Stuxnet: An actual Cyber attack weapon

Started by Triple Zero, September 22, 2010, 05:29:17 PM

Cain

Well, this isn't a reputable security blog, but the Guardian is now saying it was almost certainly an intelligence agency job.  They have comments from several security firms on the worm

http://www.guardian.co.uk/technology/2010/sep/24/stuxnet-worm-national-agency

Quote
Latest figures, from August, show 60% of computers infected by Stuxnet are located in Iran – dramatically up from July, when it accounted for less than 25% of infections, research by Symantec shows, with the graph below (from 4 August) showing the prevalence in other countries by comparison. The company estimates that the group building Stuxnet would have been well-funded, comprising between five and 10 people, and that it would have taken six months to prepare.

Alan Bentley, senior international vice president at security firm Lumension, said Stuxnet is "the most refined piece of malware ever discovered", and that the worm was significant because "mischief or financial reward wasn't its purpose, it was aimed right at the heart of a critical infrastructure".

However Graham Cluley, senior consultant with the online security company Sophos, warned against jumping to conclusions about the target of the attack, saying "sensationalist" headlines were "a worry". Cluley is wary of reports linking Stuxnet with Israel: "It's very hard to prove 100% who created a piece of malware, unless you are able to gather evidence from the computer they created it on – or if someone admits it, of course."

But he said that its characteristics did not suggest a lone group. "I think we need to be careful about pointing fingers without proof, and I think it's more appropriate – if true – to call this a state-sponsored cyber attack rather than cyber terrorism."

Stuxnet works by exploiting previously unknown security holes in Microsoft's Windows operating system. It then seeks out a component called Simatic WinCC, manufactured by Siemens, which controls critical factory operations. The malware even uses a stolen cryptographic key belonging to the Taiwanese semiconductor manufacturer RealTek to validate itself in high-security factory systems.

The worm then takes over the computer running the factory process – which for WinCC would be "mission-critical" systems which have to keep functioning under any circumstance – and "blocks" it for up to a tenth of a second. For high-speed systems, such as the centrifuges used for nuclear fuel processing being done by Iran, that could be disastrous, experts suggested.

US army forces are aware of the threat posed by Stuxnet, general Keith Alexander confirmed this week, saying early indications showed that the worm was "very sophisticated".

Cluley told the Guardian that Siemens has "astonishingly" advised power plants and manufacturing facilities not to change the default password that allows access to functions, despite it being exploited by Stuxnet and being "public knowledge on the web for years".

Alan Bentley, SVP International at Lumension, told the Guardian: "There is a lot of circumstantial evidence to suggest that Iran was the target of Stuxnet. We know that the worm was designed with a specific target in mind – its makeup and the way it executes render the tell-tale signs.

"Combine this with the fact that the worm was identified by a Belarusian security firm working for an Iranian client and the fact that the nuclear power plant was not working properly for months, it is understandable that speculation points towards Iran as the target. But, without being inside the walls of the Bushehr nuclear power plant, we can't be certain."

Rik Ferguson, senior security adviser at Trend Micro, said: "Initially, it looks like a targeted attack. It saw a high percentage of infections concentrated in the Middle East. Iran being one. There's every possibility that the [other countries affected] may have been collateral damage."

Asked whether a nation state was behind the attack, Ferguson said: "The truth is we don't know. But we can look at the concentration [of the attacks]. I don't think we can call this cyberwarfare, I would call it modern espionage. Countries have been spying on their neighbours for years – as the technology has improved, espionage has always improved, and this is a step in that direction.

"It's significant because it's not just the malware but the vulnerability to infect machines – if this had been in more traditional, criminal hands it could have been more widely used, like Conficker was. This was a powerful vulnerability it exploited and usually either you sell it for a lot of money or use it for mass criminality."

David Emm, a senior security researcher at Kaspersky Lab, told the Guardian: "We think that Stuxnet's sophistication, purpose and the intelligence behind it suggest the involvement of a state.

"This is a very sophisticated attack – the first of its kind – and has clearly been developed by a highly skilled group of people intent on gaining access to SCADA [supervisory control and data acquisition] systems – industrial control systems for monitoring and managing industrial infrastructure or facility-based processes. In contrast to the bulk of indiscriminate cybercrime threats on the internet, this has been aimed at very specific targets. It's different also because there's no obvious financial motivation behind the attack – rather the aim seems to be to sabotage systems."

However, John Pescatore, vice president for internet security at Gartner, said it was "definitely not the case" that Stuxnet would have required state sponsorship. "We've seen similarly targeted software going after credit card readers for financial gain in the past," he said. "Governments have no monopoly on the talent. We've seen attacks that looked like they were state-sponsored in the past launched by hackers for attention or citizens' groups. You cannot tell just by looking at where it landed."

