Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant

Discussion in 'Strategic Forces' started by smartindian, Sep 23, 2010.

  1. smartindian

    smartindian Regular Member

    Joined:
    Aug 17, 2010
    Messages:
    612
    Likes Received:
    52
    Location:
    Mysore, Karnataka, India
    Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant?


    Cyber security experts say they have identified the world's first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.

    The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose have grown. Some top cyber security experts now say Stuxnet's arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.

    At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran's Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat.

    The appearance of Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected memory stick. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems.
    Unlike most malware, Stuxnet is not intended to help someone make money or steal proprietary data. Industrial control systems experts now have concluded, after nearly four months spent reverse engineering Stuxnet, that the world faces a new breed of malware that could become a template for attackers wishing to launch digital strikes at physical targets worldwide. Internet link not required.
    "Until a few days ago, people did not believe a directed attack like this was possible," Ralph Langner, a German cyber-security researcher, told the Monitor in an interview. He was slated to present his findings at a conference of industrial control system security experts Tuesday in Rockville, Md. "What Stuxnet represents is a future in which people with the funds will be able to buy an attack like this on the black market. This is now a valid concern."

    A gradual dawning of Stuxnet's purpose
    It is a realization that has emerged only gradually.

    Stuxnet surfaced in June and, by July, was identified as a hypersophisticated piece of malware probably created by a team working for a nation state, say cyber security experts. Its name is derived from some of the filenames in the malware. It is the first malware known to target and infiltrate industrial supervisory control and data acquisition (SCADA) software used to run chemical plants and factories as well as electric power plants and transmission systems worldwide. That much the experts discovered right away.
    But what was the motive of the people who created it? Was Stuxnet intended to steal industrial secrets – pressure, temperature, valve, or other settings –and communicate that proprietary data over the Internet to cyber thieves?

    By August, researchers had found something more disturbing: Stuxnet appeared to be able to take control of the automated factory control systems it had infected – and do whatever it was programmed to do with them. That was mischievous and dangerous.
    But it gets worse. Since reverse engineering chunks of Stuxnet's massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.
    "Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world," says Langner, who last week became the first to publicly detail Stuxnet's destructive purpose and its authors' malicious intent. "This is not about espionage, as some have said. This is a 100 percent sabotage attack."
    A guided cyber missile

    On his website, Langner lays out the Stuxnet code he has dissected. He shows step by step how Stuxnet operates as a guided cyber missile. Three top US industrial control system security experts, each of whom has also independently reverse-engineered portions of Stuxnet, confirmed his findings to the Monitor.
    "His technical analysis is good," says a senior US researcher who has analyzed Stuxnet, who asked for anonymity because he is not allowed to speak to the press. "We're also tearing [Stuxnet] apart and are seeing some of the same things."
    Other experts who have not themselves reverse-engineered Stuxnet but are familiar with the findings of those who have concur with Langner's analysis.
    "What we're seeing with Stuxnet is the first view of something new that doesn't need outside guidance by a human – but can still take control of your infrastructure," says Michael Assante, former chief of industrial control systems cyber security research at the US Department of Energy's Idaho National Laboratory. "This is the first direct example of weaponized software, highly customized and designed to find a particular target."
    "I'd agree with the classification of this as a weapon," Jonathan Pollet, CEO of Red Tiger Security and an industrial control system security expert, says in an e-mail.
    One researcher's findingsLangner's research, outlined on his website Monday, reveals a key step in the Stuxnet attack that other researchers agree illustrates its destructive purpose. That step, which Langner calls "fingerprinting," qualifies Stuxnet as a targeted weapon, he says.

    Langner zeroes in on Stuxnet's ability to "fingerprint" the computer system it infiltrates to determine whether it is the precise machine the attack-ware is looking to destroy. If not, it leaves the industrial computer alone. It is this digital fingerprinting of the control systems that shows Stuxnet to be not spyware, but rather attackware meant to destroy, Langner says.

    Stuxnet's ability to autonomously and without human assistance discriminate among industrial computer systems is telling. It means, says Langner, that it is looking for one specific place and time to attack one specific factory or power plant in the entire world.
    "Stuxnet is the key for a very specific lock – in fact, there is only one lock in the world that it will open," Langner says in an interview. "The whole attack is not at all about stealing data but about manipulation of a specific industrial process at a specific moment in time. This is not generic. It is about destroying that process."

    So far, Stuxnet has infected at least 45,000 industrial control systems around the world, without blowing them up – although some victims in North America have experienced some serious computer problems, Eric Byres, a Canadian expert, told the Monitor. Most of the victim computers, however, are in Iran, Pakistan, India, and Indonesia. Some systems have been hit in Germany, Canada, and the US, too. Once a system is infected, Stuxnet simply sits and waits – checking every five seconds to see if its exact parameters are met on the system. When they are, Stuxnet is programmed to activate a sequence that will cause the industrial process to self-destruct, Langner says.

    Langner's analysis also shows, step by step, what happens after Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner’s analysis shows.
    "After the original code [on the PLC] is no longer executed, we can expect that something will blow up soon," Langner writes in his analysis. "Something big."

    For those worried about a future cyber attack that takes control of critical computerized infrastructure – in a nuclear power plant, for instance – Stuxnet is a big, loud warning shot across the bow, especially for the utility industry and government overseers of the US power grid.
    "The implications of Stuxnet are very large, a lot larger than some thought at first," says Mr. Assante, who until recently was security chief for the North American Electric Reliability Corp. "Stuxnet is a directed attack. It's the type of threat we've been worried about for a long time. It means we have to move more quickly with our defenses – much more quickly."
    Has Stuxnet already hit its target?It might be too late for Stuxnet's target, Langner says. He suggests it has already been hit – and destroyed or heavily damaged. But Stuxnet reveals no overt clues within its code to what it is after.

