Stuxnet Infects 30,000 Industrial Computers In Iran

eldavojohn writes "The BBC and AFP are releasing more juicy details about the now infamous Stuxnet worm that Iranian officials have confirmed infected 30,000 industrial computers inside Iran following those exact fears. The targeted systems that the worm is designed to infect are Siemens SCADA systems. Talking heads are speculating that the worm is too complex for an individual or group, causing blame to be placed on Israel or even the United States — although the US official claims they do not know the origin of the virus. Iran claims it did not infect or place any risk to the new nuclear reactor in Bushehr, which experts are suspecting was the ultimate target of the worm."

I think Seimen's comment is funny

[Anonymous Coward]

"Siemens has advised its customers not to change the default passwords"
http://news.cnet.com/8301-1009_3-20011095-83.html
great....good security there

Re:

[thegarbz]

Frankly I'm surprised they give people the option. Lots of vendors have hard coded passwords in their software which are there for vendor only and don't even give you the option of changing them.

this is it

[bhcompy]

The future of diplomacy.

Re:

[buswolley]

I don't know if it is just coincidence, but this morning, my colleague arrived to use our university's Siemens MRI for research. Overheating, pump malfunction errors were popping up everywhere on the GUI like she's never seen before...probably coincidence.

Bushehr as target

[Jurily]

I read somewhere that there are no Siemens systems in Bushehr, making that particular plant immune to this worm. Is that true?

Re:

[trapnest]

Where could you possibly read something like that?

Re:

[WrongSizeGlass]

Where could you possibly read something like that?

In the Bushehr Times, the leading state-run newspaper in Bushehr with a full want-ads section and comics as recent as 'The Far Side'. Good reading if you can stomach the heavy-handed use of commas and semicolons.

Re:Bushehr as target

[Zocalo]

There was a screenshot [upi.com] posted that was purported to be the Bushehr plant's control systems shortly after the claims that it was the target of Stuxnet first appeared. SIMATIC WinCC is Siemens' SCADA front-end tool for Windows clients, so either this image is of another nuclear plant or Bushehr does indeed use Siemens software.

In any event, in the early analyses of Stuxnet, that the target was Bushehr was speculative based on:

• The high number of infections in Iran
• That the software was so complicated and targeted at very specific PLCs within a Siemens SCADA environment implying a particular installation was being targeted
• That the second point above in turn implied that a nation state that had acquired inside knowledge about the target was behind the worm, although which one wasn't even speculated at
• Bushehr was believed to have experienced some kind of technical issue within a suitable time frame

Assuming the screenshot and target of Stuxnet are both Bushehr, then I don't actually know which is worse; that someone would trust apparently pirated software to run a nuclear plant, or that someone would deliberately try to disrupt the operations of one...

Re:Bushehr as target

[IamTheRealMike]

Actually I prefer the theory that it went after the centrifuges at Natanz [geekheim.de].

On July 17, 2009 WikiLeaks posted a cryptic notice:

Two weeks ago, a source associated with Iran’s nuclear program confidentially told WikiLeaks of a serious, recent, nuclear accident at Natanz. Natanz is the primary location of Iran’s nuclear enrichment program. WikiLeaks had reason to believe the source was credible however contact with this source was lost. WikiLeaks would not normally mention such an incident without additional confirmation, however according to Iranian media and the BBC, today the head of Iran’s Atomic Energy Organization, Gholam Reza Aghazadeh, has resigned under mysterious circumstances. According to these reports, the resignation was tendered around 20 days ago.

... and from the same article ...

A cross-check with the official Iran Students News Agency archives confirmed the resignation of the head of Iran’s Atomic Energy Organization.

According to official IAEA data, the number of actually operating centrifuges in Natanz shrank around the time of the accident Wikileaks wrote about was reduced substantially .

Re:Bushehr as target

[fava]

There is an analysis of the screenshot at http://www.hackerfactor.com/blog/index.php?/archives/396-No-Nukes.html [hackerfactor.com]

The conclusion is that it is probably a screenshot of a wast water treatment plan, not a nuke facility.

Re:

[ColdWetDog]

Interestingly, the photographer (or at least someone logging in under his name) states that the photo is real. Hard to tell. It's in English, but that isn't all that surprising given that the contractor is Russian and the Iranians don't necessarily speak Russian - English would be the usual 'common' language. It does seem to be a water treatment process, but nuclear reactors located in the middle of nowhere might include such functions.

The fun part about the picture is the popup "Your software license

Re:

[thegarbz]

Assuming the screenshot and target of Stuxnet are both Bushehr, then I don't actually know which is worse; that someone would trust apparently pirated software to run a nuclear plant, or that someone would deliberately try to disrupt the operations of one...

As someone who is involved with these kinds of systems, there's no way you would pirate software like this. Typically you can't buy this gear in isolation without a complete support agreement which often includes a lot of software to go with it. Some vendors even give away the software for free knowing it'll only run on their hardware. This kind of licence key issue is more likely due to a cock-up during the commissioning stage. God knows I've seen plenty of those, or maybe just an IT issue. I wasn't able t

Not so bad of a result

[DoofusOfDeath]

If Iran really is trying to develop a nuclear weapons ability, then they're heading for a nasty conflict one way or another.

