Stuxnet Infects 30,000 Industrial Computers In Iran
eldavojohn writes "The BBC and AFP are releasing more juicy details about the now infamous Stuxnet worm that Iranian officials have confirmed infected 30,000 industrial computers inside Iran following those exact fears. The targeted systems that the worm is designed to infect are Siemens SCADA systems. Talking heads are speculating that the worm is too complex for an individual or group, causing blame to be placed on Israel or even the United States — although the US official claims they do not know the origin of the virus. Iran claims it did not infect or place any risk to the new nuclear reactor in Bushehr, which experts are suspecting was the ultimate target of the worm."
I think Siemens' comment is funny (Score:5, Interesting)
"Siemens has advised its customers not to change the default passwords"
http://news.cnet.com/8301-1009_3-20011095-83.html
great....good security there
this is it (Score:5, Interesting)
Not so bad of a result (Score:5, Interesting)
If Iran really is trying to develop a nuclear weapons ability, then they're heading for a nasty conflict one way or another.
If conflict is inevitable, then it's probably far better for their computers to catch a nasty flu than for people to die in a U.S./Israeli airstrike.
Interesting (highly speculative) link to Israel (Score:5, Interesting)
Re:Interesting (highly speculative) link to Israel (Score:5, Interesting)
from here [digitalbond.com]
Or, from the Guava wikipedia page [wikipedia.org], the fruit is part of the Myrtle family. Furthermore, From http://en.wikipedia.org/wiki/Myrtus#Uses_in_myth_and_ritual [wikipedia.org],
In Jewish liturgy, it is one of the four sacred plants of Sukkot, the Feast of Tabernacles representing the different types of personality making up the community - the myrtle having fragrance but not pleasant taste, represents those who have good deeds to their credit despite not having knowledge from Torah study. Three branches are held by the worshippers along with a citron, a palm leaf, and two willow branches. In Jewish mysticism, the myrtle represents the phallic, masculine force at work in the universe.
Re:strange conclusion. (Score:5, Interesting)
Really? How big do you think the team that created Stuxnet is then? Or do you really think that one guy found 4 new zero days, wrote a P2P control mechanism, a custom kernel mode rootkit, a bunch of PLC code in an obscure form of assembly language and a shim DLL to hide the PLC infection from the operator?
The Stuxnet team is the closest thing to the Hollywood stereotype of a small team of omnipotent superhacker gods the world has seen.
Re:Not so bad of a result (Score:5, Interesting)
There was a little revolution between then and now: the CIA-created Shah regime signed that treaty. And, of course, parties are free to leave the NNPT whenever they like: that's how treaties work.
Iran is one of the best examples of "blowback" out there.
Re:Leaps of logic (Score:5, Interesting)
Bored engineers came up with 4 zero-day exploits and two stolen keys to sign Realtek and JMicron drivers? Whoever did this had some serious black-hat resources at his disposal. Most likely a nation state, as an individual or group would be able to sell these exploits for a tidy sum.
It's also important to realize that revealing these exploits and compromised keys to the public is a huge opportunity cost. Someone decided that attacking Iran was worth it. That seems like a decision a government would make.
Re:I don't even see how (Score:3, Interesting)
Re:Not so bad of a result (Score:2, Interesting)
Re:strange conclusion. (Score:5, Interesting)
So we're arguing about the definition whether the team was "small" or "large" then :-) Given that Stuxnet is around half a megabyte in size, I'd guess the code itself was written by a team of around 5 people, probably with each person owning an area of functionality. Say another 5 for project infrastructure, e.g., building testing environments, finding the zero days and doing whatever was required to steal the digital certs.
I'm sure there is a fairly large supporting cast for this "Myrtus/Guava" project, but I'd wager a crisp benjamin the bulk of the work was done by less than 10 people. Now whether this sort of effort is "small" or "large" is a matter of perspective - for a state sponsored military project it'd be very small, for a computer virus project it'd be pretty large.
By the way, if the authors of Stuxnet are reading this - nice work, but I seriously hope you know what the hell you are doing. Remotely sabotaging industrial facilities in a part of the world that's on a political knife edge can go wrong in so many ways I don't even want to think about it.
Re:strange conclusion. (Score:5, Interesting)
There are some strange things that the state-sponsor theory of Stuxnet is at a loss to explain.
