Did The Stuxnet Worm Kill India's INSAT-4B Satellite?

[ajtr]

Did The Stuxnet Worm Kill India's INSAT-4B Satellite?​

posted by JEFFREY CARR
On July 7, 2010, a power glitch in the solar panels of India's INSAT-4B satellite resulted in 12 of its 24 transponders shutting down. As a result, an estimated 70% of India's Direct-To-Home (DTH) companies' customers were without service. India's DTH operators include Sun TV and state-run Doordarshan and data services of Tata VSNL.

INSAT-4B was put into orbit in March, 2007 by the Indian Space Research Organization (ISRO), which conducts research and develops space technology for the government of India. It is also the agency which controls and monitors India's satellites and space vehicles while they are operational.

Once it became apparent that INSAT-4B was effectively dead, SunDirect ordered its servicemen to redirect customer satellite dishes to point to ASIASAT-5, a Chinese satellite owned and operated by Asia Satellite Telecommunications Co., Ltd (AsiaSat). AsiaSat's two primary shareholders are General Electric and China International Trust and Investment Co. (CITIC), a state-owned company. China and India are competing with each other to see who will be the first to land another astronaut on the Moon. China has announced a date of 2025 while India is claiming 2020.

What does this have to do with the Stuxnet worm that's infected thousands of systems, mostly in India and Iran? India's Space Research Organization is a Siemens customer. According to the resumes of two former engineers who worked at the ISRO's Liquid Propulsion Systems Centre, the Siemens software in use is Siemens S7-400 PLC and SIMATIC WinCC, both of which will activate the Stuxnet worm.

I uncovered this information as part of my background research for a paper that I'm presenting at the Black Hat Abu Dhabi conference in November. My objective for that presentation will be to provide an analytic model for determining attribution in cases like Stuxnet. My objective for this post is simply to show that there are more and better theories to explain Stuxnet's motivation than just Israel and Iran, as others have posited. My personal research won't be available until after Black Hat Abu Dhabi, however I hope others will pick up this thread, give it a good yank, and see what unravels before then.

 

[A.V.]

we need chota to enlighten us on this development on what the real problem was with insat 4b he will have the inside info marking a mail to him

 

[ajtr]

Lost Asian satellites send powerful signals ​

By Peter J Brown

During the second half of 2010 all three Asian space powers - China, India and Japan - suffered major satellite failures. Each failure is significant, but for different reasons. In this instance, the satellite failures will be addressed in chronological order.

At the same time, it must be emphasized that satellite failures happen rarely.

What makes the loss of India's Insat-4B in early July - the first Asian satellite on this list - so important is the possibility that the satellite fell victim to deliberate act of sabotage as the result of a cyber attack. This involves the very malicious "Stuxnet" worm.

The official line is that a power supply problem stemming from a faulty solar panel was the culprit.

Others wonder if while everyone was speculating about the impact of a Stuxnet-based cyber attack on an Iranian nuclear facility, an Indian satellite was rendered useless by the same sinister software code. At least, that is the theory.

Security technologist and author Bruce Schneier described Stuxnet in the following way.

"Stuxnet is an Internet worm that infects Windows computers. It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet. Once inside a network, it uses a variety of mechanisms to propagate to other machines within that network and gain privilege once it has infected those machines," said Schneier. [1]

If it turns out that Insat-4B met its demise because someone hacked the satellite's control system software or hacked software inside an Indian ground control station in a two-step attack, this is a very sobering moment for the global satellite industry.

Stuxnet began to surface at around the exact same time that Insat-4B went on the blink. By the way. Stuxnet is known to target industrial control systems.

The Indian Space Research Organization (ISRO) had already lost one communications satellite earlier in 2010. In April, ISRO lost the GSAT-4 communications satellite after ISRO's GSLV-D3 rocket malfunctioned. An earlier GSLV series rocket failure took place in 2006, destroying the INSAT-4C satellite. So, the loss of Insat-4B which was launched in early 2007 put satellite TV service providers along with other users in India in a very difficult spot.

In late September, cyberwarfare expert and author Jeffrey Carr, who is a Forbes magazine contributor and the CEO of Taia Global, wrote on the Forbes "Firewall" blog that the loss of Insat-4B can be traced to specific purchases made by ISRO which unbeknownst to ISRO set the silent and destructive effects of Stuxnet in motion.

"According to the resumes of two former engineers who worked at the ISRO's Liquid Propulsion Systems Center, the Siemens software in use is Siemens S7-400 PLC and SIMATIC WinCC, both of which will activate the Stuxnet worm," said Carr. "I uncovered this information as part of my background research for a paper that I am presenting at the Black Hat Abu Dhabi [computer security] conference in November. My objective for that presentation will be to provide an analytic model for determining attribution in cases like Stuxnet. My objective for this post is simply to show that there are more and better theories to explain Stuxnet's motivation than just Israel and Iran, as others have posited." [2]

Carr also described how so many customers who relied on Insat-4B ended up on the ASIASAT-5 satellite , and that, "AsiaSat's two primary shareholders are General Electric and China International Trust and Investment Co. (CITIC)," which is a Chinese state-owned company.

As the size and scope of the Stuxnet phenomenon becomes more widely understood, experts are stunned by the growing presence in India where "infections" were rampant in late September. [3]

Two weeks after the Insat-4B failure, ISRO activated Cartosat-2B - its latest remote sensing satellite - which offers high-resolution imagery via a panchromatic camera. It has functioned flawlessly thus far as it orbits approximately 630 kilometers above the earth. This demonstrates that ISRO was launching and operating other new satellites without any problems during the same time period.

Satellite communications and satellite surveillance are two different thing entirely. Spy satellites are increasing in number over Asia, and they are much more powerful than their predecessors.

