Did Stuxnet Take Out 1,000 Centrifuges At Natanz?
AffidavitDonda writes "In late 2009 or early 2010, Iran decommissioned and replaced about 1,000 IR-1 centrifuges in the Fuel Enrichment Plant (FEP) at Natanz, implying that these centrifuges broke. Iran's IR-1 centrifuges often break, yet this level of breakage exceeded expectations and occurred during an extended period of relatively poor centrifuge performance. Although Iran has not admitted that Stuxnet attacked the Natanz centrifuge plant, it has acknowledged that its nuclear sites were subject to cyber attacks."
Re:Well that was the intention of the virus (Score:5, Interesting)
Just spent a minute at wikipedia...
Apparently the virus is Windows specific and targets industrial control systems manufactured by Siemens.
They have distributed a removal tool, which is dependent on current patching from Microsoft
Of course, this raises soooo many questions, like:
Who else uses the same Siemens controllers, should they be worried as well?
Who holds the keys to this thing?
What is preventing anybody else from hijacking the rootkitted systems?
What are the chances of any Microsoft patches being poisoned by the author?
And finally... Why the heck are our friends at Siemens selling systems to the Iranians?
Re:Maybe we will know in the future. (Score:5, Interesting)
By all accounts, Stuxnet caused considerable trouble and delay for Iranian enrichment efforts and (at least in public) the closest anybody has gotten to figuring out who did it has basically been pointing fingers at the intersection of "people who don't like Iran" and "people who are good at computers and stuff". A reasonable strategy, to be sure; but not one that suggests they have the slightest bit of hard evidence to go on. Unless it was unbelievably costly to develop, that is a pretty clear win for whoever was behind it.
I'm sure US military and industrial types could think of a few (thousand) things that they really would not want that happening to, never mind the continual, low-level but costly stream of financial scamming and fraud, much of which is electronic and much of which is a net flow from the US to assorted offshore gangs.
Would Windows Security Essentials have protected? (Score:2, Interesting)
What antivirus software would have protected the victims of this virus? Kaspersky? AVG? Windows Security Essentials? ClamAV?
While on the one hand, it is important to prevent infections from becoming a massive swarm with the ability to hammer away at particular locations in a DDoS, in this particular case it seems like specific machines were infected with the goal of harming them directly. Since these machines are running on specialized hardware, it doesn't really make sense to consider Stuxnet a "swarm" virus. The swarming aspect only seems to have helped it spread in an organic way towards the targeted systems.
On the very end lay the centrifuges, but between those and the Internet lay Windows PCs. Would having Norton (or any other AV) running on startup have blocked this virus?
If none, then what hope do we really have of protecting ourselves from deliberate attacks on our network infrastructure?
Quite frightening, actually. (Unless Windows Security Essentials would have caught it.)
Re:Maybe we will know in the future. (Score:4, Interesting)
Not true, numerous counterexamples; the simplest one being barricaded somewhere on a mountain with the weather on your side, batteries, ammo, a trustworthy sniper rifle, lots of food, and an internet connection (for your idle time between headshots).
You're either shallow enough to get burned out or deep enough to get buried. Very effective techniques for taking out pill boxes and deep fortifications were developed in the Second World War.
Re:Would Windows Security Essentials have protecte (Score:4, Interesting)
You're not a high profile target.
Could your apartment door keep out an exceptional burglar who specialized in breaking into high profile objects? Could your home safe stop someone who is an expert in opening bank safes? Would someone trained in defeating multi-layer security systems trip your alarm system at home?
I think none of those questions could be answered positively.
But these people do not break into your home. They've got better, more profitable, targets to rob.
Likewise, nobody would "waste" 4 0day vulnerabilities just to infect YOU, and ONLY YOU (a blanket attack on multiple, nonspecific, targets is usually trivial to discover through early warning means and also quite easy to protect against).
As odd as it may sound, there's safety in numbers. The garden variety trojan is not targeted. They don't care too much who they infect, their goal is not a specific target, their goal is to infect as many machines as possible, for various reasons, but no matter what the reason, it's better (for them) to infect many instead of a specific target. Phishing, botnets, they all need many, but not specific, machines.
This is not the case here. The target was very specific and I am actually quite sure that infecting anything else with this trojan would actually have been seen as a flaw in the whole operation.
I'd guess that the malware was installed specifically where it should strike, not in the usual "release and wait" way but targeted and planted. In other words, I'd guess it would have taken a physical person to be physically present to get this rolling.
This is nothing that would affect you, or any Joe Randomsurfer for that matter.
Re:Maybe we will know in the future. (Score:5, Interesting)
Not really.
It sounds like a much more professional attack than previously considered.
Varying speed by itself should have just sent yield to hell. Varying speed properly with the full knowledge of the centrifuge design and construction allows one to select resonating frequencies (which each centrifuge has) and keep it at those until it disintegrates. In my "previous life" doing biotech I have seen what happens when a rotor goes off balance at 50000 rpm. The effect is more or less similar to that of a hand grenade in a closed space.
Add to that the fact that a broken uranium enrichment centrifuge will leak UF6 all over the place which is highly toxic and corrosive and you have your perfect sabotage method.
There is one more question to be answered here which puts the final dots over the Is and crosses the last Ts. The people who have analysed the source so far in AV companies were malware professionals, not chemists or industrial automation experts. So they left one question open: does it try to determine the frequencies, or does it know them already? If it is the latter, this means that the attacker has managed to obtain the exact design of a centrifuge with the actual improvements used by Iran, so Iran's nuclear programme is way leakier than we thought and everyone and their dog has that centrifuge design now (with the actual improvements done by Iran after they got it from our "allies" in Pakistan). If it is the former, the same attack can be applied to all kinds of industrial automation equipment, and Siemens kit provides enough telemetry to run the attack. That is probably even scarier than the first possibility. Resonance is lovely stuff... Nothing can withstand it for a sufficiently long time.