The first of these is the P2P update cycle of the worm. One important element of this is that to update it one has to re-seed the network with a new version. However anybody with appropriate skills can do this, so the worm could be easily retooled to strike back at the creator. The idea that a nation would be incompetent enough to allow such a weapon as this to be redirected back at their critical infrastructure doesn't sit well with me.
The second major problem has to do with the fact that the virus tends to be digitally signed via stolen private keys of reputable companies from around the globe, many of which have no presence in the Middle East. Theft of these private keys is suggestive of a long-term effort probably involving past viruses and trojans.
Also while Iran is a major hotspot of infections they aren't the only ones. Indonesia is a close second.
These things are easy to explain from a perspective that assumes a criminal syndicate but hard to explain from the perspective of a theory of state sponsorship.
Stuxnet is groundbreaking in a large number of ways. It's also an interesting question as to whether the malfunctions in the SCADA systems expected under Stuxnet could be similar to those experienced by Deepwater Horizon before the tragic explosion. While it might not be Stuxnet in that case, it raises important questions about possible consequences of such a virus. These consequences are significantly more severe for a state sponsor than for a criminal one.
Re:Bushehr as target (Score:5, Interesting)
Re:and why would that be a problem, exactly? (Score:4, Interesting)
The problem is that as far as I know, international law doesn't know how to deal with national cyber-attacks. Are they the equivalent of a physical attack? If they do large scale financial damage (loss of services)? If they do large scale physical damage (destroy a factory or power plant), if they kill a few people (factory accident), kill a lot of people (chemical plant explodes)?
If a cyber-attack on financial institutions costs billions of dollars is that an act of war?
If a cyber-attack from country A caused a Bhopal-like disaster in country B, is country B justified in launching a physical attack on population centers of country A?
Words are one thing - attacks (physical or cyber) that cause damage are another.
Re:and why would that be a problem, exactly? (Score:4, Interesting)
No you don't. Show me a quote from an Iranian leader currently in power who said "We will hit Israel with a nuke." US Republicans and Israeli Likudniks have said to nuke Iran, but do you have a statement showing the reverse?
Iranians do see Israel and the US as enemies, since the US overthrew the democratic government of Iran in the 1950s, and tried to do it again after 1979. The amount of warmongering from Bush and Rumsfeld in both statements and actions (bombing the Iranian embassy in an airstrike) only put them further on edge.
Your claim that their nuclear program can ONLY be for weapons and not energy is a silly claim, and you make it without proof. The IAEA and academics disagree with you.
Re:strange conclusion. (Score:5, Interesting)
Well. Let's ignore the problem of motive for now (there are far easier ways for criminals to turn a profit than this) - one has to wonder why Stuxnet is written as a traditional self-propagating virus.
Apparently it has some kind of self-kill logic which tries to ensure it doesn't spread after three "hops", which suggests whoever wrote it didn't want it to become a totally uncontrolled worldwide infection.
Presumably whoever wrote this knew they wouldn't be able to obtain actual physical access to the facility they wanted to damage, nor would they be able to insert an undercover agent, nor would they be able to compromise an existing employee. If you wanted to attack a high security facility and your intelligence agency wasn't able to penetrate it using more traditional techniques, creating a virus that spreads indiscriminately and hoping you get lucky seems like a pretty reasonable strategy.
The truth may be somewhere in the middle. The top candidates are the US and Israel based on "who dislikes Iran the most". Israeli intelligence has proven several times before they apparently don't care about being detected or involving other nations as collateral damage, see the recent UK passport forging that was a part of an assassination. A guy who used to be a director of anti-proliferation strategy for the US government has remarked that the style doesn't seem like a US operation given how much noise the approach would inevitably create, and the tremendous impact outside of the intended target.
Now obviously he is biased, but I'd tend to agree with him. It seems kind of unlikely the US would do something so dramatically non-covert. The way Stuxnet works practically guaranteed it would eventually be detected and subjected to intense scrutiny. The fact that there are so many clues and possible evidence trails lying around also suggests that whoever did it wasn't too concerned with being caught, e.g., it's possible the stolen digital certs or the C&C servers will provide a trail that can be investigated.
So out of "countries that hate Iran" which of those is most likely to perform an operation that is very likely to be detected and very likely to piss off a large number of random other nations or organizations? If I had to pick an intelligence agency in the world that most resembled a criminal syndicate, the Mossad would be pretty high up the list. Speculation is fun isn't it.