In late August, the Japanese government reported that it lost its only operational synthetic aperture radar (SAR)-equipped surveillance satellite. Japan still maintains a fleet of three optical spy satellites. So, in bad weather or when night comes, Japan cannot conduct its own satellite surveillance operations.

Here again a power supply failure was the primary contributor to the satellite malfunction in question. Was there a Stuxnet connection? Thus far, malevolent software or a worm has not been mentioned as a potential source of the problem. But in late 2010, it cannot be ruled out entirely.

A significant window has now closed in Japan and while a replacement satellite may appear late next year in the form of a new prototype or test platform, a full compliment of surveillance satellites is not expected until well after 2013 at the earliest. The latest launch of a Japanese spy satellite was in November 2009. [4]

When Japan lost its first SAR satellite in 2007, also to a power failure, it briefly triggered a wave of domestic soul-searching in the highest circles of the Japanese government. Now, more than 3 years later, Japan's dependence on the US - absent a suitable alternative partner which, of course, could well be India. - and upon imagery generated by US commercial earth observation satellites in particular is not a controversial subject.

As 2010 comes to an end, however, anxiety is bound to intensify in Tokyo and disputes in the Diet [parliament] may erupt thanks to a new report from the Washington, DC-based Institute for Science and International Security which includes satellite imagery of a North Korean nuclear site. DigitalGlobe, a US-based satellite operator, is the source of the imagery. [5]

This satellite imagery and the circumstances in which the Japanese now find themselves due to the loss of Japan's only radar satellite - and the absence of any redundancy - coincides with questionable activity at this North Korean nuclear site. Add it all up and it could prove to be a very disruptive situation for the Japanese government.

On the other hand, this makes the announcement by the Japanese Ministry of Defense concerning the possible acquisition of three unmanned US Global Hawk reconnaissance aircraft perhaps easier to digest by the Japanese people as a whole.

These Global Hawk robotic spy planes will greatly enhance Japan's ability to conduct surveillance operations over land and sea. They will also enable Japan to develop its own innovative satellite-based surveillance architectures, while providing a means to watch North Korea closely.

While this Global Hawk procurement may also bring about a resurgence of support for another Japanese attempt to obtain advanced US F-22 fighter aircraft - "Why do they give us Global Hawks, but not F-22's?" - it may alter the process that guides Japan's creation and deployment of intelligence-gathering satellites and bring about a larger, more flexible and more diverse satellite fleet. [6]

In China, the loss of another satellite is also impacting what is seen - on people's TV sets.

In early September, Chinasat-6A also known as Zhongxing 6A, ZX 6A, Sinosat-6, or Xinnuo 6 suffered a helium pressurization problem immediately after launch. This affected the operation and control of the satellite's onboard fuel tank. For its owner, China Satellite Communications Corp of Beijing, it means that uncertainty about the operational status and projected life span of this new satellite is going to linger for some time.

So, although China did not "lose" a satellite here in a technical sense, the setback is severe enough to warrant its consideration here for several reasons.

Chinasat-6A is one of the Chinese-built DFH-4 series. These satellites have experienced complete failures in the past. Indeed, the record of success for the DFH-4 to date is remarkably slim. Chinasat-6A unlike Sinosat 2 and Nigeria's Nigcomsat-1 - earlier DFH-4 failures - is not crippled by a solar array - related problem. [7]

The questionable status of this satellite not only affects its users, but also China's satellite exports. The DFH-4 has been China's preferred export satellite, and the malfunction does not bode well for business overseas at a time when China is aggressively seeking satellite partners abroad.

Back at home, planning and policy-making across the complete satellite TV and TV infrastructure of China as a whole could be affected by this satellite glitch. Among other things, it could become a factor in China's efforts to curb illegal satellite TV.

For months, China has discussed possibly ceasing crackdowns in the future on the owners of unauthorized or illegal satellite dishes which some say now number 60 million or more. China Satellite Communications (China Satcom) has played a role in this process. China's only authorized domestic satellite TV service for households, China Satcom began offering many free satellite TV channels last year.

"Since our service launched, most of the illegal DTH viewers have turned their dishes away from foreign satellites and onto our domestic platform," said Huang Baozhong, vice president of China Satcom. "This helps the Chinese government with propaganda control."

The loss of Chinasat-6A may be inconsequential or it could adversely impact the supply domestic satellite capacity to the point that it provides opponents of reform with the excuse to postpone or delay the imposition of new rules and regulations.

And whereas provincial broadcasters might have been able to bypass links to either Beijing and Shanghai as part of their broadcast operations, here again, reduced satellite capacity might cast a shadow over this proposed transition. [8]

At the same time, discussions about censorship and propaganda control in China involving foreign media and satellite TV channels available heated up considerably in early October following Premier Wen Jiabao's latest interview with CNN's Fareed Zakaria.

Because Wen seems eager to champion political reform in China - some openly question his sincerity - and speaks of "the continuous progress of China," the fact that millions of Chinese satellite TV viewers had no opportunity to view the interview in question can only set the stage for storminess in the form of a clash of opposing viewpoints. [9]

Who will prevail remains to be seen, but the absence or a significant shortage of satellite capacity - even when artificially inflated - is a barrier unto itself and might serve the purposes of those who wish not to open the door entirely in China today. Thus, Chinasat-6A could emerge as a useful prop on the stage of domestic politics.

Finally, there has been widespread speculation about a very controversial Chinese satellite loss last January. Last summer, China was accused of shooting down one of its satellites in January, a repeat of its 2007 satellite shootdown although this time without all the fanfare.

"It was a large test which needs time to prepare for," said Peng Guangqian, a Beijing-based military expert. "If confirmed, I think it was a further step for China to improve its defensive ability in space." [10]

The fate of that satellite is something that Beijing refuses to verify despite the fact that there is no real element of secrecy involved.

