Stuxnet is a worm that has infiltrated over 100,000 computers over the last two years. It’s incredibly complex and required thousands upon thousands of programming hours as well as intimate knowledge of many classified systems. One hacker didn’t do this. Its sole purpose, it seems, was to attack the Iranian Bushehr power plant and the Natanz uranium enrichment plant.
And this is where the coolness comes in.
Natanz is completely unplugged from the outside world, so someone must have switched flash drives with a scientist or had a drive become infected in Tehran. Once in the facility it waited for weeks while it ‘learned’ about the Siemens uranium enrichment centrifuges. When ready, it began changing the speeds of the centrifuges far past their safety boundaries, then jamming the brakes on them, burning out the bearings and crashing the centrifuges. Once they were destroyed, the program would send the scientists a message saying everything was fine and then delete itself.
For months the Iranian government has been wondering what the hell is going on and began putting the screws to the scientists themselves, alleging espionage.
World governments are worried that this could spread to their own power plants, but I doubt it. This took a lot of effort, a lot of knowledge, and was incredibly specific in its target. I smell Western World covert cooperation.
*Certainly not the best cite, but there are plenty more.
Beats blowing the crap out of them, I suppose. It was a pretty cool piece of espionage. Probably a bonus that the Iranians (peace be upon them) are torturing their own nuclear scientists to try to figure out whodunnit. We’ll probably never really know which nation (or private concern) really did it. Which might be a good thing.
I’ve been slowly reading through Symantec’s analysis of the worm. (Link is to a PDF)
It truly is a sophisticated piece of software. It uses multiple exploits (including previously unknown ones), multiple vectors for infection, and can be updated remotely. The updated copy then looks around for other versions of itself and updates them, too, so updates can propagate on their own after the initial update. It also uses multiple valid authentication certificates that were presumably stolen. And, of course, it uses rootkit tricks to hide itself.
There are little hints in the code that might point to Israeli involvement.
Stuxnet uses a driver file that has been signed with a Realtek certificate. This driver file still contains a tantalizing path name: “b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb”
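The path quoted above is the kind of artifact an analyst pulls out of a signed driver: the linker leaves a CodeView “RSDS” debug record in the PE file that holds a GUID, an “age” counter and the NUL-terminated path of the PDB file. The following is an added example, not code from the Symantec report or from the worm, showing how to carve such records out of raw bytes. The GUID, age and the surrounding bytes are constructed here; only the path string is taken from the post above.

```python
"""Carve CodeView 'RSDS' debug records (GUID, age, PDB path) out of a binary blob.

Added example for this thread, not part of the original post or of any real tool.
The sample bytes below are constructed to mimic a PE debug record; only the PDB
path is the one quoted from the Stuxnet driver.
"""
import re
import struct
import uuid
from dataclasses import dataclass
from typing import List

RSDS_MAGIC = b"RSDS"
_HEADER = struct.Struct("<16sI")  # GUID (16 bytes) + age (uint32), then the path


@dataclass
class PdbRecord:
    offset: int      # where the 'RSDS' magic sits in the blob
    guid: str        # build GUID as text, e.g. to match against other samples
    age: int         # incremented each time the PDB is rewritten by the linker
    pdb_path: str    # full build-machine path left behind by the linker


def carve_pdb_records(blob: bytes, max_path: int = 260) -> List[PdbRecord]:
    """Return every plausible RSDS record found in `blob`, in file order."""
    records: List[PdbRecord] = []
    for m in re.finditer(re.escape(RSDS_MAGIC), blob):
        start = m.end()
        if start + _HEADER.size > len(blob):
            continue  # truncated: not enough bytes for GUID + age
        raw_guid, age = _HEADER.unpack_from(blob, start)
        path_start = start + _HEADER.size
        end = blob.find(b"\x00", path_start, path_start + max_path + 1)
        if end == -1:
            continue  # no terminator within a plausible Windows path length
        path = blob[path_start:end]
        # Real PDB paths are printable ASCII and end in '.pdb'; this filters out
        # random occurrences of the four magic bytes elsewhere in the file.
        if not path or not all(0x20 <= b < 0x7F for b in path):
            continue
        if not path.lower().endswith(b".pdb"):
            continue
        guid = str(uuid.UUID(bytes_le=raw_guid))  # PE stores the GUID little-endian
        records.append(PdbRecord(m.start(), guid, age, path.decode("ascii")))
    return records


# --- constructed sample -------------------------------------------------------
STUXNET_PDB_PATH = rb"b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb"  # from the post
_SAMPLE_GUID = uuid.UUID("0123abcd-4567-89ef-0123-456789abcdef")     # made up

SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60                            # fake PE-ish preamble
    + b"RSDS" + b"\x01" * 16 + struct.pack("<I", 7) + b"\xff\xfe\x00"  # decoy: non-printable path
    + b"\x00" * 16
    + RSDS_MAGIC + _HEADER.pack(_SAMPLE_GUID.bytes_le, 1) + STUXNET_PDB_PATH + b"\x00"
    + b"\x00" * 8
    + b"RSDS"                                               # decoy: truncated at end of file
)


if __name__ == "__main__":
    for rec in carve_pdb_records(SAMPLE_BLOB):
        print(f"@0x{rec.offset:x} guid={rec.guid} age={rec.age} pdb={rec.pdb_path}")
```

A plain `strings` run would surface the path too; the point of parsing the record is the GUID and age next to it, which let you tell whether two samples (for instance, the different versions the post above says the worm updates itself to) were built from the same project, without relying on the path alone. On a real driver you would first locate the debug directory from the PE headers rather than scanning the whole file, but the carving approach also works on memory dumps where the headers are gone.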
Call me old-fashioned, but perhaps the fact that this attack was non-physical in nature does nothing to justify it. The world would be a far better place if the concepts of sovereignty and non-interference were given the respect that they deserve. Personally, I strongly condemn this unprovoked act of sabotage against a peaceful nation.
Well sure…but then you condemned the South Koreans for the temerity of having their citizens blown apart by the peaceful artillery blasts of the good workers and peasants of the North, so perhaps you aren’t the most unbiased judge of this. Personally, I think an outcome that doesn’t cost any (or many at least) lives and prevents or at least delays a rogue state (or, in your terms ‘a peaceful nation’) from acquiring nuclear weapons that would give them a virtual shield to do whatever they want in the region is a very good one, considering the two alternatives I see as probable (namely, we do nothing, and Iran gets nuclear weapons…to be sure, for only peaceful reasons…or, Israel or the US/EU bombs the crap out of their nuclear infrastructure to try and achieve the same results).
So is this a military-type attack? Let’s say it takes the Iranians just as long and just as much money to get things up and running as it would to rebuild a facility destroyed by bombs (no people were killed or hurt).
For the sake of argument, let’s say country X’s Government admitted to doing this, what’s an appropriate response?
No, it was a cyber attack. Dropping bombs and killing people is clearly a military action, and may or may not cause a war. A cyber attack is much more of a gray area. For instance, someone (probably the Chinese) attacked the Pentagon’s systems and caused quite a bit of damage and probably acquired quite a bit of sensitive materials.
Doubtful, but ok.
I’d say the appropriate response would be to pay their IT and cyber security gurus more money, or hire better ones, and then do an independent audit using an outside consultant to try various ways to hack in, and to update their security on a continuous basis. What? You think the ‘appropriate response’ should be war? Or reparations? Does that mean we should bomb the crap out of China (or whoever did it)? Or should we ask them for reparations to fix what they broke and return what they stole? What if they say no?
Personally, I think the ‘appropriate response’ from Iran should be to stop trying to build nuclear weapons in the face of nearly unified international disapproval and in light of the fact that they signed the NNPT. I also think they should give up supporting external terrorist organizations, open up their country to a more representative or at least less totalitarian form of government and rejoin the international community as an open and participating member, but that’s just me…
The success of this malware was due to nobody looking for it. We may find out some day who created it, but it clearly required knowledge of the industrial application and centrifuge hardware, not just the OS and CPU. As has been noted, it was probably introduced through a memory stick or other device inadvertently used, or by an infiltrator into the Iranian facility.
I’m curious about the idea that it has found its way into 100,000 computers worldwide, unless that was part of a strategy to cover up its source, or prevent detection (by keeping the Iranians from finding an uninfected system to examine). It may have been simpler if the Iranians were getting their software from a collaborating user somewhere else. Then a less secure party could have been infected, and provided the vector to Iran.
Like all such software, it’s easy to protect against if you have an established way of checking the system for unknown software and data, and have the means of reloading the system in case infection occurs.
While I applaud the effort to e-attack Iran in some senses, it is likely to increase efforts for e-weapons by all parties. And the US is probably more vulnerable to such attacks than everyone else because we depend on so much computer technology.
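The “established way of checking the system for unknown software and data” in the comment above is, in practice, a hash manifest taken from a known-good install and compared against the live system. The following is an added example, not something from the original comment or from any product: it builds a SHA-256 manifest of a directory tree, then simulates an infection (one new driver file, one patched executable) in a temporary directory and reports what changed. The file names and contents are constructed for the demo.

```python
"""Baseline a directory tree by SHA-256 and report new, changed and missing files.

Added example for this thread, not a tool from the original post. The tree and
the simulated 'infection' are constructed inside a temporary directory so the
script runs offline; the file names are made up.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

Manifest = Dict[str, str]  # relative POSIX path -> sha256 hex digest


def hash_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Manifest:
    """Hash every regular file under `root`; symlinks are skipped on purpose."""
    manifest: Manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def diff_manifests(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a clean tree, then drop in a new driver and patch an exe."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "drivers" / "known.sys").write_bytes(b"legitimate driver bytes")
        (root / "app.exe").write_bytes(b"legitimate application bytes")
        (root / "readme.txt").write_text("unchanged file\n")

        baseline = build_manifest(root)  # in real use: taken from a clean install, stored off-host

        # Simulated infection: a driver the baseline has never seen, and a patched executable.
        (root / "drivers" / "unknown.sys").write_bytes(b"hypothetical dropped driver")
        (root / "app.exe").write_bytes(b"legitimate application bytes" + b"\x90\x90")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Two caveats a practitioner would add. The baseline has to live somewhere the target cannot write, or an intruder that gains admin simply re-baselines. And since the worm in question uses rootkit tricks to hide its files, a scan run from inside the possibly-infected OS can be lied to; the check is trustworthy only when run from clean boot media against the mounted disk, which is also the position from which you would do the reload the comment mentions.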
The problem is that your argument is based on an unsupported assumption: namely, that Iran is trying to develop nuclear weapons. Despite the fact that the West has been shrilly insisting that the Islamic Republic is in fact pursuing this goal, there is nothing to indicate that it is true. In fact, given the fact that the very same nations said the very same thing about Iraq in very recent years, I may be forgiven for being slightly skeptical of these allegations.
As things currently stand, the West has not introduced any proof for its assertions. Thus, the attack in question was likely directed against a peaceful civilian nuclear energy program. If such an attack was launched on the US or Israeli electricity production facilities, you can bet that there would be hysterical outrage about “state-sponsored terrorism.” There is no reason to treat this unprovoked attack against Iran any differently.
Iran doesn’t have to be developing nuclear weapons or have an intention to. What they’ve done is give themselves the ability to do so very easily, and rejected any means of allowing the rest of the world to verify that they aren’t making weapons. If you see someone loading bullets into a clip, you don’t assume they have no bad intentions until they load the clip and point the gun at you. Especially if they have a history of killing people, and have called for your death.
Actually, it took advantage of the Siemens control system. Now, AFAIK, control systems are not usually hacked, nor are they written to be as bulletproof as possible security-wise. Pretty ingenious.
Commisar, maybe you should try living in a nominally communist country and then report back? I lived in China for 20+ years, including when it was pretty much a communist country. I’d be interested in your before and after thoughts on communist paradise.
Thanks for posting that. That is incredible. What happens when other hackers use this worm as a template to wreak havoc on your computer? I think this event foreshadows a new era of truly sophisticated worms.
Iran a peaceful nation? That just isn’t plausible. Just because they do not start conventional wars (which they don’t) doesn’t mean that they don’t sponsor terrorism: there is a lot of evidence that they do. They also talk like they are trying to start a war, probably to foment terror in their own country to hang on to power.
All said and done, the probable authors of the worm were US and/or Israel. Better than a hot war and it certainly is opening the eyes of security interests around the world to what can happen. Lots of monetary damage, and the only people hurt/killed were the Iranian scientists that the government retaliated against. Not nice, but hey, they were building nukes (probably) to drop on civilians. Karma’s a bitch, ain’t she?
I would accept this argument if it had universal applicability. But do you suppose that Iranian agents will be allowed into the US and Israel to keep an eye on what they’re doing? For example, assume that Iran is concerned that these two nations are developing chemical weapons in contravention of international treaties. Can the agents barge in and demand to inspect the suspect facilities? If their entry is refused, are they justified in employing cyber warfare? How about launching actual military strikes?
And, if you answer “no” to these questions, why should Iran have to submit to unequal treatment?
That is an extremely bad analogy; unlike nuclear power, guns have no non-violent applications. Rather, you can view it as an axe - a tool that can be used for either mayhem or mundane everyday tasks. If you see someone with an axe in the woods, you may become wary of their intentions, but you should probably hold off on shooting them dead. They may just be there to chop some firewood.
I don’t argue that the US or any other nation should be exempt from the same rules. I am arguing against your contention that we have no reason to be concerned about Iran developing nuclear capability because they haven’t (to our knowledge) built a nuclear weapon yet.
Nonsense, a gun can be used for target shooting, or to kill a rabid animal. If I see a game warden loading a gun in the woods, I’d be cautious, but wouldn’t assume he is out to kill me. If I see a guy who has openly expressed a desire to see myself and others killed, I will not wait for him to load the gun and point it at me.