The experts agree that Stuxnet marks a shift away from malware deployed for financial gain to controlling critical machinery. We are now moving into a "third age" of cyber crime, Cluley said, where the intention of making money from technical exploits is replaced by an intention to bring down critical infrastructure. "We're entering this third age as well, where there are political, economic and military ways in which the internet can be exploited – and malware can be used – to gain advantage by foreign states.

"I think we will see more and more attacks which will be blamed on state-sponsored cyber attacks. There have been numerous attacks in the past which could be said to have possible military, political or economic motives, but it is very difficult to prove that a hack was ordered by Mossad or instead dreamt up by a Macclesfield student."

Adios


Cain

Not highly likely, and Turkey is fairly comfortable with the Iranian leadership anyway, as Iran won't allow Kurdish dissidents to use the country as a staging base for attacks on Southern Turkey.

Triple Zero

I forgot to mention btw, great analysis on the previous page! :mittens:
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Dalek

This left butterflies in my stomach. I think I'm in love with the Stuxnet coders. I fucking hope they don't prevent it from taking over the target, or at least if that would mean that we'll never know what the target was.

Dalek

Reading the replies to the thread, this came to mind.

Igor

Quote
The Iranian government agency that oversees the country's nuclear facilities reported today that engineers are attempting to defend against "Stuxnet," a Windows-specific worm attacking industrial plants throughout the nation.

http://www.boingboing.net/2010/09/25/iranian-nuclear-faci.html
Be what you would seem to be - or, if you'd like it put more simply - never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise.

Dalek

Ok, who the hell uses windows on a fucking nuclear power plant?!

Requia ☣

Quote from: Cain on September 25, 2010, 07:26:35 PM
Not highly likely, and Turkey is fairly comfortable with the Iranian leadership anyway, as Iran won't allow Kurdish dissidents to use the country as a staging base for attacks on Southern Turkey.

While I can't see a Turkish motive, I have to imagine most countries have the capability to make this.  You don't really need a huge amount of infrastructure, you just need people capable of doing it, and I'm sure the various cybercrime gangs would be happy to do it if 7 or 8 zeros were involved in the paycheck.
Inflatable dolls are not recognized flotation devices.

the last yatto

Quote from: Count Postcount on September 26, 2010, 09:18:25 PM
Ok, who the hell uses windows on a fucking nuclear power plant?!

Windows 3.11 is the most stable operating system out there
Look, asshole:  Your 'incomprehensible' act, your word-salad, your pinealism...It BORES ME.  I've been incomprehensible for so long, I TEACH IT TO MBA CANDIDATES.  So if you simply MUST talk about your pineal gland or happy children dancing in the wildflowers, go talk to Roger, because he digs that kind of shit

Triple Zero

Schneier wrote about it and his links lead to some more technical articles, which I will read later:

http://www.schneier.com/blog/archives/2010/09/the_stuxnet_wor.html

Triple Zero

hahaha I love this comment from Schneier's blog:

"Can anyone think of another area of software development where you would say "my god this a work of breathtaking ingenuity and fiendish cunning - it could only have been written by a civil servant" !!"

:lulz:

Triple Zero

Quote from: Count Postcount on September 26, 2010, 09:18:25 PM
Ok, who the hell uses windows on a fucking nuclear power plant?!

Iran does. They also used other unlicensed software, and apparently don't understand computer security, as screenshots of their control software were posted in the news a while ago.


Anyway, the important thing is, Langner (some German security corp) seems to think (with good reasons, see his article) that the target of the Stuxnet Worm was indeed the nuclear facility in Bushehr, Iran. They also believe that it has already done its job:

Quote from: http://langner.com/en/index.htm
Ralph's analysis

Now that everybody is getting the picture let's try to make sense out of the findings. What do they tell us about the attack, the attackers, and the target?

1. This is sabotage. What we see is the manipulation of one specific process. The manipulations are hidden from the operators and maintenance engineers (we have the intercepts identified).

2. The attack involves heavy insider knowledge.

3. The attack combines an awful lot of skills -- just think about the multiple 0day vulnerabilities, the stolen certificates etc. This was assembled by a highly qualified team of experts, involving some with specific control system expertise. This is not some hacker sitting in the basement of his parents' house. To me, it seems that the resources needed to stage this attack point to a nation state.

4. The target must be of extremely high value to the attacker.

5. The forensics that we are getting will ultimately point clearly to the attacked process -- and to the attackers. The attackers must know this. My conclusion is, they don't care. They don't fear going to jail.