The vast majority of satellites perform solidly, round-the-clock in a reliable fashion that is a source of pride for their builders. Thus, these lost Asian satellites represent the exception not the rule. Still, whether viewed as the victims of isolated mishaps or not, these errant satellites still send out powerful signals.

 

[ajtr]

Stuxnet hits India the most​

It's being described as the new cyber WMD and may have crippled an Iranian nuclear plant, but one cybersecurity company has estimated that the worm, Stuxnet, may have its largest footprint in India. Another expert has put forward a conjecture that the failure of the INSAT 4B satellite this summer


may have been due to this cyber superweapon.
According to data posted by Alexander Gostev, Chief Security Expert at Kaspersky Lab, India has topped the list of the most infected countries.

While clarifying that the data had been collected from Kaspersky's personal product line, the numbers are still worrisome. Since Stuxnet was first detected in July, the number of infections in India in the first five days was at over 8,500 with just over 5000 in Indonesia and a little over 3000 in Iran, the top three countries.

The latest data set, between September 20 and 25, makes it clear that the problem is still raging in India, which again heads the list with over 8,000 infections, trailed by Indonesia with about 3000 and Kazakhstan with approximately 1300. The numbers of Iran dipped to 765.

Gostev noted in the analysis: "Iran managed to significantly cut its infection rate by cleaning many infected systems. If this trend is maintained, then Iran will stop being one of the centres of the epidemic. India, on the other hand, has stayed more or less at the same level; it is encouraging, though, the epidemic doesn't seem to be on the rise."

Iran has been projected as the epicenter of the Stuxnet epidemic. Iran's nuclear infrastructure near Bushehr had been beset by problems caused by the worm which the Iranian regime has claimed was part of cyberwarfare being conducted possibly by Israel and the United States.

Meanwhile, the threat posed by Stuxnet to India has been alluded to by Jeffrey Carr, author of Inside Cyber Warfare, who has drawn a link between the failure of INSAT 4B and Stuxnet.

In Forbes' The Firewall blog, Carr that the satellite was operated by the Indian Space Research Organisation or ISRO which "is a Siemens customer.

According to the resumes of two former engineers who worked at the ISRO's Liquid Propulsion Systems Centre, the Siemens software in use is Siemens S7-400 PLC and SIMATIC WinCC, both of which will activate the Stuxnet worm."

Siemens control systems, like those used in Iran, have been reported as the most vulnerable to this particular worm.

While data may vary according to the company undertaking the assessment, other reports have also made it clear that India is within the top three in terms of infections, along with Iran and Indonesia.

A report in September from Symantec pointed out that while 58 per cent of infections were in Iran, about 18 per cent was in Indonesia and nearly 10 per cent in India.

 

[ajtr]