If conflict is inevitable, then it's probably far better for their computers to catch a nasty flu, than for people do due in a U.S./Israeli airstrike.

Re:Not so bad of a result

[Dan667]

intersting it is totally ok for israel to have nukes. When is israel going to have weapon inspectors and give them up? If there really was interest in getting this stopped that would be the first step.

Re:Not so bad of a result

[Ironsides]

When is israel going to have weapon inspectors and give them up?

When Israel signs the Nuclear Non-Proliferation Treaty.

Re:

[Beelzebud]

I love the double standard! So, if that's the case, then people should STFU about Iran building anything, considering they haven't signed that treaty either...

Re:Not so bad of a result

[Ironsides]

I love the double standard! So, if that's the case, then people should STFU about Iran building anything, considering they haven't signed that treaty either...

Iran signed 1 July 1968 [un.org]. What was that about a double standard and STFU?

Re:Not so bad of a result

[Lemmy Caution]

There was a little revolution between then and now: the CIA-created Shah regime signed that treaty. And, of course, parties are free to leave the NNPT whenever they like: that's how treaties work.

Iran is one of the best examples of "blowback" out there.

Re:

[Ironsides]

I'm missing where it says the US did anything until well after the Shah was already removed.

Re:Not so bad of a result

[phantomfive]

It's not a double standard, it's a self-centered standard. I am opposed to countries like Iran, who have special holidays for hating my country, getting nuclear weapons. I don't want people who have declared themselves enemies of my country to have nuclear weapons. Unfair? Yes. Do I care, not really. Sometimes there are more important things than fairness (and real fairness in life is impossible anyway).

Re:

[phantomfive]

Ironic, really, this is ironic.

It would be, if it weren't so commonplace. Do I feel bad about deposing Mosaddegh in Iran? Sure, that was a bad idea. If Iran wanted reparations for that, I wouldn't be opposed. Does that mean Iran should automatically be allowed to get a nuclear bomb? Of course not. No one in the region wants them to get the bomb. There are a lot of reasons to try to prevent it, especially with non-violent means like sanctions, that could avert serious crisis.

Re:Not so bad of a result

[DoofusOfDeath]

True, but it is generally prudent to stop crazed assholes* with the stated goals of wiping other states from the map from having any such weapons.

You mean the Israeli settlers in East Jerusalem and the West Bank?

Re:

[Xaositecte]

If Israel really wanted to wipe out the Palestinians, they could do it without Nukes.

Surrounding Islamic countries however, have repeatedly attempted to wipe out Israel without nukes, and failed. Historical record implies if they had access to nukes, they'd use them.

Re:

[DoofusOfDeath]

If Israel really wanted to wipe out the Palestinians, they could do it without Nukes.

Perhaps, but rounding them up into a massive concentration camp because they wanted some lebensraum isn't so swell, either.

Re:

[Anonymous Coward]

What about crazed Israeli leaders?

Martin van Creveld is a Israeli historian and researcher -

In a September 2003 interview in Elsevier (Dutch weekly) on Israel and the dangers it faces from Iran, the Palestinians and world opinion van Creveld stated:

We possess several hundred atomic warheads and rockets and can launch them at targets in all directions, perhaps even at Rome. Most European capitals are targets for our air force.... We have the capability to take the world down with us. And I can assure you tha

Re:

[theshowmecanuck]

Martin van Creveld is a Israeli historian and researcher

Yes he is. That is, he is a citizen and is a historian and researcher, and is entitled to his own opinion. Let me say the key part again, *his own opinion*. He is not part of the Israeli government. And in case you forgot Mahmoud Ahmadinejad, who said "Israel should be wiped off the map", well he IS the PRESIDENT of Iran. It sounds like you are not clear on or don't understand the subtleties of a citizen making a statement and the head of state of a c

Re:

[dave420]

He didn't say he wanted to wipe Israel off the map. That was a clumsy translation that has been frequently pointed out as such, but it seems some people just don't want to listen.

The rest of your bullshit is just childish.

Re:

[dave420]

He never said he wanted to wipe Israel off the map. That is a much-repeated bad translation, which people loved because it sounded so dangerous. He was merely hoping for the end of the Zionist Israeli government.

Re:Not so bad of a result

[Anonymous Coward]

Actually, Ahmadinejad never said that. The quote is a mistranslation and has mendaciously used as propaganda by Zionists and useful idiots as proof of Iran's alleged destructive intentions.

If you bothered to read the entire page you linked to, the Guardian published a retraction: http://www.guardian.co.uk/theguardian/2009/apr/23/corrections-clarifications [guardian.co.uk]

Re:

[Xaositecte]

"the regime occupying Jerusalem must vanish from the page of time"

is still a pretty inflammatory quote.

Re:

[dave420]

Are you still learning English? That statement is about as far from inflammatory as possible. It's poetic if anything, conjuring up a future time when the current bullshit Israeli regime is a long-distant memory, and not at all important.