    A geographical distribution of computers hit by Stuxnet, which Microsoft produced in July, found Iran to be the apparent epicenter of the Stuxnet infections. That suggests that any enemy of Iran with advanced cyber war capability might be involved, Langner says. The US is acknowledged to have that ability, and Israel is also reported to have a formidable offensive cyber-war-fighting capability.

    Could Stuxnet's target be Iran's Bushehr nuclear power plant, a facility much of the world condemns as a nuclear weapons threat?
    Langner is quick to note that his views on Stuxnet's target is speculation based on suggestive threads he has seen in the media. Still, he suspects that the Bushehr plant may already have been wrecked by Stuxnet. Bushehr's expected startup in late August has been delayed, he notes, for unknown reasons. (One Iranian official blamed the delay on hot weather.)

    But if Stuxnet is so targeted, why did it spread to all those countries? Stuxnet might have been spread by the USB memory sticks used by a Russian contractor while building the Bushehr nuclear plant, Langner offers. The same contractor has jobs in several countries where the attackware has been uncovered.
    "This will all eventually come out and Stuxnet's target will be known," Langner says. "If Bushehr wasn't the target and it starts up in a few months, well, I was wrong. But somewhere out there, Stuxnet has found its target. We can be fairly certain of that."
    :angry_1: :angry_1: :angry_1: :angry_1: :angry_1: :angry_1: :angry_1:
     
  2.  
  3. bhramos

    bhramos Elite Member Elite Member

    Joined:
    Mar 21, 2009
    Messages:
    13,206
    Likes Received:
    6,638
    Location:
    Telangana/India/Bharat
    hi mate please post the links. ........
     
  4. SHASH2K2

    SHASH2K2 New Member

    Joined:
    May 10, 2010
    Messages:
    5,711
    Likes Received:
    723
    Location:
    Bihar, BanGalore , India
    Big Claims, But Little Evidence of Cyber Attack on Iran's Nuclear Program

    The evidence may be scant, and the claims seemingly far-fetched, but a cybersecurity expert is suggesting that a sophisticated new type of malware, called Stuxnet may have been spread in the hopes of bringing down Iran's nuclear program.

    "At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran's Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat," the Christian Science Monitor reported Wednesday, based on comments made by Ralph Langner, a German cyber-security researcher.

    Stuxnet, the worm in question, has attracted widespread attention since being identified over the summer because of its level of sophistication, which Computerworld called "ground breaking." The worm specifically targets systems known as SCADA, or supervisory control and data acquisition," that are used to run large facilities, like power plants.

    The expertise and resources needed to created something like Stuxnet does suggest the involvement of a government, but there appears to be little evidence that Stuxnet was targeting specifically Bushehr, according to other analysts.

    Jeffrey Carr, a cybersecurity expert, said he found the claims that Stuxnet was targeting Iran "odd" given the lack of specific evidence. "The reality is that Iran, India, and Indonesia all had big problems with this worm, based on three different information security companies," Carr, the founder of GreyLogic, told AOL News. "To take one possibility out of many and to claim that [is the explanation] is irresponsible."

    Regardless of whether Stuxnet was targeting the Iranian nuclear program, it is possible to create malware designed to target a nuclear plant, or some other part of a country's electricity grid, another cybersecurity expert tells AOL News. A simulation run by the Pacific Northwest National Laboratory demonstrated that it was possible to hack a facility like a power plant, Chris Bronk, a fellow in information technology policy at Rice University's Baker Institute, told AOL News

    Citing the new emphasis on cybersecurity, including the creation of U.S. Cyber Command, a unified military command, the idea of the United States deploying a cyber weapon is quite possible, according to Bronk. "They have talked about having offensive and defensive cyber portfolios," Bronk says. "Defensive is easy; offensive is something no one is talking about."

    Even if Langner's assertions about the Iran are correct, but there isn't really any evidence to back up those claims, even by his own account. "This will all eventually come out and Stuxnet's target will be known," Langner told the Christian Science Monitor. "If Bushehr wasn't the target and it starts up in a few months, well, I was wrong."
     
  5. SHASH2K2

    SHASH2K2 New Member

    Joined:
    May 10, 2010
    Messages:
    5,711
    Likes Received:
    723
    Location:
    Bihar, BanGalore , India
    Stuxnet worm 'targeted high-value Iranian assets'


    One of the most sophisticated pieces of malware ever detected was probably targeting "high value" infrastructure in Iran, experts have told the BBC.

    Stuxnet's complexity suggests it could only have been written by a "nation state", some researchers have claimed.

    It is believed to be the first-known worm designed to target real-world infrastructure such as power stations, water plants and industrial units.

    It was first detected in June and has been intensely studied ever since.

    "The fact that we see so many more infections in Iran than anywhere else in the world makes us think this threat was targeted at Iran and that there was something in Iran that was of very, very high value to whomever wrote it," Liam O'Murchu of security firm Symantec, who has tracked the worm since it was first detected, told BBC News.


    Some have speculated that it could have been aimed at disrupting Iran's Bushehr nuclear power plant or the uranium enrichment plant at Natanz.

    However, Mr O'Murchu and others, such as security expert Bruce Schneier, have said that there was currently not enough evidence to draw conclusions about what its intended target was or who had written it.

    India and Indonesia have also seen relatively high infection rates, according to Symantec.
    'Rare package'

    Stuxnet was first detected in June by a security firm based in Belarus, but may have been circulating since 2009.

    Unlike most viruses, the worm targets systems that are traditionally not connected to the internet for security reasons.

    Instead it infects Windows machines via USB keys - commonly used to move files around - infected with malware.

    Once it has infected a machine on a firm's internal network, it seeks out a specific configuration of industrial control software made by Siemens.
    Siemens factory The worm searches out industrial systems made by Siemens

    Once hijacked, the code can reprogram so-called PLC (programmable logic control) software to give attached industrial machinery new instructions.