Schneier on Security​

Stuxnet
Computer security experts are often surprised at which stories get picked up by the mainstream media. Sometimes it makes no sense. Why this particular data breach, vulnerability, or worm and not others? Sometimes it's obvious. In the case of Stuxnet, there's a great story.
As the story goes, the Stuxnet worm was designed and released by a government--the U.S. and Israel are the most common suspects--specifically to attack the Bushehr nuclear power plant in Iran. How could anyone not report that? It combines computer attacks, nuclear power, spy agencies and a country that's a pariah to much of the world. The only problem with the story is that it's almost entirely speculation.
Here's what we do know: Stuxnet is an Internet worm that infects Windows computers. It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet. Once inside a network, it uses a variety of mechanisms to propagate to other machines within that network and gain privilege once it has infected those machines. These mechanisms include both known and patched vulnerabilities, and four "zero-day exploits": vulnerabilities that were unknown and unpatched when the worm was released. (All the infection vulnerabilities have since been patched.)
Stuxnet doesn't actually do anything on those infected Windows computers, because they're not the real target. What Stuxnet looks for is a particular model of Programmable Logic Controller (PLC) made by Siemens (the press often refers to these as SCADA systems, which is technically incorrect). These are small embedded industrial control systems that run all sorts of automated processes: on factory floors, in chemical plants, in oil refineries, at pipelines--and, yes, in nuclear power plants. These PLCs are often controlled by computers, and Stuxnet looks for Siemens SIMATIC WinCC/Step 7 controller software.
If it doesn't find one, it does nothing. If it does, it infects it using yet another unknown and unpatched vulnerability, this one in the controller software. Then it reads and changes particular bits of data in the controlled PLCs. It's impossible to predict the effects of this without knowing what the PLC is doing and how it is programmed, and that programming can be unique based on the application. But the changes are very specific, leading many to believe that Stuxnet is targeting a specific PLC, or a specific group of PLCs, performing a specific function in a specific location--and that Stuxnet's authors knew exactly what they were targeting.
It's already infected more than 50,000 Windows computers, and Siemens has reported 14 infected control systems, many in Germany. (These numbers were certainly out of date as soon as I typed them.) We don't know of any physical damage Stuxnet has caused, although there are rumors that it was responsible for the failure of India's INSAT-4B satellite in July. We believe that it did infect the Bushehr plant.
All the anti-virus programs detect and remove Stuxnet from Windows systems.
Stuxnet was first discovered in late June, although there's speculation that it was released a year earlier. As worms go, it's very complex and got more complex over time. In addition to the multiple vulnerabilities that it exploits, it installs its own driver into Windows. These have to be signed, of course, but Stuxnet used a stolen legitimate certificate. Interestingly, the stolen certificate was revoked on July 16, and a Stuxnet variant with a different stolen certificate was discovered on July 17.
Over time the attackers swapped out modules that didn't work and replaced them with new ones--perhaps as Stuxnet made its way to its intended target. Those certificates first appeared in January. USB propagation, in March.
Stuxnet has two ways to update itself. It checks back to two control servers, one in Malaysia and the other in Denmark, but also uses a peer-to-peer update system: When two Stuxnet infections encounter each other, they compare versions and make sure they both have the most recent one. It also has a kill date of June 24, 2012. On that date, the worm will stop spreading and delete itself.
We don't know who wrote Stuxnet. We don't know why. We don't know what the target is, or if Stuxnet reached it. But you can see why there is so much speculation that it was created by a government.
Stuxnet doesn't act like a criminal worm. It doesn't spread indiscriminately. It doesn't steal credit card information or account login credentials. It doesn't herd infected computers into a botnet. It uses multiple zero-day vulnerabilities. A criminal group would be smarter to create different worm variants and use one in each. Stuxnet performs sabotage. It doesn't threaten sabotage, like a criminal organization intent on extortion might.
Stuxnet was expensive to create. Estimates are that it took 8 to 10 people six months to write. There's also the lab setup--surely any organization that goes to all this trouble would test the thing before releasing it--and the intelligence gathering to know exactly how to target it. Additionally, zero-day exploits are valuable. They're hard to find, and they can only be used once. Whoever wrote Stuxnet was willing to spend a lot of money to ensure that whatever job it was intended to do would be done.
None of this points to the Bushehr nuclear power plant in Iran, though. Best I can tell, this rumor was started by Ralph Langner, a security researcher from Germany. He labeled his theory "highly speculative," and based it primarily on the facts that Iran had an usually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates--India, Indonesia, and Pakistan--are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the origina caveats.
Once a theory takes hold, though, it's easy to find more evidence. The word "myrtus" appears in the worm: an artifact that the compiler left, possibly by accident. That's the myrtle plant. Of course, that doesn't mean that druids wrote Stuxnet. According to the story, it refers to Queen Esther, also known as Hadassah; she saved the Persian Jews from genocide in the 4th century B.C. "Hadassah" means "myrtle" in Hebrew.
Stuxnet also sets a registry value of "19790509" to alert new copies of Stuxnet that the computer has already been infected. It's rather obviously a date, but instead of looking at the gazillion things--large and small--that happened on that the date, the story insists it refers to the date Persian Jew Habib Elghanain was executed in Tehran for spying for Israel.
Sure, these markers could point to Israel as the author. On the other hand, Stuxnet's authors were uncommonly thorough about not leaving clues in their code; the markers could have been deliberately planted by someone who wanted to frame Israel. Or they could have been deliberately planted by Israel, who wanted us to think they were planted by someone who wanted to frame Israel. Once you start walking down this road, it's impossible to know when to stop.
Another number found in Stuxnet is 0xDEADF007. Perhaps that means "Dead Fool" or "Dead Foot," a term that refers to an airplane engine failure. Perhaps this means Stuxnet is trying to cause the targeted system to fail. Or perhaps not. Still, a targeted worm designed to cause a specific sabotage seems to be the most likely explanation.
If that's the case, why is Stuxnet so sloppily targeted? Why doesn't Stuxnet erase itself when it realizes it's not in the targeted network? When it infects a network via USB stick, it's supposed to only spread to three additional computers and to erase itself after 21 days--but it doesn't do that. A mistake in programming, or a feature in the code not enabled? Maybe we're not supposed to reverse engineer the target. By allowing Stuxnet to spread globally, its authors committed collateral damage worldwide. From a foreign policy perspective, that seems dumb. But maybe Stuxnet's authors didn't care.
My guess is that Stuxnet's authors, and its target, will forever remain a mystery.
This essay originally appeared on Forbes.com.
My alternate explanations for Stuxnet were cut from the essay. Here they are:
A research project that got out of control. Researchers have accidentally released worms before. But given the press, and the fact that any researcher working on something like this would be talking to friends, colleagues, and his advisor, I would expect someone to have outed him by now, especially if it was done by a team.
A criminal worm designed to demonstrate a capability. Sure, that's possible. Stuxnet could be a prelude to extortion. But I think a cheaper demonstration would be just as effective. Then again, maybe not.
A message. It's hard to speculate any further, because we don't know who the message is for, or its context. Presumably the intended recipient would know. Maybe it's a "look what we can do" message. Or an "if you don't listen to us, we'll do worse next time" message. Again, it's a very expensive message, but maybe one of the pieces of the message is "we have so many resources that we can burn four or five man-years of effort and four zero-day vulnerabilities just for the fun of it." If that message were for me, I'd be impressed.
A worm released by the U.S. military to scare the government into giving it more budget and power over cybersecurity. Nah, that sort of conspiracy is much more common in fiction than in real life.
Note that some of these alternate explanations overlap.
EDITED TO ADD (10/7): Symantec published a very detailed analysis. It seems like one of the zero-day vulnerabilities wasn't a zero-day after all. Good CNet article. More speculation, without any evidence. Decent debunking. Alternate theory, that the target was the uranium centrifuges in Natanz, Iran.

 

[ajtr]

Symantec security analysis :W32.Stuxnet Dossier​

 

[ahmedsid]

This Worm, supposedly built by Israel, with American Input, affects India more than even Pakistan? Whats the whole deal?

 

[ajtr]

This Worm, supposedly built by Israel, with American Input, affects India more than even Pakistan? Whats the whole deal?

might be that usa sees india as challenger to its hegemonic designs like china in asia so usa dont want to commit same mistake as it didnt with china in 1970-80 result of which today china is challenging usa's superpower status all over the world.usa keeps tab on india through pakistan and incidents like industrial sabotage.

 

[LETHALFORCE]

Wouldn't it also kill the whole network not just the satellite??

 

[sesha_maruthi27]

The U.S. thinks and also are masters in making viruses. It is time that someone show them that everybody can do what they are doing or they will do. They have some overconfidence over their ability in cyber warfare. One fine morning they will wake up to see their entire networks are effected by viruses. There is a proverb, saying "TOO MUCH OF ANYTHING IS GOOD FOR NOTHING".....