Re:Bushehr as target (Score:3, Interesting)
The fun part about the picture is the popup "Your software license has expired". A commenter on the blog noted that use of non-licensed software was common before the system was completed and turned over to the customer. Maybe we should alert the Iranian version of the Business Software Alliance [bsa.org] and arrange for an 'inspection'.
Re:this is it (Score:3, Interesting)
Re:Must be reading that line wrong (Score:3, Interesting)
Don't rule out either China or Russia. Yes, they 'support' Iran in some limited sense but they both have their own (differing) views of how things should play out. Neither might be terribly interested in a nuclear armed Iran. Of course, the Russians would be playing a very fine line both building and destroying the plant - however, there may well be many forces at work in both countries that are at odds with other groups inside their own country.
It's not like the US isn't both simultaneously supporting and seeking to destabilize the same regime in Afghanistan (Karzai's fruit loop of a family).
Re:strange conclusion. (Score:3, Interesting)
We can't know for sure, can we. But we might as well apply Occam's Razor. Indonesia doesn't have any enemies that are both technically sophisticated and extremely aggressive. Nor does it have any industrial facilities of obviously high value. Iran has all these things.
It's a good question how so much Stuxnet ended up in Indonesia, but I suspect it's simply bad luck. If the initial infection vector was some kind of industrial contractor, it's easy to imagine that "hop zero" copies of the virus occurred in whatever countries that contractor happened to work in. The virus tries to limit its own propagation but its C&C system is really weak - only two nodes both of which are now offline. Most modern malware has much stronger C&C infrastructure than that. It can do P2P updates as well but that's got to be a slow and flaky way to update the virus. So it appears that the virus was created for a specific task and what happened after that wasn't a big concern.
it was targeting the enrichment centrifuges (Score:4, Interesting)
just read
http://frank.geekheim.de/?p=1189 [geekheim.de]
Re:strange conclusion. (Score:3, Interesting)
Do you have a cite for this? Also is it still this way (given the P2P component discussed in a paper on that subject by Symantec)?
Yet Indonesia has a very large number of infections too. Why are you so focused on Iran? It's not like the virus isn't prevalent in other countries as well. It's also hit India a lot harder than Pakistan.
The fact is we could build conspiracy theories out of this any number of ways. However, the fact is that the virus is programmed to REPLACE ITSELF [symantec.com] with a new executable if it finds a newer version. Given the fact that Pakistan has not been hit much but India and Iran both have, we might suggest Pakistan as the sponsor. However, I'm still assuming Russian cyber-criminals are behind this.
Re:strange conclusion. (Score:3, Interesting)
Re:Leaps of logic (Score:5, Interesting)
That's like saying the skills "sweating copper pipe" and "hydraulic engineering" don't overlap a lot. It's true, but if you can do the latter, you're probably smart enough to figure out the former. And please, don't tell me how hard SCADA is... I've done it (as well as much harder things, e.g. kernel work, VHDL, and analog circuit design), and it's all gluing together simple logic blocks and control busses. The equipment may be specialized, but that only makes it an obscure skill set, not an advanced one.
I don't necessarily disagree with your conclusion though. The aspect of actually making this an _effective_ attack would call for some specific knowledge of how the plant operates. That is of far more interest to me than the technical skills needed to code it. I'm not convinced that this really was an _effective_ hack, in terms of intelligence gained, operations halted for a long time, etc - but who knows the exact objective.
Re:Leaps of logic (Score:4, Interesting)
The most telling detail for me is that everyone involved or potentially involved is issuing denials at multiple levels.
My guess -- and it's only a guess -- is that the Germans created it, hoping to throw a spanner into the works at the Iranian reactor because someone in their intelligence community got wind of Russian (and not only Russian-made) SAMs being moved into position to protect their investment, and while no one could predict the exact outcome of an unexpected direct US-Russian clash, the Germans were pretty certain it wouldn't do them any good. (The reason for this guess -- and I emphasize guess -- is the recent change in message from one of the Russian number stations, recently noted here on Slashdot.)
Re:strange conclusion. (Score:5, Interesting)
You just need to get the Hollywood fabricated ideas about small teams of omnipotent superhacker "gods" out of your mind, because they don't exist.