    "[PLCs] turn on and off motors, monitor temperature, turn on coolers if a gauge goes over a certain temperature," said Mr O'Murchu.

    "Those have never been attacked before that we have seen."

    If it does not find the specific configuration, the virus remains relatively benign.

    However, the worm has also raised eyebrows because of the complexity of the code used and the fact that it bundled so many different techniques into one payload.

    "There are a lot of new, unknown techniques being used that we have never seen before," he said These include tricks to hide itself on PLCs and USB sticks as well as up to six different methods that allowed it to spread.

    In addition, it exploited several previously unknown and unpatched vulnerabilities in Windows, known as zero-day exploits.

    "It is rare to see an attack using one zero-day exploit," Mikko Hypponen, chief research officer at security firm F-Secure, told BBC News. "Stuxnet used not one, not two, but four."

    He said cybercriminals and "everyday hackers" valued zero-day exploits and would not "waste" them by bundling so many together.

    Microsoft has so far patched two of the flaws.
    'Nation state'

    Mr O'Murchu agreed and said that his analysis suggested that whoever had created the worm had put a "huge effort" into it.

    "It is a very big project, it is very well planned, it is very well funded," he said. "It has an incredible amount of code just to infect those machines."
    Continue reading the main story
    “Start Quote

    There have been no instances where production operations have been influenced or where a plant has failed”

    End Quote Siemen's spokesperson

    His analysis is backed up by other research done by security firms and computer experts.

    "With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge," said Ralph Langer, an industrial computer expert in an analysis he published on the web.

    "This is not some hacker sitting in the basement of his parents' house. To me, it seems that the resources needed to stage this attack point to a nation state," he wrote.

    Mr Langer, who declined to be interviewed by the BBC, has drawn a lot of attention for suggesting that Stuxnet could have been targeting the Bushehr nuclear plant.

    In particular, he has highlighted a photograph reportedly taken inside the plant that suggests it used the targeted control systems, although they were "not properly licensed and configured".

    Mr O'Murchu said no firm conclusions could be drawn.

    However, he hopes that will change when he releases his analysis at a conference in Vancouver next week.

    "We are not familiar with what configurations are used in different industries," he said.

    Instead, he hopes that other experts will be able to pore over their research and pinpoint the exact configuration needed and where that is used.
    'Limited success'

    A spokesperson for Siemens, the maker of the targeted systems, said it would not comment on "speculations about the target of the virus".

    He said that Iran's nuclear power plant had been built with help from a Russian contractor and that Siemens was not involved.

    "Siemens was neither involved in the reconstruction of Bushehr or any nuclear plant construction in Iran, nor delivered any software or control system," he said. "Siemens left the country nearly 30 years ago."

    Siemens said that it was only aware of 15 infections that had made their way on to control systems in factories, mostly in Germany. Symantec's geographical analysis of the worm's spread also looked at infected PCs.

    "There have been no instances where production operations have been influenced or where a plant has failed," the Siemens spokesperson said. "The virus has been removed in all the cases known to us."

    He also said that according to global security standards, Microsoft software "may not be used to operate critical processes in plants".

    It is not the first time that malware has been found that affects critical infrastructure, although most incidents occur accidentally, said Mr O'Murchu, when a virus intended to infect another system accidently wreaked havoc with real-world systems.

    In 2009 the US government admitted that software had been found that could shut down the nation's power grid.

    And Mr Hypponen said that he was aware of an attack - launched by infected USB sticks - against the military systems of a Nato country.

    "Whether the attacker was successful, we don't know," he said.

    Mr O'Murchu will present his paper on Stuxnet at Virus Bulletin 2010 in Vancouver on 29 September. Researchers from Kaspersky Labs will also unveil new findings at the same event.
     
  6. Tshering22

    Tshering22 Sikkimese Saber Senior Member

    Joined:
    Aug 20, 2010
    Messages:
    4,404
    Likes Received:
    2,782
    Location:
    Gangtok, Sikkim, India
    I wonder why for goodness sakes Iran doesn't allow IAEA to check their reactor. Every country in NSG agreed. Even we agreed to show the civilian nuke plants. Then what's Iran howling for as "discrimination"?

    Comparing everything with Israel is stupid and immature, just as a 5 year old complains his neighbour having bigger chocolate. Israel is a state that is 20 times smaller than Iran in size and 10 times in population. It is surrounded by countries who have never left no stones unturned to attempt to destroy it. In every war of Israel, there are a minimum of 3 Arab countries that have teamed up against Israelis. So nuclear bombs are naturally important for them. Their existence depends on it.

    In Iran's case, how many enemies are there for it? Pakistan has normal ties with them, Afghanistan cannot attack them at least in the next 4 decades, Turkey is cool but not hostile to Iran, Iraq is long gone as a threat, Arab countries are tiny and too insignificant for them. By forcefully making USA and Israel as their enemies, they are just doing that: creating enemies for themselves. Signing IAEA mandates is as a country, regardless of what happens to the ruling regime and they signed it. We had a right to protest because we never signed it.

    All their troubles would end if they simply agreed to show the nuke plants and accept IAEA safeguards if indeed they want nuke power for civilian purposes. For civilian energy I don't know which government would be as foolish and narrow-minded as Iranian government to let their own citizens suffer and make it look like they are challenging a "superpower". Seriously.
     
  7. SHASH2K2

    SHASH2K2 New Member

    Joined:
    May 10, 2010
    Messages:
    5,711
    Likes Received:
    723
    Location:
    Bihar, BanGalore , India
    Software bomb fired at Iran N-plant


    SAN FRANCISCO: Computer security experts are studying a scary new cyber weapon: a software smart bomb that may have been crafted to find and sabotage a nuclear facility in Iran.

    Malicious software, or malware, dubbed "Stuxnet" is able to recognize a specific facility's control network and then destroy it, according to German computer security researcher Ralph Langner. "Welcome to cyber war," Langner said in a post at his website. "This is sabotage." Langner has been analyzing Stuxnet since it was discovered in June and said the code had a technology fingerprint of the control system it was seeking and would go into action automatically when it found its target.