 

[LETHALFORCE]

The U.S. thinks and also are masters in making viruses. It is time that someone show them that everybody can do what they are doing or they will do. They have some overconfidence over their ability in cyber warfare. One fine morning they will wake up to see their entire networks are effected by viruses. There is a proverb, saying "TOO MUCH OF ANYTHING IS GOOD FOR NOTHING".....

It is the Chinese that are behind Cyberattacks in India and India Govt computers worldwide routinely, USA has not been behind one, if you know one where US was to blame post the link?? This stuxnet is supposedly activated on Siemens a German network.

 

[ajtr]

New Clues Point to Israel as Author of Blockbuster Worm, Or Not​

New clues released this week show a possible link between Israel and sophisticated malware targeting industrial control systems in critical infrastructure systems, such as nuclear plants and oil pipelines.

Late Thursday, security firm Symantec released a detailed paper with analysis of the headline-making code (.pdf), which reveals two clues in the Stuxnet malware that adds to speculation that Israel may have authored the code to target Iran.

Or, they could simply be red herrings planted in the code by programmers to point suspicion at Israel and away from other possible suspects.

The malware, called Stuxnet, appears to be the first to effectively attack critical infrastructure and in a manner that produces physical results, although there's no proof yet any real-world damage has been done by it. The malware's sophistication and infection of thousands of machines in Iran has led some to speculate that the U.S. or Israeli government built the code to take out Iran's nuclear program.

Symantec's paper adds to that speculation. It also provides intriguing data about an update the authors made to it in March of this year that ultimately led to it being discovered. The update suggests the authors, despite launching their malware as early as June 2009, may not have reached their target by March 2010.

The code has so far infected about 100,000 machines in 155 countries, apparently beginning in Iran and recently hitting computers in China. Researchers still have no idea if the malware reached the targeted system it was designed to sabotage.

Liam O'Murchu, researcher at Symantec Security Response, said in a press call Friday that even though the malware's command-and-control server has been disabled, the attackers can still communicate with infected machines via peer-to-peer networking. Symantec hopes that experts in industrial control systems who read their paper may help identify the specific environment Stuxnet was targeting.

"We hope someone will look at the values and say this is a configuration you'd only find in an oil refinery or power plant," said O'Murchu. "It's very important to find out what the target was. You can't tell what [Stuxnet] does unless you know what it was connected to. "

The code targets industrial control software made by Siemens called WinCC/Step 7, but is designed to deliver its malicious payload to only a particular configuration of that system. About 68 percent of infected systems in Iran have the Siemens software installed, but researchers don't know if any have the targeted configuration. By contrast, only 8 percent of infected hosts in South Korea are running Step 7 software, and only about 5 percent of infected hosts in the U.S. do. An apparent "kill" date in the code indicates that Stuxnet is designed to stop working June 24, 2012.

The first clue that may point to Israel's involvement in the malware involves two file directory names – myrtus and guava – that appear in the code. When a programmer creates code, the file directory where his work-in-progress is stored on his computer can find its way into the finished program, sometimes offering clues to the programmer's personality or interests.

In this case, Symantec suggests the name myrtus could refer to the biblical Jewish Queen Esther, also known as Hadassah, who saved Persian Jews from destruction after telling King Ahasuerus of a plot to massacre them. Hadassah means myrtle in Hebrew, and guavas are in the myrtle, or myrtus family of fruit.

A clue to Stuxnet's possible target lies in a "do not infect" marker in the malware. Stuxnet conducts a number of checks on infected systems to determine if it's reached its target. If it finds the correct configuration, it executes its payload; if not, it halts the infection. According to Symantec, one marker Stuxnet uses to determine if it should halt has the value 19790509. Researchers suggests this refers to a date — May 9, 1979 — that marks the day Habib Elghanian, a Persian Jew, was executed in Tehran and prompted a mass exodus of Jews from that Islamic country.

This would seem to support claims by others that Stuxnet was targeting a high-value system in Iran, possibly its nuclear enrichment plant at Natanz.

Or, again, both clues could simply be red herrings.

O'Murchu said the authors, who were highly skilled and well-funded, were meticulous about not leaving traces in the code that would track back to them. The existence of apparent clues, then, would belie this precision.


One mystery still surrounding the malware is its wide propagation, suggesting something went wrong and it spread farther than intended. Stuxnet, when installed on any machine via a USB drive, is supposed to spread to only three additional computers, and to do so within 21 days.

"It looks like the attacker really did not want Stuxnet to spread very far and arrive at a specific location and spread just to computers closest to the original infection," O'Murchu said.

But Stuxnet is also designed to spread via other methods, not just via USB drive. It uses a zero-day vulnerability to spread to other machines on a network. It can also be spread through a database infected via a hardcoded Siemens password it uses to get into the database, expanding its reach.

Symantec estimates it took between 5 and 10 developers with different areas of expertise to produce the code, plus a quality assurance team to test it over many months to make certain it would go undetected and not destroy a target system before the attackers intended to do so.

The WinCC/Step 7 software that Stuxnet targets connects to a Programmable Logic Controller, which controls turbines, pressure valves and other industrial equipment. The Step 7 software allows administrators to monitor the controller and program it to control these functions.

When Stuxnet finds a Step7 computer with the configuration it seeks, it intercepts the communication between the Step 7 software and the controller and injects malicious code to presumably sabotage the system. Researchers don't know exactly what Stuxnet does to the targeted system, but the code they examined provides a clue.

One value found in Stuxnet – 0xDEADF007 – is used by the code to specify when a process has reached its final state. Symantec suggests it may mean Dead Fool or Dead Foot, a term referring to an airplane engine failure. This suggests failure of the targeted system is a possible aim, though whether Stuxnet aims to simply halt the system or blow it up remains unknown.