Not quite in the Hollywood image they don't, no. But assuming that such hacking is beyond the efforts of one or two highly intelligent, knowledgeable and motivated individuals is a big mistake. You just need someone with an IQ in the 150 range who reads manuals and code for fun and thinks so far outside the box he can barely see it from there.
(Some 35 years ago I routinely pwned the campus mainframe, a Burroughs B6700, through a combination of inspired guesswork (giving me access to allocated but unused accounts), dumpster diving (hey, a listing of the OS, that looks interesting. Gee, what's this string "&:*" being passed to a call that expects the [root-equivalent] password?), social engineering (me at a Burroughs sales office: "I'm a student at X, can I get some B6700 manuals?" They: "We don't have any for sale here, but [checks in back] here are some old ones I'll just give you." Systems programmer back at X: "How'd you get those? We can't even get those!") and plain outside the box thinking (Sys programmer: "but you can't edit a Burroughs backup tape!" Me: "not on the Burroughs, no. But on the IBM 360/50..." He: "Oh, shit." Being able to edit a Burroughs backup tape let you (or me) get around the fact that only a program tagged as a compiler could tag a binary file as executable, and only an operator console command could tag a program as a compiler. But if you could create your own arbitrary executable binaries, you had access to all kinds of system calls normally reserved to the OS.) Of course those were more naive, innocent times, pre Morris worm, and terms like "dumpster diving" and "social engineering" hadn't been coined yet. It's a little harder these days (back then I was barely even trying), but there are better tools available, so don't fool yourself. Script kiddies are one thing -- it's the folks inventing those scripts, or rather, the ones who invent scripts the kiddies never see, that you need to worry about.)
Re:strange conclusion. (Score:3, Interesting)
That's true but sort of the converse of what I was trying to say. Sorry for the confusion. I agree that a government could do this, but I don't see how it's necessarily too complicated for a group of skilled and motivated activists.
What I meant was, hacking doesn't take particle accelerators or other expensive components. Even if you had the information from the Manhattan Project, you'd need roomfuls of specialized and dangerous equipment and materials and a large, diversely trained staff.
All you need for something like Stuxnet is a smaller group of the "right" people and the right information, and maybe a hatful of money for PCs and some specialized hardware. I mean, I personally know people who do static analysis of computer viruses for fun. This doesn't make them virus writers - it makes them better than virus writers, if given enough time to adapt their reverse-engineering skills to reverse-reverse-engineering. Put them in a room with one or two hardware and microcode engineers with knowledge of the target Siemens chip, and I don't see how this project would not basically write itself in a month or so. What am I missing here?
It doesn't require state or massive corporate investment, so I don't see the basis for ruling out the hypothesis of a group of hacker/security activists.
Re:"Bushehr" named in reference to the Bush era? (Score:3, Interesting)
My Dad went to Andover with him and listened to the "stick ball" speech; later he majored in history at Harvard, got a law degree from Columbia and a JD, so I think he is entitled to his opinion, both personal and historical, on Bush. He says "Bush was the worst president since Harding" and "...did 100 years of damage to the US economy."
My opinion is that Bush was a kakistocracy (government by the least qualified or most unprincipled citizens) created by the dominionists to defame the federal government and encourage ass-clowns like the tea bag express. I think Bush was not only the worst president in living memory but, more importantly, he was a "domestic enemy" of the constitution who signed a law that directly attacked the 4th amendment. Harding merely allowed the secessionist southern senators to allocate money to the south after secession, a crime of inaction rather than a premeditated attack on the Constitution.
Carter, are you kidding? Not great, or even good but he didn't cause the energy crisis, he didn't cause the helicopters to flip on the way to Tehran, he sure as hell didn't negotiate, then delay the release of the hostages in an arms deal with our enemies like the Reaganites. He didn't buy into the John and Allan Dulles model of political change through CIA sponsored overthrows of democratically elected governments in Iran. Did you know that buying "Firewall: The Iran-Contra Conspiracy and Cover-up" by the Iran Contra prosecutor Lawrence Walsh used to get you on the federal watch list? I wonder why?
I am pretty sure you are repeating other people's opinions without critical thought with a flippant nod to conservatives, so I'll forgive you, but only barely.
Re:I think Siemens' comment is funny (Score:3, Interesting)