    "It's pretty amazing," James Lewis , a senior fellow at the Center for Strategic and International Studies, said on Thursday. "It looks like more than simple cyber espionage."

    Stuxnet was tailored for Siemens supervisory control and data acquisition (SCADA) systems commonly used to manage water supplies, oil rigs, power plants and other industrial facilities. It traveled by sneaking onto USB memory sticks and was able to thereby hop from system to system without needing the internet, according to Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab Americas.

    Stuxnet is considered a malware "worm" because it burrows from machine to machine, replicating itself on the way. Once in a computer system running on Windows software, Stuxnet checked for any of three Siemens SCADA programmable logic controllers (PLCs) that manage functions such as cooling or turbine speed, Schouwenberg said.

    If there was a match, Stuxnet automatically took over control of the PLC and hid any changes from workers operating or managing a system, according to Schouwenberg.

    "When the operator looks at the plant, everything will look just fine," Schouwenberg said. "Meanwhile, the machine will be overloading. Its ultimate goal is cyber sabotage."

    "Stuxnet manipulates a fast running process," Langner explained. "We can expect that something will blow up soon. Something big."

    The software saboteur has been found lurking on systems in India, Indonesia , Pakistan and elsewhere, but the heaviest infiltration appeared to be in Iran, according to software security researchers.

    The pattern of spread correlated somewhat with jobs handled by a firm commissioned to work at nuclear facilities, according to researchers . Langner suspected Stuxnet's mark was the Bushehr nuclear facility in Iran. Unspecified problems have been blamed for a delay in getting the facility fully operational.
     
  8. Patriot

    Patriot Senior Member Senior Member

    Joined:
    Apr 11, 2010
    Messages:
    1,760
    Likes Received:
    538
    Location:
    Ahmedabad, Gujarat, India
    Stuxnet Under the Microscope- Israeli Cyber Warefare Expert Analyzes the Malicious Code

    Stuxnet uncovers the vulnerability of our infrastructure system – exposing the vulnerable interfaces between the logical and physical world, these elements are totally unprotected and open disastrous vulnerabilities to attack by cyber terrorism and cyber criminals.

    “We have analyzed the code, and compared it to other, similar known malware, this new code has definitely the parameters of a ‘military code’, but it lacks some aspects one would expect to find in military cyber warfare application” Shai Blitzblau, Head of Maglan-Computer Warfare and Network Intelligence Labs, interviewed by Defense Update. Among these parameters are communications, encryption, internal self-protection (anti-anti debug) and certain methodologies that are followed by western cyber warfare specialists.

    While Iran was marked as Stuxnet’s most popular target, other countries falling prey to the new malware were many third world nations where Siemens equipment is widely used and security and legal discipline in licensing and security methods are not strictly enforced. Stuxnet also attacked Indonesia, India, Russia, Belarus, and in Kirgizstan. What’s more important is where the Stuxnet didn’t attack – China and – most surprisingly – Germany, where only few systems were compromised yet none of the reports was confirmed!

    “Siemens is reporting that industrial plants in Germany have also been hit by the Stuxnet worm. According to Wieland Simon, press spokesman at Siemens, approximately one third of the 15 infections discovered at industrial plants worldwide have been found at sites in German process industry sector. Siemens’ own plants are said not to be affected” simon added.

    Although it was ‘discovered’ by the media in late September, Stuxnet is definitely not a new threat and, in fact, most of the vulnerabilities it exploited have already been ‘patched’. It was created sometime in January-February according to the ‘time stamps’ embedded into the compiled code. Initial anomalies related to the new threat were reported about two months later. Maglan received the new threat as part of our technical support services to some of our customers, who were hit by the malware. After thorough analysis we have uncovered several interesting aspects of the code that were not familiar before, and lead us to assume that Stuxnet was not created by a western cyber warfare organization. However, the great effort and resources invested in this code testify to its value to its creators, who spent great investments – financial, technical and in – most importantly, in assets considered scarce commodities among the hackers community.

    Targeting Industrial and Infrastructure Systems

    First, and most important, the code was not written by “home based” hackers – unlike most other malware codes, it is not directed against conventional windows systems, but specifically at industrial systems, by exploiting four different vulnerabilities (security ‘holes’ detected by hackers but not yet patched, three months ago, by the targeted software provider – also called ‘Zero Day’ exploits). Such Zero-Day Exploits are not spent easily by hackers, and would rarely be used in tandem, let alone in a ‘quad’ formation, testifying to the fact that the developer team had no limits on the use of resources.

    Multiplicity and redundancy were also employed addressing the targeted operating systems. The creators of Stuxnet also went into great effort to ensure the malware covers all potential avenues of approach – including systems that rarely interest hackers – like WindowsCC, a Microsoft operating system designed for embedded systems. The code also targets all Windows platforms from Windows ME, XP, NT, Vista, 2000, 2003 and 2008 to the latest Windows 7 – again not a simple task for regular hackers. Other aspects of the code target specific vulnerabilities attributed to Siemens PSC7 systems, designed to control Programmable Logic Controllers (PLC) widely used in utility and industrial SCADA systems.

    While each of these penetration axes operates independently, these parallel lines are coordinated and supporting each others to achieve the goal – ‘hijack’ as many PLCs as possible and burry embedding itself into the command and control hubs. The malicious code does not carry the type of spyware commonly found in other bots, but is rather ‘attack oriented’ – carrying a ‘payload’ in form of a set of commands designed to bypass those controlling the PLC, and carry out a set of actions as instructed by the hijacker.


