
Stuxnet Infects 30,000 Industrial Computers In Iran

Posted by timothy
from the we-all-run-from-i-ran dept.
eldavojohn writes "The BBC and AFP are releasing more juicy details about the now infamous Stuxnet worm that Iranian officials have confirmed infected 30,000 industrial computers inside Iran following those exact fears. The targeted systems that the worm is designed to infect are Siemens SCADA systems. Talking heads are speculating that the worm is too complex for an individual or group, causing blame to be placed on Israel or even the United States — although the US official claims they do not know the origin of the virus. Iran claims it did not infect or place any risk to the new nuclear reactor in Bushehr, which experts are suspecting was the ultimate target of the worm."
  • by Anonymous Coward on Sunday September 26, 2010 @12:56PM (#33704280)

    "Siemens has advised its customers not to change the default passwords"
    http://news.cnet.com/8301-1009_3-20011095-83.html
    great....good security there

    • Re: (Score:3, Interesting)

      by thegarbz (1787294)
      Frankly I'm surprised they give people the option. Lots of vendors have hard coded passwords in their software which are there for vendor only and don't even give you the option of changing them.
  • this is it (Score:5, Interesting)

    by bhcompy (1877290) on Sunday September 26, 2010 @12:57PM (#33704288)
    The future of diplomacy.
    • Re: (Score:3, Interesting)

      by buswolley (591500)
      I don't know if it is just coincidence, but this morning, my colleague arrived to use our university's Siemens MRI for research. Overheating, pump malfunction errors were popping up everywhere on the GUI like she's never seen before...probably coincidence.
  • I read somewhere that there are no Siemens systems in Bushehr, making that particular plant immune to this worm. Is that true?

    • by trapnest (1608791)
      Where could you possibly read something like that?
      • Where could you possibly read something like that?

        In the Bushehr Times, the leading state-run newspaper in Bushehr with a full want-ads section and comics as recent as 'The Far Side'. Good reading if you can stomach the heavy-handed use of commas and semicolons.

    • Re:Bushehr as target (Score:5, Informative)

      by Zocalo (252965) on Sunday September 26, 2010 @02:12PM (#33704748) Homepage
      There was a screenshot [upi.com] posted that was purported to be the Bushehr plant's control systems shortly after the claims that it was the target of Stuxnet first appeared. SIMATIC WinCC is Siemens' SCADA front-end tool for Windows clients, so either this image is of another nuclear plant or Bushehr does indeed use Siemens software.

      In any event, in the early analyses of Stuxnet, that the target was Bushehr was speculative based on:
      • The high number of infections in Iran
      • That the software was so complicated and targeted at very specific PLCs within a Siemens SCADA environment implying a particular installation was being targeted
      • That the second point above in turn implied that a nation state that had acquired inside knowledge about the target was behind the worm, although which one wasn't even speculated at
      • Bushehr was believed to have experienced some kind of technical issue within a suitable time frame

      Assuming the screenshot and target of Stuxnet are both Bushehr, then I don't actually know which is worse; that someone would trust apparently pirated software to run a nuclear plant, or that someone would deliberately try to disrupt the operations of one...

      • Re:Bushehr as target (Score:5, Interesting)

        by IamTheRealMike (537420) <mike@plan99.net> on Sunday September 26, 2010 @02:36PM (#33704880) Homepage
        Actually I prefer the theory that it went after the centrifuges at Natanz [geekheim.de].

        On July 17, 2009 WikiLeaks posted a cryptic notice:

        Two weeks ago, a source associated with Iran’s nuclear program confidentially told WikiLeaks of a serious, recent, nuclear accident at Natanz. Natanz is the primary location of Iran’s nuclear enrichment program. WikiLeaks had reason to believe the source was credible however contact with this source was lost. WikiLeaks would not normally mention such an incident without additional confirmation, however according to Iranian media and the BBC, today the head of Iran’s Atomic Energy Organization, Gholam Reza Aghazadeh, has resigned under mysterious circumstances. According to these reports, the resignation was tendered around 20 days ago.