Re:

[Xaositecte]

It's sorta've like the difference between "Go die" and "Please go die."

the message is still clear.

Re:

[Beelzebud]

Way to use a mistranslation to prove your point...

Re:Not so bad of a result

[Xaositecte]

How often have surrounding Arab states invaded Israel?

How often has Israel invaded surrounding Arab states?

Historical records do not agree with your statements.

Re:

[wall0159]

Err, didn't the surrounding Arab states attack Israel in the days/weeks after the British left? My understanding is that they "threw the first punch"

(I'm no Israel apologist -- plenty of blame for the current mess rests on their shoulders also, IMO)

Re:

[dave420]

How often has a new state been carved out of Israel, against the wishes of Israel?

Re:

[phantomfive]

but lets not forget that since Israel's creation its borders have done nothing but grow.

Except when they've shrunk. Like when they unilaterally shut down the settlements in Gaza. But why let facts get in the way of your Israel bashing?

If Palestine could make a credible commitment to peace, there would be a settlement within a year. Israelis don't want to keep watching over Palestinians like they have to now.

Re:

[SuricouRaven]

That's shooting rockets *back* as residential buildings. Hamas started on that one - they thought that if they launched their own rockets from residential or public buildings, Israel would be too afraid of the bad PR to risk counterattacking the launch sites. It partially worked.

Israel is not a good neighbour - but their actions are not unprovoked. They have to live with a seemingly endless stream of rockets being fired into their own residential areas over the border, frequent attempts at suicide or car-

Re:

[DoofusOfDeath]

intersting it is totally ok for israel to have nukes.

If you think I was implying that it's okay for Israel to stop Iran's nuke problem, that wasn't my point at all.

My point was much more generic and simple: all things being equal, I'd rather computers get viruses than that people die in an airstrike.

Email titled "Death To America!"

[erroneus]

Yeah, that'll teach'm to open up emails and PDFs titled "Death To America!" while running an OS and applications software written and controlled by a U.S. company.

Re:

[Anonymous Coward]

... on Intel processors designed in Israel.

Re:

[lennier1]

Just for the record:
Siemens = German

Re:

[ColdWetDog]

Actually Siemens is a pretty globally dispersed corporation, although you are correct in that it's based out of Germany. So they're dancing to many drummers.

Re:

[SuricouRaven]

German, American... regardless, I imagine the chips are made in China.

Re:Email titled "Death To America!"

[Grishnakh]

Yep, this is the part that's so funny to me. Iran is so anti-America, Ahmadinejad is spouting conspiracy theories at the UN saying the US orchestrated 9/11, but then they're trusting Microsoft Windows (an American product known for security problems) to run their industrial computers? How stupid can you get?

The Chinese are the complete opposite of these buffoons. They know that relying on another country's secret, proprietary software is foolhardy, so they've adopted Linux for governmental uses and have even developed their own Linux distro, Red Flag. Maybe it can't run all the latest applications or whatever, but trusting a product made by your enemy to run your country's infrastructure is just dumb.

Re:

[Grishnakh]

It would also be trivial for Iranians to turn off Windows Updates and block it at the routers. Of course, they might not be smart enough to do that in time. They're obviously not smart enough to build their own nuclear reactor without having to get help from the Germans. To my knowledge, even the Chinese and North Koreans are smart enough to develop their own nuclear technology without having to buy it from someone else. Of course, since the Muslim world hasn't done anything technological of note at all

Leaps of logic

[Anonymous Coward]

I have a hard time taking it seriously that a "Nation State" is the most likely source of the infection and I have an even harder time that it is the Untited States behind it. Siemens is a huge (German) manufaturer of control systems, their equipment is installed throughout the industrialized world. The Bushehr reactor is being built with help from Russia but I am sure there are engineers from many different countries involved (notably absent would be Israel and the U.S.). These engineers should include people responsible for the security of both the Windows and the Siemens systems.

I would argue that these engineers are the likely source of the information used to create the 'worm'. They have to be. Nobody else should have the information available to them to program the specific scenero to meet all of the inputs required to cause the mayhem the worm is intended to cause.

Perhaps over a couple of beers they decided they didn't like some of the things they were seeing? Maybe they wrote the worm or maybe they just provided the information to the people that did. But either way, it reeks of being an inside job.

Re:Leaps of logic

[IamTheRealMike]

The skills "reprogram industrial PLCs" and "find four new zero days in Windows" don't overlap a whole lot. Given what this virus does, it's very hard to believe it's the work of one or two guys. The whole thing smells strongly of a highly skilled and well financed team assembled for a specific reason. After all, it apparently is searching for a specific device or type of device and then tries to sabotage it - presumably this code was thoroughly tested, which means whoever wrote it is likely to have a small recreation of parts of the target factory somewhere. Not cheap or easy to set up.

Re:Leaps of logic

[seanadams.com]

The skills "reprogram industrial PLCs" and "find four new zero days in Windows" don't overlap a whole lot.