Two versions of Stuxnet have been found. The earliest points back to June 2009, and analysis shows it was under continued development as the attackers swapped out modules to replace ones no longer needed with new ones and add encryption and new exploits, apparently adapting to conditions they found on the way to their target. For example, digital certificates the attackers stole to sign their driver files appeared only in Stuxnet in January 2010.

One recent addition to the code is particularly interesting and raises questions about its sudden appearance.

A Microsoft .lnk vulnerability that Stuxnet used to propagate via USB drives appeared only in the code in March this year. It was the .lnk vulnerability that ultimately led researchers in Belarus to discover Stuxnet on systems in Iran in June.

O'Murchu said it's possible the .lnk vulnerability was added late because the attackers hadn't discovered it until then. Or it could be they had it in reserve, but refrained from using it until absolutely necessary. The .lnk vulnerability was a zero-day vulnerability — one unknown and unpatched by a vendor that takes a lot of skill and resources for attackers to find.

Stuxnet's sophistication means that few attackers will be able to reproduce the threat, though Symantec says many will try now that Stuxnet has taken the possibility for spectacular attacks on critical infrastructures out of Hollywood movies and placed them in the real world.

"The real-world implications of Stuxnet are beyond any threat we have seen in the past," Symantec writes in its report. "Despite the exciting challenge in reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope to never see again."

Graphs courtesy of Symantec



Read More New Clues Point to Israel as Author of Blockbuster Worm, Or Not | Threat Level | Wired.com

 

[ajtr]

Security threat: DRDO to make own OS​

BANGALORE: India would develop its own futuristic computer operating system to thwart attempts of cyber attacks and data theft and things of that nature, a top defence scientist said.

Dr V K Saraswat, Scientific Adviser to the Defence Minister, said the DRDO has just set up a software development
centre each here and in Delhi, with the mandate develop such a system. This "national effort" would be spearheaded by the
Defence Research and Development Organisation (DRDO) in partnership with software companies in and around Bangalore,
Hyderabad and Delhi as also academic institutions like Indian Institute of Science Bangalore and IIT Chennai, among others.

"There are many gaps in our software areas; particularly we don't have our own operating system," said
Saraswat, also Director General of DRDO and Secretary, Defence R & D. India currently uses operating systems developed by western countries.

"So, in today's world where you have tremendous requirements of security on whatever you do...economy, banking and defence...it's essential that you need to have an operating system," he said. Referring to reports of cyber attacks in recent times and "susceptibility" of internet, he noted instances of "data taken away by adversaries".

"We have to protect it (data)," Saraswat said, adding, "Only way to protect it is to have a home-grown system, the complete architecture...source code is with you and then nobody knows what's that." He said DRDO is putting in place a dedicated team of 50 software professionals in the Bangalore and Delhi software development centres to accomplish the task.

Saraswat also said the DRDO has put in place a "complete framework" on the proposed commercial arm, which is currently in the process of securing necessary government approvals and is expected to be operational next year. He said this arm would customise and provide to the civil population the spin-offs of defence technologies through select industry partners, which would be production agencies.

Read more: Security threat: DRDO to make own OS - The Times of India Security threat: DRDO to make own OS - The Times of India

 

[ajtr]

If we aren't ready for cyberwar, we will lose the next war​

Rajeev Srinivasan | Tuesday, October 5, 2010
Comments: 1 | Post a comment | Share this article | Print | Email

Rajeev Srinivasan
In an increasingly digital world, ironically, there may yet be a silver lining to the primitive nature of India's infrastructure: that it is not computer-controlled may make India less vulnerable than some other nations. Cyber-warfare by sophisticated attackers is a subtle and dangerous new tactic used by many armies and intelligence agencies.

Malicious entities can infiltrate computers running critical power grids, dams, air traffic control networks, bank networks, and so on. Under the remote control of hostile groups, power grids may shut down, dams may suddenly become 'water bombs', nuclear power plants may blow up and spew radiation, and planes may start colliding in the air. The implications are horrifying.

Some nations explicitly include cyber-warfare in long-range strategic plans. China, for instance, has a doctrine of "asymmetric warfare", most particularly against the US, a foe far stronger in conventional weapons, but vulnerable to cyber-attacks. China has also been implicated in large-scale intrusion into computers in Indian embassies and ministries.It is certain that major powers have active defensive and offensive programmes to penetrate their enemies' computer systems. If India doesn't, it is at risk.

The latest example of cyber-attacks is the so-called Stuxnet worm discovered a few months ago, which focuses on industrial control systems made by Siemens. Circumstantial evidence suggests that it is explicitly meant to cripple or slow down Iran's nuclear programme. But it could be turned against India as well.

According to Symantec, 60% of Stuxnet infestations have been reported from Iran, 18% from Indonesia and 8% from India. Given the consistent hostility that western powers have shown towards India's nuclear programme, this should be cause for concern.

This should also raise questions regarding failures in other
sensitive programmes — for instance, the latest failed launches of the GSLV and the Prithvi. Are there worms in the ISRO's and DRDO's systems?

Iran is certainly taking this issue seriously. The reaction from Mohammed Liayi, head of the information technology council at the ministry of industries, was stark:"An electronic war has been launched against Iran". Forbes magazine called the attack a "game-changer". The worm is so sophisticated that Computerworld magazine felt it had to be government-backed.

The Wall Street Journal suspects the US, the UK and Israel.
Microsoft reported that 45,000 computers are known to be infected with Stuxnet. It utilises several previously unknown security holes in Microsoft Windows to attack a Siemens application called WinCC that runs Scada (supervisory control and data acquisition) systems that manage valves, pipelines and industrial equipment, according to The Economist.

