
Stuxnet: An actual Cyber attack weapon

Started by Triple Zero, September 22, 2010, 05:29:17 PM


Triple Zero

This article on Forbes is very skeptical of the NYTimes article on the previous page:

http://blogs.forbes.com/jeffreycarr/2011/01/17/the-new-york-times-fails-to-deliver-stuxnets-creators/

But the arguments it gives for this seem very suspect to me. It sounds a lot like the author just really wants the NYTimes to be wrong, or merely really badly wants to discredit the idea of the US/Israel being behind Stuxnet. Regardless of whether this is the case or not. From the writing style alone I get a very strong "grasping at straws" feeling.

First, he only quotes Symantec as computer security experts, who did write a few excellent articles on Stuxnet, but they're just a big anti-virus company, it's the German security research firm Langner that really knows what they're talking about, because they actually have the expertise in house to analyze code that targets industrial controller systems [which are vastly different than desktop PCs--a lot more like the chips in your washing machine or VCR].

Then he quotes some Israeli guy named Shai Blitzblau, and that guy is either lying, full of shit, stupid or all of the above. You can check all this from the Stuxnet Q&A by F-Secure that I posted on the previous page of this thread.

* "Our two main suspects for this are high-level industrial espionage against Siemens and a kind of academic experiment" which is nonsense.
- An academic experiment could never have managed to acquire the digital certificates* that Stuxnet used to sign its code, as this certificate was stolen from Taiwanese electronics companies Realtek and JMicron.
- High level industrial espionage against Siemens makes no sense whatsoever, because Stuxnet clearly targets very specific installations, specific factory environment, with a very specific number of certain devices, running at certain very specific frequencies. Which are indeed controlled by Siemens PLCs, but Stuxnet's targeting is quite a bit more specific than just the brand of PLCs.

* Blitzblau explains that the broad, indiscriminate attack on industrial computers launched by Stuxnet is not characteristic to a military operation, where the nation launching the attack tries to minimize collateral damage and focus on a specific target.

- that is bullshit, Stuxnet is one of the least broad, least indiscriminate viruses I have ever heard of :lol: and minimizing collateral damage? hell yeah, it just disables and breaks the equipment, and it does so without even having to know where all these installations are. because a lot of these are suspected to be underground, and normally they'd have to drop "bunkerbusters" or something on those things to destroy them, talk about collateral.

Then comes a link to an article by Gadi Evron (Israeli security expert and founder of Israel's CERT) on DarkReading who is a big poopyhead calling the Stuxnet coders "amateurs". I mean, look at this guy's photo. Can you already hear him say it? BUNCH OF FUCKING AMATEURS!! :lulz: haaahahahahaha

Anyway he says "[Stuxnet] enables an attacker to infect a computer by merely inserting a USB key. This is perfect for attacking a nuclear facility, which isn't connected to the Internet. But operationally it means a person would have to be there physically to accomplish the mission: a spy, a rogue employee, or a commando team." -- F-Secure has a much better idea: "For example, by breaking into a home of an employee, finding his USB sticks and infecting it. Then wait for the employee to take the sticks to work and infect his work computer. The infection will spread further inside the secure facility via USB sticks, eventually hitting the target.", that really doesn't sound that hard to do, IMO. And you can do it as many times as you want.

"Further, Stuxnet remained active when, in 2009, one of the zero-day vulnerabilities was reported publicly and patched by Microsoft. Why would its operators risk the discovery of such a costly weapon by keeping it in the field when discovery is now a real risk?" -- I'm not even sure what this means. It sounds like he thinks the "operators" of a computer virus can just recall and disable it whenever they want. Maybe he's confused and thinks Stuxnet is a sort of botnet, but computers infected with Stuxnet cannot "phone home", Stuxnet operates in the dark and cannot receive commands from a central C&C node (unlike, say, Zeus, Conficker or Storm), because its targets are not connected to the internet, DUH.

Then, Mr Evron says, "If we are to believe media reports, then Iran's nuclear efforts have been delayed by three months. These reports are unsubstantiated, but taking them on their word, it doesn't seem likely that Israel or the United States would invest so much for such a small return. It is still within the realm of possibility that some nation-state was behind it, even Iran itself. While in democracies it's the exact opposite, in dictatorial countries most of the intelligence efforts are turned inward." -- Ok, so now Stuxnet suddenly isn't completely useless anymore, but IF it did something, then surely it wasn't America+Israel, because it COULD be, um, Iran itself, because they're crazy terrorists.

"Another option is that this was a corporate rival of Siemens, the vendor whose SCADA systems Stuxnet targets. Siemens reported it has so far discovered 14 clients (read: power plants) that have been infected, a large portion of which are in Germany. Siemens suffered major PR damage as a result of Stuxnet." -- If someone would want to discredit Siemens, they'd probably focus on the fact that Nokia-Siemens built Iran's Deep Packet Inspection systems used to intercept and censor communications during and after the Iran election protests. At the very least they probably wouldn't have made it so specific, because without intelligence about the Iranian nuclear facilities, they wouldn't even have known if Stuxnet would eventually hit *anything* (the frequency-ranges it looks for, occur only in one other facility, somewhere in Finland IIRC).