That's like saying, the skills "sweating copper pipe" and "hydraulic engineering" don't overlap a lot. It's true, but if you can do the latter, you're probably smart enough to figure out the former. And please, don't tell me how hard SCADA is... I've done it (as well as much harder things eg kernel work, VHDL, and analog circuit design), and it's all gluing together simple logic blocks and control busses. The equipment may be specialized, but that only makes it an obscure skill set, not an advanced one.

I don't necessarily disagree with your conclusion though. The aspect of actually making this an _effective_ attack would call for some specific knowledge of how the plant operates. That is of far more interest to me than the technical skills needed to code it. I'm not convinced that this really was an _effective_ hack, in terms of intelligence gained, operations halted for a long time, etc - but who knows the exact objective.

Re:Leaps of logic

[Angst Badger]

The most telling detail for me is that everyone involved or potentially involved is issuing denials at multiple levels.

My guess -- and it's only a guess -- is that the Germans created it, hoping to throw a spanner into the works at the Iranian reactor because someone in their intelligence community got wind of Russian (and not only Russian-made) SAMs being moved into position to protect their investment, and while no one could predict the exact outcome of an unexpected direct US-Russian clash, the Germans were pretty certain it wouldn't do them any good. (The reason for this guess -- and I emphasize guess -- is the recent change in message from one of the Russian number stations, recently noted here on Slashdot.)

Re:

[russotto]

The skills "reprogram industrial PLCs" and "find four new zero days in Windows" don't overlap a whole lot. Given what this virus does, it's very hard to believe it's the work of one or two guys.

If it weren't for the stolen private keys, two guys would not be unlikely (one Windows, one industrial control) and one guy would be possible, IMO. But given the stolen private keys, some sort of larger espionage operation seems likely. Even if an unethical individual managed to get those private keys, they'd be

Re:Leaps of logic

[gad_zuki!]

Bored engineers came up with 4 zero-day exploits and two stolen keys to sign Realtek and Jmicron drivers? Whoever did this had some serious black-hat resources at his disposal. Most likely a nation state as an individual or group would be able to sell these exploits for a tidy sum.

Its also important to realize that revealing these exploits and compromised keys to the public is a huge opportunity cost. Someone decided that attacking Iran was worth it. That seems like a decision a government would make.

Re:

[melikamp]

IMHO, it could easily be industrial sabotage by a competitor of Siemens. Iran just got in the way. The linked articles indicate that the worm does not seem to be harmful at the moment, so, really, Siemens is worse off than Iran right now.

Re:Leaps of logic

[EdIII]

You've completely ignored idealism here. The U.S and Israel are not the only governments with an interest to destabilize the Iranian government. I can see Russia, China, and Jordan having an interest as governments to destabilize Iran, especially, when the U.S and Israel are such convenient scapegoats. Perhaps, even just causing the U.S and Israel some problems would be the end goal of the whole project.

Keep in mind that opportunity costs only matter to criminal organizations... and governments. Criminal organizations would be concerned with lost profit, while governments are concerned with losing an attack vector.

What about the idealism? Out of all of the engineers that have worked on that equipment in Iran, NONE of them had any idealism or conflicts with the Iranian government?

Burning a huge opportunity cost to sabotage a nuclear reactor in Iran certainly sounds like something an idealistic group of "terrorists" would do to stop the Iranian government from becoming a nuclear power.

Note I keep saying Iranian government. There are millions of young people in Iran right now, some of them fairly well educated, sophisticated, and access to funding, that don't consider themselves on board with the current Iranian leaders.

We can speculate all day who really might have done this, but we can't rule out home grown terrorism here either.

Re:

[moortak]

We also can't rule out regional players other than Israel. The UAE has deep pockets a no desire for a nuclear Iran, same deal for Saudi Arabia.

Quoth the CIA

[CarpetShark]

although the US official claims they do not know the origin of the virus

"Hey, we just want them fucked up. We don't give a shit about the details."

Must be reading that line wrong

[devphaeton]

"Talking heads are speculating that the worm is too complex for an individual or group, causing blame to be placed on Israel or even the United States "

How does "too complex for an individual or group" equate to "must be Israel or the United States"? I hope I'm reading this wrong.

Otherwise I might have to troll about "German companies blaming the US and the Jews for everything" or something.

Re:

[mr100percent]

People hack Windows for Fun or Profit. Script kiddies don't hack to cause Sabotage, and they don't hack expensive industrial control systems. I'm pretty sure whoever was this sophisticated didn't just get an equipment manual and write a virus for an embedded processor, they most likely got their hands on one to dissect and test a virus on, which some hacker kiddie can't do. It seems very likely someone bankrolled this with lots of money and resources. China is out since they are supporting Iran, and Russia

Re:

[ColdWetDog]

China is out since they are supporting Iran, and Russia is profiting from Iran as well. With the usual suspects out, it's time to look at Iran's enemies for this.