    CONTNUD>>>






    Stuxnet Under the Microscope – Israeli Cyber Warfare Expert Analyzes the Malicious Code - Defense-Update
     
    Last edited: Oct 2, 2010
  9. Patriot

    Patriot Senior Member Senior Member

    Joined:
    Apr 11, 2010
    Messages:
    1,760
    Likes Received:
    538
    Location:
    Ahmedabad, Gujarat, India
    “Stuxnet is definitely not a military code, at least not a Western one” said Shai Blitzblau, Head of Maglan-Computer Warfare and Network Intelligence Labs, interviewed by Defense Update. “Stuxnet is a sophisticated and highly advanced code, but it lacks certain elements commonly associated with military operations” Blitzblau explains that the broad, indiscriminate attack on industrial computers launched by Stuxnet is not characteristic to a military operation, where the nation launching the attack tries to minimize collateral damage and focus on a specific target.

    “Every student can write a module discriminating the target computer and localizing the attack to a specific target” Blitzblau added, “The fact that this sophisticated code does not have such elements, and certain aspects of the functionality of the malicious code, allege to the creators’ aiming Stuxnet to target Siemens industrial systems on a broad base, rather than a specific application as reported by the media.” In addition, a high level code aimed at Network Intelligence Operations would have an anti-anti debug mechanism to avoid forensic analysis.
    Who could be the perpetrators behind this attack and what were their goals?

    Blitzblau describes an act of ‘Advanced Industrial Espionage’ a deliberate cyber sabotage launched by someone against Siemens – this could be a competitor or service-provider, seeking to exploit the situation for business opportunities – first create the problem and then – help fixing it. But there are also other aspects to the attack that could tell a different story. “This could also be a ‘general test’, prior to a planned attack, or a proof of concept, initiated by an academic group – in the past we witnessed such attacks, for example, one attack was launched from Japan, on video drivers.” According to Blitzblau a military test going out of control is not an option here. “Military offensive cyber ops are not conducted this way and even when an intelligence agency conducts such tests they will go a long way to ensure that the test is limited to a specific volume and not spread it worldwide.” He said. Blitzblau attributes the widespread infection of industrial networks in Iran to low level of security and, apparently the high popularity of Siemens systems in the country. In fact, Stuxnet could have propagated from Belarus, and Russia unintentionally by Russian system engineers, using USB devices to update and program Siemens systems in Iran, Indonesia and India. The intensity of attack in Iran could illuminate the intensity of their activities associated with the nuclear projects in Natanz and Bushehr.

    While the media attributed Stuxnet as a cyber weapon launched by Israel or the USA against Iran’s nuclear facilities, the possibility of it being a cyber weapon developed and launched by international terrorists’ organization has not been tackled seriously by the media. Yet, Blitzblau has a grim outlook as to the potential value of such cyber weapon in the hands of terrorist organizations. “International terrorist organizations certainly have the will, and means to launch such an attack, and they could gain the most from it – creating mega events like bringing airports, disrupting train traffic, cutting power supplies and utilities. “Even if they did not create it, they now have access to such a weapon, as Stuxnet is now in their reach, like a loaded gun. Despite the countermeasures developed by Microsoft and Siemens, there are many networks that have not been patched yet – some will never be protected. Blitzblau warns that the current attack will probably set the route for new vectors for cyber terror, as the malicious code is modified and manipulated into a range of new forms and variants. The vulnerabilities highlighted by the current attack will undoubtedly set the course for more attacks aimed at industrial controllers and embedded systems. With that, the risk of compromising military systems will grow dramatically; as such elements are widely used in military weapon systems.
     
  10. nitesh

    nitesh Mob Control Manager Stars and Ambassadors

    Joined:
    Feb 12, 2009
    Messages:
    7,541
    Likes Received:
    1,260
    Location:
    Bangalore
  11. Phenom

    Phenom Regular Member

    Joined:
    Mar 6, 2010
    Messages:
    878
    Likes Received:
    401
    This virus seems to have caused enormous irritant around the world, but has caused little real damage to its intended target. If this episode clear proof that cyber warfare has a long way to go before it can become a major threat to any country.
     
  12. Patriot

    Patriot Senior Member Senior Member

    Joined:
    Apr 11, 2010
    Messages:
    1,760
    Likes Received:
    538
    Location:
    Ahmedabad, Gujarat, India
    Iran Arrests 'Spies,' Fights Cyber Attack

    ran's intelligence minister says authorities have arrested what he calls several "nuclear spies."

    Iranian state television quotes Heidar Moslehi who announced the arrests Saturday while touting the country's efforts to combat a computer "worm" that has infected Iranian networks. Moslehi said Iran's enemies designed and sent the electronic attack to undermine the country's nuclear activities. But he said his ministry is fighting off the worm.

    He did not provide any details about the alleged spies who were arrested, and did not say if they were linked to the cyber attack.

    Cyber security experts say the so-called Stuxnet worm appears to be specifically designed to target industrial installations such as power plants.

    The head of Iran's Bushehr nuclear power plant confirmed earlier this week that the worm had infected some of the facility's software. But he said the plant's main systems are safe.

    The worm's origins are unclear, although some experts suspect it may be a state-sponsored program.

    The malicious computer code also has been detected in systems in other parts of the world, including India and Indonesia, but Iran is believed to be the most hard-hit, experiencing approximately 60 percent of the attacks.

    Some information for this report was provided by AP, AFP and Reuters.








    http://www.globalsecurity.org/wmd/library/news/iran/2010/iran-101002-voa01.htm
     
    Last edited: Oct 3, 2010
  13. Patriot

    Patriot Senior Member Senior Member

    Joined:
    Apr 11, 2010
    Messages:
    1,760
    Likes Received:
    538
    Location:
    Ahmedabad, Gujarat, India
    Stuxnet infected industrial computers cleaned: Iran | Defense Technology News at DefenseTalk

    Tehran: Industrial computers infected by Stuxnet in Iran have been cleaned and returned to their units, a top official said on Sunday, following reports that the malware was mutating and wreaking havoc with equipment.