        ... and from the same article ...

        A cross-check with the official Iran Students News Agency archives confirmed the resignation of the head of Iran’s Atomic Energy Organization.

        According to official IAEA data, the number of actually operating centrifuges in Natanz shrank substantially around the time of the accident WikiLeaks wrote about.

      • Re:Bushehr as target (Score:5, Informative)

        by fava (513118) on Sunday September 26, 2010 @02:37PM (#33704894)

        There is an analysis of the screenshot at http://www.hackerfactor.com/blog/index.php?/archives/396-No-Nukes.html [hackerfactor.com]

        The conclusion is that it is probably a screenshot of a waste water treatment plant, not a nuke facility.

        • Re: (Score:3, Interesting)

          by ColdWetDog (752185)
          Interestingly, the photographer (or at least someone logging in under his name) states that the photo is real. Hard to tell. It's in English, but that isn't all that surprising given that the contractor is Russian and the Iranians don't necessarily speak Russian - English would be the usual 'common' language. It does seem to be a water treatment process, but nuclear reactors located in the middle of nowhere might include such functions.

          The fun part about the picture is the popup "Your software license
      • Re: (Score:3, Informative)

        by thegarbz (1787294)

        Assuming the screenshot and target of Stuxnet are both Bushehr, then I don't actually know which is worse; that someone would trust apparently pirated software to run a nuclear plant, or that someone would deliberately try to disrupt the operations of one...

        As someone who is involved with these kinds of systems, there's no way you would pirate software like this. Typically you can't buy this gear in isolation without a complete support agreement which often includes a lot of software to go with it. Some vendors even give away the software for free knowing it'll only run on their hardware. This kind of licence key issue is more likely due to a cock-up during the commissioning stage. God knows I've seen plenty of those, or maybe just an IT issue. I wasn't able t

  • by DoofusOfDeath (636671) on Sunday September 26, 2010 @01:02PM (#33704314)

    If Iran really is trying to develop a nuclear weapons ability, then they're heading for a nasty conflict one way or another.

    If conflict is inevitable, then it's probably far better for their computers to catch a nasty flu, than for people to die in a U.S./Israeli airstrike.

    • by Dan667 (564390) on Sunday September 26, 2010 @01:19PM (#33704410)
      Interesting it is totally ok for Israel to have nukes. When is Israel going to have weapon inspectors and give them up? If there really was interest in getting this stopped that would be the first step.
      • by Ironsides (739422) on Sunday September 26, 2010 @01:37PM (#33704504) Homepage Journal

        When is Israel going to have weapon inspectors and give them up?

        When Israel signs the Nuclear Non-Proliferation Treaty.

        • Re: (Score:2, Insightful)

          by Beelzebud (1361137)
          I love the double standard! So, if that's the case, then people should STFU about Iran building anything, considering they haven't signed that treaty either...
          • by Ironsides (739422) on Sunday September 26, 2010 @01:47PM (#33704584) Homepage Journal

            I love the double standard! So, if that's the case, then people should STFU about Iran building anything, considering they haven't signed that treaty either...

            Iran signed 1 July 1968 [un.org]. What was that about a double standard and STFU?

          • by phantomfive (622387) on Sunday September 26, 2010 @02:42PM (#33704918) Journal
            It's not a double standard, it's a self-centered standard. I am opposed to countries like Iran, who have special holidays for hating my country, getting nuclear weapons. I don't want people who have declared themselves enemies of my country to have nuclear weapons. Unfair? Yes. Do I care, not really. Sometimes there are more important things than fairness (and real fairness in life is impossible anyway).
      • Interesting it is totally ok for Israel to have nukes.

        If you think I was implying that it's okay for Israel to stop Iran's nuke problem, that wasn't my point at all.

        My point was much more generic and simple: all things being equal, I'd rather computers get viruses than that people die in an airstrike.

