Researcher Offers New Perspective On Stuxnet-Wielding Sabotage Program

An anonymous reader writes with this excerpt from Help Net Security: "Stuxnet, the malware that rocket the security world and the first recorded cyber weapon, has an older and more complex 'sibling' that was also aimed at disrupting the functioning of Iran's uranium enrichment facility at Natanz, but whose modus operandi was different. The claim was made by well-known German control system security expert and consultant Ralph Langner, who has been analyzing Stuxnet since the moment its existence was first discovered. He pointed out that in order to known how to secure industrial control systems, we need to know what actually happened, and in order to do that, we need to understand all the layers of the attack (IT, ICS, and physical), and be acquainted with the actual situation of all these layers as they were at the time of the attack."

Rocket the security world?

[digitalPhant0m]

Stuxnet, the malware that rocket

I didn't know it was airborne.

Re:

[NatasRevol]

Only way to get across the air gap.

Re:

[slashmydots]

Stuxnet, Skynet, what's the difference?

Re:

[a-zarkon!]

Stuxnet prevents a nuclear exchange, Skynet initiates one.

Re:"the first recorded cyber weapon"

[kbg]

But it is actually a cyber weapon. Instead of bombing the facility with conventional weapons it used software to sabotage the facility. Stuxnet was specially designed to be an actual cyber weapon.

Grammar nazis overload

[Anonymous Coward]

A grammar nazi dies everytime someone reads TFS

Re:

[HornWumpus]

Dats goodly!

Re:

[NoNonAlphaCharsHere]

Don't kid yourself, "Stuxnet, the malware that rocket the security world" would kill a grammar Boy Scout.

grammar

[sect0r0]

Was this put through Google translator? I almost choked on my lunch trying to reach through this.

Re:

[NatasRevol]

Looks like a sector0 error.

Proof read?

[Anonymous Coward]

They should proof read these posts. It's been bad lately. Good subjects, just makes it hard to read. the malware that "rocket" -> "rocked"

Re:Proof read?

[Zontar_Thing_From_Ve]

They should proof read these posts. It's been bad lately. Good subjects, just makes it hard to read. the malware that "rocket" -> "rocked"

You have a good point, but at least it's better than all those people who can't read properly and post articles in a panic saying "This article says X!" when in fact the article says "not X". We can figure out that "rocket" is a bad word choice and get around that but it really sucks when people claim and article says the exact opposite of what it really says because then we get tons of comments about how bad X is and how they can't believe that someone would actually do that and then a few posts follow up (and mostly get ignored) telling people to actually read the article where it is actually against X, so the submitter blew it. It seems to me that quite often about 90% of the posters never read the article in the links, so when the idiot submitter misrepresents what he submitted, that becomes what the article is about in the minds of most people here.

Re:

[jiadran]

Well, the document (from which TFS is extracted) was written by a non-native English speaker (Ralph Langner, who is German). Interestingly, I note that as a non-native English speaker myself I make a number of mistakes that Americans find particularly annoying (this post is probably full of them), while at the same time I have difficulties reading comments with typical American mistakes (theirs / there's, then / than, he's / his, etc.). I think that native-English speakers rely more on how it sounds, while

Re:

[Decker-Mage]

Wow. Jabberwocky on serious steroids. Perhaps we need a +/-1 Inscrutable here!

Wow.

[Chas]

Hyperbole AND bad grasp of grammar!

Really wants to make me keep reading...

*Austin Powers* Really?

*Doctor Evil* No. Not really.

Interesting quote

[cold fjord]

“Stuxnet is a low-yield weapon with the overall intention to reduce the lifetime of Iran’s centrifuges and make their fancy control systems appear beyond their understanding,” he says, and estimates that the Stuxnet set back the Iranian nuclear program by over two years.

Interesting description - "low-yield"

That is a rather different take on it given the uproar over it.

Re: Interesting quote

[semi-extrinsic]

Well, what would you say high yield is? I can't bring myself to call a US cyber weapon "high yield" unless it destroys or disables infrastructure on a large cale. Bonus points for egg on faces in Riyadh.

The reason it has gotten so much attention is the same reason the F117 got a huge amount of press even though it's practically useless.

Re:

[Anonymous Coward]

I do think the F117 was highly effective in taking out lots of strategic targets in Iraq. Pilots tend to be more precise when they know the SA-5 missiles cannot hit them. Actually, it was the most effective air weapons system until the Iraqi integrated air defence system had been destroyed. And that was done in no small part by the F117s.