Don't rule out either China or Russia. Yes, they 'support' Iran in some limited sense but they both have their own (differing) views of how things should play out. Neither might be terribly interested in a nuclear armed Iran. Of course, the Russians would be playing a very fine line both building and destroying the plant - however, there may we

Interesting (highly speculative) link to Israel

[IamTheRealMike]

from here [digitalbond.com]

I’m surprised at how often project names for secret projects have some relation on the project. This is really for you conspiracy theorists, but read the Book of Esther in the bible where Esther informs the King of a plot against the Jews. The King then allows the Jews to defend themselves, kill their enemies, Esther’s was born as Hadassah which means Myrtle. According to Symantec, “While we don’t know who the attackers are yet, they did leave a clue. The project string b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb appears in one of their drivers.” Myrtus is Myrtle. Yes this is a stretch, and of course even if this naming meant something it could be a feint to draw suspicion away from the actual attacker.

Re:Interesting (highly speculative) link to Israel

[Kozz]

from here [digitalbond.com]

I’m surprised at how often project names for secret projects have some relation on the project. This is really for you conspiracy theorists, but read the Book of Esther in the bible where Esther informs the King of a plot against the Jews. The King then allows the Jews to defend themselves, kill their enemies, Esther’s was born as Hadassah which means Myrtle. According to Symantec, “While we don’t know who the attackers are yet, they did leave a clue. The project string b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb appears in one of their drivers.” Myrtus is Myrtle. Yes this is a stretch, and of course even if this naming meant something it could be a feint to draw suspicion away from the actual attacker.

Or, from the Guava wikipedia page [wikipedia.org], the fruit is part of the Myrtle family. Furthermore, From http://en.wikipedia.org/wiki/Myrtus#Uses_in_myth_and_ritual [wikipedia.org],

In Jewish liturgy, it is one of the four sacred plants of Sukkot, the Feast of Tabernacles representing the different types of personality making up the community - the myrtle having fragrance but not pleasant taste, represents those who have good deeds to their credit despite not having knowledge from Torah study. Three branches are held by the worshippers along with a citron, a palm leaf, and two willow branches. In Jewish mysticism, the myrtle represents the phallic, masculine force at work in the universe.

Re:

[Thing 1]

Interesting. "b:" is generally a floppy drive as well (although can be remapped, if one is running low on drive letters).

Re:

[taxman_10m]

Do new computers sold in Israel still generally come with a floppy drive? Here in the USA it's been a while since I saw a newish computer that still had a floppy drive.

Re:

[PHPfanboy]

Nope.

Servers you right

[devent]

From Slashdot: The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into — and spread around — Microsoft's Windows operating system, according to a startling disclosure from Microsoft. Two of the four vulnerabilities are still unpatched.

Servers you right using Windows for anything critical. Are they waiting one month for a fix as the rest of the Windows users?

and why would that be a problem, exactly?

[CAIMLAS]

So assume the US or Israel were at direct fault for this, ignoring the fallacy of "no single group" for a moment.

Why is that a problem, exactly?

We've got many, many quotes from the Iranian leaders (many of them) which are along the lines of:

* death to Israel
* we will hit Israel with a nuke
* we wish to see Israel as bright as the sun
* we can hit Europe with our ballistic missiles!
* America is our Enemy

This, all in light of their nuclear program having no explicable goal at this point aside from nuclear weapo

Re:and why would that be a problem, exactly?

[joe_frisch]

The problem is that as far as I know, international law doesn't know how to deal with national cyber-attacks. Are they the equivalent of a physical attack? If they do large scale financial damage (loss of services)? If they do large scale physical damage (destroy a factory of power plant), if they kill a few people (factory accident), kill a lot of people (chemical plant explodes)?

If a cyber-attack on financial institutions costs billions of dollars is that an act of war?

If a cyber-attack from country A caused a Bophal like disaster in country B, is country B justified in launching a physical attack on population centers of country A?

Words are one thing - attacks (physical or cyber) that cause damager are another.

Re:and why would that be a problem, exactly?

[mr100percent]

No you don't. Show me a quote from an Iranian leader currently in power who said "We will hit Israel with a nuke." US Republicans and Israeli Likudniks have said to nuke Iran, but do you have a statement showing the reverse?

Iranians do see Israel and the US as enemies, since the US overthrew the democractic government of Iran in the 1950s, and tried to do it again after 1979. The amount of warmongering from Bush and Rumsfeld in both statements and actions (bombing Iranian embassy in an airstrike) only put them further on edge.

Your claim that their nuclear program can ONLY be for weapons and not energy is a silly claim, and you make it without proof. The IAEA and academics disagree with you.

Re:and why would that be a problem, exactly?

[shutdown -p now]

Citation please, along with the actual non-paraphrased quotes.

Enjoy:

http://www.youtube.com/watch?v=FckLO8HcNyo [youtube.com]
http://www.youtube.com/watch?v=Gk_eXtCu03E [youtube.com]

Oh, and here are a few more which, while they don't quite come from leaders, do come from agents of the Iranian state - in their official capacity - cheering the crowd:

http://www.youtube.com/watch?v=XHoVuFlrcjA [youtube.com]
http://www.youtube.com/watch?v=92myDzAFgU4 [youtube.com]

Search for "death to Israel" and "death to America" on YouTube for tons more of that.

it was targeting the enrichment centrifuges

[CreamyG31337]

just read
http://frank.geekheim.de/?p=1189 [geekheim.de]

Re:strange conclusion.