6. Getting the forensics done is only a matter of time. Stuxnet is going to be the best studied piece of malware in history. We will even be able to do process forensics in the lab. Again, the attacker must know this. Therefore, the whole attack only makes sense within a very limited timeframe. After Stuxnet is analyzed, the attack won't work any more. It's a one-shot weapon. So we can conclude that the planned time of attack isn't somewhen next year. I must assume that the attack did already take place. I am also assuming that it was successful. So let's check where something blew up recently.


Ralph's theory -- completely speculative from here

It is hard to ignore the fact that the highest number of infections seems to be in Iran. Can we think of any reasonable target that would match the scenario? Yes, we can. Look at the Iranian nuclear program. Strange -- they are presently having some technical difficulties down there in Bushehr. There also seem to be indications that the people in Bushehr don't seem to be overly concerned about cyber security. When I saw this screenshot last year (http://www.upi.com/News_Photos/Features/The-Nuclear-Issue-in-Iran/1581/2/) I thought, these guys seem to be begging to be attacked. If the picture is authentic, which I have no means of verifying, it suggests that approximately a year and a half before a nuke plant is scheduled to go operational, they're playing around with software that is not properly licensed and configured. I have never seen anything like that even in the smallest cookie plant. The pure fact that the relevant authorities did not seem to make efforts to get this off the web suggests to me that they don't understand (and therefore don't worry about) the deeper message that this tells.

Now you may ask, what about the many other infections in India, Indonesia, Pakistan etc. Strange for such a directed attack. Then, on the other hand, probably not. (click to read the rest of the article)


So, on the one hand, Stuxnet is probably not a direct threat anymore. That really makes perfect sense; after all, once a worm is discovered and analyzed, removal and protection against it is pretty trivial. 0day vulnerabilities only work as long as they're not patched. This goes for most large worms that infect regular computers as well*.
So when a worm is targeting such high-value systems, it doesn't take long before it's neutralized. The attackers knew this (unless they were really stupid and put in all this effort hoping the worm would wander around unstopped for months), so the worm must have done its job before it got discovered.

(*except for botnets which run on hacked computers in Africa running unlicensed windows versions which are a lot harder to patch--I'm not making this up but most African Windows machines have "computer AIDS" :| )


What IS a threat, however, is this:

Quote
Stuxnet logbook, Sep 17 2010, 1500 hours MESZ

Press release – for immediate release

Langner sees increased threat level as Stuxnet analysis progresses

Ralph Langner, who successfully analyzed that Stuxnet is a directed attack against industrial control systems, sees an increased threat level as the analysis of Stuxnet progresses. Langner points out that not only security researchers will analyse Stuxnet but also the underground. The analysis that Langner has conducted shows that it is not technically difficult to inject rogue ladder logic into PLC programs. It is important to understand that this vulnerability cannot be considered a bug, either technically or legally, so it should not be expected that vendors would be able to release a "patch". Langner expects exploit code for this vulnerability to appear within several months in the known frameworks such as Metasploit [ http://en.wikipedia.org/wiki/Metasploit ]. While Langner does not assume to see an attack as sophisticated as Stuxnet soon, he points out that the Stuxnet story will raise a lot of attention in the hacker community where people may now start to try using the attack vector for much more trivial motivations than we must assume for the Stuxnet writers. Langner suggests equipment vendors, asset owners and integrators start developing strategies to cope with this scenario quickly.

and the latest article on the page:

Quote
Stuxnet logbook, Sep 28 2010, 1100 hours MESZ

While it feels good to be proven right, we would have wished it had happened somewhen later. With respect to the latest news from Iran we recommend starting IMMEDIATELY with developing countermeasures against post-Stuxnet malware. We suggest following Melissa Hathaway's advice as expressed in her NYT interview (www.nytimes.com/2010/09/27/technology/27virus.html):


"Proliferation is a real problem, and no country is prepared to deal with it," said Melissa Hathaway, a former United States national cybersecurity coordinator. The widespread availability of the attack techniques revealed by the software has set off alarms among industrial control specialists, she said: "All of these guys are scared to death. We have about 90 days to fix this before some hacker begins using it."


So the problem is not Stuxnet itself, which has done its job in Iran, but the fact that the code is out there for other hackers* to copy and play with and use for "fun and profit", as they call it :)

(*I was gonna write "scriptkiddies" at first, but that's not fair, they're going to copy the technique and parts of the code, but it won't be point-and-click--not for a few years at least :lol: )

Cramulus

It looks like you want to sabotage a power plant. Would you like to watch the movie Wargames?