The Stuxnet Worm

It's impressive:

The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.

"It's amazing, really, the resources that went into this worm," said Liam O Murchu, manager of operations with Symantec's security response team.

"I'd call it groundbreaking," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. In comparison, other notable attacks, like the one dubbed Aurora that hacked Google's network and those of dozens of other major companies, were child's play.

EDITED TO ADD (9/22): Here's an interesting theory:

By August, researchers had found something more disturbing: Stuxnet appeared to be able to take control of the automated factory control systems it had infected – and do whatever it was programmed to do with them. That was mischievous and dangerous.

But it gets worse. Since reverse engineering chunks of Stuxnet's massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.

The article speculates that the target is Iran's Bushehr nuclear power plant, but there's not much in the way of actual evidence to support that.

Some more articles.

Posted on September 22, 2010 at 6:25 AM • 134 Comments

Comments

process control girl • September 22, 2010 8:31 AM

Perspective: A 32-bit processor is advanced, "groundbreaking" technology for many in the process control field. (I'm allowed to make fun of my own kind, right?)

Since I'm in the process control business, I've been following the news and looking at it with some depth. I could have written something like it in high school, and I'm not claiming to have any exceptional programming talents.

The consultants and anti-virus companies want to make it sound like TEOTWAWKI and so advanced that the average human cannot understand what's going on. Interesting that they are the ones who get financial and notoriety boosts with such talk.

Miramon • September 22, 2010 9:14 AM

Oh come on, it's software. Anyone can write good software, it just needs effort, and a pretty basic education. Admittedly most software is bad, and most malware is written by morons, but I'm sure there are plenty of better one-man programming jobs out there in the world. So it required deep knowledge of certain control systems to write it. Big deal.

I'm not saying this wasn't the work of some government, but keep in mind that government programmers, even at NSA and GCHQ, are not generally renowned for their expertise.... so the quality of the software is absolutely no evidence of its source. The intentionality and targeting of the worm, maybe yeah, that suggests a government source, but not the software's quality.

David • September 22, 2010 9:14 AM

As I wrote here, http://sharpesecurity.blogspot.com/2010/09/... intelligence services cannot wait for a time of active conflict to penetrate and exploit the infrastructure of potential adversaries. That type of offensive penetration and espionage activity happens all the time. What is unusual is to see the details written up so publicly.

Arkh • September 22, 2010 9:36 AM

Worms used to control factories? Time to find and destroy Skynet before it starts building robots.

James • September 22, 2010 9:39 AM

It will take control on the 23rd of September and launch a preemptive attack on its enemy: humans.

I sure do hope to find John Connor soon.

NobodySpecial • September 22, 2010 9:49 AM

Can anyone think of another area of software development where you would say "my god, this is a work of breathtaking ingenuity and fiendish cunning - it could only have been written by a civil servant"!!

JustMe • September 22, 2010 9:59 AM

Where did that genius piece of software named ICQ originate?

What nation - state - has a need for such a piece of weaponry??

Am I the only one who will name the elephant in the room?

Israel!

....and good for them!!

James • September 22, 2010 10:04 AM

@JustMe: I've never read about any government involvement with the creation of ICQ. There might have been some in the later stages, but I doubt initially the Israelis had anything to do with it.

@Arkh: I didn't see your message before I wrote mine. I guess we have the same view, that it's a bit strange for people to call this program all these names. It's just a piece of software. The interesting aspect is that it might indicate some government involvement in the creation, but that only verifies what we've all known for a long time, that govts want to use any and all tools to get the information they want.

Mark R • September 22, 2010 10:04 AM

Where's that guy who used to post some non-sequitur comment about Foxdie on every one of Bruce's articles? This is the one time it would actually be relevant.

Clive Robinson • September 22, 2010 10:07 AM

Hmm,

State sponsored... probably no more than any other "tailored malware".

And that's the old bluff double bluff game.

What we do know is the person who designed it knew which patches had most likely been ignored by the SCADA systems.

All this actually tells us is that they likely have significant experience of SCADA or they were a lot closer to the target than people are admitting.

The problem with Iran, as has been pointed out by their Premier, is that the US "talks diplomacy" but "threatens war". Both POTUS and the UK Foreign Sec have repeatedly said that attacking Iran is not off the table. Iran has consequently upped production of their military capabilities, which has just caused their neighbors to place very significant arms orders with both the US and the UK as well as France.

The problem is both Saudi and the UAE already have significant arms but they do not have the skilled personnel to operate them.

So the arms trade from the usual suspects is doing very nicely in this time of recession and public sector spending in Europe.

So you could add the following suspects onto the list for the worm,

1, Iran itself.
2, US / UK / French arms manufacturers
3, Israeli interests fostering a distraction.
4, Certain other middle east countries who want to buy weapons systems they would not otherwise get the OK for.

The US and UK invading Iraq has always been a disaster in just about every aspect, removing Iraq as the natural balance to Iran was a big mistake.

On balance of probability if it was a nation state sponsor my money would be on Israel simply because whatever happens they are going to get a win out of it.

And yes, I would agree that it is a weak argument, but as I said I personally don't think it is directly state sponsored, as I'm sure a number of others will also be thinking.

ShockJock • September 22, 2010 10:14 AM

It is impressive, in design, in the degree of vulns it used, but it should be remembered theory did not work so well in practice with this. It was caught. So, it failed.

People may argue the biggest fish in the sea is the biggest one anyone ever caught, but this is short sighted and lacks imagination... it lacks the sensibility of reality.

There are hacks that go on all the time no one ever sees or catches.

Geek Prophet • September 22, 2010 11:00 AM

There seems to be a misunderstanding here. No one has claimed the software itself was anything incredible. Nobody said the code *had* any particular quality that I have seen. What makes it unprecedented is the number of ways it performs its attack.

According to the discussions, what is unusual is that it uses 4 different zero-day vulnerabilities, and also uses two stolen security certificates to appear legitimate.

This is what makes it "unprecedented", not the quality of the code. Very few hackers could manage four zero-day vulnerabilities and two stolen certificates, and even fewer would waste all that on one worm. Supposedly it has never been seen in the wild.

It is the resources and focus that make it more likely to be a government job, not the quality of the code. Not only could the attacker afford to find or buy four unpatched vulnerabilities and two stolen certs, but then proceed to write code that checks for certain settings before attacking that are likely unique, and thus targets *one particular* SCADA system.

This implies espionage (national or corporate) to determine the exact settings that fingerprint the particular installation, then the finances and wherewithal to obtain four unpatched attack vectors and two certs, and the willingness to waste all of this on a single target. Along with the nature of the attack, that implies a dedicated and focused attacker with significant resources, and it isn't a bad bet it is a government.

kashmarek • September 22, 2010 11:06 AM

This is just public posturing by the security firms, which leads to new marketing efforts lest their efforts go unrewarded. There aren't many that want to attack Iranian facilities, so if there is big money behind the effort, we probably know who.

wumpus • September 22, 2010 11:32 AM

http://www.theonion.com/articles/...

myth: undecided?

On a whole, attacking critical devices that have utterly woeful security seems to be the ideal target of the "old school hacker". Checking to see if the worm writer(s) helped themselves to code found in a honeypot would likely get in the way of the hype.

Count me as one of the ones who needs more proof of "well written code" ever coming from a government project [furiously ignores twofish, skein, etc.]

Louis • September 22, 2010 11:55 AM

@Process control girl

Someone once told me this interesting philosophical bit:

If you read a Consumer Report within your field and find it is not worth the ink, why would you consider reading it about any other field.

Thanks for your insight, nonetheless, it goes to show that virus development is still based on quick return.

Hopefully, no one is planning an architectural review with functional diagrams and long term vision... yet.

Clive Robinson • September 22, 2010 12:30 PM

@ wumpus,

"Count me as one of the ones who needs more proof of "well written code" ever coming from a government project [furiously ignores twofish, skein, etc.]"

I don't think twofish or skein have "come from a government project"...

And Bruce might get upset with you confusing his "labour of love" with working for Grubymint's 40 pieces of silver.

AncientGeek • September 22, 2010 1:20 PM

Looks to me like a marvelously-crafted FUD Missile.

Look at all the places the story has been planted, and how much it is getting picked up. What a lot of scary features it has. Must be really baaaad.

I wonder who the target is, and just what they're being pressured into buying?

Antimatt3r • September 22, 2010 1:36 PM

I think the malware everyone is talking about here is only a small piece pointing the finger at state sponsorship. It's more the fact that there were 4 0-days and 2 stolen certificates that makes you say this is not just Joe Blow hacker working on this, but a team of highly skilled people.

Winter • September 22, 2010 1:54 PM

AncientGeek
"I wonder who the target is, and just what they're being pressured into buying?"

Why not sow some doubt about the machining of the Uranium enrichment factory?

Lan Colshaw • September 22, 2010 3:49 PM

2 stolen certificates? The US government doesn't have to steal certificates; under the Patriot Act, it can coerce a CA to provide a copy of any certificates that it has issued. I would assume that other governments enforce a similar arrangement. In any case, the security value of certificates is often wildly exaggerated, especially since the number of CAs has exploded in recent years.

Richard Steven Hack • September 22, 2010 4:18 PM

I'm more interested in why people think Bushehr was the target. Just because it takes over SCADA systems doesn't seem to be enough. Just because Bushehr supposedly runs the same Siemens software that the worm targets doesn't seem to be enough.

However, the fact that apparently a lot of infected systems were in Iran DOES point the finger of guilt at either Israel or the US. Despite the EU support for unilateral sanctions, it seems unlikely that EU intelligence agencies would want to be caught causing a nuclear reactor incident in Iran.

It's not clear the US would, either, ALTHOUGH it is known that Obama is continuing the Bush policies of conducting covert operations against Iran and its nuclear energy program.

Israel, on the other hand, couldn't care less about the consequences of possibly causing a nuclear reactor incident in Iran.

Since this was a WORM, it seems possible it was intended to map Iran's nuclear-energy-related SCADA systems preparatory to a military strike on those systems. Contrary to Obama's protestations yesterday, the reality is that the US has nowhere to go with sanctions and will be boxed into a military attack at some point. Israel, of course, champions such a course.

So it's very likely either the US or Israel is behind this worm, although other parties, such as Iranian dissident terrorist groups like M.E.K. can't be ruled out entirely.

Nick P • September 22, 2010 5:29 PM

The worm definitely seems state sponsored. I don't think this is FUD, although they'll add some in there. It's quite a lot of resources and targeted. It's attackware. It's waiting for one target. The target appears to be Iran, which US and Israel have long hit with covert operations. One of them likely designed and fielded it. The second link Bruce provided, the "Knowledge Brings Fear" blog, provides solid evidence that it was an attack on Iran enrichment. This evidence needs to be independently verified and I haven't done that yet.

All in all, this is "cyberwar" for real. The real FUD will come as more "cyberwar" proponents combine this attack with boundless speculation and solutions that further centralize the power and profits of the "cyberwar defense" industry into military and defense contractor hands. And, as usual, these solutions won't really help us that much. I expect more initiatives like Perfect Citizen and more cash into the pockets of the likes of Booz Allen Hamilton. My only hope is that some real security enhancements end up on these systems as a result. The least bit should be the use of transparent Layer 2 or 3 encryption devices between SCADA reporting devices and those watching them wherever possible. This should kill remote attacks, at least. USB malware can be beaten with careful design and the use of guards on trustworthy RTOS's. However, retrofitting legacy SCADA systems against local attacks will be hard and sometimes impossible.

Anyone else feel like it's time to issue a recall on our whole infrastructure and start replacing it with stuff designed to resist malice rather than accidents? Is a strong infrastructure worth the huge investment in the Information Age? I'm personally all for it.

wumpus • September 22, 2010 5:46 PM

re: twofish/skein

They might not be paid for/run by/interfered with by any government agency, but they seemed to be written for a request for algorithms sponsored by a US government agency.

Ignoring obvious counterexamples due to narrow interpretation seems foolish.

I also doubt that blowfish (which as far as I know was written before any competitions existed) has been subject to quite as much cryptanalytic testing as twofish and threefish*. A cryptographer can labor as long as his love will let him on a cipher, but it will take a great deal of other labor from outside cryptanalysts before it is ready. Submitting ciphers to these contests is a great way to get the cipher "proven" (winning one is even better).

* Since there were far fewer public crypto algorithms when blowfish was published, this might not be strictly true. I suspect that even so, later analysis of twofish and skein is stronger.

johnh • September 22, 2010 6:37 PM

what's the deal with stuxnet anyway? i downloaded it once. then i analyzed the disassembly, deduced that the rest of the attack would be taking control of siemens automation systems and sat my laptop down.

i heard there is something to do with iranian bombs later? sounds hilarious and repetitive.

i guess i just don't understand being addicted to groundbreaking malware.

Grande Mocha • September 22, 2010 7:09 PM

@Nick P: "Anyone else feel like it's time to issue a recall on our whole infrastructure and start replacing it with stuff designed to resist malice rather than accidents? Is a strong infrastructure worth the huge investment in the Information Age? I'm personally all for it."

I believe there is a huge push right now for a "smart grid" to control power distribution. However, I haven't heard much about any incentives to design security into the new grid. Imagine if, 5 years from now, every home and business in a major city is using a "smart meter". A successful attack could easily bring down the power distribution network and effectively keep it down for months while the utility companies have to run around replacing the infected meters. I certainly hope that whoever is organizing this power grid update takes a serious look at securing the grid.

Jamescagney • September 22, 2010 7:30 PM

Well, something with four zero days and certificates would be written for either financial or nation-state motives. And it doesn't seem likely to me that financial motives would be served by targeting just SCADA plants alone, or by focusing the majority of infections in Iran. So state sponsorship doesn't seem that impossible to me.

Seems you've got people simultaneously arguing that "stuxnet isn't that good, and besides, governments don't write good code." Those arguments contradict each other, and support state sponsorship rather than exclude it.

Nigel • September 22, 2010 9:34 PM

Having spent a few decades working with a range of PLCs, industrial controllers and SCADA systems in factories, one thing springs to mind. To be able to take over and make a PLC do something specifically damaging, rather than just trash the ladder logic or take it offline, you also need some extra information. Even if you can gain access to the IO card configuration (this describes which IO cards on the backplane or industrial network control inputs/outputs, which are digital, which are analog, etc.), you actually need the electrical drawings used to wire up the plant. Even by stealing the ladder logic and grabbing the comments and descriptions, to be able to do something specific and controlled, as opposed to random out-of-control sabotage like forcing motor and valve outputs on or off, I would have thought you need a fair understanding of the process and mechanical construction?
This information may not be on the SCADA computers, it is highly likely it wasn't when the system was designed but might have been added after to help with fault diagnosis. As such the engineering companies (Who are?) who put in the Iranian plants and commissioned them would have been involved in this potential attack as a source of the electrical design drawings although their complicity would be unknown. Find these companies and check their electrical engineering people and you'll uncover if they willingly helped. If not they might want to tighten their security, both physical and information, in future in the engineering offices.
The ability to take over a PLC/SCADA plant and make it do something specific is going to take inside knowledge, not just of the networks and SCADA, but of the actual process, wiring and components and so the question is, do the attackers have this information?

Nick P • September 22, 2010 10:30 PM

@ Grande Mocha

There are many contenders for that smart grid. One that at least has a security proposal is Boeing. If you have an ACM account, you can read their very thorough presentation. Some of this is regular assurance good architecture and some can be implemented using high assurance devices.

"High assurance smart grid"
http://portal.acm.org/citation.cfm?...

AC2 • September 23, 2010 12:32 AM

From the ComputerWorld article:
"... when Microsoft confirmed that the worm was actively targeting Windows PCs that managed large-scale industrial-control systems in manufacturing and utility firms."

Now why does that sound all wrong to me??

If we have Windows PCs (presumably 'hardened' Win XP boxes) managing manufacturing and utilities then Stuxnet could be just the tip of a very large iceberg...

hoodathunkit • September 23, 2010 6:04 AM

The conclusions linked to are based on speculation without a shred of evidence from which anyone else could deduce their conclusions. It’s inductive garbage, spread by (hooda thunkit) purveyors of antivirus software.

Just because it’s sophisticated doesn’t mean it took a government to write it, in fact that makes it less likely. It could be some nation trying to infect another. It could be aliens, too or a 12 year old nerdy kid in Alabama. All three are equally likely, but then I am not selling security software.
[If I was a nation/state, I might want these antivirus purveyors to think I wrote it, and I would definitely want other nations/states to think that was a possibility.]

The most complex, far-fetched explanation —the explanation Occam inevitably rejects— is to ‘disrupt a nuclear power plant’. There is only one way that could even theoretically work: with perfect circuit-by-circuit, wire-by-wire, module-by-module knowledge of the plant wiring. That points only to the initial construction contractors, or the current plant operations and maintenance.

The simplest explanations —those that Occam would say ‘yes, start with this'— are that it’s malware designed to disrupt something so that the distributor can either reap a benefit from that disruption or extort the victims of that disruption. Look toward Siemens’ competition (Fanuc, Allen-Bradley) to start with, to unexplained patterns of stock market investment (Al Qaeda’s modus operandi) on otherwise unknowable production volumes.

There could be a lot of reasons for Stuxnet, but ‘disrupt a nuclear power plant’ is the least likely.

Hen • September 23, 2010 6:37 AM

"actively targeting Windows PCs that managed large-scale industrial-control systems"

Are "large-scale industrial-control systems" really managed by Windows? LOL

Autolykos • September 23, 2010 6:48 AM

I think Frank's theory (second link in the end) is the most plausible concerning the target. And looking at the current geopolitical situation, my money is on Israel for the author. Mainly because they are most threatened by Iranian nuclear weapons, probably won't be able to disrupt the Iranian nuclear program with air strikes on their own (and the US won't do jack to help them - too much risk, diplomatic disaster, and they don't feel that threatened by Iran), and because they are known to have an intelligence service competent enough to acquire detailed plans of the plant's software.

bob (the original bob) • September 23, 2010 6:51 AM

@Hen: I'm with you on that one - why would you need to attack a large-scale system if it's already hobbled by Windows? That should pretty much prevent its ever being of value.

I always got a kick out of the user license for NT 4.0 - it explicitly stated that it could not be used on nuclear submarines. I hadn't realized nuclear submarines needed to run solitaire.

ebcdic • September 23, 2010 6:52 AM

This reminds me of comments in the USL/BSD and SCO/Linux cases, where the large companies claimed - and the media believed - that such sophisticated code must have been stolen because a bunch of hackers couldn't possibly write it themselves. Who is it in this case that has an interest in exaggerating the difficulty of building the worm, with the corresponding implications about the nature of the attacker?

Werner • September 23, 2010 7:23 AM

You don't need a precision attack to cause mayhem. Very often, adding uncertainty to the existing procedures and weakening the safety measures leads to disaster before too long.

We know this from how real accidents happen. If people regularly ignore alarms or unusual readings because they're all false anyway, they won't catch the one warning of imminent disaster either. If people have to deviate from standard procedures and improvise all the time because of unreliable equipment, they make a lot more mistakes and the communication burden increases, encouraging even more mistakes.

- Werner

Harry • September 23, 2010 7:43 AM

Let's get some Red Team analysis going here!

The press has jumped on the idea that Stuxnet was created by a government and is targeted at something, perhaps Iran since 60% of infected machines are there. The press also likes sensational headlines.

How about this as an alternative: 60% of infections are in Iran because it happened to start there and the virus limits itself.

Option 1:
So why would it start in or near Iran? Maybe because sanctions cause Iranian systems to be even more vulnerable.

Option 2:
Perhaps this incarnation is a large-scale test, using Iran as a test subject because geopolitics provide so many possible sensational theories about Iran - cf this is an Israeli attack.

Other possibilities?

Dreamline • September 23, 2010 11:09 AM

FWIW, I've provided contract IT support at a number of manufacturing facilities with a variety of plant control systems. In many cases, their floor PCs could be categorized as the following:
1) Unpatched (often running stock 'out-of-the-box' patch levels)
2) Running legacy OS (XP and Windows 95/98 are common; however, many run DRDOS, MS-DOS or OS/2 Warp)
3) Not running ANY AV or security software
4) Multi-homed on several networks (often misconfigured with multiple default gateways)
5) 'Secured' with blank or easily-guessed passwords
6) Often running WORKGROUP/standalone with no central auditing or credential/authentication management.
7) Without any use policies for regulating moving files via USB/floppy/CD/etc.

I would hope that the systems involved in military-grade production are a little more locked down than this, but so far I'm not heartened by what I've seen...

hoodathunkit • September 23, 2010 11:10 AM

Just a reminder to the speculators here:
Programmable logic controllers and their logic are distinctly different from computer logic where anything goes. There is no generic ‘power plant design’, no such thing as ‘a nuclear plant’ design. So anyone who claims Stuxnet targets “a plant” points the finger ONLY at that particular plant’s contractors or current operators.¹

Every plant is an ‘as built’, so even its original designers don’t know the actual circuits. It is a FACT that every petrochemical, power, nuclear plant is A) different than every other plant, even those exactly like it, and that B) every plant’s wiring, plc labels, order, timing, and logic changes from week to week; you cannot seriously argue of ‘targeting’ one particular place.

I understand that many, many, many people desperately WANT American or Israeli operatives to be the Stuxnet designers, writers, or underwriters. Numerous comments here are compulsive in that regard; but it doesn’t make it true. Arguing for 'a target’ requires deliberate, willful disregard of the facts that we do know.

1) For those who are interested in pursuing the ‘targeting Iran’ theory, look at Bruce Schneier’s article on Haystack http://www.schneier.com/blog/archives/2010/09/... At least that could explain why there was Stuxnet v1.0 and nothing further.

Clive Robinson • September 23, 2010 12:08 PM

@ Nigel,

"The ability to take over a PLC/SCADA plant and make it do something specific is going to take inside knowledge, not just of the networks and SCADA, but of the actual process, wiring and components and so the question is, do the attackers have this information"

Yup, that's my reasoning as well (but I did not put it in my comment above because some people think I say too much as it is (No Nick P, I'm not pointing the finger :-) )).

It's why I questioned the origin of the worm with,

'All this actually tells us is that they likely have significant experience of SCADA or they were a lot closer to the target than people are admitting.'

Which is one of the reasons I suggested that Iran itself could have been the "state sponsor".

Every time I hear about "cyber warfare" and how "crackers could bring down the world" I think 'yup, when they learn to be engineers with domain knowledge, and that ain't gonna happen any time soon'.

To have more chance of success than luck as a cracker you have to,

1, Locate your chosen target.
2, Enumerate it for weaknesses.
3, Exploit weaknesses without tripping alarms.
4, Enumerate the internal network without tripping alarms.
5, Locate host controller.
6, Enumerate the host for weaknesses.
7, Gain access to host controller without tripping alarms.

To get this far there are three ways I know,

A, Have "insider knowledge".
B, Have focused intel and "domain knowledge" to direct the attack.
C, Have "domain knowledge" and use a "fire and forget" attack methodology.

On the face of it this worm appears to be C and similar to the PDF/DOC harvest version of Zeus that went for the .mil network.

However when you look at what would be required to move forward with a real warfare attack then it comes a long way short as you said.

As you dig a little deeper you realise as you said that domain knowledge alone is insufficient to get a real warfare result.

Which means that either,

D, It was trying to close the intel gap.
E, It was a fund raiser / saber rattler.

Personally, from some experience, I would doubt that D would actually get you anywhere near as much as direct human intel. Also D is quite costly compared with direct human intel. Further there is the issue of "footprints and fingerprints": burglars try very hard not to leave signs of "reconnaissance" such as footprints, and further they try even harder not to leave positive incriminating evidence such as "fingerprints".

This worm leaves both footprints and fingerprints, all of which is a little too obvious and makes me start looking for a rat.

Again on the face of it four Zero Days does seem a little extravagant, or does it?

Personally I think not, but my reasoning is long winded.

Which leaves us with shock horror access to code signing keys.

But again how significant is this... we have recently seen the HDCP master key being revealed and not so long ago the keys to TI calculators.

So the question becomes how many other code signing keys have become vulnerable and the answer unsurprisingly is ask how much security is used around the keys...

Generally not a lot. That is, lowly "code cutters" get lowly pay, and getting code cranked through the code signing process is a lot easier than people think, as the lowly code cutters do not regard it as security, just part of the code cutting "handle cranking".

And often neither do the managers etc, so some "bought in" talent may well have slipped code through the process without anybody noticing.

All of which is just as easy for "state sponsored" as it is for "non state sponsored"...

This then brings in the question of "plausible deniability", by the use of an intermediate party to a third party between a state player and the third party malware cutter.

I could go on but...

hoodathunkit • September 23, 2010 12:18 PM

Perhaps some readers should stop speculating about Stuxnet infections in places where we don’t even know if they use Siemens software, and concentrate on places we KNOW suffered from malfunctioning systems, places we KNOW suffered immense damages from the software malfunctions Stuxnet causes:
____
Williams testified that a computer used to monitor and control drilling operations intermittently froze -- a problem that became known as "the blue screen of death." Despite attempted repairs, the issue remained unresolved at the time of the blowout, he said.

Earlier in the drilling operation, one of the panels that controlled the blowout preventer -- the last line of defense against a gusher -- had been placed in bypass mode to work around a malfunction, Williams said. http://www.washingtonpost.com/wp-dyn/content/...
¯¯¯¯
Get real people! The Deepwater Horizon explosion and oil rupture was probably not caused by Stuxnet, but from the information currently available it is a million times more probable than ‘Israel targeting Iran’s nuclear capability’ or the America-is-evil counterpart.

Nick P • September 23, 2010 12:48 PM

@ hoodathunkit

You're missing a few obvious possibilities. Most of the evidence points toward a state-sponsored effort, so we start there and look for holes. Before the analysis goes further, we must address an assumption. You and most others assumed a state-sponsor would only try this if they thought they could take the plant down. That's a bad assumption: there are many potential reasons to attack the power plant.

They might know how it's wired and intend to shut it down. They might be using it as a psy ops campaign to make Iran think they can damage the plants to cause shutdowns and paranoia in general. US covert ops particularly have used this tactic repeatedly on many regimes throughout history, so it's very plausible. They also might not know if the attack will work or not and are just doing it anyway because it's not really hard work for *them* and can't be directly traced back if it fails. "Why the hell not?," they might say.

So, even with your claims, there's plenty of ways it can work out for them without much risk. It's consistent with their historical behavior, even the risks, they have motive, they have resources, and they are the most likely suspect. For me, that's case closed. Circumstantial evidence just doesn't get better than this in online attacks. It might be propaganda or a false flag operation, but that's an extra step without evidence backing it yet.

Let's look at your idea anyway, though. Even Clive backs your "too custom and specialized for black-box penetration" claim. Can you prove that though? US and Israel have subverted many companies' systems and got cooperation from others. Who says Siemens, one of their employees, a contractor or maintenance guy didn't give an intelligence agency the specs? Are they that hard to get? Mossad and CIA have no operatives or sources close to that nuclear plant? That would be difficult but you can bet they've been working on it since the project started and it's likely they at least have a source there, if not an outright agent. A MITM attack could also be used during distribution to do a quick analysis of the hardware, explained away by shipping delays. These are just a small sample of methods a well-funded agency would use to get those specs. There are others.

Point being, the too custom to hit argument holds up against regular attackers but intelligence agencies have been dealing with that successfully for a long time. If the tactics and objectives in my 2nd paragraph weren't used, then tactics like those above could have been used to overcome obstacles. I can't prove they did but it's a possibility and again pretty routine stuff for well-funded covert ops against high value targets. My key assumption is that the US or Israeli governments are funding covert ops against the Iranian nuclear program. Based on available info and historical behavior, it seems like a reasonable assumption. If it's true, then all of these tactics are on the table and would render your objection either a non-issue or a small obstacle. That's why I stick with the nation-state claim in spite of this objection.

ET • September 23, 2010 12:52 PM

How did they test this?

Since they went to so much effort to build this, and wanted it to remain hidden, they would have had to have access to the types of systems they were attacking.

How common and costly are the specific control systems this software attacks?

If the target systems are expensive, it indicates a state-run project as well. Your average hacker doesn't have access to these types of systems.


Davi Ottenheimer • September 23, 2010 2:24 PM

@process control girl

I think you have it right. We should not lose perspective.

SIEMENS has stated no one should change the default password on their systems. From that point alone any claim to this being a "sophisticated" attack should be heard with caution.

It's hard to know the motive of someone who declares this a "military-grade cyber missile" but the consequences will probably be a political push for more military influence over communications.

hoodathunkit • September 23, 2010 5:49 PM

@Nick P - the only assumptions are yours, you even write about "My key assumption..."

My posts contain no assumptions whatever; they're from first principles. However, unlike Nick P, Symantec, security experts etcetera, I have decades of PLC experience. From the processors and code inside each PLC, all the way to PC level translations and transfer of PLC instructions. And that may lead to the current crop of fear-mongering.

Nobody at Symantec or Kaspersky Labs has experience with PLCs. They don't know what a PLC really is, and so they do what other people do . . . they speculate. Rather than admit "I don't know", they ASSUME things and give answers based on worst case scenarios.

Nick P • September 23, 2010 8:03 PM

@ hoodathunkit

Ok, I'll acknowledge you know a ton about PLCs, their design and implementation. I haven't really said anything about that though as it's largely irrelevant. It wouldn't seem so, but it is. I say so out of over ten years' experience in security engineering and counterespionage divided over research, pentesting, development, and deployment. They aren't trying to defeat, decode, mysteriously predict, etc. the PLCs and wiring and such. Intelligence agencies use espionage tactics to gain that kind of information, then use the information to create attacks.

You claim that your theory contained no assumptions. First principles? No. You make a claim that the complexity and customization of the installation prevents all necessary knowledge on the part of the attacker. That assumes the attacker has no way of acquiring enough of that knowledge to formulate a successful attack. Considering the many options, you are in fact making *many* assumptions about the attacker's capabilities. Here they are in a few different variants:

1. There's no way for a top notch intelligence agency to get information on a specific industrial setup through bribery, extortion, industrial espionage, or moles in the company or industrial site. (That's a big claim by itself.)

2. Siemens, contractors, PLC guys, etc. involved couldn't have aided any intelligence agencies due to bribery, blackmail or other motivations.

3. People who operate or maintain the equipment at the location can't and wouldn't give useful information to operatives that could aid the attack.

4. The Iran-hating intelligence agencies weren't conducting surveillance on those involved in the construction of what they thought might be used to develop nuclear weapons.

5. Intelligence agencies never intercepted any code, devices, etc. None were ever "lost." (You think it would make Iranian news?) No damaged units were ever disposed of in untrustworthy ways that could lead to analysis by intelligence firms. Dumpster diving was never useful.

Your theory that it would be impossible to subvert the PLCs due to lack of knowledge assumes all five of these points are true. If any one of them (or even part of one) is wrong... that is, if intelligence agencies pulled off any of this... then they'd have a certain amount of actionable intelligence. If they could do more than one, they'd have quite a few chances to get the needed information. It would then be passed to the technical guys that could use it offensively. And you can be sure the CIA's Technical Directorate, NSA hackers, or DIA's engineers and reverse engineers can handle any PLC or schematic information they get. They've been doing it for decades.

Have you ever known the CIA or Mossad to do any of these things? If you think we can't get moles in enemy plants, you might want to look into how Germany's synthetic oil plants were found and bombed repeatedly. US and British double agents got double agents in many spots in enemy countries. Chinese spies hit us with heavy surveillance, theft, use of Chinese-born insiders and shady deals with companies for confidential equipment, schematics, software and information. Russians got info from our embassies using emanation attacks and bugs built into walls by doubles during the construction process. US covert ops people intercepted and subverted software that caused a Russian pipeline to explode, and NSA-backdoored products from a certain Swiss crypto vendor ended up in sensitive places all over the world. This is far from an exhaustive list of exploits.

So, when you say they couldn't have the information, you're actually saying the people who pulled off all of the above, who have better technology than ever, couldn't get information about some PLCs from a Western company, a Russian contractor, some Iranian workers, their computers or communications? You're saying *those* skilled operatives had no way of getting the necessary information. And you're saying that's not an assumption or opinion, but a "first principle."

You might have years of PLC experience, but you're not in that world here. This is not a plant development project: this is an act of espionage that involved tons of planning and expensive execution. This is the world of security and espionage. In this world, the only "first principle" or "fact" is that everything must be considered a threat if your enemy is smart, determined, numerous, pervasive and well-funded. If you haven't put good countermeasures on something, they may find a way to use it against you. Saying they can't is far from fact... it's usually fiction. The question isn't "could they have done this?" The question is "did they do it?"

Always harder to prove if they have any skill, as they protect long-term sources like those they have in Iran. The world of covert ops is murky. The second link in Bruce's "edited to add" provides evidence of successful sabotage if the claims are verified. That's what I'm waiting on to make my decision. Meanwhile, you should read Ross Anderson's "Security Engineering" and the Navy's "Subversion as a threat in information warfare" (free online PDF). You'll see how hard it is to counter a fraction of the threats I listed. Other PLC experts say the installations and software usually have little to no security or protection from malice, just regular faults. No protection + high value + top notch attackers at it for a long time = sabotage success likely. Saying it's impossible or extremely unlikely is not only a big assumption: it defies common sense and historical precedents.

Nigel • September 23, 2010 9:31 PM

For those claiming a lack of evidence for the more out-there claims here is some interesting information.

http://www.langner.com/en/

Anyone going to VB2010?

(and yes, I realise Langner might be trying to drum up business)

gunsel • September 23, 2010 11:16 PM

I'm not a code expert, by any means, but I am a Cognitive Psychologist. If I were drawing any conclusions, I'd be worried about why this was actually deployed, and what the real target is. If a weaponized piece of code, I'd be looking at something big, and given the fact that this has a known function, is there any possibility that there is something deeper embedded in it, like the potential to deploy in the financial sector?

Marcos El Malo • September 24, 2010 1:45 AM

You know what? I find all this wild ass speculation fun. If I come up with a really good theory, can I become a security consultant, too?

OK, how's this? A super super super super secret criminal organization, similar to the fictional(?) SPECTRE, KAOS, COBRA, or The Erisian Movement (real), has kidnapped our best computer scientists who happened to be vacationing all at the same time at various exotic and tropical locales? The reason? To force them to create THE WORLDS FIRST MILITARIZED SOFTWARE!!!™ aka Stuxnet. Once they have the Stuxnet worm in place where it can do massive damage to the world's sewer and waste processing plants, they will call the world's leaders and demand ONE MILLION DOLLARS!!! or the shit literally hits the fan. So, it's just extortion being carried out on an unprecedented level, that's all. Put that in your fnord and smoke it.

Marcos El Malo • September 24, 2010 1:48 AM

Or if that's not scary enough . . . hold on, a florist van with the windows blacked out and a little satellite dish on the roof just pulled up in front of my house. BRB

Anyone? • September 24, 2010 2:59 AM

Does anyone else read Bruce's comment ", the German researcher," as a bit of a slight?

Or is that just me being British...

Shaw • September 24, 2010 5:22 AM

As one of those hopeless people who got their BA in History, I have to agree with Nick P.

The espionage game has been going on for centuries, literally, and this is an anticipated wrinkle.

What is interesting is that the powers that be are hyping up the conflict with Iran, and Iran is ramping it up higher - Witness "Maddog's" speech at the U.N. and our delegation walking out. This worm is a small part of a much larger picture if it is aimed at Iran. (But I'm not convinced that Iran is the target.)

Reads kinda like a Clancy novel.

Shaw

Anyone? • September 24, 2010 7:58 AM


@ Phil

True, school boy error on my part.

The point still remains though... you German researcher!

hoodathunkit • September 24, 2010 8:23 AM

Funny thing is . . . what about Indonesia? Cloak-n-dagger types can't make the case for 'targeting Iran' without ignoring facts; a lot of facts. One of those facts is Indonesia.

Of all Stuxnet infections, about 60% are in Iran, 20% in Indonesia, less than 10% in India, and all other nations total 15%. This large number of infected Iranian machines has led to claims Stuxnet was an attack on Iran. But those figures ignore inconvenient truths.

The attacks on computers —the ATTEMPTS to infect— are very different. The brunt of Stuxnet attacks are against Indonesia, which is taking 25% more attacks per computer compared to Iran.

Iran wasn't targeted; Iranian computers use less anti-virus and are getting infected at 4X the rate of Indonesian computers. The brunt of attacks are happening in Indonesia, not Iran.

speculative • September 24, 2010 11:23 AM


2 things I find really interesting which, unless I'm massively wrong (fair chance!), also appear to point to the Israel v Iran scenario.

Siemens are happy to leave the factory standard passwords in place; in fact they are advising people not to change them at all. So is it safe to assume that Stuxnet either got to its 'specific target', or the target managed to protect itself in time? Going by the distinct lack of promised nuclear progression in Iran and the speculation of those who have actually seen the Stuxnet up close and personal (plus wikileaks and a notable resignation), it appears that the target was hit and that Siemens, who are saying nothing at all, know what the target was, because they clearly understand that every other customer they have in a similar position is completely safe.

If the above is acceptable and the target would not want to announce that it had been attacked/compromised, anyone capable of doing this could have covered their tracks too. Given that those who have looked over Stuxnet say that the designers were confident of hitting their target and quickly, and that the worm itself was set up to spread quite slowly, then why not give it a self destruct time? Why did the creators not give Stuxnet a set period of time to strike its intended target before deleting itself? If unsuccessful they could have tried another in/vector and without alerting the world to all those zero days. You could draw the conclusion that whoever designed it was a) confident it would work and b) wanted to leave a fairly impressive and extravagant calling card pointing out what they'd done, that zero day exploits are ten a penny to them and that they did what they did whilst safe in the knowledge that they will remain immune to prosecution.


hoodathunkit • September 24, 2010 12:16 PM

Another funny thing is . . . what about Iranian nuclear plants? Cloak-n-dagger types cannot make the case for 'targeting Iran' without ignoring facts; a lot of facts. One of those facts is that Iran bought no Siemens equipment, and that Stuxnet ONLY affects two specific models of Siemens equipment.

____
" A spokesperson for Siemens, the maker of the targeted systems, said it would not comment on "speculations about the target of the virus". He said that Iran's nuclear power plant had been built with help from a Russian contractor and that Siemens was not involved.

"Siemens was neither involved in the reconstruction of Bushehr or any nuclear plant construction in Iran, nor delivered any software or control system," he said. "Siemens left the country nearly 30 years ago." " --BBC
http://www.bbc.co.uk/news/technology-11388018
¯¯¯

Of course it's possible that Iran bought counterfeited PLCs from somewhere (China or Russia —assuming not only that China or Russia could, but did, counterfeit these complex, low volume controllers) and then Iran used pirated Siemens SCADA software; and then they violated all global security standards by using (pirated also?) Microsoft software, which "may not be used to operate critical processes in plants".

So before you *start* to make the case of 'spook agencies targeting Iranian nuclear facilities', you must assume that the oil state is too cheap to buy two copies of brand name software (and the needed updates and support), that its nuclear physicists are as dumb as rocks, and a long, improbable string of other assumptions.

Nick P • September 24, 2010 3:07 PM

@ hoodathunkit

"So before you *start* to make the case of 'spook agencies targeting Iranian nuclear facilities', you must assume that the oil state is too cheap to buy two copies of brand name software (and the needed updates and support), that its nuclear physicists are as dumb as rocks, and a long, improbable string of other assumptions."

Not really. You could just assume they were doing what most people do in industrial projects and focusing more on getting the work done than securing every aspect of the operation. That is, they weren't applying costly and cumbersome high assurance techniques to design, communication, storage of design, distribution, etc. That's a reasonable assumption as very few organizations act with that much security. The reason is that such security is extremely expensive and kills efficiency, usability, and certain functional requirements. Just ask anyone working with Top Secret/SCI information about the security requirements for systems, personnel and equipment. Then ask yourself if the contractor installing things possesses this level of security. Unlikely. This is why espionage succeeds. Market forces lean towards maximizing profits and minimizing costs. High assurance greatly increases costs and is often unprofitable. This is why only defense contractors, the public sector, and regulated industries use these methods. Even *their* info gets stolen on occasion. How much more vulnerable are these plant schematics?

My previous post wasn't geared toward proving it was an attack on Iran; it was intended to show the fallacy in your claim that it couldn't have been an attack because they lacked information. Getting information is what spies do best and that was the point of the last post. For some of the reasons people think it's Iran, look at "speculative"'s comment and the second link in Edited to Add. No other nation that I've seen so far has these kinds of correlations to the worm's activity. This might imply causation. It might not. My past two posts weren't really about that though. Just getting rid of your ridiculous claim that basically assumes espionage isn't happening in the world and isn't even an option. That's laughable. You should probably avoid doing business in Israel, Russia or China until you get a better grasp on the realities of espionage.

Nick P • September 24, 2010 3:13 PM

@ speculative

Good points. The evidence is admittedly circumstantial and probably wouldn't hold up in court. But that's usually the case of covert ops by professionals. We typically find out about their actions, if at all, years to decades afterward. The only recent covert op that I've seen that had concrete evidence on the operators was the Mossad assassination that made news. That's one in a thousand (or ten thousand).

Btw, the lack of a killswitch may not indicate a calling card or anything like that. Viral infection is sometimes an uncertain process: maybe the machine will execute the code properly and maybe something unexpected will happen. So, they probably just didn't include any extra code or risky design elements. They tried to solve this problem using the infection limit but they likely weren't putting a lot of effort into stopping infections: they were focused on hitting the target and wanted no extra risk. That's my hypothesis as to why there's no built-in kill switch.

hoodathunkit • September 24, 2010 7:37 PM

Here's another interesting factoid that counters the 'targeting Iran' theories. Recent speculation about Stuxnet has ignored the C&C components of the Worm. But its C&C communication —its Malay servers now in ICAN(?) custody— is the only way we have accurate data on infections: once on a machine the Worm phones 'home' and the IP reveals another infection. This means that we have good data on infection of network connected machines.

So although Iran may have the most PC infections from Stuxnet, there is not one single reported —known, self-reported, or otherwise— case of SCADA system infection in Iran. [This makes sense given that Siemens pulled out of Iran 30 years ago and hasn't done business with them since] To date, all SCADA infections known (15) have been in Germany.

confused confused confused • September 24, 2010 11:53 PM

I'd like to play Devil's advocate if I might. I don't have any iron in the fire on this, but three things have made me wonder about the 'target is a single plant, probably in Iran' scenario. The three things are:

1. The four 0-day vulnerabilities used.

2. The P2P update facility (in addition to the C&C server model).

3. The use of the very complex signal signature to activate the worm.

1. If there were only a single target, and if there were, as some believe, a high level of on-the-ground espionage, wouldn't 1 or say 2 0-day vulnerabilities be enough? Why 4? Now I don't either love or hate Microsoft, but surely there aren't that many 0-day Microsoft security vulnerabilities that even a sophisticated intelligence service would have in its back pocket. Even if we suppose that some plant--say Natanz--had a plethora of PLCs to run the centrifuges, wouldn't the software systems all be clones one of the other?

2. The use of P2P communications to make sure that the worm has the latest update seems to say that the author expected the worm to be operational for a while (not a one-off attack) and that there might be reason to want to change the code. This seems to fly in the face of the 'evil genius writing a masterpiece for a one-off attack' hypothesis. Moreover, if you're going in just to blow up Natanz or Bushehr, why would you bother with the C&C apparatus at all? Just blow the plant up and laugh.

3. Nick P in an earlier comment referenced an article from 2004 on "Subversion as a threat in information warfare" (free online PDF). Google; it's easy to find and small to download; worth reading. In the article they suggest that using a complex key to activate the hidden subverted code (or backdoor) would be feasible and prevent discovery of the subverted code. The very complex signature that Langner, I believe, remarks on is thought by Langner and others to have been a means of identifying the right plant for the purposes of destroying it. But the article cited gives another plausible explanation. The constellation of readings is merely the perp's key to activate the worm. He or she or it would CREATE the conditions in the plant to produce the constellation of readings in order to activate the worm. I haven't seen the worm's code, so I can't say; it might be that this scenario is impossible. However, it's worth considering as a possible explanation of why such a complex constellation of signal events is necessary to activate the code.

I'm interested in comments on these thoughts, but no, I don't have an axe to grind. It's just an interesting puzzle.

Nick P • September 25, 2010 12:49 AM

@ hoodathunkit

Will have to verify the new information. If I could find a counter, the first one that comes to mind would be the local nature of the Iran infections (USB, remember?). We don't even know if the machines in Iran were online: the infections were by contractors' USB sticks. Why would we assume they could phone home from industrial computers in a sensitive site? Maybe they could and maybe they couldn't. The most basic firewall policies should keep control computers from talking directly to Internet computers.

Another possibility is firewalls. It's one security measure Iran uses a lot. I'm not talking about the kind I just mentioned but others. They have firewalls that control their nation's access to outside information. They might have policies that would keep sensitive sites from talking to random Internet computers and firewalls enforcing these at many locations. Many governments, from US to UK, have guards and firewalls to keep sensitive internal networks from talking to Internet hosts. Should we assume Iran's secretive nuclear plant has this basic capability or that it doesn't?

M.V. • September 25, 2010 8:39 AM

Like others, I don't buy the "it must be a state sponsored worm" argument.

The arguments given for this are:

1. Use of 4 zero days.
2. Using 2 stolen certificates.
3. Well written piece of software.
4. It targets industrial systems.

About 1:
One of these have been known in certain circles for more than a year:
http://www.h-online.com/security/news/item/...
I bet the others aren't that new either.
(Note one of the links in the article points to a hacker news site, be careful)

About 2:
I am sure there is a black market for those.

About 3:
So the assumption is that only big organisations have the programmers who can create well written software. Get real.

About 4:
This says nothing. In my opinion this is the logical next target for the lonely talented hacker with too much self esteem. While the information you need for this type of attack isn't published by Amazon, Google can help; it just needs the right search phrases and a starting point.


My conclusion:

A: If it is really a state sponsored attack on Iran's reactor, it is already a fail.
B: If its purpose is to increase the market for anti virus software and push up the market value of McAfee and Co, it is a success.
(Isn't McAfee on sale?)
C: If it is some lonely hacker, also a BIG success. But he will be caught, as he probably can't keep his mouth shut.

My money is on C.

Nick P • September 25, 2010 11:39 AM

@ M.V.

Did you intentionally leave out some of the key evidence for Iran or did you just fire off your theory without reading all the evidence? The claims that pointed toward Iran were:

1. Claims that Iran had most of the infected PCs and the first infected PCs.

2. The worm doesn't just target industrial computers: the way it sits, analyzes and waits indicates it's looking for a specific plant or plants. This indicates it's a weapon, as hoodathunkit has pointed out plants are generally pretty unique. The designers have insider knowledge of their target or want us to think so.

3. Wikileaks leaked a report saying that Iran's enrichment plant at Natanz suffered a serious nuclear accident, leading to the resignation of one of their top officials. No explanation was provided.

4. Official data confirmed a huge reduction in the number of centrifuges operating during the time the Wikileaks article claimed.

5. An Israeli newspaper reported on this and mentioned infected USB sticks. The author of the second blog link who provided this research speculated it could be a covert announcement of victory, as Israel is among the top two suspects.

6. Unlike general plants, where there's tons of different components, the enrichment center has tons of centrifuges that are identical in operation. The worm would only have to be calibrated to their centrifuge design, then it would take out any it spread to. If the news reports are correct, it apparently did.

7. Many intelligence agencies have been trying to stop Iran's nuclear program for a while and have the resources to do something like this. Over the past few years, US and Israel both developed a strong information warfare capability and are known to do covert ops in Iran.

8. Finally, it was programmed in a few ways to stop spreading after a certain period of time. This isn't good for organized crime or notoriety. If it was an intelligence agency placing it in the target area, this would be a valid design choice that would prevent blowback.

Taken together, *these* claims support the idea that Iran was the target and an intelligence agency created the worm. Interestingly, none of the detractors of the Iran theory have addressed any of this.

Dave B • September 25, 2010 2:56 PM

BP is framing a government agency to reduce its legal obligation to clean up the gulf. My guess is a team of lawyers sat down and one said "Hey, does Toyota's software control the brakes on the oil rig" and a programmer said "No, but I could make it look like the US government accidentally broke it".

The complex analysis the worm is doing could just be bullshit. Everything else that is amazing could be bought for a lot less than what BP is going to have to pay out.

I would hope the US government has software that could be distributed with more precision than a 5000lb bomb. Otherwise, what's the point?


M.V. • September 25, 2010 4:03 PM

@ Nick.P

I still don't buy it. Most of that Natanz connection is pure speculation of a poor Security Expert pressed by the Media for some high profile phrases such as "precision, military-grade cyber missile". (The German mainstream media is notorious for this)

What you call key evidence I call just some hints. Maybe they are correct, but again I don't think so. Even if you are right about Natanz, the attack failed. All Iran suffered is a slight setback. And unlike a real missile you can't just fire the same cyber missile again.

Actually I agree with you about some of your items.
The complexity of plant wiring doesn't provide any protection. Also Siemens not selling any systems to Iran doesn't mean anything. I doubt Siemens can control what happens with every sold system.


But so far this is all speculation, and yes this includes my theory as well.

Clive Robinson • September 25, 2010 4:55 PM

@ Nick P, M.V.,

"4. Official data confirmed a huge reduction in the number of centrifuges operating during the time the Wikileaks article claimed"

Since you brought it up (and yes it is part of my long winded reasoning).

The "centrifuge" design is something which has a "Pakistan" link as well as "North Korea".

If you look back a while you will see that one of Pakistan's top nuclear scientists went rogue and started selling "Nuke tech know how". Due to the fortunes of war and the US now regarding Pakistan as "one of the good guys" these days, the centrifuge plant design became well known even outside the intel community.

That is, there are quite a few places (around 24) the rogue scientist flogged the designs to.

It is one of the reasons the US are in my top three suspects for "state sponsor" (in alphabetical order Iran Israel USA).

Because the worm would (if it had not been seen) very likely have "air gap jumped" all the other places the rogue scientist had sold the centrifuge plans to.

The problem with this is it also means that any one of the other states buying the technology could have produced the worm likewise so could India all as a way of removing the capability from potential enemies.

Further there are many ex CCCP nuclear scientists who might well be interested with "Russian Mafia" interest in "trashing the market" to then sell their own "system" in as replacment.

I have a subjective measure when looking at these things, I call it the "Tom Clancy Test", that is if the idea looks like a valid plot line for one of his novels then it has the capability of reality.

However at the end of the day it showes for real that "air gap crossing" is now in amongst the low hanging fruit. It's happened in considerably less than the eight years I predicted when I thought up a way to do it a couple of years ago. And importantly it has very real security implications for defenders using the physical issolation model.

I guess based on this that we should start thinking in terms of the "embeded in chip" attack vector (from the likes of China etc) as being the next candidate to join the low hanging fruit in the next couple of years...

It might be worth watching who goes "back in house" with the likes of the NSA in the next couple of years, and what silicon level "secure by design" hardware mask micro code checking programs apear...

Clive RobinsonSeptember 25, 2010 5:48 PM

@ Dave B,

"BP is framing a government agency to reduce its legal obligation to clean up the gulf"

Have a look and see who actually had responsibility for the blowout preventer (for instance, was it a US owned and operated platform?).

I think you will find the current POTUS and various Representatives are going to find their posturing on this disaster come back to bite them. The best they can hope for is that if it does go to court it will drag on past their terms of office.

I really feel sorry for the very many people in the US with pension funds holding BP shares, as the politicos, for a few seconds of ill-founded posturing sound bite to deflect the home truth of the issue, have robbed them of a very large chunk of their funds needlessly.

The political policy of "Drill baby Drill" over deep-water drilling was ill founded and was known to have disproportionate risk attached to it. It was why the current POTUS, like other politicians, had actually opposed it.

Some of the documentation already made public shows that parts of the US Government were negligent, and I suspect a good deal more will (if properly investigated) come out.

The problem with this sort of operation is many companies are involved and many get used for political reasons (pork and back scratching). Likewise many Government organisations fight for turf over it. Just arbitrarily saying X is to blame before the evidence is collected is silly at best.

Parties concerned will find my name anywaySeptember 25, 2010 8:14 PM

The issue with this malware... or is it "mal"?... is the ease with which one is able to infiltrate a facility such as a nuclear facility. Who it came from is irrelevant, but the ability to do it without raising any direct suspicion is magnificent.
Conspiracy etc. is just bla bla bla... the fact that it was done is what matters and shows great strategic ingenuity.
Don't put too much thought into it!!!!!!!

MatthewSeptember 25, 2010 10:44 PM

Something about this makes me chortle.

If the news about Iran being hit hadn't come to light, Iran would be the one in "the frame" (amongst the chattering classes) for having written the thing. Iran has trouble; oh well, "logically" it must be an attack on Iran by Israel. But if Iran HADN'T had trouble, it would have "obviously" been an attack on the West... probably by Iran.

What a difference one piece of gossip can make!

Clive RobinsonSeptember 26, 2010 12:53 AM

With regards to the Deepwater Horizon event in the gulf, there are three companies involved.

BP: who are paying the bill.
Transocean: owner, designer and operator of Deepwater Horizon.
Halliburton: responsible for cementing in the well.

BP are paying the bill due to legislation brought in in 1990 after the Exxon Valdez disaster. But BP were not actually drilling the well; their subcontractor Transocean were, and Halliburton was responsible for ensuring that the drill site on the bottom of the ocean was properly constructed (cementing in). In the normal course of events BP would be expected to recover any costs from Transocean and Halliburton by standard litigation procedures.

However, Transocean have sought to limit their liability for (economic) damages to just 26.7 million USD by using an 1851 law. Which supposedly has brought down the wrath of the Department of Justice, not that you would know it from the US press.

Now what goes for Transocean also goes for Halliburton, as Transocean effectively stand between Halliburton and BP.

Now, as some of you know, the US agency with overall responsibility is the DHS, which resulted from a political decision by a man who had come from Halliburton and was a major participant in Halliburton even while standing in public office with the previous administration. And it appears from various reports that he still maintains close ties with those still in public office within, amongst other US departments, the DHS...

Interior Secretary Salazar said in the context of a meeting with BP,

"Our Joint Investigation with the Department of Homeland Security will have every tool it needs -- including subpoena power -- to get to the bottom of what went wrong,"

Thus notifying BP that criminal action was being investigated and thus preventing BP starting in on any civil proceedings against Transocean and Halliburton until the criminal investigation has concluded at some indefinite time in the future.

Now what again has not been well reported is what made the current POTUS kick off...

Well, he made the following statement,

"I did not appreciate what I considered to be a ridiculous spectacle… executives of BP and Transocean and Halliburton falling over each other to point the finger of blame at somebody else. The American people could not have been impressed with that display, and I certainly wasn't."

But the cause of the finger pointing went fairly unreported, as it is crucial to who picks up the bill for the environmental damage.

Well, it revolves around an 11AM meeting on Deepwater Horizon about 11 hours before the explosion that killed 11 people, not all of whom were Transocean employees.

It appears that BP had requested a very standard procedure in the industry to close the well so that work could progress. All of which is quite normal and routine for the self-styled number one deep-sea drilling organisation in the world that charges top dollar for its services.

Obviously when you are paying between 0.5 and 1 million USD a day for the services of Transocean's Deepwater Horizon in a short weather window you want to proceed as quickly as you safely can.

And this is the crux of the issue: Transocean were apparently dragging their heels and delaying and did not want to perform the standard procedure for reasons they had not fully communicated to BP. Thus the BP man on the spot made the decision to order them to carry out the standard procedure.

Now the question arises why Transocean personnel were so reluctant to communicate to the BP man on the spot why they did not want to do the procedure. That is, why were they hiding it from BP and for what reason?

Well, we know post the initial disaster event that the downhole blowout preventer failed.

The blowout preventer is a very large, very heavy device that is mounted on the seabed cementing in (done by Halliburton) that should close the well by driving hydraulic shears through the well pipe and sealing it shut.

It's the last line of defence should something go wrong, and it is a well known and well tested technology that is very deliberately made as simple as possible to increase its reliability.

However, correct operation relies on its correct installation (Halliburton & Transocean) and maintenance (Transocean).

If you look online you will find that Transocean has "previous" for poor maintenance of blowout prevention systems ( http://www.hse.gov.uk/notices/notices/... ) in very recent times. Also Transocean have slipped down the industry league tables on safety and maintenance issues since their "Swiss incorporation" in 2008 to avoid US taxation and other fiscal liabilities.

Now it appears that Transocean's drilling "chief engineer" on Deepwater Horizon was at the meeting but cannot even remember the BP person's name... Which, considering the nature of the work relationship, is odd to put it mildly. Further, why would he not remember it if the BP man was pushing him hard to do something he was reluctant to do (the story Transocean is pushing)? Especially as some of the critical BP people at the meeting are amongst the 11 missing, presumed dead, personnel.

Now interestingly BP have effectively had a gagging order put on them. Deepwater Horizon was a Transocean vessel operated by Transocean staff. However, the relatives of one of those in the disaster are suing BP, not Transocean, for reasons that are not currently clear (it may simply be the lawyers consider BP to be the softer touch or to have deeper pockets etc.).

Now as some readers will know I used to work in the offshore industry on the likes of well safety and telemetry systems and other instrumentation. And I've been told that information circulating in the industry points very, very strongly at the failure of the blowout preventer as being more than just a maintenance issue.

So the question arises again why Transocean were reluctant to carry out a standard procedure, and further why they were very reluctant to make their reasons known to BP.

Then of course there is another issue of why the only data from Transocean's instrumentation was from five hours before the disaster started. Apparently Transocean only uploaded the critical data to their Houston operation occasionally...

Which is in and of itself very odd these days, due to the recommendations made after the Piper Alpha disaster and what is thus industry normal (not best) practice.

It's even odder when you consider it's offshore to a first world nation, and even third world nations have 24x7 telemetry feeds back to the onshore facilities and management as standard.

It would be interesting to see what a lawyer specialising in regulatory compliance would have to say on this "little oversight" to what is a major asset to Transocean and thus might fall under the likes of US legislation for fiduciary responsibility and accountability post Enron...

Nick PSeptember 26, 2010 1:56 PM

@ M Simon

Kind of late on that one. The second link in Bruce's blog made the same claim. That more people are coming to the same conclusion is a good thing: it means the theory is a good one and might be true. I'm still undecided on which country designed it, though. With Clive's new information, it sounds more like US. Before, I was thinking Mossad.

Nick PSeptember 26, 2010 2:05 PM

@ Clive Robinson

Well, the info on the rogue scientists is new to me. If true, it means US is more likely to have done this. I've also been thinking the worm was a good idea and quite successful use of infowar capabilities. Some say it was unsuccessful because it was a mere setback. However, nearly every effort to derail a state's nuclear program ends up being just a setback, just like the sanctions on Iran. The sanctions just hurt the citizens rather than the nuclear program and military.

Regarding air gaps, I also find it disturbing that air gaps are low hanging fruit. But this has always been the case: unprotected systems that contain input devices with execute privileges and poor physical security have always been vulnerable. That's why the old security kernels were supposed to be "always invoked" and mediate every resource. We don't need anything fancy to solve this problem. We just need to limit what comes in on USB ports and maybe authenticate devices.

One more thing, could you provide links to back your claims on the oil spill regarding Transocean and Halliburton? I find it interesting, but claims like that need a public and reliable source.
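
A concrete version of the "limit what comes in on USB ports and maybe authenticate devices" point above, added here as an example and not code from the thread or from any vendor it names. It models a host-side USB allow-list: devices are identified by vendor ID, product ID and serial, removable storage is refused unless that exact device has been pinned, and the decisions map onto the Linux kernel's per-device `authorized` attribute under `/sys/bus/usb/devices/`, which is the enforcement hook an operator uses after setting a bus's `authorized_default` to 0. The device records, IDs and serials are constructed for the example, and the `interface_class` field stands in for the bInterfaceClass a real sysfs walk would read.

```python
# Added example (not code from the thread or from any vendor it names):
# a host-side USB allow-list of the kind the comment above argues for.
# Enforcement hook on Linux, assumed here: with
#   /sys/bus/usb/devices/usbN/authorized_default set to 0
# the kernel leaves newly enumerated devices unauthorized, and a vetted device
# is enabled by writing 1 to its own /sys/bus/usb/devices/<port>/authorized.
# This module only computes which devices get that 1.
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, Set, Tuple

USB_CLASS_HID = 0x03           # keyboards and mice
USB_CLASS_MASS_STORAGE = 0x08  # flash drives, the carrier the thread is discussing


@dataclass(frozen=True)
class UsbDevice:
    sysfs_name: str       # directory name under /sys/bus/usb/devices, e.g. "1-1"
    vendor_id: int        # idVendor
    product_id: int       # idProduct
    serial: str           # iSerial string; empty on many cheap devices
    interface_class: int  # bInterfaceClass of the first interface (constructed here)


@dataclass(frozen=True)
class Policy:
    pinned: Set[Tuple[int, int, str]]  # (idVendor, idProduct, serial) of vetted devices
    allowed_classes: Set[int]          # classes admitted without per-device pinning
    block_removable_storage: bool = True

    def decide(self, dev: UsbDevice) -> Tuple[bool, str]:
        """Return (authorized, reason) for one enumerated device."""
        if (dev.vendor_id, dev.product_id, dev.serial) in self.pinned:
            return True, "pinned device"
        if self.block_removable_storage and dev.interface_class == USB_CLASS_MASS_STORAGE:
            # Storage is admitted by serial only; the same model with another serial is refused.
            return False, "unpinned removable storage"
        if dev.interface_class in self.allowed_classes:
            return True, "class allowed"
        return False, "unknown device"


def evaluate(policy: Policy, devices: Iterable[UsbDevice]) -> Dict[str, Tuple[bool, str]]:
    """Decide every device; the result is what apply_decisions() writes to sysfs."""
    return {dev.sysfs_name: policy.decide(dev) for dev in devices}


def apply_decisions(decisions: Dict[str, Tuple[bool, str]], sysfs_base: Path) -> Dict[str, str]:
    """Write the kernel 'authorized' attribute for each device directory that exists.

    Point sysfs_base at a scratch directory with matching subdirectories to dry-run,
    or at Path('/sys/bus/usb/devices') as root to enforce. Returns what was written.
    """
    written: Dict[str, str] = {}
    for name, (ok, _reason) in decisions.items():
        attr = sysfs_base / name / "authorized"
        if attr.parent.is_dir():
            value = "1" if ok else "0"
            attr.write_text(value + "\n")
            written[name] = value
    return written


# Constructed enumeration: vendor/product IDs and serials are made up for the example.
SAMPLE_DEVICES = [
    UsbDevice("1-1", 0x1111, 0x0001, "KBD-000123", USB_CLASS_HID),
    UsbDevice("1-2", 0x2222, 0x0002, "ENG-STICK-0042", USB_CLASS_MASS_STORAGE),
    UsbDevice("1-3", 0x2222, 0x0002, "ENG-STICK-0099", USB_CLASS_MASS_STORAGE),
    UsbDevice("1-4", 0x3333, 0x0003, "", 0xFF),
]

# Site policy: one vetted engineering stick is pinned; keyboards are admitted by class.
SITE_POLICY = Policy(pinned={(0x2222, 0x0002, "ENG-STICK-0042")}, allowed_classes={USB_CLASS_HID})


def demo() -> Dict[str, Tuple[bool, str]]:
    return evaluate(SITE_POLICY, SAMPLE_DEVICES)


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'authorize' if ok else 'refuse'} ({reason})")
```

Two caveats a practitioner would add: a purpose-built hostile device can present any vendor ID, product ID and serial it likes, so pinning stops the casual infected stick rather than a dedicated implant; and `authorized_default` has to be cleared at boot, before any policy daemon runs, or the window between enumeration and the first decision is left open.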

M. SimonSeptember 26, 2010 3:45 PM

Nick P.,

I design control systems. I'm still a roll-your-own RTOS kind of guy. An anachronism to be sure. But it eliminates (greatly reduces?) common vulnerabilities.

And from a security standpoint I HATE wireless control systems. Wires in conduit for me (I get overruled by management frequently for the usual reasons: costs, deployment speed). But what is one plant shutdown worth vs the extra cost of wires?

This little adventure should wake up management - at least at the better run companies.

As to centrifuges - I write for general consumption. Bushear is the word in the general press.

M. SimonSeptember 26, 2010 4:16 PM

Security.

The purpose of a safe is not to keep what is stored in it safe. The purpose is delay. But "safe" is an easier sell than "delay".

So there is no such thing as safety. Just more or less delay. Also there is the matter of evidence.

Some one who has to go into a plant to tamper with the wires is likely to leave more evidence than a passing jamming truck. Or worse an eavesdropper.

deathnoteSeptember 26, 2010 11:46 PM

While we will never know the true identity of the person & sponsoring organization, with 80% probability it was a contractor working in the USA - here's why:

Country of origin: USA
Israel is the most likely country but they are more careful. Israel has been able to break into every communications system in the Gulf & not get caught (they have real time access to all comms). The European Intel guys don't have the motivation. And forget China, no motivation & would have written the code in Java. Which leaves the US.

Coder: Contractor
The mistakes were too big for a professional. Anyone with experience would have hidden the code among lower level functions. Real intel guys would have done this in microcode. Thus the coder is someone with 2 years (or less) experience in hacking but enough experience to be assigned. Perhaps 30-35 years of age.

D. DieterleSeptember 27, 2010 6:39 AM

Israel has to be the creator of Stuxnet. They have had a very active campaign of stopping other Mid-East countries from gaining nuclear weapons.

This includes bombing Syrian and Iraqi plants. They have also warned Iran several times that if sanctions did not work, they would strike.

With diminishing international support for a physical attack, especially with the White House, Israel created the perfect weapon.

potatoSeptember 27, 2010 8:51 AM

mal·ice (noun \ˈma-ləs\)
Definition of MALICE
1: desire to cause pain, injury, or distress to another.
2: intent to commit an unlawful act or cause harm without legal justification or excuse.

Regardless, writing was already on the wall:

"If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization"
- Weinberg's Second Law

"There is no programming language, no matter how structured, that will prevent programmers from making bad programs"
- Larry Flon

Nick PSeptember 27, 2010 2:01 PM

@ deathnote

Your reasoning is unfortunately flawed. There is no evidence to support your claims that the US and China would use those specific tactics. Contractor is plausible, but so is employee with experience. Allow me to demonstrate.

1. The US Marine Corps, CIA, and DIA have been recruiting civilian hackers for offensive purposes for a long time. The skill level of the hackers varies but most of them could learn to build worms thanks to abundant kits available online.

2. Mossad is pretty professional but they've done infowar attacks before using traditional means. You're assuming just because these intelligence agencies have some brilliant engineers they only employ the most brilliant methods. This is far from the case: all the intelligence agencies mentioned employ whatever tactic works. The worm, as designed, achieved the originator's goals. Hence, it was a valid attack strategy.

3. Chinese attackers have a very strong force of programmers who do assembler, C, C++ and OS work. Did you not notice that the Chinese recently designed and deployed a processor, firmware and FreeBSD-based OS? There's also a significant number of programmers thanks to outsourcing efforts.

In other words, you're making some big claims that aren't consistent with the data we have on these countries and organizations.

Clive RobinsonSeptember 27, 2010 3:36 PM

@ Nick P,

"One more thing, could you provide links to back your claims on the oil spill regarding Transocean and Halliburton?"

Which bits?

Most of it is readily available on various newspaper and trade websites. Also Government and other official records, thus it's mainly a matter of public record.

Transocean has its own website with the address www.deepwater.com on which you will find some details of their claims to be the world's number one; as for their pricing or daily rate, it averages about 600,000 USD/day based on trade information BUT varies quite a bit depending on the job specifics.

It is no secret the blowout preventer failed and it has been said that the "control panel was bypassed" for some reason (see comment by hoodathunkit at 12:18 PM on the 23rd for a Washington Post link).

I provided a link to an official UK Gov site where Transocean had had their knuckles severely rapped for poor maintenance on a blowout preventer panel just a couple of years back from the Deepwater Horizon blowout.

As for Halliburton, I believe there is a transcript available on the web of the event that caused the caustic remark from the current POTUS. You can google for [halliburton "cementing in" gulf]; however there is a nice WSJ article,

http://online.wsj.com/article/...

As for Halliburton's connection to the previous administration the web is loaded down with it.

Info on the 1990 Oil Pollution Act passed after the Exxon Valdez can be seen at,

http://en.wikipedia.org/wiki/...

As for the 1851 Limitation of Liability Act and Transocean have a look at Bloomberg's News item,

http://www.bloomberg.com/apps/news?...

Anything else you want info on let me know and I'll dig it out.

Jack BauerSeptember 27, 2010 3:56 PM

OK, so here we go... This piece of code would work nicely with the "Critical Infrastructure Chip" that we so cleverly designed to operate - nay - own any SCADA system in the country!

StuzorSeptember 27, 2010 5:18 PM

I really want to see the source code.
What does state-sponsored multi-pronged codez look like?

Monica UrrSeptember 27, 2010 7:53 PM

Hats off to AC2 for using the "...'hardened' Win XP boxes" thing. Coffee out my nose on that one, dude!

JonSeptember 28, 2010 10:06 AM

Hmmmm....just a thought. How do you attack a competitor's software? By writing malware for it, exploiting its vulnerabilities, and causing irreparable harm to that software company's consumer base. UNIX/POSIX systems are unaffected. This malicious piece of code has the fingerprint of a major software vendor and not a governmental agency. If I wanted more people/agencies/industries to steer away from Windows and use my software systems, then what better way to advertise my unaffected software than to bring my more successful, less secure competitor to his knees.

cyberbubbaSeptember 28, 2010 10:10 PM

I too was a little skeptical about "State" involvement. However, it's reported that "Step 7" in the Siemens control SW has been modified to reinfect scrubbed HW, this is surely a big time Corporate or Gov involvement.

vmsSeptember 29, 2010 2:25 PM

"Moreover, if you're going in just to blow up Natanz or Bushehr, why would you bother with the C&C apparatus at all? Just blow the plant up and laugh."

You are wrong. If you just blow up a plant, they will build the next one, this time much safer. They will feel attacked and become united.

If, however, you delay and disrupt their operation, you achieve something much deeper: internal mistrust. Example: engineer A says it will work tomorrow, but for some reason, it doesn't. It's not broken, it just needs more spare parts, expensive parts. It's the engineer's fault now; is he not good enough? How many more budget overruns will there be? Do we have any more engineers? How can the project managers be trusted now?
See, by inducing small inefficiencies, you create a systemic crisis, which eventually might convince even the Iranian president that the nuclear industry is just a hoax by his peers.

sinotizedSeptember 29, 2010 3:58 PM

I'm no expert, but I've noticed some anomalies that bother me. If I'm wrong, it would make a good movie plot at least.

Fact 1) It would appear Siemens PLCs are routinely used on deepwater oil rigs for blowout prevention and control of mud pumps.

http://www.subsea.org/company/listdetails.asp?...

http://www.oilandgasonline.com/article.mvc/...


Fact 2) Deepwater Horizon's BOP was manufactured by Cameron Int'l but had been modified from original. Using what, a different PLC maybe?

Fact 3) Debriefing illustrations and examinations I've seen on the web have talked about the DH Horizon's BOP hardware and discussion of the deadman switch failure, but no schematics of the control system. Is it based on a Siemens S7 perhaps?

Fact 4) Perfect Citizen and USCYBERCOM, which monitor domestic cyber attacks, came into existence within months after DH Horizon, indicating DH Horizon was a surprise.

Question: Was the DH Horizon explosion the accidental result of Stuxnet spreading beyond its intended target range? Was DEADF007 humorously chosen by its author because it turns off a deadman switch?

Nick PSeptember 29, 2010 8:04 PM

@ sinotized

It's possible, but the worm was designed for a specific target. The evidence leans more towards the Natanz enrichment plant being the target. I haven't seen any data indicating that the highly restrictive parameters it was looking for were present in both Natanz and the oil rig. If you find more solid evidence, then do post it.

GhilmeiniSeptember 29, 2010 8:51 PM

#1 The fact Iran was the target: most other exploits, hell, all other exploits, hit the US first.

#2 A weapon that does not kill but hits the enemy and saves lives. As someone who knows a fair bit about Jewish law, this software seems kosher.

#3 We are not getting the full story; Iran is not being quick to talk. I believe the worm was designed not just to attack the Bushehr reactor or the Natanz enrichment site, or the heavy water plant; I think it is designed to destroy Iran itself. The entire infrastructure of an entire country has been COMPROMISED.

Iran has had at least 2 major gas or oil refinery explosions in the last couple months. You are smart people here, do you think if you tamper macroeconomically with an entire country that you might be able to produce chaos?

Iran's choices are to trust a few outsiders (who may be spies or targeted by western intelligence to expand the attack) or shut down and "clean"/replace their ENTIRE infrastructure.

Imagine you are Iran's leaders: you now face a future where you don't even run your own country. Oh and all your major nuclear capabilities just got leaked to an enemy.

Lastly there is the happy thought that Stuxnet will mutate and keep attacking for some time. Iran should ask when they can get their free upgrade!

The downside of this is rogue states will protect themselves better in the future, but Stuxnet might finally destroy the clerical regime once and for all without firing a single shot.

rspSeptember 29, 2010 10:14 PM

I don't think Iran was the target nor that Stuxnet only is limited to one specific site -- it is designed to attack systems. Like all virus and worm "pandemics", some countries and IPs will be hit first and thus those areas will have more "infections" and from these the infections spread. In Stuxnet's case it is looking for hosts and hides its trail as to where it may already have been ... Think "sleeper cell" ...

rspSeptember 29, 2010 11:38 PM

Also wanted to point out that, from what I read, Stuxnet is not trying to take over a single nuclear reactor... it only has to screw up a line or two of code controlling the opening or closing of a single generic dime-store valve to destroy a reactor, BP oil rig BOP, a California pipeline, an Air France Airbus, a DC Metro rail train, etc. It might be beneficial to compare such disasters caused since early 2009 when Stuxnet was first spotted and verify that no such generic valves or switches were common to each of these control system failures, rather than focusing on the software source or a single reactor.

confused^3 and mostly unansweredSeptember 30, 2010 1:13 AM

@vms

""Moreover, if you're going in just to blow up Natanz or Bushehr, why would you bother with the C&C apparatus at all? Just blow the plant up and laugh."

You are wrong. If you just blow up a plant, they will build next one, this time much safer. They will feel attacked and become united."

I might be wrong but I was responding to Langner's proposed scenario and critiquing it: IF, as Langner says, the scenario was to go in, ID a particular plant (say, Natanz) using a complex signal signature and blow it up, why would you want the C&C apparatus? What you describe as a methodology might be good, might be bad, but it's not what Langner was saying the worm was written to do.

Also, a new article from the NYT. Seems the NYT takes the worm seriously. Some interesting points in the article, especially the 'wilderness of mirrors' argument that you never know who's left a calling card and who's left a fake calling card in a false flag op.

http://www.nytimes.com/2010/09/30/world/...

Nick PSeptember 30, 2010 9:48 AM

@ confused^3

Nice information. I'm leaning more toward Israel now. Note that the article says all of that, then mentions other countries were hit first. This fact is neutral for any theory: it may detract from "Iran is the target", but it may also just indicate a test run of the worm's functionality before it was deployed against the real target.

Common SenseSeptember 30, 2010 10:02 AM

Anybody should understand that PLC arrays that are reprogrammable by the software installed on the system that they control should never be used in critical systems. It amazes me that they are used in critical systems.
The critical control software should be burned into EPROMs or fixed PROMs that can only be programmed by physically taking them out of the system and reprogramming them in an external device, or by replacement. Yes, this is less flexible but so much more secure.

confused^3September 30, 2010 10:36 AM

@Nick P

Nick, there seems to be some fundamental confusion about just what the worm was intended to do--there seems to be more functionality (auto update both from C&C server and P2P; C&C) than you would expect for a one-off hit on a specific plant. Any comments?

Nick PSeptember 30, 2010 10:10 PM

@ confused^3

Well, it's the limiting functions that make us think it's more one-off. How many times it could spread was limited. My mind brings up two possible reasons for the C&C network in state-sponsored hands: update the worm with new zero days or fix bugs (esp. targeting info, as more might come from intel sources); retarget the worm to another industrial plant.

They also didn't put as much effort into keeping the worm concealed. I haven't heard of the state-of-the-art obfuscation and steganography techniques present in some worms. This worm was discovered en masse within a year and is being dealt with. The USB targeting scheme and the fact that many SCADA systems are offline (not all by far, but many) indicate it's highly targeted and the C&C network is auxiliary. It's hard to be sure, though. It is indeed confusing.

bennieOctober 1, 2010 3:32 AM

Another clue. Which country hosts the world's largest stick memory manufacturer? Ever notice how much software comes with the Cruzer? There is no better way to mass deliver the worm to computers offline. The attack on the centrifuges is in all our interests and will someday be hailed as a major victory à la the destruction of the Iraqi reactor in 1981. By the way, the fact that India, Indonesia and other countries were hit indicates that some of the memory sticks were diverted (probably stolen) from shipments to Iran. The proverbial "fell off the back of the truck". But there is no danger since the actual attack (as opposed to the infection) is clearly directed.

MarkOctober 1, 2010 8:38 AM

@vms

If they blow it up, this battle will be over and it will start from the beginning. But if they control the devices, the other side will spend enormous efforts trying to stop this control.

Looks like someone lost control of his vital devices.

A brilliant implementation in a completely new battlefield of "The Art of War" by Sun Tzu.


confused^3October 1, 2010 10:59 AM

@Nick P

Thanks for your reply.

I've been reading some of Symantec's analysis of the way the worm works. It seems clear to me that Langner's judgment that it was a one-off attack was very premature.

For example, the four (now five) exploits used weren't all there at first. They were added one by one over time. You'd have to go to the Symantec blog to follow all the ins and outs. F-Secure Weblog has a good summary based on their discussions with a number of security analysts at other companies.

Moreover, although Stuxnet was completely undetected for a whole year, from June 2009 to June 2010 (!), once the first certificate was no longer any good, they installed a new binary using a second certificate, which says that as of March 10, 2010 or July 17, 2010, depending on how you count, either they hadn't reached their one-off target and accomplished their blow-up-the-plant task or else they still wanted to keep the worm active.

Moreover, when the worm gets around to infecting the Step 7 control program on the PC connected to the PLC, it chooses, based on what it finds, one of three different patches to the PLC code. Given that everyone says that the perps had in-depth knowledge of SCADA, this sounds like the target is a number of industrial plants, or at least a number of PLCs.

Moreover, the one-off blow-up-Natanz scenario wouldn't really require using rootkits to hide the PC Step 7 Controller code on the controlling PC and the PLC code on the PLC (two rootkits). That sounds like you want to be around for a while tampering with the plant. The plot thickens.

The more I read about what it does, as little as they've been able to figure out and/or publicize, it sounds like the perps, whoever they were, wanted the ability to affect a number of industrial plants on an on-going basis.

The security analysts tend to the view that it is state-sponsored--although they say there is no real evidence which state. The judgment which state it might be would have to be circumstantial.

Best wishes.
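
Common Sense's point about control code that can only be changed by physically pulling a PROM, and confused^3's point above that the worm patched the PLC blocks and hid the change from Step 7 with a rootkit, come down to one defensive question: can the operator tell that the logic running on the controller is the logic that was commissioned? The following is an added example, not code from the thread or from Siemens, of the integrity check a practitioner would run: hash every program block as read back from the controller, compare against a commissioning baseline, and protect that baseline with an HMAC under a key that never lives on the engineering workstation, so a compromised Step 7 host cannot quietly rewrite the baseline to match its own patch. The block names follow S7 conventions (OB1, OB35, FC, DB); the byte strings are constructed placeholders rather than compiled MC7 code; and the read-back must arrive over a path the possibly compromised workstation does not mediate (a second, isolated engineering PC), which the example represents as an in-memory dict.

```python
# Added example (not code from the thread or from Siemens): integrity check of the
# program blocks running on a controller against a commissioning baseline.
# Assumptions: block names follow S7 conventions (OB/FC/DB), the byte strings are
# constructed stand-ins rather than compiled MC7, and RUNNING_NOW is read back
# over a path the engineering workstation does not mediate.
import hashlib
import hmac
import json
from typing import Dict, Mapping


def block_digests(blocks: Mapping[str, bytes]) -> Dict[str, str]:
    """SHA-256 of each block's code, keyed by block name."""
    return {name: hashlib.sha256(code).hexdigest() for name, code in sorted(blocks.items())}


def _canonical(digests: Mapping[str, str]) -> bytes:
    # Fixed serialisation so the same manifest always authenticates the same bytes.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(digests: Mapping[str, str], key: bytes) -> str:
    """HMAC tag over the manifest; the key is held off the engineering workstation."""
    return hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()


def baseline_is_authentic(digests: Mapping[str, str], tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_baseline(digests, key), tag)


def diff_blocks(baseline: Mapping[str, str], current: Mapping[str, str]) -> Dict[str, str]:
    """Report every block that is missing, added or modified relative to the baseline."""
    findings: Dict[str, str] = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings[name] = "missing"
        elif name not in baseline:
            findings[name] = "added"
        elif baseline[name] != current[name]:
            findings[name] = "modified"
    return findings


def check_controller(baseline: Mapping[str, str], tag: str, key: bytes,
                     current_blocks: Mapping[str, bytes]) -> Dict[str, str]:
    """Refuse to use a baseline that does not authenticate, then diff the live blocks."""
    if not baseline_is_authentic(baseline, tag, key):
        raise ValueError("baseline manifest failed HMAC check; treat it as tampered")
    return diff_blocks(baseline, block_digests(current_blocks))


# Constructed commissioning image (mnemonics as placeholders, not real controller bytecode).
COMMISSIONED = {
    "OB1": b"CALL FC1\nBE\n",                # cyclic scan calls the I/O routine
    "OB35": b"L DB1.DBW0\nT PQW256\nBE\n",   # timed block drives an output
    "FC1": b"L PIW256\nT DB1.DBW0\nBE\n",    # reads an input into the data block
    "DB1": b"\x00\x00\x00\x00",
}

# Constructed read-back after a hostile change: a new block is injected ahead of the
# timed logic and the input routine is altered to discard the real reading.
RUNNING_NOW = {
    "OB1": COMMISSIONED["OB1"],
    "OB35": b"CALL FC2\n" + COMMISSIONED["OB35"],
    "FC1": b"L PIW256\nL 0\nT DB1.DBW0\nBE\n",
    "FC2": b"L 0\nT PQW256\nBE\n",
    "DB1": COMMISSIONED["DB1"],
}

OFFLINE_KEY = b"commissioning-key-kept-off-the-step7-host"  # constructed for the example


def demo() -> Dict[str, str]:
    baseline = block_digests(COMMISSIONED)
    tag = sign_baseline(baseline, OFFLINE_KEY)
    return check_controller(baseline, tag, OFFLINE_KEY, RUNNING_NOW)


def forged_baseline_accepted() -> bool:
    """A compromised workstation rewrites the manifest to match its patch; the tag must not verify."""
    tag = sign_baseline(block_digests(COMMISSIONED), OFFLINE_KEY)
    return baseline_is_authentic(block_digests(RUNNING_NOW), tag, OFFLINE_KEY)


if __name__ == "__main__":
    for block, finding in demo().items():
        print(f"{block}: {finding}")
    print("forged baseline accepted:", forged_baseline_accepted())
```

The check is only as good as the read-back path: if the same Step 7 host that the thread describes as rootkitted is the one uploading the blocks, it can return the commissioned bytes while the controller runs the patched ones, which is exactly why the comparison has to be driven from a separate, clean machine (or from the controller's own attestation where the platform offers it).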

sinotizedOctober 1, 2010 11:34 AM

@confused^3

That's my thinking as well.

@rsp agree completely, I see a need to look at this at a worldwide macro level.

Laws of probability (smallness of the return variable after the PLC environment check vs largeness of the worldwide PLC pool) point at even the most targeted of worms infecting on some false positives, regardless of who is behind the C&C or how often the worm is mutated. In fact, the greater the number of mutations, the higher the probability of hitting oneself in the backside, it seems to me.

I seriously doubt the Insat-4B was on the intended target list either. It makes me wonder what else ou

sinotizedOctober 1, 2010 11:41 AM

can't type today..

tried to say Makes me wonder what other critical systems using those controllers are suffering unreported failures due to people not connecting the dots since the profile is lower .

Medical radiation equipment,
traffic lighting/hov control systems,
large audio/visual/fireworks displays
etc

John StevesonOctober 1, 2010 12:12 PM

A one-off attack wouldn't need to use so many avenues of ingress, nor would it be so large. This is just as likely a modification of earlier malware done by someone with some knowledge of SCADA systems using 'what they know'. The actual targeting could easily be a coding error.

VinnieOctober 1, 2010 12:57 PM

I find it fascinating that people who have not dissected the worm in the depth that Symantec has are so quick to comment on how easy it would be to create one of this sophistication. If you're so good at figuring these out, why don't you work for Symantec? Why are computer geeks so jealous and quick to discount another geek's work? As the saying goes, get a life.....

mnxOctober 1, 2010 3:17 PM

there was a short news blip on this on NPR this morning....

I think it's more about who actually created it than it is about who could benefit....there are many parties that could and will benefit...including the Iranian government who can feed further rhetoric and paranoia into their people about "the West"

one can't directly attribute an entity with "blame" (either partial or complete) for the creation of this based solely on the benefits of its spread or success

Clive RobinsonOctober 1, 2010 9:05 PM

@ Vinnie,

"I find it fascinating that people who have not dissected the worm in the depth that Symantec has are so quick to comment on how easy it would be to create one of this sophistication."

That is possibly because you do not understand the processes involved.

As an overly simple analogy, consider making a meal with an egg.

There is an almost infinite number of ways you can take an egg and turn it into a comestible, some of which involve basic cooking techniques and basic ingredients, others the strange ways of the likes of Heston Blumenthal and his lab equipment and such rare ingredients as white truffle oil. However, you don't need to be a world class chef with 1000USD ingredients to make a meal from an egg, just a little knowledge and some practice.

However, being given a cold half-eaten meal and then being told to work it backwards to its ingredients and the various cooking stages requires a whole different set of skills and knowledge, that you would only find in a specialised food research laboratory.

Then being told to figure out who the chef was in what kitchen and what motivated them to come up with the recipe...

Each step you take back from the discarded comestible gets more problematic as the error function increases to a power law. Thus it is something that you would not do unless there was a significant need.

However due to the nature of this particular nasty it is important to work out not just the ways but the whys and the motivations.

The use of at least four, possibly more, 0-days in a framework that allows further ones to be added, whilst not new, is certainly not common. What it attacks (SCADA systems) has been a fairly rare niche; even a few years ago Bruce did not rate attacks on SCADA systems as a realistic threat (I remember because I strongly disagreed with him).
The use of "signed code" to break the trust model is something I repeatedly go on about because I know how easy it is to get rogue code signed by a supposedly secure process (been there, done that, as they say).

But technicalities aside, this nasty was meant to do real world harm that could as a side effect have given rise to another chemical or oil plant in a residential area killing and maiming many innocent people.

The simple and brutal truth is chemical and oil plant security, both physical and informational, is a sad joke. We simply cannot afford the cost of making them secure to any acceptable level. For obvious reasons people in the industry rarely talk about it to outsiders.

The question of why is important, because there are very many similar setups around the world controlling cascades of one form or another that are not in the nuclear industry.

And the who is important, otherwise we could get a very real war as a result. The number of times, for instance, Pakistan and India have stepped up to the line is scary when you consider both sides have nukes and delivery systems.

The problem however is, as I said, the error function: if only one set of eyes looks at the issue their conclusions could be well off base. The result could be the wrong people being attacked. If however many independent eyes look at it independently then the chance that the wrong party gets blamed goes down for two reasons. The first is consensus is reached through many paths, the other is that it is shown no individual can be reliably blamed.

Either way it provides a much needed safety margin. Remember we have at least one real war in progress over false assumptions (Iraq); we don't need the politicos doing it again, because it has created way too much instability in the region already.

Now you or others might say "yeah but we knew last time but it did no good"; I would counter that the politicos would not be allowed such an easy passage this time because most people now know what a crock of s41t most of the closed process analysis by the "politically driven intel community" is.

The fact that people want to discuss the issues as they see them is up to them; if a few more people did it they might very well learn a few important facts in life.

I will leave you the task of contemplating your last statement as others might view it in respect of yourself.

ChaseOctober 3, 2010 11:18 AM

Bruce,

Per your Science Friday comment about reverse engineering motives, the intelligence organization that funded Stuxnet had two design goals in mind : stop Iran (primary) and induce global infrastructure manufacturers to rectify security-compromised products.

Akin to a wild-fire's environmental cleansing action, Stuxnet's authors ensured the primary lightning strike succeeded in Iran … and *desired* Stuxnet flame on, following the natural fuel source of operational consulting groups and their interconnections linking Siemens' compromised product in a global context.

Stuxnet's authors ensured its payload *only* compromised a specific environment (e.g., Iranian assets), but their secondary motive was to become a public spectacle -- a wildfire of discussion to clear out dead and unproductive operational attitudes -- by awakening industrial infrastructure manufacturers to an increasing specter of liability suits by civil and federal entities in law-abiding democratic countries where such lawsuits can gain a foothold.

Stuxnet is presently a benign message from a government organization to Siemens that the cost-avoidance strategy of "security through obscurity" threatens national interests. Failure by Siemens (and other infrastructure manufacturers) to heed the message of today's Stuxnet will go badly when the next Stuxnet appears -- and a public review of what happens then will dive deep into every aspect of Siemens' product development process to find that (ultimately) there are product managers and development leads who had sufficient knowledge of product design defects to prove that Siemens "knowingly" foisted risk without proper disclosure to customers … whose operations were later compromised by Siemens product management decision making.

PeterOctober 5, 2010 4:23 PM

As Bruce noted, there is a tremendous amount of speculation. It is being driven by 'evidence' that is ridiculously insubstantial and by circular press reporting with more qualifiers being dropped and more 'evidence' being fabricated out of thin air in each successive retelling.

It may well eventually turn out that STUXNET targeted Iran. But right now, that is not even remotely in evidence.

It is amazing to me that so much attention is being given to all the technical gee-whiz of STUXNET, but that the basic lesson is completely ignored. STUXNET attacked the unprotected development and maintenance environment of an industrial system.

The indirectness of the attack to circumvent the physical and operational security mechanisms, including air-gapping, of a production industrial system is the truly impressive part. The rest is just semi-interesting techie garbage that isn't even novel, just novel in its aggregation and coordination.

Clive RobinsonOctober 5, 2010 7:09 PM

@ Peter,

"The indirectness of the attack to circumvent the physical and operational security mechanisms including air-gapping, of a production industrial system is the truly impressive part."

For my sins I have been predicting "air gap crossing" malware for some time and even worked out ways to make "fire and forget" malware that would do it.

Likewise I've pointed out on many occasions how code signing is such an unreliable trust mechanism (been there beat it and walked away).

However I've been banging on about insecure SCADA systems for so long now it feels like a life time.

Yup I can even remember being one of about three lone voices back when Bruce did not rate attacks on SCADA systems.

The real scary part for me is that Stuxnet was only discovered by accident (supposedly when a signing certificate was changed)....

Thus I suspect a lot of the noise you see about Stuxnet is part of a Cover Yer 455 exercise on behalf of all those people who "dropped the ball" on this one.

People really need to wake up on this: we know how to make images of clean systems and compare production systems to them, thus a big tranche of extra and unknown code should sit there like a ripe boil on a pig's backside.

The simple fact is we just don't design systems in a reliable, let alone secure, way; we use one of the least reliable OSs because that's what we think the customer wants...

Sadly I can see no lessons being learned from this incident and thus it will happen again, probably closer to home, and possibly real people will get hurt. Maybe then (but probably not) people will wake up to what the consequences are of having brittle systems with little or no security in charge of major environmental-impact-threatening plant.

In the UK we dodged a bullet a short while ago with the Buncefield oil depot; there are literally millions of equal or higher risk sites in suburban areas all over the world...
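The "image a clean system and compare production to it" check mentioned in the comment above, as an added example (not the commenter's code and not anything from the original post): it hashes every file under a known-good tree and a production tree and reports files that were added, removed or modified. The directory names and file contents are constructed for the demo. One caveat a practitioner should keep in mind: a kernel-mode rootkit on the production host can hide files from any tool run inside that OS, so the production tree should be read from a trusted boot medium or by mounting the disk on a separate, clean machine.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk a directory tree and return {relative_path: sha256_hex}.

    Paths are normalised to '/' separators so manifests built on different
    platforms compare cleanly.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        rel = str(path.relative_to(root)).replace(os.sep, "/")
        manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, production):
    """Compare a clean-image manifest with a production one.

    Returns (added, removed, modified): sorted lists of relative paths that
    exist only in production, only in the baseline, or in both with
    different hashes.
    """
    base_keys = set(baseline)
    prod_keys = set(production)
    added = sorted(prod_keys - base_keys)
    removed = sorted(base_keys - prod_keys)
    modified = sorted(p for p in base_keys & prod_keys
                      if baseline[p] != production[p])
    return added, removed, modified


def demo():
    """Constructed scenario: a clean image and a production host where one
    vendor library has been altered and one unknown driver has appeared.
    All names and contents here are hypothetical, made up for the example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        prod = Path(tmp) / "prod"
        for d in (clean / "step7", prod / "step7"):
            d.mkdir(parents=True)
        (clean / "step7" / "driver.dll").write_bytes(b"vendor library v1")
        (clean / "step7" / "project.cfg").write_bytes(b"project data")
        (prod / "step7" / "driver.dll").write_bytes(b"vendor library v1 + injected code")
        (prod / "step7" / "project.cfg").write_bytes(b"project data")
        (prod / "step7" / "unknown.sys").write_bytes(b"unsigned driver")
        return diff_manifests(build_manifest(clean), build_manifest(prod))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

The baseline manifest should be generated once from the golden image, signed, and stored off the monitored host; re-hashing the baseline on the production box at check time would let an attacker who controls that box feed the comparison whatever it wants.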

Major VariolaNovember 16, 2010 10:51 AM

16 Nov 2010

Stuxnet intermittently drops the speed of the centrifuge motors' variable-frequency drive from over 1000 to 2. Like shifting into first on a highway. Your rotor is now shrapnel.

An intermittent PLC glitch that's rootkitted would be very hard to find. And cost a centrifuge with each debug.

Gary HinsonFebruary 21, 2011 10:46 PM

Symantec's updated Stuxnet Dossier http://www.symantec.com/content/en/us/enterprise/... makes fascinating reading for us geeks who can comprehend the technical issues. Helping management make sense of it is a different matter, though. I get the distinct impression that Stuxnet marks the start of an altogether more sinister phase of malware use. Maybe I'm just a risk-averse-going-on-paranoid security geek who sees the worst in every situation. Maybe we won't see malware deployed for cyberwarfare and cyberterrorism. Maybe pigs *will* fly ...

G.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.