It’s possible, but more likely they had someone on the inside who was able to plant the virus, or plant the virus in a software update via the Russian group helping the Iranians with their program.
Even if it was, the program was very, very sophisticated (apparently) and only activated with the right software/hardware configuration.
I’ve seen different things on how specifically the virus was targeted. Some articles make it sound like it would work on one targeted location and nowhere else, others make it sound like it was very specifically tailored to the one model of controller, but that anyone with that model of controller is vulnerable. I can’t really find anything that says explicitly that it won’t affect other systems though.
From what I understand, while anyone could be using the fairly specific computer configurations stuxnet looks for, the actual data that it looks for and modifies would be unique to the target site and the result of custom written software for controlling… whatever.
And you, obviously, don’t know a thing about how this works or how it was deployed. India and Indonesia were similarly affected by stux. It’s probably safe to guess that some NATO countries were hit, as well, but are not disclosing it because of the SCADA implications. We’re talking about print spooler compromise - a commonly overlooked attack vector.
The Wired article pretty heavily suggested it was, and Iran confirmed yesterday that they were affected (edit: no they didn’t? I can’t find the article, I must’ve misunderstood).
It looks like it spread via a contractor’s equipment. The secondary hits (outside Iran) have mostly been in locations where that contractor also worked after their work in Iran was done.
Malware for a PC is old hat. Malware for a nuclear plant? That’s just scary. You can bet your sweet ass that somewhere in Washington, an IT Director is facing the gauntlet.
Yes, somebody didn’t do their job well. What’s overblown is the fear of disaster now that the problem is known. This is one of the reasons I am wary of the proliferation of nuclear power plants. You can’t rely on people maintaining the standards called for in the allegedly safe designs. But once the malware is detected, removing it shouldn’t be that difficult. It wouldn’t surprise me if Iran is operating above their level of competence, and I’d be happy to see their power plants self-destruct. But once detected, removal of malware should not be a serious problem.
It is just software. If you can’t deal with deliberately planted malware, you are just as vulnerable to any accidental glitch in the system.
(Quote snipped)
Strictly speaking, these weren’t 0-day exploits. They were acknowledged almost a year ago (January, if I recall correctly). I’m amazed at how whiz-bang people are considering this thing; it’s a shotgun blast of mediocre exploits that caught some folks with their pants down.
I don’t think I’m following your logic on this one. The vulnerabilities that were exploited required patches from Microsoft and Siemens, what do you think they could have done with respect to “system hardening” to prevent this?
The two privilege escalations were not previously published anywhere. Note the dates on the advisories: Sept 14th. I know the shortcut link exploit was used and that was recently patched, but this worm predates the patch for this, so when this worm was in the wild it was zero-day. It’s coincidental that someone reported the shortcut flaw to MS. I’m not sure about the fourth exploit.
Firmware is just software recorded in chips. If it can be changed, it can be unchanged. Numerous reports of malware have turned out be bugs, or corrupted software. Just as with actual viruses, worms, and other creative names for software you don’t want, any critical system should be restorable to a known state.
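The post above argues that any critical system should be restorable to a known state. One defender-side building block for that is an integrity baseline: hash every file that makes up the controller software and configuration, store the manifest offline, and diff the live system against it before trusting it. The following is an added example written for this thread, not code from any poster or from Stuxnet analysis; the directory layout and file names (`firmware/ctrl.bin`, `config/main.cfg`, and so on) are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large firmware images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline, current):
    """Report what changed between a stored baseline manifest and the live tree."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(
            name for name in base_keys & cur_keys if baseline[name] != current[name]
        ),
    }


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, then diff.

    Returns the comparison result so it can be checked programmatically.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "firmware").mkdir()
        (root / "config").mkdir()
        (root / "firmware" / "ctrl.bin").write_bytes(b"\x00\x01known-good-image")
        (root / "config" / "main.cfg").write_text("setpoint=100\n")
        (root / "config" / "old.cfg").write_text("legacy=1\n")

        baseline = build_manifest(root)  # this is what you would store offline

        # Simulated tampering: firmware replaced, a config removed, a new file dropped.
        (root / "firmware" / "ctrl.bin").write_bytes(b"\x00\x01modified-image")
        (root / "config" / "old.cfg").unlink()
        (root / "logs").mkdir()
        (root / "logs" / "new.bin").write_bytes(b"unexpected")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The manifest has to be produced from a trusted image and kept somewhere the running system cannot rewrite; a baseline stored on the same host is only as trustworthy as that host.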
Sure. Of course, if the malware is designed to do something like “When the operator requests an increase in coolant flow, actually decrease the flow and suppress the alarms,” restoring the software to a known state may not help as much as you’d like.
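The reply above makes the point that if the control software lies about what it is doing and hides the alarm, restoring that software later does not undo the damage. The usual defensive answer is an independent monitor: a check that compares what the operator commanded, what the control software reports, and what a sensor outside that software's reach actually measures, and that raises its own alarm when they disagree. Below is an added example of that plausibility check, written for this thread rather than taken from any poster; the coolant-flow readings, the 10% tolerance and the sample records are all constructed.

```python
from dataclasses import dataclass

TOLERANCE = 0.10  # constructed: flag deviations above 10% of the reference value


@dataclass
class Sample:
    t: int               # time step
    setpoint: float      # what the operator commanded through the HMI
    hmi_reported: float  # what the (possibly compromised) control software displays
    independent: float   # reading from a sensor the control software cannot modify
    alarm_active: bool   # whether the HMI currently shows an alarm


def deviation(reference, actual):
    """Relative deviation of actual from reference (reference must be non-zero)."""
    return abs(actual - reference) / abs(reference)


def check_sample(s):
    """Return plausibility findings for one sample; empty list means consistent."""
    findings = []

    # 1. Does the independently measured flow actually follow the operator's command?
    dev = deviation(s.setpoint, s.independent)
    if dev > TOLERANCE:
        findings.append(
            f"t={s.t}: independent flow {s.independent:.0f} deviates "
            f"{dev:.0%} from setpoint {s.setpoint:.0f}"
        )
        # 2. A real deviation with no alarm is the scenario from the post above.
        if not s.alarm_active:
            findings.append(
                f"t={s.t}: deviation present but HMI shows no alarm "
                f"(possible alarm suppression)"
            )

    # 3. Does the control software's own telemetry agree with the independent sensor?
    if deviation(s.independent, s.hmi_reported) > TOLERANCE:
        findings.append(
            f"t={s.t}: HMI reports {s.hmi_reported:.0f} but independent sensor "
            f"reads {s.independent:.0f} (possible falsified telemetry)"
        )
    return findings


def audit(samples):
    """Run the check over a sequence of samples and collect every finding."""
    return [finding for s in samples for finding in check_sample(s)]


# Constructed sequence: steady state, then the operator raises the setpoint.
# At t=1 the control software claims to have complied and shows no alarm,
# but the independent sensor says flow actually dropped. At t=3 a genuine,
# honestly reported fault occurs with the alarm raised as it should be.
SAMPLES = [
    Sample(t=0, setpoint=100, hmi_reported=100, independent=100, alarm_active=False),
    Sample(t=1, setpoint=120, hmi_reported=120, independent=85, alarm_active=False),
    Sample(t=2, setpoint=120, hmi_reported=120, independent=118, alarm_active=False),
    Sample(t=3, setpoint=120, hmi_reported=95, independent=95, alarm_active=True),
]

if __name__ == "__main__":
    for line in audit(SAMPLES):
        print(line)
```

The point of the design is that the monitor trusts nothing the control software says: it gets the setpoint from the operator's side, the measurement from a separate sensor path, and only uses the HMI's values to detect disagreement. The t=3 record shows why that matters; an honest fault produces one finding and an alarm, while the t=1 record produces three findings precisely because the software's story and the physical reading diverge.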
A couple of posts suggest an inside person with a flash drive. I’d be more likely to believe a social engineering vector. I can’t find it, but about two years ago I read an article where, as a demonstration, an IT security firm scattered some cheap USB drives around the parking lot and public areas of a company they were working with. On the drives were some pictures and a file named slideshow.exe. The program just reported back to a central location where and when it was ran, but of course the payload could have been far more malicious. Before the end of the week, something like two thirds of the drives had been used on computers inside the company.
The earliest software based attack that I know of was in 1982.
The Siberian pipeline sabotage refers to the alleged 1982 sabotage of the Soviet Urengoy - Surgut - Chelyabinsk natural gas pipeline by the CIA as a part of a policy to counter Soviet theft of American technology.