Petre Peter April 16, 2019 8:54 AM

Stuxnet, Havex, BlackEnergy, CrashOverride, Triton are indeed examples of cyber-physical threats. Maybe even murderous malware .

Yabba Dabba Don't April 16, 2019 10:16 AM

Stuxnet, Havex, BlackEnergy, CrashOverride, Triton

initialized is:


which unscrambled is


Gotta be the NSA then.

Anon1 April 16, 2019 3:31 PM

Funny, the first two times I read the text I couldn’t figure out why we didn’t know who wrote the older article.

RealFakeNews April 16, 2019 5:25 PM


Proving why grammar matters.


I think it likely that we actually know who is behind it, but all this “cloak and dagger” with code names, mystery, etc. is just playing politics.

Did anyone think: we did it?

Some Guy April 16, 2019 10:05 PM

Attribution is difficult. It matters in overall situational awareness but not as much in identifying and addressing operational and technical vulnerabilities.

Stuxnet used by US/Israel against Iran nuclear sector

Shamoon used by likely Iran for espionage and to destroy Saudi Aramco network.
Havex likely developed by Russia and used against energy sector and defense.for espionage and potentially battlefield prep

BlackEnergy likely used by Russia in Ukraine Distribution attack – only used as one tool as the real attack was theft of VPN user IDs used to take control using legitimate means

CrashOverride likely used by Russia in Ukraine transmission attack

Triton/Trisys used by unknown against Mideast oil (Saudi Aramco??) likely as battlefield prep.

Attack vector
In every case but Stuxnet , the vector has been

Compromise of corporate networks via phishing or similar often using a supply chain victim/partner

Exapansion of Control and lateral movement in corporate net

Theft of credentials including OT credentials

Eespionage or corporate destruction (Shamoon)
Entry into control systems by legitimate means.

The attacks may have been made through supply chain business partners with a higher level of access either through cooperation or exploitation of business partners

To me, the lesson here is that there are too many vulnerabilities and one will always be available to attackers. It’s not the inbound traffic that matters as much as monitoring the outbound communication to detect the attack. Security by patching is necessary but not sufficient. Defensive measures that stop the commobly repeated patterns (the kill chain) is where defense needs to evolve. Monitoring of business partner communication is critical.

Clive Robinson April 17, 2019 6:54 AM

@ Some Guy,

In every case but Stuxnet , the vector has been…

It obviously works or they would have changed tactics…

Which kind of says a lot about not just the technical but human failings of information system security.

It makes you wonder if we have realy progressed from the days when people used to talk about the seesaw of “Usability-v-Security”.

I know Gunner Peiterson from the One Drop blog used to say that nothing had moved forward since perimeter security with statefull firewalls.

Both of those ideas are a couple of decades old now…

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.