    "The industrial computers infected by the Stuxnet virus have been cleaned," Mohsen Hatam, deputy industry minister, was quoted as saying on the state television's website.

    Iranian media had said that Stuxnet had mutated and was wreaking havoc on computerized industrial equipment in Iran, with around 30,000 IP addresses infected.

    [​IMG]

    But Hatam said that "all platforms have been cleaned and delivered to the industrial units."

    "The virus infected these computers because they lacked high security firewalls," he added.

    He said Stuxnet was "designed and despatched about a year ago to gather information from industrial computers."

    Stuxnet, which was publicly identified in June, is a self-replicating malware found lurking on Siemens systems, mostly in India, Indonesia and Pakistan, but the heaviest infiltration appears to be in Iran, researchers say.

    Analysts say Stuxnet may have been designed to target Iran's nuclear facilities, especially the Russian-built first atomic power plant in the southern city of Bushehr.

    Officials have denied that Bushehr was among the addresses penetrated by the worm, but had acknowledged that some personal computers of the plant's personnel had been infected.

    Iran's nuclear ambitions are at the heart of a conflict between Tehran and the West, which suspects the Islamic republic is seeking to develop atomic weapons under the cover of a civilian drive.

    Tehran denies the allegation and is pressing on with its uranium enrichment programme -- the most controversial aspect of its nuclear activities -- despite four sets of UN Security Council sanctions.
     
  14. SHASH2K2

    SHASH2K2 New Member

    Joined:
    May 10, 2010
    Messages:
    5,711
    Likes Received:
    723
    Location:
    Bihar, BanGalore , India

    Experts dissecting the computer worm suspected of being aimed at Iran’s nuclear program have determined that it was precisely calibrated in a way that could send nuclear centrifuges wildly out of control.

    Their conclusion, while not definitive, begins to clear some of the fog around the Stuxnet worm, a malicious program detected earlier this year on computers, primarily in Iran but also India, Indonesia and other countries.

    The paternity of the worm is still in dispute, but in recent weeks officials from Israel have broken into wide smiles when asked whether Israel was behind the attack, or knew who was. American officials have suggested it originated abroad.

    The new forensic work narrows the range of targets and deciphers the worm’s plan of attack. Computer analysts say Stuxnet does its damage by making quick changes in the rotational speed of motors, shifting them rapidly up and down.

    Changing the speed “sabotages the normal operation of the industrial control process,” Eric Chien, a researcher at the computer security company Symantec, wrote in a blog post.

    Those fluctuations, nuclear analysts said in response to the report, are a recipe for disaster among the thousands of centrifuges spinning in Iran to enrich uranium, which can fuel reactors or bombs. Rapid changes can cause them to blow apart. Reports issued by international inspectors reveal that Iran has experienced many problems keeping its centrifuges running, with hundreds removed from active service since summer 2009.

    “We don’t see direct confirmation” that the attack was meant to slow Iran’s nuclear work, David Albright, president of the Institute for Science and International Security, a private group in Washington that tracks nuclear proliferation, said in an interview Thursday. “But it sure is a plausible interpretation of the available facts.”

    Intelligence officials have said they believe that a series of covert programs are responsible for at least some of that decline. So when Iran reported earlier this year that it was battling the Stuxnet worm, many experts immediately suspected that it was a state-sponsored cyberattack.

    Until last week, analysts had said only that Stuxnet was designed to infect certain kinds of Siemens equipment used in a wide variety of industrial sites around the world.

    But a study released Friday by Mr. Chien, Nicolas Falliere and Liam O. Murchu at Symantec, concluded that the program’s real target was to take over frequency converters, a type of power supply that changes its output frequency to control the speed of a motor.

    The worm’s code was found to attack converters made by two companies, Fararo Paya in Iran and Vacon in Finland. A separate study conducted by the Department of Homeland Security confirmed that finding, a senior government official said in an interview on Thursday.

    Then, on Wednesday, Mr. Albright and a colleague, Andrea Stricker, released a report saying that when the worm ramped up the frequency of the electrical current supplying the centrifuges, they would spin faster and faster. The worm eventually makes the current hit 1,410 Hertz, or cycles per second — just enough, they reported, to send the centrifuges flying apart.

    In a spooky flourish, Mr. Albright said in the interview, the worm ends the attack with a command to restore the current to the perfect operating frequency for the centrifuges — which, by that time, would presumably be destroyed.

    “It’s striking how close it is to the standard value,” he said.

    The computer analysis, his Wednesday report concluded, “makes a legitimate case that Stuxnet could indeed disrupt or destroy” Iranian centrifuge plants.

    The latest evidence does not prove Iran was the target, and there have been no confirmed reports of industrial damage linked to Stuxnet. Converters are used to control a number of different machines, including lathes, saws and turbines, and they can be found in gas pipelines and chemical plants. But converters are also essential for nuclear centrifuges.

    On Wednesday, the chief of the Department of Homeland Security’s cybersecurity center in Virginia, Sean McGurk, told a Senate committee that the worm was a “game changer” because of the skill with which it was composed and the care with which it was geared toward attacking specific types of equipment.

    Meanwhile, the search for other clues in the Stuxnet program continues — and so do the theories about its origins.
    Ralph Langner, a German expert in industrial control systems who has examined the program and who was the first to suggest that the Stuxnet worm may have been aimed at Iran, noted in late September that a file inside the code was named “Myrtus.” That could be read as an allusion to Esther, and he and others speculated it was a reference to the Book of Esther, the Old Testament tale in which the Jews pre-empt a Persian plot to destroy them.

    Writing on his Web site last week, Mr. Langner noted that a number of the data modules inside the program contained the date “Sept. 24, 2001,” clearly long before the program was written. He wrote that he believed the date was a message from the authors of the program, but did not know what it might mean.

    Last month, researchers at Symantec also speculated that a string of numbers found in the program — 19790509 — while seeming random, might actually be significant. They speculated that it might refer to May 9, 1979, the day that Jewish-Iranian businessman Habib Elghanian was executed in Iran after being convicted of spying for Israel.