[O('_')O_Bush]

Really? Because, as someone who has worked in gov't related cybersecurity, I can tell you that they try all the time.

There's no shortage of reasons for hackers to want access to data (classified or otherwise) really really badly.

You just need to get the hollywood fabricated ideas about teams of small teams of omnipotent superhacker "gods" out of your mind, because they don't exist.

Re:

[retchdog]

no, of course they aren't omnipotent gods, but on the other hand you don't need to be a god to cause serious damage to human beings. you just need to be intelligent; properly specialized; and oddly motivated. fortunately, the old "pick two of three" rule seems to apply here. :)

I do personally know some security professionals whom I suspect would have a pretty good shot at something like this, if they were both unethical and had a little bit of inside knowledge.

admittedly, most of what i know about US gov't

Re:strange conclusion.

[cpghost]

i mean, all you need is the information; this isn't the manhattan project.

Getting information was not so difficult, even from within the Manhattan Project [wikipedia.org]. If a government is hellbent on infiltrating secret projects of a rival government, they sure have enough resources at hand.

Re:

[retchdog]

That's true but sort of the converse of what I was trying to say. Sorry for the confusion. I agree that a government could do this, but I don't see how it's necessarily too complicated for a group of skilled and motivated activists.

What I meant was, hacking doesn't take particle accelerators or other expensive components. Even if you had the information from the manhattan project, you'd need roomfuls of specialized and dangerous equipment and materials and a large diversely trained staff.

All you need for so

Re:

[taxman_10m]

Who said anything about the government? If some other nation really wanted to mess things up in the USA they'd attack banking or something (which is something Russia apparently did to Estonia in 2007 according to wikipedia).

Re:strange conclusion.

[IamTheRealMike]

You just need to get the hollywood fabricated ideas about teams of small teams of omnipotent superhacker "gods" out of your mind, because they don't exist.

Really? How big do you think the team that created Stuxnet is then? Or do you really think that one guy found 4 new zero days, wrote a P2P control mechanism, a custom kernel mode rootkit, a bunch of PLC code in an obscure form of assembly language and a shim DLL to hide the PLC infection from the operator?

The Stuxnet team is the closest thing to the Hollywood stereotype of a small team of omnipotent superhacker gods the world has seen.

Re:strange conclusion.

[gad_zuki!]

The stuxnet team is most likely the product of a large intelligence department. That is to say a group effort from a nation state, not some independent hacking gods with nothing better to do.

The point is that expertise in scada, coming up with 4 zero days, getting 2 signed driver keys from JMicron and Realtek, and distributing the exploit without the internet to Iranian factories is not something a non-state can do.

Re:strange conclusion.

[Cylix]

I do all of that while cooking my morning breakfast.

However, I am the most interesting man in the world....

Stay thirsty my friends.

Re:strange conclusion.

[Will.Woodhull]

I agree. Stuxnet, and who knows what will follow it, are similar to the USA Skunkworks that managed to develop and deploy the SR-71 Blackbird in complete secrecy, or before that the Manhattan Project in the USA, and the Enigma work done in Great Britain.

We have a new player on the world stage, and data security is never going to be the same again. Actually we probably have more than one new player, since there are a probably a dozen countries that are capable of doing this kind of thing. And quite possibly they've been around for a long time, hiding behind spammer botnet facades, etc. I find it suspicious that while spammer botnets are supposed to be making their fortunes by selling advertising, there has never been a serious effort to go after the companies that are apparently buying these services. I wonder how many distributors of v14gRuh there really are, and how many are virtual fronts for information gathering and disinformation distribution activities?

Hmm. I prolly read too much Philip K Dick in a younger day.

Re:strange conclusion.

[SashaMan]

Uhh, you're missing the GP's point. It's HIGHLY doubtful a small group of scruffy super smart hackers a la Angeline Jolie and friends in "Hackers" created this virus. Given the complexity you point out (and by the way, you missed a very important point - stuxnet utilizes stolen encryption keys from TWO Tiawanese chip manufacturers), it's much more likely that a large, coordinated government or corporate organization that was able to assemble experts from many different fields was behind the attacks.

Re:strange conclusion.

[IamTheRealMike]

So we're arguing about the definition whether the team was "small" or "large" then :-) Given that Stuxnet is around half a megabyte in size, I'd guess the code itself was written by a team of around 5 people, probably with each person owning an area of functionality. Say another 5 for project infrastructure, eg, building testing environments, finding the zero days and doing whatever was required to steal the digital certs.

I'm sure there is a fairly large supporting cast for this "Myrtus/Guava" project, but I'd wager a crisp benjamin the bulk of the work was done by less than 10 people. Now whether this sort of effort is "small" or "large" is a matter of perspective - for a state sponsored military project it'd be very small, for a computer virus project it'd be pretty large.