Re:

[semi-extrinsic]

F117s were used in Bosnia as well. One was shot down there. That conflict was decided by our air power.

It's "useless" to the GP because the GP has a worldview where all US weapon systems are useless, developed for the wrong reasons and used illegitimately in all cases to further our racial and economic imperialism, the military industrial complex, corporate hegemony and all the other crimes of 'murica.

Obviously.

+1 Funny.

Seriously though, the F117 is useless because it was supposed to be a fighter jet. It may be an alright strategic bomber in scenarios where the enemy has much lower capabilities than you do (Iraq, Panama, Bosnia), but so is a B1-B or a B52 for that sake. And as you say, the Serbs managed to shoot down an F117 with the SA-3 and low frequency radar, so "knowing SA-5 missiles cannot hit them" seems a bit overconfident. The reason they were so effective in Iraq is that the Gulf war was won psycholog

Re:

[plover]

High yield would have been if it had destroyed the Busheshr reactor, as has been speculated one of the stuxnet payloads would do. The attack was supposed to open the steam valves on the main turbine shaft, while the temperature, pressure, and RPM sensors would continue to play back a recorded loop of pre-attack readings to disguise the failure.

It would have been a spectacular disaster. Running a 75 foot turbine shaft at wide-open full steam was predicted to be able to cause an explosion as large as a 1 ton

Re:

[Forever Wondering]

I think "low yield" was referring to the nature of the over-pressure attack (vs. the rotor speed attack). Or, that things could have been orchestrated to damage/disable all centrifuges at one time [which would have been detected] instead of just increasing the failure rate [which, as Langner pointed out, would confuse/confound the Iranian engineers].

Langner talks a lot about avoiding detection circa 2007 but that being less of a concern in 2009 [e.g. "now that the program has achieved its objectives, let's

Stuxnet, the Chernobyl of the 21st Century waiting

[__aasehi2499]

to happen.

Re:

[cold fjord]

The choice regarding Iran may be between one new Chernobyl versus one or more new Hiroshimas. I doubt Iran will settle for less.

Re:

[Anonymous Coward]

This is probably the most ignorant post I have read on Slashdot in quite a while. How tall of a wall should they build to stop the Palestinians from launching rockets over it? How deep should it go to stop them from tunneling under it? Do you seriously think it is the Israelis who are perpetuating the violence?

You ask why Israel can't ask Iran to set down at a peace conference, when Iran funds terrorists to attack Israel? When Iran has stated that Israel must be destroyed? When Iran refused to even rec

We dont' need to know everything

[jbmartin6]

in order to known how to secure industrial control systems, we need to know what actually happened

False, we don't need to know everything bad that ever happened in order to secure a system.

Change of tactics

[jiadran]

I know I shouldn't have, but I read the whole document and it's really interesting. Langner thinks that the tactics (and probably the team as well) changed over time. Based on his observations I propose the following (conspiracy) theory:

The attacks on the enrichment plants have been going on much longer than anyone so far claims, maybe since the beginning. That's why Iran's progress was so much slower than what the Pakistany managed to do (the first generation centrifigues are supposedly extremely tricky). Instead of discovering the initial attack (described in the document), the Iranian's compensated for the seemingly random problems by including additional control measures not present in the design from Pakistan: shut-off valves to quickly isolate a malfunctioning centrifuge and over-pressure valves. It took them ten years instead of the two years of the Pakistany, but they still managed to get enrichement started. Maybe with their added failure-tolerant design the original attacks didn't work anymore, or there was a leadership change (as Langner speculates). Maybe the Iranian's suspected something and changed procedures also for contractors and workers (Langner thinks that the initial attack was with direct access to the system while the later attack had to somehow find a way in). Maybe then the initial team was the Israelis who wanted to remain hidden, and when their approach didn't work anymore they asked the Americans for help who used the NSA's attack library for a way accros the air gap. The Americans would probably also be less worried about remaining hidden and maybe actively wanted to send a message.

Altought admittely pure speculation, I think this scenario fits the known facts and observations. I'm curious to see what you think of this ;-)

Captured drone

[minstrelmike]

Remember that captured drone in Iran?
What if someone had 'accidentally' left a click drive on it?
The Iranian researchers would probably send it to their most secure facility in order to study it.
That's one way around a secure air gap ;-)