    Interpreting what the clues might mean is a fascinating exercise for computer experts and conspiracy theorists, but it could also be a way to mislead investigators.

    Indeed, according to one investigator, the creation date of the data modules might instead suggest that the original attack code in Stuxnet was written long before the program was actually distributed.

    According to Tom Parker, a computer security specialist at Securicon LLC, a security consulting firm based in Washington, the Stuxnet payload appeared to have been written by a team of highly skilled programmers, while the “dropper” program that delivered the program reflected an amateur level of expertise. He said the fact that Stuxnet was detected and had spread widely in a number of countries was an indicator that it was a failed operation.

    “The end target is going to be able to know they were the target, and the attacker won’t be able to use this technique again,” he said.
     
  15. SHASH2K2

    SHASH2K2 New Member

    Joined:
    May 10, 2010
    Messages:
    5,711
    Likes Received:
    723
    Location:
    Bihar, BanGalore , India


    How is this relevant to export controls? Should nuclear law take stuxnets into account? The quote below is taken from later in the article, but apart from the US Nuclear Regulatory Commission, what other countries export these machines, and what are the laws governing these exports? Can anyone say stuxnets 10 times in a row out loud?

    Stuxnets brings up some challenging questions...let's start thinking about this before it gets out of control.

    "Cox says stuxnet only targets Vacon's or Fararo Paya's frequency converters when they run between 807 and 1210 hertz. That range is used for a small number of high-speed motor applications, but chiefly for the centrifuges used in uranium enrichment. The US Nuclear Regulatory Commission only allows export of machines rated above 600 hertz on a highly controlled basis."

    The New Scientist
    November 18, 2010
    Link

    The International Atomic Energy Agency could add computer security at nuclear plants to its remit after it emerged that stuxnet, the first computer worm known to attack industrial machinery, is indeed targeted at nuclear energy equipment as many observers had suspected.

    "It's not the IAEA's primary role to monitor how well nuclear plants are operating," says a source at the nuclear watchdog in Vienna, Austria. "But if our 150 member states want us to, we could facilitate meetings that help nuclear operators develop more secure computing systems."
    Such measures might include ensuring there are no connections between office computers and PCs monitoring control systems - or ensuring plant staff cannot insert USB sticks which may carry malware into critical hardware.

    The comments came after antivirus firm Symantec of Mountain View, California, revealed further findings in its forensic analysis of stuxnet, which infected tens of thousands of computers in Iranian nuclear enrichment facilities in September.

    No one knows who wrote stuxnet, only that at 600 kilobytes it is a much larger program than most viruses - and that the differing professional skill sets needed to write it point to an authoring team of at least 10 people. That, say security experts, points to a well funded operation replete with expertise - resources consistent with nation state level backing. And given the target, it was probably Israeli.

    Delivered online or via a USB stick, stuxnet used now-patched Windows vulnerabilities to seek out Windows PCs running software that monitors industrial control computers made by Siemens of Germany. But no one knew what type of industrial machine stuxnet wanted to meddle with.

    They do now. After crowdsourcing some expert help from industrial computing experts online, Symantec was able to work out the product codes for the types of industrial machine stuxnet aims to sabotage, says Orla Cox, chief researcher at Symantec's security response lab in Dublin, Ireland.

    They found that stuxnet tries to subtly take control of two types of frequency converters made by just two firms: Vacon of Finland and Fararo Paya of Iran. These machines convert AC power from the grid at 50 hertz into fast oscillating frequencies that are used for ultrafine speed control of some types of electric motors. The higher the frequency, the faster the motor.

    Cox says stuxnet only targets Vacon's or Fararo Paya's frequency converters when they run between 807 and 1210 hertz. That range is used for a small number of high-speed motor applications, but chiefly for the centrifuges used in uranium enrichment. The US Nuclear Regulatory Commission only allows export of machines rated above 600 hertz on a highly controlled basis.

    Symantec's analysis found that when stuxnet found such devices, it would subtly vary motor control frequencies from high (1410 hertz) to low (2 hertz) to not-so-high (1064 hertz) - in cycles that wrecked the purity of the enriched fuel. And it is thought to have succeeded in its task, says Cox - intelligence estimates says yields at Iran's Natanz enrichment plant plummeted shortly after the virus first appeared.

    Could the ability of a computer virus to effect such a change in a highly secure industry prompt action from the IAEA? Right now, its chief role is to ensure that nuclear materials are not diverted from peaceful energy generation purposes to secret bomb-making projects. "We measure how much fuel goes in and how much goes out - and we want that to be the same," says the IAEA source.

    But the source concedes the agency can't ignore the issue. "Our goal is just to help countries develop secure safety systems that are not compromised. So we could begin holding discussions among experts saying what computer security measures have worked well for them - and let them share those experiences with nuclear engineers from other countries.

    "We do this already with issues like seismic safety, and radiation safety."

    Meanwhile, IT defences are being mounted in the face of the new threat.

    "We are fully aware of the Stuxnet worm and its potential impact," says a spokesman for the massive Sellafield nuclear site in Cumbria, UK, where mixed oxide fuel manufacture, nuclear waste reprocessing, waste management and decommissioning operations are carried out.

    "We have a comprehensive set of security measures in place to identify and protect against such new and emerging threats. These measures are regularly reviewed and enhanced in response to the evolving security threat landscape. It would be inappropriate, however, to provide more details on the specific security measures in place."
     
  16. SHASH2K2

    SHASH2K2 New Member

    Joined:
    May 10, 2010
    Messages:
    5,711
    Likes Received:
    723
    Location:
    Bihar, BanGalore , India

    The Stuxnet worm may have a new target. While security analysts try to figure out whether the now-infamous malware was built to sabotage Iran’s nuclear program, North Korea has unveiled a new uranium enrichment plant that appears to share components with Iran’s facilities. Could Pyongyang’s centrifuges be vulnerable to Stuxnet?