  • by erroneus (253617) on Sunday September 26, 2010 @01:10PM (#33704356) Homepage

    Yeah, that'll teach'm to open up emails and PDFs titled "Death To America!" while running an OS and applications software written and controlled by a U.S. company.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      ... on Intel processors designed in Israel.

    • Re: (Score:3, Informative)

      by lennier1 (264730)

      Just for the record:
      Siemens = German

      • Actually Siemens is a pretty globally dispersed corporation, although you are correct in that it's based out of Germany. So they're dancing to many drummers.
    • by Grishnakh (216268) on Sunday September 26, 2010 @01:43PM (#33704548)

      Yep, this is the part that's so funny to me. Iran is so anti-America, Ahmadinejad is spouting conspiracy theories at the UN saying the US orchestrated 9/11, but then they're trusting Microsoft Windows (an American product known for security problems) to run their industrial computers? How stupid can you get?

      The Chinese are the complete opposite of these buffoons. They know that relying on another country's secret, proprietary software is foolhardy, so they've adopted Linux for governmental uses and have even developed their own Linux distro, Red Flag. Maybe it can't run all the latest applications or whatever, but trusting a product made by your enemy to run your country's infrastructure is just dumb.

  • Leaps of logic (Score:5, Insightful)

    by Anonymous Coward on Sunday September 26, 2010 @01:19PM (#33704402)

    I have a hard time taking it seriously that a "Nation State" is the most likely source of the infection and I have an even harder time that it is the United States behind it. Siemens is a huge (German) manufacturer of control systems, their equipment is installed throughout the industrialized world. The Bushehr reactor is being built with help from Russia but I am sure there are engineers from many different countries involved (notably absent would be Israel and the U.S.). These engineers should include people responsible for the security of both the Windows and the Siemens systems.

    I would argue that these engineers are the likely source of the information used to create the 'worm'. They have to be. Nobody else should have the information available to them to program the specific scenario to meet all of the inputs required to cause the mayhem the worm is intended to cause.

    Perhaps over a couple of beers they decided they didn't like some of the things they were seeing? Maybe they wrote the worm or maybe they just provided the information to the people that did. But either way, it reeks of being an inside job.

    • Re:Leaps of logic (Score:5, Insightful)

      by IamTheRealMike (537420) <mike@plan99.net> on Sunday September 26, 2010 @01:47PM (#33704582) Homepage
      The skills "reprogram industrial PLCs" and "find four new zero days in Windows" don't overlap a whole lot. Given what this virus does, it's very hard to believe it's the work of one or two guys. The whole thing smells strongly of a highly skilled and well financed team assembled for a specific reason. After all, it apparently is searching for a specific device or type of device and then tries to sabotage it - presumably this code was thoroughly tested, which means whoever wrote it is likely to have a small recreation of parts of the target factory somewhere. Not cheap or easy to set up.
      • Re:Leaps of logic (Score:5, Interesting)

        by seanadams.com (463190) on Sunday September 26, 2010 @04:23PM (#33705478) Homepage

        The skills "reprogram industrial PLCs" and "find four new zero days in Windows" don't overlap a whole lot.

        That's like saying, the skills "sweating copper pipe" and "hydraulic engineering" don't overlap a lot. It's true, but if you can do the latter, you're probably smart enough to figure out the former. And please, don't tell me how hard SCADA is... I've done it (as well as much harder things eg kernel work, VHDL, and analog circuit design), and it's all gluing together simple logic blocks and control busses. The equipment may be specialized, but that only makes it an obscure skill set, not an advanced one.

        I don't necessarily disagree with your conclusion though. The aspect of actually making this an _effective_ attack would call for some specific knowledge of how the plant operates. That is of far more interest to me than the technical skills needed to code it. I'm not convinced that this really was an _effective_ hack, in terms of intelligence gained, operations halted for a long time, etc - but who knows the exact objective.

      • Re:Leaps of logic (Score:4, Interesting)

        by Angst Badger (8636) on Sunday September 26, 2010 @04:29PM (#33705500)

        The most telling detail for me is that everyone involved or potentially involved is issuing denials at multiple levels.

