Friday, December 10, 2010

Dennis Nedry strikes again: this Stuxnet story just keeps getting more interesting.

From the Weekly Standard, a thorough technical description of how it spread and found its way to its target.

1. USB drives (while also effectively hiding itself)


The worm gained initial access to a system through an ordinary USB drive. Picture what happens when you plug a flash drive into your computer. The machine performs a number of tasks automatically; one of them is pulling up icons to be displayed on your screen, representing the data on the drive. On an infected USB drive, Stuxnet exploited this routine to pull the worm onto the computer.

The challenge is that once on the machine, the worm becomes visible to security protocols, which constantly query files looking for malware. To disguise itself, Stuxnet installed what’s called a “rootkit”—a piece of code that intercepts security queries and sends back false “safe” messages, indicating that the worm is innocuous.

But installing a rootkit requires using drivers, of which Windows machines are well trained to be suspicious. Windows requires that all drivers provide verification that they’re on the up-and-up through presentation of a secure digital signature. These digital keys are closely guarded secrets. Stuxnet’s malicious drivers presented genuine signatures from two genuine computer companies, Realtek Semiconductor and JMichron Technologies. Both firms have offices in the same facility, Hsinchu Science Park, in Taiwan. Either by electronic trickery or a brick-and-mortar heist job, the creators of Stuxnet stole these keys—and in a sophisticated enough manner that no one knew they had been compromised.


2. Print spoolers on local area networks.


Stuxnet spread in other ways, too. It was not designed to propagate over the Internet at large, but could move across local networks using print spoolers. In any group of computers which shared a printer, when one computer became infected, Stuxnet quickly crawled through the printer to contaminate the others. Once it reached a computer with access to the Internet, it began communicating with command-and-control servers located in Denmark and Malaysia. (Whoever was running the operation took these servers offline after Stuxnet was discovered.) While they were functional, Stuxnet delivered information it had gathered about the systems it had invaded to the servers and requested updated versions of itself. Several different versions of Stuxnet have been isolated, meaning that the programmers were refining the worm, even after it was released.


And a description of the payload, the cyber-sabotage "warhead", and its intended purpose, which at least in the case of the Natanz facility was well accomplished:

Finally, there’s the actual payload. Once a resident of a Windows machine, Stuxnet looked for WinCC and PCS 7 SCADA programs. If the machine had neither of these, then Stuxnet merely went about the business of spreading itself. But on computers with one of these two programs, Stuxnet began reprogramming the programmable logic control (PLC) software and making changes in a piece of code called Operational Block 35. For months, no one knew exactly what Stuxnet was looking for with this block of code or what it intended to do once it found it. Three weeks ago, that changed.

As cybersecurity engineer Ralph Langner puts it, Stuxnet was one weapon with two warheads. The first payload was aimed at the Siemens S7-417 controller at Iran’s Bushehr nuclear power plant. The second targeted the Siemens S7-315 controller at the Natanz centrifuge operation, where uranium is processed and enriched. At Bushehr, Stuxnet likely attempted to degrade the facility’s steam turbine, with unknown results. But the attack on Natanz seems to have succeeded brilliantly.

Once again, Stuxnet’s design was unexpectedly elegant. With control of the centrifuge system at Natanz, the worm could have triggered a single, catastrophic incident. Instead, Stuxnet took over the centrifuge’s frequency converters during the course of everyday operation and induced tiny bursts of speed in the machinery, followed by abrupt decelerations. These speed changes stressed the centrifuge’s components. Parts wore out quickly, centrifuges broke mysteriously. The uranium being processed was corrupted. And all the while, Stuxnet kept sending normal feedback to the Iranians, telling them that, from the computer’s standpoint, the system was operating like clockwork. This slow burn went on for a year, with the Iranians becoming increasingly exasperated by what looked like sabotage, and smelled like sabotage, but what their computers assured them was perfectly routine.

In sum, Stuxnet wasted a year’s worth of enrichment efforts at Natanz, ate through centrifuge components and uranium stores, sowed chaos within Iran’s nuclear program, and will likely force Iran to spend another year disinfecting its systems before they can operate at peak levels again. All in all, a successful operation.
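The slow-burn mechanism in the passage above, as a toy simulation added here (a constructed example, not Stuxnet code and not any Siemens, WinCC or PLC code): a controller drives a crude rotor model with short over-speed bursts followed by abrupt slow-downs while forwarding a steady "nominal" reading to the operator's screen, next to the cross-check a plant engineer would want, comparing the operator-visible value with an independent, out-of-band measurement. Every name, frequency and threshold in the block is an assumption made for the model.

```python
"""Toy model of the slow-burn sabotage described above.

Constructed example: not Stuxnet code and not Siemens/SCADA code. The rotor
physics, the frequencies and the thresholds are all made up for the model.
"""
from dataclasses import dataclass

NOMINAL_HZ = 1064.0   # assumed nominal drive frequency for the model


@dataclass
class Rotor:
    """Crude physical model: the speed follows the commanded frequency with a
    first-order lag, and accumulated wear grows with every large speed change."""
    speed_hz: float = NOMINAL_HZ
    wear: float = 0.0

    def step(self, commanded_hz: float) -> float:
        delta = commanded_hz - self.speed_hz
        self.speed_hz += 0.5 * delta        # lag: halfway to the command each step
        self.wear += abs(delta) * 1e-4       # stress from acceleration/deceleration
        return self.speed_hz


class HonestController:
    """Normal operation: constant command, and the HMI sees the real speed."""
    def command(self, t: int) -> float:
        return NOMINAL_HZ

    def report(self, true_speed_hz: float) -> float:
        return true_speed_hz


class SabotageController:
    """Brief over-speed, abrupt slow-down, then back to nominal, repeated.
    Whatever the rotor actually does, the value forwarded to the operator is
    always nominal (replayed 'all normal' feedback)."""
    def __init__(self, period: int = 40, burst: int = 4,
                 high_hz: float = 1410.0, low_hz: float = 2.0):
        self.period, self.burst = period, burst
        self.high_hz, self.low_hz = high_hz, low_hz

    def command(self, t: int) -> float:
        phase = t % self.period
        if phase < self.burst:
            return self.high_hz              # speed burst
        if phase < 2 * self.burst:
            return self.low_hz               # abrupt deceleration
        return NOMINAL_HZ                    # quiet period

    def report(self, true_speed_hz: float) -> float:
        return NOMINAL_HZ                    # spoofed feedback to the HMI


def run(controller, steps: int = 400):
    """Drive a fresh rotor for `steps` ticks; return the HMI-reported series,
    the independently measured series and the final accumulated wear."""
    rotor = Rotor()
    reported, measured = [], []
    for t in range(steps):
        true_hz = rotor.step(controller.command(t))
        measured.append(true_hz)                     # independent tachometer / vibration sensor
        reported.append(controller.report(true_hz))  # what the operator's screen shows
    return reported, measured, rotor.wear


def divergence_alerts(reported, measured, tol_hz: float = 20.0):
    """Time steps at which the operator-visible value disagrees with the
    out-of-band measurement by more than tol_hz. This is the only check in the
    model that can see the attack, because every PLC-reported value is 'normal'."""
    return [t for t, (r, m) in enumerate(zip(reported, measured)) if abs(r - m) > tol_hz]


if __name__ == "__main__":
    for name, ctl in (("honest", HonestController()), ("sabotage", SabotageController())):
        rep, meas, wear = run(ctl)
        alerts = divergence_alerts(rep, meas)
        print(f"{name}: wear={wear:.2f} alerts={len(alerts)} first={alerts[:3]}")
```

The design point the model makes is that any check fed only by the PLC-reported telemetry is satisfied by construction, since the sabotage controller reports nominal no matter what it commands; the divergence is visible only to instrumentation the compromised controller does not sit in front of. In the toy, the honest run never trips the check and accumulates no wear, while the sabotage run trips it from the first tick and wears the rotor down cycle after cycle.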


Who dunnit? The article ends with some speculation:


The planning and implementation of Stuxnet involved three layers of complication. First, there’s the sophistication of the worm itself. Microsoft estimates that the coding of Stuxnet consumed somewhere in the neighborhood of 10,000 man-work days. With a team of 30 to 50 programmers, that’s a year or two of effort, at least. Between the workload, the zero day exploits, and the innovative design of the worm, Stuxnet required not just time but enormous technical sophistication and sizable financial resources.

On the next level, the creators of Stuxnet needed competency in the more traditional cloak-and-dagger elements of espionage. The digital verification certificates had to be stolen from the companies in Taiwan, and the infected USB drives had to be planted on or around the community of people who worked in the Iranian nuclear program—modern espionage tradecraft at its best.

The final complication is that vast amounts of expertise in nuclear engineering were required. It’s not enough to design a worm to infiltrate a nuclear plant—Stuxnet’s creators had to know (1) what parts of the systems to target, (2) the intricacies of the systems’ designs, and (3) how to manipulate the systems to achieve the desired effects. This knowledge base might have been the most difficult to obtain. The world is full of enterprising computer jocks; there are only so many people who understand exactly how centrifuges and nuclear reactors work and the minute complexities of Siemens’s S7-315 and S7-417 control systems. It seems unlikely that a private party—a group of rogue hackers or interested civilians—could amass the requisite competencies in all three of these areas.

So who was it—the Israelis, the United States, Germany, Russia? Some combination of the above? We may never know. Given the scope of the operation, it’s amazing that we understand as much as we already do about Stuxnet. Most prior acts of cyberwarfare took place in the shadows; Stuxnet is the first serious cyberweapon to be caught in the wild by civilians. As a result, we’ve witnessed over the last few months an open-source investigation involving experts in different disciplines from around the world. The techies will continue to push and prod Stuxnet, trying to understand how it worked—and how systems can be protected from a similar attack.

Because, in fundamental ways, cyberwar is no different from real war. Innovations can be copied, and there is always the potential for enemies to turn them to their advantage.


Now, let's jump on over to this story, which has an interesting little tidbit to add. While Li'l Ahmie for a time played Baghdad Bob, claiming nothing serious had happened, he now admits to some difficulties introduced by the Stuxnet program. The coda of this report reveals something else interesting:

Ralph Langner, the German expert who was among the first to study and raise alarms about Stuxnet, said he was not surprised by the development.

“The Iranians don’t have the depth of knowledge to handle the worm or understand its complexity,” he said, raising the possibility that they may never succeed in eliminating it.

“Here is their problem. They should throw out every personal computer involved with the nuclear program and start over, but they can’t do that. Moreover, they are completely dependent on outside companies for the construction and maintenance of their nuclear facilities. They should throw out their computers as well. But they can’t,” he explained. “They will just continually re-infect themselves.”

"With the best of expertise and equipment it would take another year for the plants to function normally again because it is so hard to get the worm out. It even hides in the back-up systems. But they can’t do it,” he said.

And Iran’s anti-worm effort may have had another setback. In Tehran, men on motorcycles attacked two leading nuclear scientists on their way to work. Using magnetic bombs, the motorcyclists pulled alongside their cars and attached the devices.

One scientist was wounded and the other killed. Confirmed reports say that the murdered scientist was in charge of dealing with the Stuxnet virus at the nuclear plants.


So, we have some good old fashioned espionage, to go along with the cyber espionage/sabotage/war. This last event raises questions:

1. Were these agents who carried out the attack on the two scientists Iranians who have been cooperating all along, or were they agents of the U.S., Israel, Germany or Russia? It seems more likely that they are Iranians. It is more difficult, while not impossible, to sneak agents in, yes even for the Israelis. So, we can imagine that Li'l Ahmie and the folks running the science fair experiment just don't know who to trust. Nice.

2. Given the amount of information that was needed about Windows, the code-signing certificates and the SCADA controls, one has to ask how much of this information was indeed stolen, as both accounts seem to assume. Might not the successful use of these programs indicate that Microsoft and other companies cooperated, on the hush-hush of course, and with arrangements to provide plausible deniability in the event of cyber-counterattacks? (Not that the Iranians look to be capable of this currently.)

3. Something similar can be asked about Siemens as well. If they cooperated, good for them.

So, I think a case can be made that the effort need not have involved the level of espionage and theft assumed, but could have involved not only governments but cooperating private-sector companies. Whatever the case, we have to admit the possibilities: information was provided either by individuals within these Western companies (who were planted or recruited, or who worked with the approval of the companies themselves), perhaps along with...

Iranians (either moles within Iran who worked in the nuclear program itself, or Iranians who while not privy to that access, nevertheless were well positioned to make it likely that the payload made its way to its target).

In any case, the Iranian regime is presently in a pickle. To be assured of eradicating the worm, they must get rid of and replace all computers they now use for controlling the science fair experiment, not only those in the control rooms of the facility but those that are apparently within the machines themselves, with which the control room machines communicate. The chances of their crack team of two..er..make that one Stuxnet counter-warriors actually succeeding in removing the worm without removing and replacing the offending computers is small, according to the account. (Never mind the impossibility of removing and replacing all the computers in Iran that may have been the source of the infection. Good luck with that.)

Well, if they remain reliant on what is perhaps the most evil technology of the Great Satan, the Windows OS, then it seems that any machines they plug in as replacements will run a significant risk of coming prepackaged with 'Stuxnext', the next generation, simply re-infecting the science fair experiment. This is especially true if they also continue to be reliant on technology from Siemens, one of Great Satan's capitalist minions. Hey, the stuff has to be shipped, and Li'l Ahmie and his cohorts aren't building the things themselves. Sucks to depend on the West, doesn't it?

The only thing that is extremely disappointing, but understandable, is that the folks who put together the worm did not include anything like this, which would play on and on and on until the two...er...one geniuses in Iran figured out the 'hack':



Just to see the frustration, I'd pay some serious coin.

Nedry strikes again, Li'l Ahmie, and to paraphrase Samuel L. Jackson, there ain't a GD thing you can do about it.