Scada systems are usually not connected to the Internet, for obvious security reasons.

Apparently, Stuxnet was spread using USB pendrives, the memory sticks used to transfer data. The attack also depended on that most low-tech device: human curiosity. People picked up thumb drives they found lying around, and unknowingly infected their systems, allowing the worm to spread around the local-area network!

There are a number of factors that make this attack unique. For one, most worms and viruses are written to cause maximum, random damage and, therefore, target the most common systems — hence, for instance the preponderance of such attacks on Windows, which runs 90% of the world's PCs, and not on Macs or Unix/Linux systems. This worm, on the other hand, is only interested in particular industrial equipment from a particular manufacturer, and furthermore, it targets only specific configurations or processes — it does not attack others.

Therefore, the attackers knew precisely what they were looking to disrupt. The finger of suspicion at the moment points to the Iranian nuclear enrichment plant at Natanz. This facility hosts many centrifuges, those sophisticated devices (AQ Khan famously 'transferred' centrifuge technology from Europe to Pakistan) that increase the proportion of U-235 in natural uranium to produce weapons-grade material.

Given Israel's obsession with Iran's N-programme, it is the most likely suspect. Besides, experts decoding the "well-written", "ground-breaking", "impressive" code have found obscure clues about Esther, a character in Jewish mythology who helps fend off a Persian attack. Of course, this could well be disinformation.

Nevertheless, India had better take this lesson to heart. Given its almost complete lack of friends on the world stage, the "string of pearls" strategy that China is using to contain India, and the hostility of the non-proliferation ayatollahs in the Obama Administration, India will be — and may already be — the target of sophisticated computer attacks that it is woefully unprepared for.

 

[ajtr]

Web 'superbug' threatens Chinese national security: Report​

A sophisticated malicious computer software, or malware, described by security firms as a "new cyber-weapon," is attempting to infiltrate factory computers in China's key industries, threatening the country's national security, cyber experts have warned.
Called Stuxnet, the worm was first discovered in mid-June and was specially written to attack Siemens supervisory control and data (SCADA) systems commonly used to control and monitor industrial facilities - from traffic lights and oil rigs to power and nuclear plants, the state-run Global Times daily reported quoting experts.

"This malware is specially designed to sabotage plants and damage industrial systems, instead of stealing personal data. It will seriously threaten pillar industries in China," said Wang, an engineer at the Beijing-headquartered Rising International Software company.

"Once Stuxnet successfully penetrates factory computers in China, those industries may collapse, which would damage national security," he said, adding Stuxnet poses no harm to personal computers or Internet surfers.

Stuxnet spreads by exploiting three holes in Windows, one of which has been patched.

Globally, the worm has been found to target Siemens systems mostly in India, Indonesia and Pakistan, but the heaviest infiltration appears to be in Iran, the report said.

According to Wang, there might be large financial groups and nations behind the malicious software.

Eugene Kaspersky, co-founder of security firm Kaspersky said the Stuxnet worm could prove that "we have now entered the age of cyber-warfare."

"I think that this is the turning point... because in the past there were just cyber-criminals, now I am afraid it is the time of cyber-terrorism, cyber-weapons and cyber-wars," Kaspersky said.

He believes that Stuxnet is a working - and fearsome – prototype of a cyber-weapon that will lead to the creation of a new arms race in the world.

Global Times interestingly quoted a "Beijing based hacker" who too expressed concern.

Chinese hackers were blamed for a series of cyber attacks in different countries including India, specially Defence and External Affairs Ministries.

Kang Lingyi, the Beijing-based hacker, said the Stuxnet malware has set off alarms regarding the country's network safety.

 

[ajtr]

It is also possible that Iranian plants have been infected as a result of an attack on India which has got out of control. Kaspersky has released new figures which show that India was, and is, the epicentre of Stuxnet activity. Russian nuclear plant builder Atomstroyexport, which is believed to have introduced the Stuxnet worm into Bushehr via infected laptops, is also currently working on India's Kudankulam nuclear plant.
This raises the question of whether the virus' author might originate from the East, rather than from the West. India and China are, for example, fierce rivals and China has amply demonstrated its cyberwar capabilities in incidents such as the penetration of parts of the US power grid in 2003. Such incidents are likely to have given the Chinese a very clear picture of the effect attacks on critical infrastructure can have, and they are likely to have used this knowledge to protect their own industrial systems. According to McAfee, China leads the world in SCADA system security.

Stuxnet brings more new tricks to cyberwar - The H Security: News and Features

 

[ajtr]

World's first 'cyber superweapon' attacks China​

BEIJING: A computer virus dubbed the world's "first cyber superweapon" by experts and which may have been designed to attack Iran's nuclear facilities has found a new target -- China.

It has wreaked havoc in China, infecting millions of computers around the country, state media reported this week. Stuxnet is feared by experts around the globe as it can break into computers that control machinery at the heart of industry, allowing an attacker to assume control of critical systems like pumps, motors, alarms and valves.

It could, technically, make factory boilers explode, destroy gas pipelines or even cause a nuclear plant to malfunction. The virus targets control systems made by German industrial giant Siemens commonly used to manage water supplies, oil rigs, power plants and other industrial facilities.

"This malware is specially designed to sabotage plants and damage industrial systems, instead of stealing personal data," an engineer surnamed Wang at antivirus service provider Rising told the Global Times.

"Once Stuxnet successfully penetrates factory computers in China, those industries may collapse, which would damage China's national security," he added. Another unnamed expert at Rising International said the attacks had so far infected more than six million individual accounts and nearly 1,000 corporate accounts around the country, the official Xinhua news agency reported.

The Stuxnet computer worm -- a piece of malicious software (malware) which copies itself and sends itself on to other computers in a network -- was first publicly identified in June.