By the way, if the authors of Stuxnet are reading this - nice work, but I seriously hope you know what the hell you are doing. Remotely sabotaging industrial facilities in a part of the world that's on a political knife edge can go wrong in so many ways I don't even want to think about it.

Re:strange conclusion.

[Anonymous Coward]

By the way, if the authors of Stuxnet are reading this - nice work, but I seriously hope you know what the hell you are doing. Remotely sabotaging industrial facilities in a part of the world that's on a political knife edge can go wrong in so many ways I don't even want to think about it.

Thanks for the tip. We'll definitely keep that in mind.

Re:

[Anonymous Coward]

MB for complexity? What the fuck? That's like GHz for speed -- there is relation only when you restrict the scenario (e.g. 100% ASM). Apparently you haven't seen any 64KB demos, or 10MB STL+Boost* HelloWorld programs.

* This remark is a detraction of programmer inefficiency, not C++/STL/Boost. It doesn't occur when they are used correctly.

Re:

[Anonymous Coward]

omnipotent superhacker gods the world has seen.

Ladder logic is NOT that hard. Most of the industrial companies I have worked with there is *MAYBE* 1 or 2 guys who write the whole system. The systems are pretty freeking easy to access. It is all standard control codes (otherwise no tools would work right).

These things are meant to hook together in rings of controllers that act as a unit no matter who you buy the controllers from. Many of the bigger companies such as Siemens even make it pretty easy to gl

Re:strange conclusion.

[AJWM]

You just need to get the hollywood fabricated ideas about teams of small teams of omnipotent superhacker "gods" out of your mind, because they don't exist.

Not quite in the Hollywood image they don't, no. But assuming that such hacking is beyond the efforts of one or two highly intelligent, knowledgeable and motivated individuals is a big mistake. You just need someone with an IQ in the 150 range who reads manuals and code for fun and thinks so far outside the box he can barely see it from there.

(Some 35 years ago I routinely pwned the campus mainframe, a Burroughs B6700, through a combination of inspired guesswork (giving me access to allocated but unused accounts), dumpster diving (hey, a listing of the OS, that looks interesting. Gee, what's this string "&:*" being passed to a call that expects the [root-equivalent] password?), social engineering (me at a Burroughs sales office: "I'm a student at X, can I get some B6700 manuals?" They: "We don't have any for sale here, but [checks in back] here are some old ones I'll just give you." Systems programmer back at X: "How'd you get those? We can't even get those!") and plain outside the box thinking (Sys programmer: "but you can't edit a Burroughs backup tape!" Me: "not on the Burroughs, no. But on the IBM 360/50..." He: "Oh, shit." Being able to edit a Burroughs backup tape let you (or me) get around the fact that only a program tagged as a compiler could tag a binary file as executable, and only an operator console command could tag a program as a compiler. But if you could create your own arbitrary executable binaries, you had access to all kinds of system calls normally reserved to the OS.) Of course those were more naive, innocent times, pre Morris worm, and terms like "dumpster diving" and "social engineering" hadn't been coined yet. It's a little harder these days (back then I was barely even trying), but there are better tools available, so don't fool yourself. Script kiddies are one thing -- it's the folks inventing those scripts, or rather, the ones who invent scripts the kiddies never see, that you need to worry about.)

Re:strange conclusion.

[einhverfr]

There are some strange things that the state-sponsor theory of Stuxnet is at a loss to explain.

The first of these is the P2P update cycle of the worm. One important element of this is that to update the one has to re-seed the network with a new version. However anybody with appropriate skills can do this, so the worm could be easily retooled to strike back at the creator. The idea that a nation would be incompetent enough to allow such a weapon as this to be redirected back at their critical infrastructure doesn't sit well with me.

The second major problem has to do with the fact the virus tends to be digitally signed via stolen private keys of reputable companies from around the globe many of which have no presence in the Middle East. Theft of these private keys is suggestive of a long-term effort probably involving past viruses and trojans.

Also while Iran is a major hotspot of infections they aren't the only ones. Indonesia is a close second.

These things are easy to explain from perspective that assumes a criminal syndicate but hard to explain from the perspective of a theory of state sponsorship.

Stuxnet is groundbreaking in a large number of ways. It's also an interesting question as to whether the malfunctions in the SCADA systems expected under Stuxnet could be similar to those experienced by Deepwater Horizon before the tragic explosion. While it might not be stuxnet in that case, it raises important questions about possible consequences of such a virus. These consequences are significantly more severe for a state sponsor than for a criminal one.

Re:strange conclusion.

[IamTheRealMike]

Also while Iran is a major hotspot of infections they aren't the only ones. Indonesia is a close second.

These things are easy to explain from perspective that assumes a criminal syndicate but hard to explain from the perspective of a theory of state sponsorship.

Well. Let's ignore the problem of motive for now (there are far easier ways for criminals to turn a profit than this) - one has to wonder why Stuxnet is written as a traditional self-propagating virus.

Apparently it has some kind of self-kill logic which tries to ensure it doesn't spread after three "hops", which suggests whoever wrote it didn't want it to become a totally uncontrolled worldwide infection.