    While U.S. officials are trying to figure out how to respond to North Korea’s unveiling of a new uranium enrichment plant, there are clues that a piece of malware believed to have hit Iran’s nuclear efforts could also target the centrifuges Pyongyang’s preparing to spin.

    Some of the equipment used by the North Koreans to control their centrifuges — necessary for turning uranium into nuclear-bomb-ready fuel — appear to have come from the same firms that outfitted the Iranian nuclear program, according to David Albright, the president of the Institute for Science and International Security and a long-time watcher of both nuclear programs. “The computer-control equipment North Korea got was the same Iran got,” Albright told Danger Room.
    Nearly two months before the Yongbyon revelation, Albright published a study covering the little that’s publicly known about the North’s longstanding and seemingly stalled efforts at enriching its own uranium. (.pdf) Citing unnamed European intelligence officials, Albright wrote that the North Korean control system “is dual use, also used by the petrochemical industry, but was the same as those acquired by Iran to run its centrifuges.”

    Albright doesn’t know for sure that the North Koreans’ control system is exactly like the one the Iranians use. Siegfried Hecker, the U.S. nuclear scientist invited by Pyongyang to view the Yongbyon facility,wasn’t allowed to check out the control room thoroughly, and his report about what he saw merely says that the control room is “ultra-modern,” decked out with flat-screen computer panels.

    Nor is Albright to specify which company manufactured the control system — something that determines whether Stuxnet would have any potency. “But that’s really what the Stuxnet virus is taking over,” Albright says, “the control equipment, giving directions to the frequency converters.”

    That suggests the vulnerabilities to Stuxnet suspected within Iran’s centrifuge-command systems might be contained within North Korea’s new uranium facility. Even if they’re not identical computer systems, Stuxnet demonstrated that the type of command systems employed in centrifuge-based enrichment is vulnerable to malware attack.

    That’s not to say that Stuxnet is making its way inside the North Korean facility: Someone would have to infiltrate the Hermit Kingdom’s most sensitive sites and introduce the worm into the command systems, a hard bargain to say the least. In other words, don’t go thinking the United States or an ally could magically infect North Korea with Stuxnet. But if more information emerges about the North’s command systems, that might provide fodder for a copycat worm — provided someone could introduce it into Yongbyon.



    Stuxnet was discovered last June by a Belorussian security firm, which found it on the computers of one of its unnamed clients in Iran. The sophisticated code is the first known malware designed to effectively target industrial control systems, also known as Supervisory Control and Data Acquisition (SCADA) systems. SCADA systems control various parts — such as automated assembly lines, pressure valves — at a wide variety of facilities, such as manufacturing plants, utilities and nuclear-enrichment plants.

    Stuxnet targeted only a specific system made by Siemens — Simatic WinCC SCADA system — and only a specific configuration of the system.

    According to the latest findings uncovered by security firm Symantec, Stuxnet first looks for Simatic systems that are controlling two particular types of frequency converter drives made by Fararo Paya in Teheran, Iran, or by Vacon, which is based in Finland.

    Frequency converter drives are power supplies that control things such as the speed of a motor. Stuxnet only initiates its malicious activity, however, if there are at least 33 of these converter drives in place at the facility and if they are operating at a high speed between 807 Hz and 1210 Hz.

    Such high speeds are used only for select applications, such as might be found at nuclear facilities. Speculation on Stuxnet’s likely target has focused on Iran’s nuclear facilities at Bushehr or Natanz. Symantec has been careful not to say definitively that Stuxnet was targeting a nuclear facility, but has noted that “frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”

    But according to a Department of Homeland Security official who spoke on background, frequency converter drives operate at this and similar high speeds in many facilities, not just nuclear plants.

    “[They] are used anywhere you try to control a very precise process,” he says. They’re used extensively in the petro-chemical industry and in balancing machines that are used to build fan blades for jet engines. They’re also used for mining and metal manufacturing and in environments that require precise heating, cooling and ventilation. And they’re used in food processing for big mixers, conveyors and high-speed bottling lines.

    As for the export limitation on high-speed drives that run above 600 Hz, the DHS official said this isn’t the only restriction on frequency converters. He notes that the Finnish manufacturer whose drives are targeted by Stuxnet requires buyers to have a special license to operate at frequencies exceeding 320 Hz — not out of concern that they would be used in a nuclear enrichment facility, but out of concern that they’re used properly.

    “Because a lot of times you use them in very complex processes to develop exotic materials,” he says. “If you’re blending chemicals to create rocket fuel, you want to have this type of equipment be controlled so you need to have a license to purchase them, like you need a license to purchase bulk volumes of nitroglycerin.”

    Albright was quick to add that the fact that “we don’t know much at all” about North Korea’s uranium enrichment means that “we can’t make judgments” about how vulnerable Pyongyang is to Stuxnet. It’s also possible that different command systems exist in facilities the United States doesn’t know about. “This could be a Potemkin centrifuge plant,” he says. “It’s so weird to put it at Yongbyon,” the center of North Korea’s plutonium production. “They obviously want to show it off,” Albright continues, perhaps “to distract us from their real centrifuge program.”
     
  17. nitesh

    nitesh Mob Control Manager Stars and Ambassadors

    Joined:
    Feb 12, 2009
    Messages:
    7,541
    Likes Received:
    1,260
    Location:
    Bangalore
  18. nitesh

    nitesh Mob Control Manager Stars and Ambassadors

    Joined:
    Feb 12, 2009
    Messages:
    7,541
    Likes Received:
    1,260
    Location:
    Bangalore
  19. Phenom

    Phenom Regular Member

    Joined:
    Mar 6, 2010
    Messages:
    878
    Likes Received:
    401
    Makes you wonder what these countries have in their arsenal, that they have not unleashed yet.
     

Share This Page