It was found lurking on Siemens systems in India, Indonesia, Pakistan and elsewhere, but the heaviest infiltration appears to be in Iran, according to software security researchers.

A Beijing-based spokesman for Siemens declined to comment when contacted. Yu Xiaoqiu, an analyst with the Information Technology Security Evaluation Centre, downplayed the malware threat.

"So far we don't see any severe damage done by the virus," Yu was quoted by the Global Times as saying. "New viruses are common nowadays. Both personal Internet surfers and Chinese pillar companies don't need to worry about it at all. They should be alert but not too afraid of it."

A top US cybersecurity official said last week that the country was analysing the computer worm but did not know who was behind it or its purpose.

"One of our hardest jobs is attribution and intent," Sean McGurk, director of the National Cybersecurity and Communications Integration Center (NCCIC), told reporters in Washington. "It's very difficult to say 'This is what it was targeted to do,'" he said of Stuxnet, which some computer security experts have said may be intended to sabotage a nuclear facility in Iran.

A is a term used by experts to describe a piece of malware designed specifically to hit computer networks that run industrial plants. "The Stuxnet worm is a wake-up call to governments around the world," Derek Reveron, a cyber expert at the US Naval War School, was quoted as saying by the South China Morning Post.

"It is the first known worm to target industrial control systems."

Read more: World's first 'cyber superweapon' attacks China - The Times of India World's first 'cyber superweapon' attacks China - The Times of India

 

[SHASH2K2]

China hitting India via Net worm?

NEW DELHI: The deadly Stuxnet internet worm, which was thought to be targeting Iran's nuclear programme, might actually have been aimed at India by none other than China.

Providing a fresh twist in the tale, well-known American cyber warfare expert Jeffrey Carr, who specialises in investigations of cyber attacks against government, told TOI that China, more than any other country, was likely to have written the worm which has terrorised the world since June.

While Chinese hackers are known to target Indian government websites, the scale and sophistication of Stuxnet suggests that only a government no less than that of countries like US, Israel or China could have done it. "I think it's more likely that China is behind Stuxnet than any other country," Carr told TOI, adding that he would provide more details at the upcoming NASSCOM DSCI Security Conclave in Chennai in December.

Attributing the partial failure of ISRO's INSAT 4B satellite a few months ago -- the exact reason for which is not yet known -- to Stuxnet, Carr said it was China which gained from the satellite failure.

Carr, however, made it clear that he had not arrived at any definite conclusion till now. He said he was pointing out that there were alternative targets in countries other than Iran that also made sense and served another nation's interest to attack -- namely India's Space Research Organisation which uses the exact Siemens software targeted by Stuxnet.

"Further, the satellite in question (INSAT 4B) suffered the power `glitch' in an unexplained fashion, and it's failure served another state's advantage -- in this case China," he said.

Alongwith Indonesia and Iran, India has had the maximum number of infections from Stuxnet which affects Windows computers and gets transmitted through USB sticks. While Iran and Indonesia had about 60,000 and 13,000 Stuxnet infections respectively till late September, India was at the third position with over 6,000 infections. However, it infects only those computers which use certain Siemens software systems. Siemens software systems are used in many Indian government agencies including ISRO.

As it had impacted Bushehr nuclear power plant in Iran, it was thought that Iran might have been the intended target. Israel, in fact, had emerged as the prime suspect.

According to Carr, the Siemens software in use in ISRO's Liquid Propulsion Systems Centre is S7-400 PLC and SIMATIC WinCC, both of which, he said, would activate the Stuxnet worm. The Stuxnet worm was first discovered in June this year, a month before INSAT 4B was hit by the mysterious power failure.



Read more: China hitting India via Net worm? - The Times of India China hitting India via Net worm? - The Times of India

 

[shuvo@y2k10]

actually it is the US which has directed the stuxnet to target iran's nuclear facilities. china is also targeting india with it;s own malware but most certainly it is not stuxnet.

 

[ajtr]

Cyber threat: Isro rules out Stuxnet attack on Insat-4 B​

MUMBAI: Isro has ruled out possibility of the deadly Stuxnet internet worm attacking Insat-4 B satellite on July 7, resulting in 12 of its 24 transponders shutting down.

Speaking to TOI from Bangalore on Monday, Isro officials, requesting anonymity, said that the worm only strikes a satellite's programme logic controller (PLC).

"We can confirm that Insat-4 B doesn't have a PLC. So the chances of the Stuxnet worm attacking it appear remote. In PLC's place, Insat-4 B had its own indigenously-designed software which controlled the logic of the spacecraft,'' said a source.

PLC's main function is to control the entire "logic of the spacecraft''. Other space experts described PLC as a digital computer used for automation of electro-mechanical processes.

Sources, however, said Isro is awaiting Jeffrey Carr's presentation at Abu Dhabi next to know the full details of the Stuxnet internet worm. Carr in a blog published in Forbes recently suggested that the resumes of two former engineers at Isro's Liquid Propulsion Systems Centre (LPSC) at Mahendra Giri in Tamil Nadu said that the Siemens S7-400 PLC was used in Insat-4 B, which can activate the Stuxnet worm.

An Isro announcement on July 9 said that "due to a power supply anomaly in one of its (Insat-4 B) two solar panels, there is a partial non-availability on India's Insat-4 B communication satellite''. It said that the satellite has been in operation since March 2007 and the power supply glitch had led to the switching off of 50% of the transponder capacity.

The worm infects only computers equipped with certain Siemens software systems. Isro, however, reiterated that the Siemens software wasn't used in Insat-4 B. The Stuxnet worm was first discovered in June, a month before Insat-4 B was crippled by power failure.

Carr's blog says, "China and India are competing with each other to see who will be the first to land another astronaut on the Moon.''