Presumably whoever wrote this knew they wouldn't be able to obtain actual physical access to the facility they wanted to damage, nor would they be able to insert an undercover agent, nor would they be able to compromise an existing employee. If you wanted to attack a high security facility and your intelligence agency wasn't able to penetrate it using more traditional techniques, creating a virus that spreads indiscriminately and hoping you get lucky seems like a pretty reasonable strategy.

The truth may be somewhere in the middle. The top candidates are the US and Israel based on "who dislikes Iran the most". Israeli intelligence has proven several times before they apparently don't care about being detected or involving other nations as collateral damage, see the recent UK passport forging that was a part of an assassination. A guy who used to be a director of anti-proliferation strategy for the US government has remarked that the style doesn't seem like a US operation given how much noise the approach would inevitably create, and the tremendous impact outside of the intended target.

Now obviously he is biased, but I'd tend to agree with him. It seems kind of unlikely the US would do something so dramatically non-covert. The way Stuxnet works practically guaranteed it would be eventually detected and subjected to intense scrutiny. The fact that there's so many clues and possible evidence trails lying around also suggests that whoever did it wasn't too concerned with being caught, eg, it's possible the stolen digital certs or the C&C servers will provide a trail that can be investigated.

So out of "countries that hate Iran" which of those is most likely to perform an operation that is very likely to be detected and very likely to piss off a large number of random other nations or organizations? If I had to pick an intelligence agency in the world that most resembled a criminal syndicate, the Mossad would be pretty high up the list. Speculation is fun isn't it.

Re:

[Alicat1194]

So out of "countries that hate Iran" which of those is most likely to perform an operation that is very likely to be detected and very likely to piss off a large number of random other nations or organizations?

Perhaps it's just the conspiracy theorist in me, but is it possible that Iran isn't the main target of Stuxnet, but just a handy diversion?
If investigations are focused on the attack on Iran, and who would benefit most from it, they may be less likely to look into who would benefit from hurting oth

Re:

[IamTheRealMike]

We can't know for sure can we. But we might as well apply Occams Razor. Indonesia doesn't have any enemies that are both technically sophisticated and extremely aggressive. Nor does it have any industrial facilities of obviously high value. Iran has all these things.

It's a good question how so much Stuxnet ended up in Indonesia, but I suspect it's simply bad luck. If the initial infection vector was some kind of industrial contractor, it's easy to imagine that "hop zero" copies of the virus occurred in wha

Re:

[einhverfr]

Apparently it has some kind of self-kill logic which tries to ensure it doesn't spread after three "hops", which suggests whoever wrote it didn't want it to become a totally uncontrolled worldwide infection.

Do you have a cite for this? Also is it still this way (given the P2P component discussed in a paper on that subject by Symantec)?

So out of "countries that hate Iran" which of those is most likely to perform an operation that is very likely to be detected and very likely to piss off a large number of ra

Re:

[IamTheRealMike]

Searching Google for [stuxnet three hops] gives this analysis. [findingsfromthefield.com]

Re:

[einhverfr]

At this point, nobody else has confirmed this limit, right? Do we know if this affects all versions of Stuxnet? Only some versions? Does it only apply to the sneakerware portion of the attack or does a network attack count as a hop?

The reason I am asking is that the analysis I have seen on that site isn't sufficient to get to the view that it's geographically limited in terms of codebase.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[AJWM]

so the worm could be easily retooled to strike back at the creator. The idea that a nation would be incompetent enough to allow such a weapon as this to be redirected back at their critical infrastructure doesn't sit well with me.

Actually that sort of incompetence strikes me as more the sort of thing a state-sponsored effort might miss as compared to a the efforts of a small group used to thinking in terms of vulnerabilities. I.e. it suggests that the group who found the exploits is different from the grou

Re:

[einhverfr]

Or it could just be a small group who don't give a rat's ass about anybody's infrastructure, including their own.

A small group probably doesn't have a lot of Siemens PLC's in use......

Re:

[Dan667]

usb thumb drives.

Re:

[ColdWetDog]

usb thumb drives.

More like middle finger drives.

Re:

[confused one]

a nuke plant in the U.S. was infected a while back... The contractor bypassed the firewall and hooked the system to their computers via a network connection while they were debugging the software. This inadvertently created a connection between the internal protected systems at the nuclear plant and the wide-open, wild and wooly internet. Fortunately, the plant was shut down for maintenance and no critical systems were infected.

Re:

[Cyberax]

I think it's a stretch to make an assertion that Bush has traveled 1500 years back in time: http://en.wikipedia.org/wiki/Bushehr [wikipedia.org]

Re:

[F34nor]

My Dad went to Andover with him and listened to the "stick ball" speech, later he majored in history at Harvard, got a law degree from Columbia and a JD so I think he is entitled to his opinion both personal and historical on Bush. He says "Bush was the worst president since Harding" and "...did 100 years of damage to the US economy."

My opinion is that Bush was a kakistocracy (government by the least qualified or most unprincipled citizens) created by the dominists to defame the federal government an encour