"It could also be criminals, with a goal as simple as ransoming these power plants. As unlikely as this scenario sounds, it is as sound a guess as any of the others." -- No it's not. Not at all. Organized cybercriminals can make that kind of money in a lot easier and a lot safer ways, plus, who's claiming ransom? And for what? Again, it's not like they can remotely disable the virus.

"Among the many guesses as to who built Stuxnet, fingers were also pointed at Israel. As an Israeli [security expert and founder of Israel's CERT], I hope such sloppy work wasn't ours. Yes, Stuxnet is advanced, but no military or intelligence organization should be this careless. It is just too amateurish from an operational standpoint." -- Uuhuh, yeah.

Back to the Forbes article, he says the timeline is suspect. I don't see how.

I gotta give the author (Jeffrey Carr) one thing though, "David Albright and his co-researchers at ISIS concluded that the Stuxnet worm most likely was designed to destroy a limited number of centrifuges and temporarily set back Iran's fuel enrichment program.  Does that sound like a strategy that Israel would agree to? Not to Benjamin Netanyahu, Israel's PM. After expressly stating his disagreement with Dagan's 2015 date, he said that "sanctions should be strictly enforced and materially strengthened..., and that if they don't achieve their goal, they would be followed by a credible military option." -- this is actually quite a reasonable argument. Not one that discredits the entire theory, but yeah, I can indeed imagine Netanyahu not just wanting it delayed but entirely stopped.

I'm not 100% convinced it has to be Israel+USA that did it, but the arguments against it in this article just don't hold any water IMO. I'm interested in his writeup about a Stuxnet Finnish-Chinese connection, though :)


(* http://en.wikipedia.org/wiki/Public_key_certificate is basically an encryption public/private keypair, the private part of which only the owner of the certificate is supposed to have. The certificate owner can then use the private key to digitally sign a piece of data, thereby certifying that this piece of data can be trusted. Other people (programs) can then use the public part of the certificate to check whether the data is indeed signed and by whom, and based on that information decide whether they trust it or not. Because you can also sign and certify certificates themselves, a so called "chain of trust" can be created. The very first certificate in this chain, is called the "root" certificate. Examples of Root Certificate Authorities are companies such as VeriSign, DigiCert, GeoTrust, GoDaddy, etc.)
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Triple Zero

Re: Stuxnet Chinese-Finnish connection, never mind, these Forbes people are obviously retarded and mostly interested in pointing anywhere except the USA/Israel. Finland is mentioned once at the beginning of the article and China is suspect because guess what, ... that's where the electronics were made :kingmeh:

Cain

And of course, why would China want to attack Iranian nuclear facilities in the first place?  What's the motivation?  To ensure more oil is used for Iranian internal consumption than sold on the international market, raising the price of oil and ensuring there is less oil overall for power-hungry Chinese factories to use? 

China has blocked most UNSC attempts at proscribing Iran exactly because it wants Iranian nuclear power to work, because that means more oil for its companies.  The idea that China would shoot itself in the foot in such a flagrant and determined way is ridiculous in the extreme.

Triple Zero

It's because uh, something about rare earth metals, and that another country with a bomb is never a good thing, BUT China wants to stay on good terms with Iran so it developed Stuxnet in order to thwart its nuclear program SECRETLY while publicly supporting them, so they could pin it on the poor USA and Israel.

Not making this up, that's what the article said ...

Cain

That's insanely complex.  Good premise for a Tom Clancy novel, poor premise for, you know, actual policy analysis.

Disco Pickle

bump for new virus found:

http://english.aljazeera.net/news/middleeast/2011/04/2011425163710464916.html

Quote: Iran has been targeted by a new computer virus in a "cyber war" waged by its enemies, according to a senior military official of the Islamic republic.

Gholam Reza Jalali, commander of civil defence, told the semi-official Mehr news agency on Monday that the new virus, called Stars, was being investigated by experts.

"Certain characteristics about the Stars virus have been identified, including that it is compatible with the [targeted] system," he said.

He said that Iranian experts were still investigating the full scope of the malware's abilities.

Jalali played down the impact of Stars, but said it is "harmonious" with computer systems and "inflicts minor damage in the initial stage and might be mistaken for executive files of governmental organisations".

He did not say what equipment or facilities the virus targeted, or when experts first detected it.

Stars is the second serious computer worm to hit Iran in the past eight months.

Iran was hit with another computer worm, Stuxnet, last year, reportedly designed to hurt Iran's controversial nuclear programme.

The country has accused the US and Israel of launching Stuxnet, which was publicly identified last June and reportedly mutated and infected at least 30,000 computerised industrial equipment in the following months.

The existence of Stuxnet became public knowledge around the time that Iran began loading fuel into Bushehr, its first nuclear reactor, last August.

