Stuxnet Worm

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Stuxnet Worm

Post by Pigeon » Sat Apr 02, 2011 3:50 pm

A lot of info and comments about the Stuxnet worm can be found at these links. Excerpts here. It is targeting certain Programmable Logic Controllers used in process control in plants, etc.

Who is behind it?

Another piece of the puzzle:

New research, published late last week, has established that Stuxnet searches for frequency converter drives made by Fararo Paya of Iran and Vacon of Finland. In addition, Stuxnet is only interested in frequency converter drives that operate at very high speeds, between 807 Hz and 1210 Hz. The malware is designed to change the output frequencies of drives, and therefore the speed of associated motors, for short intervals over periods of months. This would effectively sabotage the operation of infected devices while creating intermittent problems that are that much harder to diagnose.

Low-harmonic frequency converter drives that operate at over 600 Hz are regulated for export in the US by the Nuclear Regulatory Commission as they can be used for uranium enrichment. They may have other applications but would certainly not be needed to run a conveyor belt at a factory, for example.

The threat of Stuxnet variants is being used to scare senators.
Me on Stuxnet. (excerpt in next quote)

http://www.schneier.com/blog/archives/2010/11/

Bruce Schneier

Here's what we do know: Stuxnet is an Internet worm that infects Windows computers. It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet. Once inside a network, it uses a variety of mechanisms to propagate to other machines within that network and gain privilege once it has infected those machines. These mechanisms include both known and patched vulnerabilities, and four "zero-day exploits": vulnerabilities that were unknown and unpatched when the worm was released. (All the infection vulnerabilities have since been patched.)

Stuxnet doesn't actually do anything on those infected Windows computers, because they're not the real target. What Stuxnet looks for is a particular model of Programmable Logic Controller (PLC) made by Siemens (the press often refers to these as SCADA systems, which is technically incorrect). These are small embedded industrial control systems that run all sorts of automated processes: on factory floors, in chemical plants, in oil refineries, at pipelines--and, yes, in nuclear power plants. These PLCs are often controlled by computers, and Stuxnet looks for Siemens SIMATIC WinCC/Step 7 controller software.

If it doesn't find one, it does nothing. If it does, it infects it using yet another unknown and unpatched vulnerability, this one in the controller software. Then it reads and changes particular bits of data in the controlled PLCs. It's impossible to predict the effects of this without knowing what the PLC is doing and how it is programmed, and that programming can be unique based on the application. But the changes are very specific, leading many to believe that Stuxnet is targeting a specific PLC, or a specific group of PLCs, performing a specific function in a specific location--and that Stuxnet's authors knew exactly what they were targeting.

more...

http://www.schneier.com/blog/archives/2010/11/

Is it the Israelis?

...

"We came to the conclusion that, for our purposes, a key Iranian vulnerability is in its on-line information," said one recently retired Israeli security cabinet member, using a generic term for digital networks. "We have acted accordingly."

Cyberwarfare teams nestle deep within Israel's spy agencies, which have rich experience in traditional sabotage techniques and are cloaked in official secrecy and censorship.

They can draw on the know-how of Israeli commercial firms that are among the world's hi-tech leaders and whose staff are often veterans of elite military intelligence computer units.

"To judge by my interaction with Israeli experts in various international forums, Israel can definitely be assumed to have advanced cyber-attack capabilities," said Scott Borg, director of the US Cyber Consequences Unit, which advises various Washington agencies on cyber security.
Technolytics Institute, an American consultancy, last year rated Israel the sixth-biggest "cyber warfare threat," after China, Russia, Iran, France and "extremist/terrorist groups."

The United States is in the process of setting up a "Cyber Command" to oversee Pentagon operations, though officials have described its mandate as protective, rather than offensive.

Asked to speculate about how Israel might target Iran, Borg said malware -- a commonly used abbreviation for "malicious software" -- could be inserted to corrupt, commandeer or crash the controls of sensitive sites like uranium enrichment plants.

'Cyberwar clandestine and deniable'

Such attacks could be immediate, he said. Or they might be latent, with the malware loitering unseen and awaiting an external trigger, or pre-set to strike automatically when the infected facility reaches a more critical level of activity.

As Iran's nuclear assets would probably be isolated from outside computers, hackers would be unable to access them directly, Borg said. Israeli agents would have to conceal the malware in software used by the Iranians or discreetly plant it on portable hardware brought in, unknowingly, by technicians.

"A contaminated USB stick would be enough," Borg said.
Ali Ashtari, an Iranian businessman executed as an Israeli spy last year, was convicted of supplying tainted communications equipment for one of Iran's secret military projects.

more...

http://www.ynetnews.com/articles/0,7...742960,00.html


Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: Stuxnet Worm

Post by Pigeon » Sat Apr 02, 2011 3:51 pm

From the Scare senators link...

Stuxnet, the first known weaponized software designed to destroy a specific industrial process, could soon be modified to target an array of industrial systems in the US and abroad, cyber experts told US senators Wednesday.

The Stuxnet malware, discovered this summer, was apparently designed to strike one target – Iran's nuclear-fuel centrifuge facilities, researchers now say. But Stuxnet's "digital warhead," they caution, could be copied and altered by others to wreak havoc on a much grander scale.
Variants of Stuxnet could target a host of critical infrastructure, from the power grid and water supplies to transportation systems, four cybersecurity experts told the Senate Committee on Homeland Security and Governmental Affairs.

...

Stuxnet infiltrated and targeted an industrial control system software that is widely used in US infrastructure and industry, meaning the nation is vulnerable to future Stuxnet-like attacks, he said. "While we do not know which process was the intended target [of Stuxnet], it is important to note that the combination of Windows operating software and Siemens hardware can be used in control systems across critical infrastructure sectors – from automobile assembly lines to mixing baby formula to processing chemicals," said Mr. McGurk.

As of last week, 44,000 computers worldwide were still infected with the Stuxnet worm – including 1,600 in the US, said Dean Turner, head of global intelligence for Symantec Corp., the computer security firm that detailed Stuxnet's inner workings. Fifty of those US infections had worked their way from Windows operating systems into industrial control systems. It's not publicly known who created Stuxnet.

more...

http://www.csmonitor.com/USA/2010/11...-senators-told


Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: Stuxnet Worm

Post by Pigeon » Sat Apr 02, 2011 3:58 pm

This long New York Times article includes some interesting revelations. The article claims that Stuxnet was a joint Israeli-American project, and that its effectiveness was tested on live equipment: "Behind Dimona's barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran's at Natanz, where Iranian scientists are struggling to enrich uranium."

The worm itself now appears to have included two major components. One was designed to send Iran's nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

http://graphics8.nytimes.com/packages/p ... e/NSTB.pdf

http://www.schneier.com/blog/archive...tuxnet_ne.html
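
The record-and-playback trick described in the excerpt above suggests one defensive check, shown here as an added example that is not from the posts or the linked articles: live sensor telemetry carries noise, so a long run of readings that reappears verbatim is a sign of replayed data. The function names, the window size and the sample frequency values are assumptions constructed for illustration.

```python
from typing import Dict, List, Tuple

def find_replayed_windows(readings: List[float], window: int = 6) -> List[Tuple[int, int]]:
    """Return (original_start, replay_start) for each run of `window`
    consecutive readings that reappears verbatim later in the series."""
    seen: Dict[Tuple[float, ...], int] = {}
    hits: List[Tuple[int, int]] = []
    for start in range(len(readings) - window + 1):
        key = tuple(readings[start:start + window])
        if len(set(key)) == 1:
            continue  # flat signal: needs a separate stuck-value check
        first = seen.setdefault(key, start)
        if start - first >= window:  # skip self and overlapping matches
            hits.append((first, start))
    return hits

def replay_spans(readings: List[float], window: int = 6) -> List[Tuple[int, int, int]]:
    """Merge adjacent window hits into (original_start, replay_start, length)."""
    spans: List[Tuple[int, int, int]] = []
    for first, start in find_replayed_windows(readings, window):
        if spans:
            o, r, n = spans[-1]
            if first == o + n - window + 1 and start == r + n - window + 1:
                spans[-1] = (o, r, n + 1)  # same replay, one sample longer
                continue
        spans.append((first, start, window))
    return spans

# Constructed sample data (Hz), not measurements from any real plant.
# Exact matching only catches verbatim playback; a replay with added
# noise would need a correlation-based comparison instead.
LIVE = [1063.8, 1064.2, 1064.1, 1063.9, 1064.4,
        1063.7, 1064.0, 1064.3, 1063.6, 1064.5]
TAIL = [1064.15, 1063.95]
CLEAN = LIVE + TAIL            # ordinary noisy telemetry
REPLAYED = LIVE + TAIL + LIVE  # the first ten samples played back

if __name__ == "__main__":
    for name, series in (("clean", CLEAN), ("replayed", REPLAYED)):
        print(name, replay_spans(series))
```
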


Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: Stuxnet Worm

Post by Pigeon » Mon Apr 18, 2011 10:15 pm

Iran's 2 cents.

Iran Says Siemens Helped US, Israel Build Stuxnet

Iran's Brigadier General, Gholam Reza Jalali, accused Siemens on Saturday of helping US and Israeli teams craft the Stuxnet worm that attacked his country's nuclear facilities. 'Siemens should explain why and how it provided the enemies with the information about the codes of the SCADA software and prepared the ground for a cyber attack against us,' Jalali told the Islamic Republic News Service. Siemens did not reply to a request for comment on Jalali's accusations. Stuxnet, which first came to light in June 2010 but hit Iranian targets in several waves starting the year before, has been extensively analyzed by security researchers. Symantec and Langner Communications say Stuxnet was designed to infiltrate Iran's nuclear enrichment program, hide in the Iranian SCADA (supervisory control and data acquisition) control systems that operate its plants, then force gas centrifuge motors to spin at unsafe speeds. Jalali suggested that Iranian officials would pursue Siemens in the courts, and claimed that Iranian researchers traced the attack to Israel and the US. He said information from infected systems was sent to computers in Texas.

Link

Throw some blame at Siemens, the equipment manufacturer, and state the data got sent to Texas. Is this Anarch roving report.

Egg
Posts: 8628
Joined: Thu Mar 31, 2011 5:31 pm
Location: In Your Bedroom. Hi! :D

Re: Stuxnet Worm

Post by Egg » Mon Apr 18, 2011 10:21 pm

Two things:
1. on a purely imaginative level, how cool is it that some spy probably made his way into the nuclear facility and popped a usb drive into the computer to pull this off;

2. as for what scares the senators - I've been thinking the same thing. This is a Pandora's box. Sometime in the future it can be seen to have been nothing more than a Pyrrhic victory.


MrPenny
Posts: 722
Joined: Mon Apr 04, 2011 1:10 pm

Re: Stuxnet Worm

Post by MrPenny » Mon Apr 18, 2011 10:53 pm

Egg wrote:1. on a purely imaginative level, how cool is it that some spy probably made his way into the nuclear facility and popped a usb drive into the computer to pull this off;
Probably didn't need even that much skullduggery.....invite a few engineers to a "seminar" and pass out promotional USB drives pre-loaded with the payload. Or a visitor to a more open facility "loses" a couple of USB drives in the lobby or cafeteria.....what's one of the first things a person does when they find one of these things? Yup, plug it into a computer to see what kind of "good stuff" is on it.....and voila, the payload is delivered.

Egg
Posts: 8628
Joined: Thu Mar 31, 2011 5:31 pm
Location: In Your Bedroom. Hi! :D

Re: Stuxnet Worm

Post by Egg » Mon Apr 18, 2011 10:57 pm

MrPenny wrote:
Egg wrote:1. on a purely imaginative level, how cool is it that some spy probably made his way into the nuclear facility and popped a usb drive into the computer to pull this off;
Probably didn't need even that much skullduggery.....invite a few engineers to a "seminar" and pass out promotional USB drives pre-loaded with the payload. Or a visitor to a more open facility "loses" a couple of USB drives in the lobby or cafeteria.....what's one of the first things a person does when they find one of these things? Yup, plug it into a computer to see what kind of "good stuff" is on it.....and voila, the payload is delivered.
Excellent point. You're probably right - most of this stuff usually comes down to pretty commonplace occurrences for the big event to happen. A lot smarter than risking someone's life, too.
All that training costs money.


MrPenny
Posts: 722
Joined: Mon Apr 04, 2011 1:10 pm

Re: Stuxnet Worm

Post by MrPenny » Mon Apr 18, 2011 11:04 pm

Those are a couple of the classic ways of introducing malicious software in a fairly targeted way......just leave a couple of 'em salted around the premises and take advantage of human behavior......social engineering in a way.

Egg
Posts: 8628
Joined: Thu Mar 31, 2011 5:31 pm
Location: In Your Bedroom. Hi! :D

Re: Stuxnet Worm

Post by Egg » Mon Apr 18, 2011 11:12 pm

MrPenny wrote:Those are a couple of the classic ways of introducing malicious software in a fairly targeted way......just leave a couple of 'em salted around the premises and take advantage of human behavior......social engineering in a way.
Yeah, using people's natural tendencies against them. Makes sense.


lkwalker
Posts: 6429
Joined: Mon Apr 04, 2011 8:20 pm
Location: Boycotteverything

Re: Stuxnet Worm

Post by lkwalker » Tue Apr 19, 2011 3:11 am

It's known that the stux was introduced into the systems by a Russian technician working on the project. That's the reason that Russia called all of its techs home as soon as the worm was discovered. This may have been either intentional or accidental. My guess is that it was done intentionally.
"If you don't think too good, don't think too much." Yogi