        My guess -- and it's only a guess -- is that the Germans created it, hoping to throw a spanner into the works at the Iranian reactor because someone in their intelligence community got wind of Russian (and not only Russian-made) SAMs being moved into position to protect their investment, and while no one could predict the exact outcome of an unexpected direct US-Russian clash, the Germans were pretty certain it wouldn't do them any good. (The reason for this guess -- and I emphasize guess -- is the recent change in message from one of the Russian number stations, recently noted here on Slashdot.)

      • by russotto (537200)

        The skills "reprogram industrial PLCs" and "find four new zero days in Windows" don't overlap a whole lot. Given what this virus does, it's very hard to believe it's the work of one or two guys.

        If it weren't for the stolen private keys, two guys would not be unlikely (one Windows, one industrial control) and one guy would be possible, IMO. But given the stolen private keys, some sort of larger espionage operation seems likely. Even if an unethical individual managed to get those private keys, they'd be

    • Re:Leaps of logic (Score:5, Interesting)

      by gad_zuki! (70830) on Sunday September 26, 2010 @02:00PM (#33704668)

      Bored engineers came up with 4 zero-day exploits and two stolen keys to sign Realtek and Jmicron drivers? Whoever did this had some serious black-hat resources at his disposal. Most likely a nation state as an individual or group would be able to sell these exploits for a tidy sum.

        It's also important to realize that revealing these exploits and compromised keys to the public is a huge opportunity cost. Someone decided that attacking Iran was worth it. That seems like a decision a government would make.

      • by melikamp (631205)
        IMHO, it could easily be industrial sabotage by a competitor of Siemens. Iran just got in the way. The linked articles indicate that the worm does not seem to be harmful at the moment, so, really, Siemens is worse off than Iran right now.
      • Re:Leaps of logic (Score:5, Insightful)

        by EdIII (1114411) on Sunday September 26, 2010 @03:52PM (#33705332)

        You've completely ignored idealism here. The U.S and Israel are not the only governments with an interest to destabilize the Iranian government. I can see Russia, China, and Jordan having an interest as governments to destabilize Iran, especially, when the U.S and Israel are such convenient scapegoats. Perhaps, even just causing the U.S and Israel some problems would be the end goal of the whole project.

        Keep in mind that opportunity costs only matter to criminal organizations... and governments. Criminal organizations would be concerned with lost profit, while governments are concerned with losing an attack vector.

        What about the idealism? Out of all of the engineers that have worked on that equipment in Iran, NONE of them had any idealism or conflicts with the Iranian government?

        Burning a huge opportunity cost to sabotage a nuclear reactor in Iran certainly sounds like something an idealistic group of "terrorists" would do to stop the Iranian government from becoming a nuclear power.

        Note I keep saying Iranian government. There are millions of young people in Iran right now, some of them fairly well educated, sophisticated, and with access to funding, that don't consider themselves on board with the current Iranian leaders.

        We can speculate all day who really might have done this, but we can't rule out home grown terrorism here either.

        • Re: (Score:3, Insightful)

          by moortak (1273582)
          We also can't rule out regional players other than Israel. The UAE has deep pockets and no desire for a nuclear Iran, same deal for Saudi Arabia.
  • by CarpetShark (865376) on Sunday September 26, 2010 @01:25PM (#33704450)

    although the US official claims they do not know the origin of the virus

    "Hey, we just want them fucked up. We don't give a shit about the details."

  • by devphaeton (695736) on Sunday September 26, 2010 @01:29PM (#33704460)

    "Talking heads are speculating that the worm is too complex for an individual or group, causing blame to be placed on Israel or even the United States "

    How does "too complex for an individual or group" equate to "must be Israel or the United States"? I hope I'm reading this wrong.

    Otherwise I might have to troll about "German companies blaming the US and the Jews for everything" or something.

