps we need a +/-1 Inscrutable here!

    --
    "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go