
Stuxnet Worm May Have Targeted Iranian Reactor

Posted by CmdrTaco
from the stux-on-this dept.
yuna49 writes "Analysis of the Stuxnet worm suggests its target might have been Iran's nuclear program. "Last week Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the Stuxnet worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran's Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm's attack. Experts had first thought that Stuxnet was written to steal industrial secrets, but Langner found something quite different. The worm actually looks for very specific Siemens settings — a kind of fingerprint that tells it that it has been installed on a very specific Programmable Logic Controller (PLC) device — and then it injects its own code into that system."

  • by wandazulu (265281) on Tuesday September 21, 2010 @01:09PM (#33652410)

    Sounds eerily similar to the Siberian Pipeline explosion [wikipedia.org] but, had it actually worked, the consequences could have been much much worse.

    • by Wyatt Earp (1029) on Tuesday September 21, 2010 @01:12PM (#33652466)

      Nope, Israel.

      The Saudis, UAE or Qatar have strong interests in Iran not going nuclear, but military computer science stuff is going to be Israel, Russia, China or the US, my money is on Israel in this one.

      • by erroneus (253617) on Tuesday September 21, 2010 @01:37PM (#33652834) Homepage

        Definitely. Using more conventional power generation technologies, they are a target for aerial bombing. If a nuclear power plant were to be bombed, any sort of disaster might occur making the bomber look extremely evil. (The only way they could hope to get away with it is to make the bombing look as if it came from Iran itself.) In any case, enemies would be less inclined to attack a nuclear power plant as opposed to conventional ones.

        As to who is responsible for the targeted malware? I can't imagine.

        • Re: (Score:3, Insightful)

          Unless the plant design is some ghastly soviet relic(and possibly even then) it should be possible to force a shutdown without actually breaching the fuel containment or causing any appreciable contamination of the environment.

          Cooling systems, for instance, tend to be big, and more or less have to be either aboveground(for massive air exchange) or next to a nice cool body of water. And, since they are cooling systems, hiding their IR output is going to be a trick. If you lose your cooling system, you hav
      • by cayenne8 (626475)
        Hey, no matter who did it...all I can say is "cool"!!

        Nice to see a virus at least aimed at some bad guys for a change.

    • by Anonymous Coward on Tuesday September 21, 2010 @01:13PM (#33652480)

      CIA?

      Researchers studying the worm all agree that Stuxnet was built by a very sophisticated and capable attacker

      doubtful.

    • by camperslo (704715)

      The timing of the natural gas line related explosion in northern California had me wondering if excessive pressure could have triggered it. Very disturbing stuff...

  • by Anonymous Coward on Tuesday September 21, 2010 @01:10PM (#33652428)

    There's one non-secular country in the world that is famous for its disregard for anyone but itself and its fundamentalist religious belief in their own specialness in the eyes of their own god, which they believe justifies their evil actions.

    The truth is some evil people will do anything for wealth and power.

    • by ByOhTek (1181381)

      Just one?

      What the hell planet do you live on, and how do I get there?

    • Re: (Score:3, Insightful)

      by amicusNYCL (1538833)

      There's one non-secular country in the world that is famous for its disregard for anyone but itself and its fundamentalist religious belief in their own specialness in the eyes of their own god, which they believe justifies their evil actions.

      Fundamentalist Muslims are not limited to one country.

      Intolerance isn't exactly limited to borders drawn on a map...

      • by bmo (77928)

        Intolerance isn't exactly limited to borders drawn on a map..

        No kidding. Intolerance happens to go on the Sunday Morning political shows and compare Muslims with Nazis.

        --
        BMO

  • Smooth (Score:3, Funny)

    by Platinum Dragon (34829) on Tuesday September 21, 2010 @01:10PM (#33652432) Journal

    Brilliant - let's get one up on the Iranians by messing with their nuclear reactor controls! What could possibly go wrong?

    If true, this is reckless endangerment, and the people involved - government-backed or lone wolves - should be prosecuted. Just because the Iranian government is full of militaristic and theocratic jerks does not give anyone the right to endanger the lives of any old (or young) person living or working in and around that facility. Indeed, it's the kind of stunt that can only push their ruling class farther into paranoia and fear, the kind that leads to... nuclear weapons development.

    • Re:Smooth (Score:4, Informative)

      by Tragek (772040) on Tuesday September 21, 2010 @01:22PM (#33652616) Journal

      Hence why no one knows where it came from.

      • Hence why someone should investigate.

        • by X0563511 (793323)

          ... and you honestly think that isn't already happening?

          I'm going to jump in with the "smarter people than us are already working on it" crowd that usually heckles armchair-$JOBs in scientific articles.

    • by cjb658 (1235986)

      So, I'm wondering, why is the computer that controls a nuclear reactor hooked up to the internet?

      That's just asking for trouble.

      • by Nadaka (224565)

        the stuxnet worm is a usb infecting worm...

        • Re: (Score:3, Interesting)

          by GameboyRMH (1153867)

          Which makes sense. If those guys aren't total retards, the control PC is airgapped from the Internet, it might be on a secure LAN (as secure as they can be with Windows machines on them) but most likely airgapped. So your most probable method of infection is via flash drives.

          Now the nuclear facility is going to have guards so you release it somewhere that it will get on an engineer's PC - on their home file server from the sidewalk, send them an email to a site that will do a drive-by download, or ideally y

    • Re:Smooth (Score:5, Insightful)

      by interkin3tic (1469267) on Tuesday September 21, 2010 @02:10PM (#33653346)

      Brilliant - let's get one up on the Iranians by messing with their nuclear reactor controls! What could possibly go wrong?

      Maybe less than would go wrong if Iran got the bomb?

      I don't know how likely that is, but I'm guessing whoever did this probably has a different calculus than I do for weighing the two, like (Iranian civilian deaths)= 0.1(own civilian deaths). So from their perspective, probably not much could go wrong.

  • by Sonny Yatsen (603655) * on Tuesday September 21, 2010 @01:10PM (#33652434) Journal

    And Iran is probably going to blame Israel and then the shit hits the fan and it's WWIII. And we're all dead. Seriously, this is the kind of stuff that gives me ulcers.

    • Re:World War III (Score:5, Informative)

      by ultramk (470198) <ultramk&pacbell,net> on Tuesday September 21, 2010 @01:24PM (#33652650)

      Iran already blames Israel, for pretty much everything including why the crops fail. I mean, christ, they made the 100th anniversary of the original publishing of "the protocols of the elders of zion" (you know, the anti-semitic forged pamphlet) into a national holiday. It's not like things could get any worse.

      The only reason that Iran doesn't attack Israel is because they know that Israel has nukes, and the will to use them with very little provocation. Even for those countries who would likely come down on Iran's side in any conflict, how many of them have any military to speak of? How many have nukes? Even one?

      Really, it's in Israel's best interest that Iran starts hostilities and the sooner the better, before Iran gets nukes. In many ways it would actually stabilize the region to have Iran beat down somewhat--you know, at least from Israel's perspective.

      Also, you should know by now that ulcers come from infection, not stress. Seriously, there was a Nobel Prize and everything.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Infection is not the only cause of peptic ulcers. Nonsteroidal anti-inflammatory drugs, for instance, are just one example. Further, stress may not directly cause ulcers, but has been found to exacerbate existing conditions that lead to peptic ulcers.

      • Re:World War III (Score:4, Interesting)

        by Anonymous Coward on Tuesday September 21, 2010 @01:44PM (#33652928)

        Iran wants to provoke a conflict with Israel. It doesn't want to start one. There is apparently an Islamic sect that believes in their version of Rapture and they believe it will be triggered by Israel's attack on Iran. Iran cannot be the aggressor here - that's the belief at least. Iran will then be saved by the 12th Imam. And that's the Islamic version of Rapture.

        "Our revolution's main mission is to pave the way for the reappearance of the 12th Imam, the Mahdi," Ahmadinejad said in the speech to Friday Prayers leaders from across the country.
              http://analysis.threatswatch.org/2005/11/understanding-ahmadinejad/

        There are a number of crazy sites that "predict" stuff about him,
              http://www.satansrapture.com/hitler2.htm

        "Bush said: 'God said to me, attack Afghanistan and attack Iraq.' The mentality of Mr. Bush and Mr. Ahmadinejad is the same here - both think God tells them what to do," says Mr. Mohebian, noting that end-of-time beliefs have similar roots in Christian and Muslim theology."
            http://www.csmonitor.com/2005/1221/p01s04-wome.html

        Really, it's in Israel's best interest that Iran starts hostilities and the sooner the better, before Iran gets nukes.

        Iran will not start hostilities :)

        • There is apparently an Islamic sect that believes in their version of Rapture and they believe it will be triggered by Israel's attack on Iran. Iran cannot be the aggressor here - that's the belief at least. Iran will then be saved by the 12th Imam. And that's the Islamic version of Rapture.

          So religion is going to keep a country from going to war? That's awfully optimistic. With the right spin, rationalization, and perspective, Iran could do anything and still not be "the aggressor".

          "Countrymen, believe me, nuking Israel, Iraq, all of Europe, the US, Canada, Japan, China, Russia, South AND north Korea, Australia, and Israel again was the LAST thing I wanted to do, but I had no choice. You see, God told me to. He said they had ALL already launched nukes at US but these were really slow nuke

      • by elrous0 (869638) *
        Yeah, but you're forgetting Saudi Arabia in your equation. They most definitely DO NOT want such a conflict. And their oil gives them even more say than the Israelis and their money/lobby. No way does the U.S. want Israel provoking a conflict. And Israel needs the U.S. (who do you think gave them the nukes, guns, and fighter jets to begin with).
      • Re: (Score:3, Insightful)

        by mr100percent (57156)

        In many ways it would actually stabilize the region to have Iran beat down somewhat--you know, at least from Israel's perspective.

        That was the thinking by the Neocons and the far right in Israel when the choice was made to attack Iraq, but it wound up backfiring. Israel felt and probably is much less safe now, since it galvanized the Arab world to cooperate with Israel even less and support "resistance" groups like Hamas even more (Iraqi politicians like Muqtada Al-Sadr are now supporting them), and swung Iranian public opinion toward throwing out the moderate Khatami and voting for Ahmadinejad (the first time at least), and the expa

      • Iran already blames Israel, for pretty much everything including why the crops fail.

        Brawndo has what plants crave. It's got electrolytes.

      • Re:World War III (Score:4, Insightful)

        by alexo (9335) on Tuesday September 21, 2010 @02:42PM (#33653754) Journal

        The only reason that Iran doesn't attack Israel is because they know that Israel has nukes, and the will to use them with very little provocation.

        Assuming that the Wikipedia article is correct, Israel has had nuclear capabilities (~20 bombs) during the '73 war and did not use it, even though the Arab military success at the beginning of the war was definitely more than "very little provocation".

    • I'm hoping the Mutually Assured Destruction clause they taught me throughout social studies holds true in this day and age as it has throughout the past decades.

      Worst case scenario though, recent video games and pop culture have taught me how to handle a post apocalyptic world. I mean, if I survive the blasts, I'm sure Book of Eli, The Road, and Fallout 3 have shown me that I can live with radiation.

    • by X0563511 (793323)

      It's only a world war if the world gets involved.

      If everyone stands back and lets the middle-east glass itself, that's not a world war.

      Not saying it wouldn't be a catastrophe, but just sayin' it wouldn't be WWIII.

      Unless someone decides to nuke a superpower for some (retarded) reason in the fray.

  • Oh Noes! (Score:3, Funny)

    by ByOhTek (1181381) on Tuesday September 21, 2010 @01:11PM (#33652448) Journal

    The worms in the reactor will eat the fuel rods, become radioactive, mutate, and destroy/dominate the world!

    * Preemptive defense against the person who will take this post seriously: I realize most mutations have no significant effect, most of the remainder are harmful, and the chances of a slightly beneficial mutation, let alone a highly beneficial mutation is highly negligible. This post is for humor sake only.

    • Re: (Score:2, Funny)

      by tacarat (696339)
      That's not entirely true. Scientists have found that most creatures with radioactivity induced mutations take on an applewood bacon smoked flavor. The intensity of the flavor peaks when they start glowing, though.
  • by Rashkae (59673) on Tuesday September 21, 2010 @01:13PM (#33652490) Homepage

    Looks like national cyber security is about to get a much higher priority than copyright protection.

  • by IonOtter (629215) on Tuesday September 21, 2010 @01:15PM (#33652512) Homepage

    Why in the Hell is Iran connecting their nuclear reactor to the Internet???

    Either Iran is unbelievably stupid, or they've got some blindingly incompetent IT people working at that plant. And considering the international attention that plant is getting, you'd imagine that any incompetent operators would have been sent into the desert to look for minefields while wearing clown shoes long ago.

    • by makomk (752139) on Tuesday September 21, 2010 @01:21PM (#33652602) Journal

      Which is why this malware has multiple infection routes, including USB sticks.

      • by Caerdwyn (829058) on Tuesday September 21, 2010 @01:44PM (#33652916) Journal

        One of the most effective ways to penetrate a company is to drop a couple of USB sticks in their parking lot with some "special" autoinstalled software. Someone sees it, picks it up, takes it inside and plugs it in to see what's on it. A few boring things, maybe a naked picture of someone, and a rootkit.

        I've worked for a couple of companies which have had security audits performed on them that included hiring outside firms to do "social engineering" penetration tests to see how good the employees are about that sort of thing. It's strange... someone who won't be fooled by "we're from IT and need your password" sweet-talk and who would never open an attachment to an email will happily stuff a flash drive into their computer. The penetration testing firms tell me they almost always get a hit with the USB drive trick. (And, for the record, one of my companies passed the test, 100%. Woot! Let's not talk about the other, though...)

        So yeah, physical devices > air-gap.

        • Where are all the posts, after parent, reminding us that the USB memory stick trick doesn't work on Linux? (or Apple)?

          * Regarding title: real /.ers generally have more substantive things to say.
          • by HiThere (15173) <charleshixsn@@@earthlink...net> on Tuesday September 21, 2010 @03:05PM (#33654050)

            That's because it does. You just need to be a *little* slyer. (Not much.)

            This is one point where it really does matter what the target OS is. If your USB is vfat, then you can't have allow execute set to true. But if you use a properly targeted file system (say ext3), then you can set execution permissions. Or even just make it a tar.gz file, and when it's expanded, it ends up with execute permissions set. So you open a jpeg, and actually execute a script that opens the jpeg while executing something else in the background.

            (Allowing tar files to set the execute permission is a big weakness...and a vast convenience. But that should require running a separate script or chmod with root permissions.)
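
Added example (not part of the original thread or any commenter's post): the comment above notes that a tar archive restores execute permissions on extraction, so a file named like an image can land on disk as a runnable script. This Python sketch audits an archive for such members and extracts with the permission bits reset; the sample archive, file names and function names are constructed for illustration.

```python
import io
import os
import shutil
import stat
import tarfile
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def build_sample_archive():
    """Constructed sample: a tar.gz whose 'photo.jpg' is really a 0755 shell script."""
    members = [
        ("holiday/photo.jpg", 0o755, b"#!/bin/sh\necho constructed sample\n"),
        ("holiday/readme.txt", 0o644, b"plain text\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in members:
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit(archive):
    """Return {member name: [reasons]} for regular files worth a second look."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            reasons = []
            if member.mode & EXEC_BITS:
                reasons.append("execute bit set (mode %04o)" % (member.mode & 0o7777))
            if member.mode & SPECIAL_BITS:
                reasons.append("setuid/setgid/sticky bit set")
            # Compare the first bytes with what the file name claims to be.
            head = tar.extractfile(member).read(4)
            if head[:2] == b"#!" or head == b"\x7fELF":
                reasons.append("content starts with a script or ELF header")
            if reasons:
                findings[member.name] = reasons
    return findings


def extract_without_exec(archive, dest):
    """Write regular files only, inside dest, with mode 0644 regardless of the archive."""
    dest_root = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # links and device nodes are skipped; directories are created on demand
            target = os.path.realpath(os.path.join(dest_root, member.name))
            if os.path.commonpath([dest_root, target]) != dest_root:
                continue  # refuse member names that resolve outside dest
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                shutil.copyfileobj(tar.extractfile(member), out)
            os.chmod(target, 0o644)  # drop execute and special bits
            written.append(target)
    return written


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, reasons in audit(sample).items():
        print(name, "->", "; ".join(reasons))
    with tempfile.TemporaryDirectory() as tmp:
        for path in extract_without_exec(sample, tmp):
            print(oct(os.stat(path).st_mode & 0o7777), os.path.relpath(path, tmp))
```

Mounting removable media with `noexec` gives the same protection at the filesystem level for files run directly from the stick.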

    • Re: (Score:2, Informative)

      by daremonai (859175)
      They're not connecting it to the Internet, so far as I know. The speculation in the article is that the Russian contractor building the facility brought in infected PCs for the control system. Coincidentally(?), the contractor (AtomStroyExport) had its own website hacked recently.
    • by OzPeter (195038)

      Why in the Hell is Iran connecting their nuclear reactor to the Internet???

      Where have you been hiding out? There has been uproar in the US over recent months with public awareness of how much of the US infrastructure is connected to the internet. This is not anything new.

  • Taking the tin foil hat off, it almost sounds like a "Siemens Patch" for the PLC device - then that got me thinking, wouldn't this be an interesting way to patch other (zero day) vulnerabilities in MSFT, Adobe Reader, and other products? Maybe that would only help for Joe Public who is not patching their software anyway...
  • ...why ANY nuclear reactor or power plant needs to be directly connected to a computer network. I can see it having say a USB port for upgrades of controller firmware but a network connection? Nope.

    And even with a USB connection have a failsafe ROM backup so if it starts acting strange after the update then smack the "Default" button to bring it back under control.
    • by chill (34294)

      The reactor and/or plant is part of a network itself. I doubt it is directly connected to any external network, like the Internet. It might be part of a separate, secure network that monitors multiple plants remotely.

      Most likely the infection was brought in manually.

    • Re: (Score:3, Interesting)

      by amicusNYCL (1538833)

      I'm still having a problem with......why ANY nuclear reactor or power plant needs to be directly connected to a computer network. I can see it having say a USB port for upgrades of controller firmware but a network connection? Nope.

      So you're saying that you can't see any use for having the two reactors on site both connected to the same control room? I mean, why the hell would people in one central location want to monitor both reactors at once, in real time, right? That's crazy!

      What do you think, that when someone needs to shut down or modify the parameters of a reactor or centrifuge that they actually walk up to the component and hit a button on it? What if they need to start 100 centrifuges at the same time, do they have 100 tec

      • I'm still having a problem with......why ANY nuclear reactor or power plant needs to be directly connected to a computer network. I can see it having say a USB port for upgrades of controller firmware but a network connection? Nope.

        So you're saying that you can't see any use for having the two reactors on site both connected to the same control room? I mean, why the hell would people in one central location want to monitor both reactors at once, in real time, right? That's crazy!

        What do you think, that when someone needs to shut down or modify the parameters of a reactor or centrifuge that they actually walk up to the component and hit a button on it? What if they need to start 100 centrifuges at the same time, do they have 100 technicians standing there all on a giant conference call waiting for the "go" signal? If they want to check the current core temps or fuel levels, what do they do, call each one and ask them what the gauge says? What the hell do you think all of this equipment is for:

        http://www.upi.com/News_Photos/Features/The-Nuclear-Issue-in-Iran/1581/19/ [upi.com]

        What I'm saying is that there should be no "write access" from an outside network.

        In fact I'll even go one further. Any computer system that is connected to the control circuitry of the reactor should have no connection whatsoever to ANY standard network. It should be isolated from both the internal desktops AND the outside. AND you shouldn't be able to put in any device like a USB drive or floppy without the reactor being shut down.

        In the case of a central monitoring location install a second set of s

  • by superstick58 (809423) on Tuesday September 21, 2010 @01:21PM (#33652606)

    Ugh, what a terrible article. There's no firm conclusions at all, just mindless speculation. Here's some gems: "The only thing I can say is that it is something designed to go bang" and "'If I had to guess what it was, yes that's a logical target' he said, 'but that's just speculation'"

    This could be an interesting topic, but unfortunately, it is turned into a pointless article spewing wild guesses. And the findings are to be submitted in a closed door security meeting? WTF? I guess we'll never know.

    I have programmed many PLCs in my day, but unfortunately not Siemens. Does anyone have experience with Siemens that can comment on the mysterious operational block 35?

    • by shadowrat (1069614) on Tuesday September 21, 2010 @01:35PM (#33652814)
      I have analyzed Windows running on an isolated machine. While its seemingly random crashes seem harmless enough, if this were to happen on the right system under the right circumstances, the results could be devastating! My conclusion is Windows was engineered to be installed at NORAD and thwart a nuclear counterstrike by presenting inaccurate progress bars representing the ETA of incoming Soviet warheads.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      OB35 is an interrupt function which is periodically called by a timer, generally every 100ms.
      If you were to inject malicious code into OB35, it would be periodically executed, assuming that OB35 was loaded onto the controller in the first place.
      No idea what this code might be expected to do. Crash the software running on the PLC maybe.

    • Re: (Score:3, Informative)

      by peacefinder (469349)

      The mere fact that it's speculative does not make it a terrible article.

      Considering the nature of the malware, the apparent difficulty of extracting information from it, and the sensitivity of the information already disclosed, I'd say it's a pretty fine write-up. It tells you what they know and can disclose, tells you there's more they can't disclose, and that there's still more that they know they don't know.

      I mean seriously, hooray for forthright honesty here. No one is pretending to certainty that they

    • This could be an interesting topic, but unfortunately, it is turned into a pointless article spewing wild guesses.

      yeah, the writer should have called up the Mossad, and asked to talk to the author so he could get some solid facts...

      Really, what do you expect from a story about what is obviously a covert operation?
  • The Taliban is responsible for this, and it is a threat to the infrastructure of the United States. We'd better send troops immediately.
  • Rrrriiight. (Score:5, Insightful)

    by bmo (77928) on Tuesday September 21, 2010 @01:32PM (#33652774)

    Siemens PLCs are everywhere. Same with GE and others. They run everything from nuke plants to little benchtop lathes and aerospace applications. How this person decided that it *had* to be the Iranian nuke plant baffles me.

    How does he know that it wasn't targeted at various military targets? Iranian medium and short range missile installations also come to mind. Does he *have* the Siemens PLC configuration from the nuke plant in his hot little hands? Or does he even have the model numbers?

    Reading TFA, no.

    Peterson believes that Bushehr was possibly the target. "If I had to guess what it was, yes that's a logical target," he said. "But that's just speculation."

    Well, there you go. Nothing to see here.

    That's not to say that actual cyber-warfare is not happening, but to come out with wild-ass speculation and present it as newsworthy reminds me of Fox "News" and the rest of the Murdoch "empire."

    --
    BMO

    • Re: (Score:3, Informative)

      by amicusNYCL (1538833)

      They run everything from nuke plants to little benchtop lathes and aerospace applications. How this person decided that it *had* to be the Iranian nuke plant baffles me.

      That's exactly what I first thought, that a country would use its resources (you RTFA'd, right?) to attack benchtop lathes around the world. It must be just a coincidence that the infection started in Iran and that 60% of infected computers are in Iran.

  • by swschrad (312009) on Tuesday September 21, 2010 @03:45PM (#33654586) Homepage Journal

    this was a high-level inside hack. somebody is going to go missing. where they came from or end up will tell you who really orchestrated this one.

    oh, and by the way, note that it was a broadcast inside hack, going all over Iran and elsewhere to get to the prize.

    tells you two things. one, Iran has the nuclear stuff very highly compartmented. the originators did not have access to ring 0 of the secret program despite presumably working for the contractor.

    two, there should not be any commodity stuff hanging on the side of any sensitive system. the worm got all over because there were Best Buy laptops running open market software.

  • by PPH (736903) on Tuesday September 21, 2010 @04:21PM (#33655144)

    The Bushehr reactor is operated under an international agreement, allowing Iran to operate it and generate power, but keeping the fuel under control of Russia. This was negotiated in order to allow Iran the capability to operate power generating facilities but keep the fuel cycle under control, avoiding diversion to weapons development.

    If anyone (outside of Iran) gets caught sabotaging the reactor, it supports Iran making the argument that outside powers (under control of the West and/or Israel) can't be trusted. It is in our best interests to see this plant succeed. It will support the idea Iran can deal successfully with the IAEA and others in the development of nuclear power facilities and medical uses.