    • People hack Windows for Fun or Profit. Script kiddies don't hack to cause Sabotage, and they don't hack expensive industrial control systems. I'm pretty sure whoever was this sophisticated didn't just get an equipment manual and write a virus for an embedded processor, they most likely got their hands on one to dissect and test a virus on, which some hacker kiddie can't do. It seems very likely someone bankrolled this with lots of money and resources. China is out since they are supporting Iran, and Russia

      • Re: (Score:3, Interesting)

        by ColdWetDog (752185)

        China is out since they are supporting Iran, and Russia is profiting from Iran as well. With the usual suspects out, it's time to look at Iran's enemies for this.

        Don't rule out either China or Russia. Yes, they 'support' Iran in some limited sense but they both have their own (differing) views of how things should play out. Neither might be terribly interested in a nuclear armed Iran. Of course, the Russians would be playing a very fine line both building and destroying the plant - however, there may we

  • by IamTheRealMike (537420) <mike@plan99.net> on Sunday September 26, 2010 @01:29PM (#33704462) Homepage
    from here [digitalbond.com]

    I’m surprised at how often project names for secret projects have some relation on the project. This is really for you conspiracy theorists, but read the Book of Esther in the bible where Esther informs the King of a plot against the Jews. The King then allows the Jews to defend themselves, kill their enemies, Esther was born as Hadassah which means Myrtle. According to Symantec, “While we don’t know who the attackers are yet, they did leave a clue. The project string b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb appears in one of their drivers.” Myrtus is Myrtle. Yes this is a stretch, and of course even if this naming meant something it could be a feint to draw suspicion away from the actual attacker.

    • by Kozz (7764) on Sunday September 26, 2010 @01:37PM (#33704502)

      from here [digitalbond.com]

      I’m surprised at how often project names for secret projects have some relation on the project. This is really for you conspiracy theorists, but read the Book of Esther in the bible where Esther informs the King of a plot against the Jews. The King then allows the Jews to defend themselves, kill their enemies, Esther was born as Hadassah which means Myrtle. According to Symantec, “While we don’t know who the attackers are yet, they did leave a clue. The project string b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb appears in one of their drivers.” Myrtus is Myrtle. Yes this is a stretch, and of course even if this naming meant something it could be a feint to draw suspicion away from the actual attacker.

      Or, from the Guava wikipedia page [wikipedia.org], the fruit is part of the Myrtle family. Furthermore, From http://en.wikipedia.org/wiki/Myrtus#Uses_in_myth_and_ritual [wikipedia.org],

      In Jewish liturgy, it is one of the four sacred plants of Sukkot, the Feast of Tabernacles representing the different types of personality making up the community - the myrtle having fragrance but not pleasant taste, represents those who have good deeds to their credit despite not having knowledge from Torah study. Three branches are held by the worshippers along with a citron, a palm leaf, and two willow branches. In Jewish mysticism, the myrtle represents the phallic, masculine force at work in the universe.

    • by Thing 1 (178996)
      Interesting. "b:" is generally a floppy drive as well (although can be remapped, if one is running low on drive letters).
  • From Slashdot: The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into — and spread around — Microsoft's Windows operating system, according to a startling disclosure from Microsoft. Two of the four vulnerabilities are still unpatched.

    Serves you right using Windows for anything critical. Are they waiting one month for a fix as the rest of the Windows users?

  • So assume the US or Israel were at direct fault for this, ignoring the fallacy of "no single group" for a moment.

    Why is that a problem, exactly?

    We've got many, many quotes from the Iranian leaders (many of them) which are along the lines of:

    * death to Israel
    * we will hit Israel with a nuke
    * we wish to see Israel as bright as the sun
    * we can hit Europe with our ballistic missiles!
    * America is our Enemy

    This, all in light of their nuclear program having no explicable goal at this point aside from nuclear weapo

  • by CreamyG31337 (1084693) on Sunday September 26, 2010 @03:44PM (#33705280)

    just read
    http://frank.geekheim.de/?p=1189 [geekheim.de]