Iran said in September that staff computers at Bushehr had been hit but that the plant itself was unharmed.

Bushehr is still not operational, having missed several start-up deadlines. This has prompted speculation that Stuxnet damaged the plant.

But Iran said its scientists discovered and neutralised the malware before it could cause serious damage.
"Events in the past may be roughly divided into those which probably never happened and those which do not matter." --William Ralph Inge

"sometimes someone confesses a sin in order to take credit for it." -- John Von Neumann

Triple Zero

bump, because Wired has written a very in-depth summary of the entire StuxNet saga:

http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1

it's quite a long article, but very interesting, and it covers pretty much the entire story from Symantec and Langner's viewpoints.

Cain

Another Iranian nuclear scientist has been assassinated

http://www.bbc.co.uk/news/world-middle-east-14263126

Quote: An Iranian nuclear scientist has been shot dead outside his home in Tehran, Iranian media sources say.

The Isna news agency named him as Daryoush Rezaei, 35, adding that his wife was wounded. His identity has not been officially confirmed.

In 2010, nuclear scientist Massoud Ali Mohammadi was killed by a remote-controlled bomb in Tehran.

Iran blamed that attack on Israeli secret service Mossad. Israel has long warned about Iran's nuclear programme.

Yes, Mossad has warned Iran is three years away from nuclear weapons....since 1992.  Every year.

Mossad: great at whacking people, but never ask them for the time.

Freeky

Quote from: Cain on July 23, 2011, 06:04:40 PM
Another Iranian nuclear scientist has been assassinated

http://www.bbc.co.uk/news/world-middle-east-14263126

Quote: An Iranian nuclear scientist has been shot dead outside his home in Tehran, Iranian media sources say.

The Isna news agency named him as Daryoush Rezaei, 35, adding that his wife was wounded. His identity has not been officially confirmed.

In 2010, nuclear scientist Massoud Ali Mohammadi was killed by a remote-controlled bomb in Tehran.

Iran blamed that attack on Israeli secret service Mossad. Israel has long warned about Iran's nuclear programme.

Yes, Mossad has warned Iran is three years away from nuclear weapons....since 1992.  Every year.

Mossad: great at whacking people, but never ask them for the time.

Other than, you know, WAR and stuff, what's the big deal with Iran having nuclear capability?  Aren't there other uses for nuclear science?

Freeky,
politic herp derp.

Cain

Iran uses a lot of oil it produces internally.  If it has nuclear power, it can export more oil and gas.  Most of that oil and gas will go to China.

If, however, its government were to fall and a new, pro-American elite could be installed...well, contracts may have to be rethought.

Also, if Iran gets the bomb, it means every state in between it and Israel will have to choose sides.  Saudi Arabia may seek the bomb themselves and the region could fall under Iranian hegemony in the meantime.  Also, Pakistan won't like it, as India and Iran have an understanding when it comes to their violent neighbour, which is "if push comes to shove, we both invade and raze Islamabad to the ground".  So long as Iran only has conventional arms, Pakistan can probably persuade them to back off.  But in a conventional fight, Pakistan is doomed if both countries work together, and if Iran has nukes it will be a conventional war.

Disco Pickle

It's like a boys club that doesn't want to allow new members.  No one with any authority in Iran would actually be stupid enough to launch a nuke at Israel because Israel would turn that country into glass but the saber rattling serves to distract people from the fact that Iran is the Iran it is now because of British and US meddling in the 50's, 60's and 70's.  The problem is if they DO get nukes and keep with the crazy president saying crazy things then at some point it could turn into a middle eastern cold war standoff of mutually assured destruction.

Of course then Israel might have to publicly admit to having nukes, something they don't want to do because it's against several nations' laws to give aid to countries with nukes.  Under the nonproliferation treaty I think.

Cain's probably more versed on this than I am and I'm nursing a bitch of a hangover and don't feel up to doing the research atm.


Freeky

Quote from: Cain on July 23, 2011, 06:37:47 PM
Iran uses a lot of oil it produces internally.  If it has nuclear power, it can export more oil and gas.  Most of that oil and gas will go to China.

If, however, its government were to fall and a new, pro-American elite could be installed...well, contracts may have to be rethought.

Also, if Iran gets the bomb, it means every state in between it and Israel will have to choose sides.  Saudi Arabia may seek the bomb themselves and the region could fall under Iranian hegemony in the meantime.  Also, Pakistan won't like it, as India and Iran have an understanding when it comes to their violent neighbour, which is "if push comes to shove, we both invade and raze Islamabad to the ground".  So long as Iran only has conventional arms, Pakistan can probably persuade them to back off.  But in a conventional fight, Pakistan is doomed if both countries work together, and if Iran has nukes it will be a conventional war.

So it's mostly a "turd in the punchbowl" situation?  Like, everyone else gets inconvenienced (at best)?

Triple Zero

New news on Stuxnet.

Stuxnet Loaded by Iran Double Agents

I haven't gotten around to reading the whole article yet btw.

Triple Zero


Doktor Howl

Molon Lube