8 November 2014

AN UNPRECEDENTED LOOK AT THE STUXNET CYBER VIRUS – THE WORLD’S 1ST OPERATIONALLY DEPLOYED CYBER WEAPON

November 4, 2014 


Kim Zetter, writing on the November 3, 2014 website Wired.com, takes an in-depth look at the Stuxnet cyber virus/worm that wreaked havoc on Iran’s nuclear program back in 2010. She begins by noting that in January 2010, inspectors with the International Atomic Energy Agency (IAEA) visiting Iran’s Natanz uranium enrichment plant noticed that centrifuges used to enrich uranium gas were failing at an unprecedented rate. The cause was a complete mystery, apparently as much to the Iranian technicians replacing the centrifuges as to the inspectors observing them.

“Five months later,” Ms. Zetter writes, “a seemingly unrelated event occurred. A computer security firm in Belarus was called in to troubleshoot a series of computers in Iran that were crashing and rebooting repeatedly. Again, the cause of the problem was a mystery. That is, until researchers found a handful of malicious files on one of the systems; and, discovered the world’s first [known] digital weapon.”

“Stuxnet, as it came to be known, was unlike any other [cyber] virus or worm that came before. Rather than simply hijacking the targeted computers, or stealing information from them…it escaped the digital realm to wreak physical destruction on equipment the computers controlled,” Ms. Zetter added.

“Countdown To Zero Day: Stuxnet And The Launch Of The World’s First Digital Weapon,” a new book written by Ms. Zetter, and set to be released on November 11, 2014, “tells the story behind Stuxnet’s planning, execution, and discovery.” Some of the key observations made by Ms. Zetter in her upcoming book: “Stuxnet had already been working…silently sabotaging centrifuges at the Natanz plant for about a year. An early version of the attack manipulated values on the centrifuges to increase the pressure inside them; and, damage the devices as well as the enrichment process. Centrifuges are large cylindrical tubes — connected by pipes in a configuration known as a “cascade” — that spin at supersonic speed to separate isotopes in uranium gas for use in nuclear power plants and weapons. At the time of the attacks, each cascade at Natanz held 164 centrifuges. Uranium gas flows through the pipes [and] into the centrifuges in a series of stages, becoming further “enriched” at each stage of the cascade…as isotopes needed for a nuclear reaction are separated from other isotopes and become concentrated in the gas.”

An excerpt from her book begins, “It’s June 2009 — a year or so since Stuxnet was first released, but still a year before the covert operation will be discovered and exposed. As Iran prepares for its presidential elections, the attackers behind Stuxnet are also preparing for their next assault on the enrichment plant…with a new version of the malware. They unleash it just as the enrichment plant is beginning to recover from the effects of the previous attack. Their weapon this time, is designed to manipulate computer systems made by the German firm, Siemens, that control and monitor the speed of the centrifuges. Because the computers are air-gapped from the Internet, however, they cannot be reached directly by the remote attackers. So, the attackers have designed their weapon to spread via infected USB flash drives. To get Stuxnet to its target machines, the attackers first infect computers belonging to five outside companies that are believed to be connected in some way to [Iran’s] nuclear program. The aim is to make each “patient zero” an unwitting carrier who will help transport the weapon on flash drives into the protected facility; and, the Siemens computers. Although the five companies have been referenced in previous news reports, they’ve never been [publicly] identified. Four of them are identified in this excerpt,” Ms. Zetter writes.

The Lead Up To The 2009 Attack

“The two weeks leading up to the release of the next attack were tumultuous ones in Iran,” Ms. Zetter notes. “In June 2009, the presidential election between incumbent Mahmoud Ahmadinejad and challenger Mir-Hossein Mousavi didn’t turn out the way most expected. The race was supposed to be close; but, when the results were announced — two hours after the polls closed — Ahmadinejad had won with 63 percent of the vote, over Mousavi’s 34 percent. The electorate cried foul, and the next day crowds of angry protestors poured into the streets of Tehran to register their outrage and disbelief. According to media reports, it was the largest civil protest the country had seen since the 1979 revolution ousted the shah…and, it wasn’t long before it became violent.” After several days of violent protests and a brutal police response, “a new version of Stuxnet was being compiled and unleashed.”

Recovery From The Previous Attack

“While the streets of Tehran had been in turmoil, technicians at Natanz had been experiencing a period of relative calm. Around the first of the year [2009], they had begun installing new centrifuges again; and, by the end of February [2009] they had about 5,400 of them in place, close to the 6,000 that Ahmadinejad had promised the previous year. Not all the centrifuges were enriching uranium yet, but at least there was forward movement, again; and, by June the number had jumped to 7,052, with 4,092 of these enriching gas. In addition to the eighteen cascades enriching gas in unit A24, there were now twelve cascades in A26 enriching gas. An additional seven cascades had even been installed in A28, and were under vacuum, being prepared to receive gas.”

“The performance of the centrifuges was improving too. Iran’s daily production of low-enriched uranium was up 20 percent; and, would remain consistent throughout the summer of 2009. Despite the previous problems, Iran had crossed a technical milestone; and, succeeded in producing 839 kilograms of low-enriched uranium — enough to achieve nuclear-weapons breakout capability. If it continued at this rate, Iran would have enough enriched uranium to make two nuclear weapons within a year. This estimate, however, was based on the capacity of the IR-1 centrifuges currently installed at Natanz. But, Iran had already installed IR-2 centrifuges in a small cascade in the pilot plant; and, once testing on these was complete, and technicians began installing them in the underground hall, the estimate would be revised. The more advanced IR-2 centrifuges were more efficient. It took 3,000 IR-1s to produce enough uranium for a nuclear weapon in one year, but it would take just 1,200 IR-2 centrifuges to do the same.”

“Cue Stuxnet 1001, which showed up in late June [2009].”

The Next Assault

“To get their weapon into the plant, the attackers launched an offensive against computers owned by all four companies,” Ms. Zetter wrote. “All of the companies were involved in industrial control and processing of some sort, either manufacturing products and assembling components, or installing industrial control systems. They were all likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees.”

“To ensure greater success at getting the code where it needed to go, this version of Stuxnet had two more ways to spread than the previous one. Stuxnet 0.5 could spread only by infecting Step 7 Project Files — the files used to program Siemens PLCs. This version, however, could also spread via USB flash drives using the Windows Autorun feature, or through a victim’s local network using the print-spooler zero-day exploit that Kaspersky Lab, the antivirus firm based in Russia, and Symantec later found in the code.”

“Based on log files in Stuxnet, a company called Foolad Technic was the first victim. It was infected at 04:40 a.m. on June 23, a Tuesday. But then it was almost a week before the next company was hit. The following Monday, about five thousand marchers walked silently through the streets of Tehran to the Qoba Mosque…to honor victims killed during the most recent election protests. Late that evening, around 11:20 p.m., Stuxnet struck machines belonging to its second victim — a company called Behpajooh.”

“It was easy to see why Behpajooh was a target,” Ms. Zetter argues. “It was an engineering firm based in Esfahan — the site of Iran’s new uranium conversion plant, built to turn milled uranium ore into gas for enriching at Natanz; and, was also the location of Iran’s Nuclear Technology Center, which was believed to be the base for Iran’s nuclear weapons development program. Behpajooh had also been named in U.S. federal court documents in connection with Iran’s illegal procurement activities. Behpajooh was in the business of installing and programming industrial control and automation systems, including Siemens systems. The company’s website made no mention of Natanz, but it did mention that the company had installed Siemens S7-400 PLCs, as well as Step 7 and WinCC software and Profibus communication modules at a steel plant in Esfahan. This was, of course, all the same equipment Stuxnet targeted at Natanz. At 5 p.m., on July 7, nine days after Behpajooh was hit, Stuxnet struck computers at Neda Industrial Group, as well as a company identified in the logs only as CGJ, believed to be Control Gostar Jahed. Both companies designed, or installed industrial control systems.”

“Neda designed and installed control systems, precision instrumentation, and electrical systems for the oil and gas industry in Iran, as well as for power plants and mining process facilities. In 2000 and 2001, the company had installed Siemens S7 PLCs in several gas pipeline operations in Iran; and, had also installed Siemens S7 systems at the Esfahan Steel Complex. Like Behpajooh, Neda had been identified on a proliferation watch-list for its alleged involvement in illicit procurement activity; and, was named in a U.S. indictment for receiving smuggled microcontrollers, and other components.”

“About two weeks after it [Stuxnet] struck Neda, a control engineer who worked for the company popped up on a Siemens user forum on July 22, complaining about a problem that workers at his company were having with their machines. The engineer, who posted a note under the user name Behrooz, indicated that all PCs at his company were having an identical problem with a Siemens Step 7 .DLL file that kept producing an error message. He suspected the problem was a virus that spread via flash drives. When he used a DVD, or CD, to transfer files, the new PC started having the same problems the other machine had. A USB flash drive, of course, was Stuxnet’s primary method of spreading. Although Behrooz and his colleagues scanned for viruses, they found no malware on their machines. There was no sign in the discussion thread that they ever resolved the problem at the time.”
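The Behrooz thread is the practitioner’s lesson in this excerpt: every PC threw the same error from a vendor DLL, yet antivirus scans found nothing. Signature scanning cannot flag a trojanized copy of a legitimate component it has never seen; an integrity baseline of the vendor install directory can. The script below is an added example, not code from the page, from Ms. Zetter’s book, or from Siemens: it records SHA-256 digests of every file under a directory, re-checks later, and reports files that were modified, added, removed, or (the tell-tale pattern for a wrapper library) renamed aside so that a replacement could take the original’s name. The directory, file names and file contents are constructed for the demonstration.

```python
"""Baseline-and-verify integrity check for a vendor software directory.

Added example (not from the original page). Builds a SHA-256 manifest of a
directory tree, then compares a later snapshot against it and reports files
that were modified, added, removed, or renamed. The sample tree and the
file names/contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't load whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the directory's current state against a trusted baseline."""
    current = build_manifest(root)
    modified = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    # An "added" file whose digest matches a baselined file is the original
    # renamed aside: the pattern a wrapper library leaves when it takes the
    # original's name and forwards calls to the hidden original.
    by_digest = {d: n for n, d in baseline.items()}
    renamed = sorted(f"{by_digest[current[n]]} -> {n}"
                     for n in added if current[n] in by_digest)
    return {"modified": modified, "added": added,
            "removed": removed, "renamed": renamed}


def demo() -> dict[str, list[str]]:
    """Construct a vendor directory, baseline it, tamper with it, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed stand-ins for a vendor's engineering-software libraries.
        (root / "bin" / "vendor_comm.dll").write_bytes(b"legitimate comm library v1")
        (root / "bin" / "vendor_ui.dll").write_bytes(b"legitimate ui library v1")
        baseline = build_manifest(root)  # taken while the install is known-good

        # Simulated tampering: original moved aside, wrapper dropped under its name.
        os.rename(root / "bin" / "vendor_comm.dll", root / "bin" / "vendor_comm_orig.dll")
        (root / "bin" / "vendor_comm.dll").write_bytes(b"wrapper forwarding calls to original")
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Two caveats a practitioner would add. The baseline must come from known-good media (the vendor’s installer, checked against the vendor’s published hashes), not from a machine that may already be infected. And a check run on a live host can be lied to: malware that hides its files from the file system API will also hide them from this script, so on a machine showing the symptoms described above, run the comparison from a clean boot or against the disk mounted on a trusted system.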

Ms. Zetter concludes that “it’s not clear how long it took Stuxnet to reach its target after infecting machines at Neda and the other companies, but between June and August, the number of centrifuges enriching uranium gas at Natanz began to drop. Whether this was the result solely of the new version of Stuxnet, or the lingering effects of the previous version is unknown. But, by August that year, only 4,592 centrifuges were enriching at the plant, a decrease of 328 centrifuges since June. By November, that number had dropped even further, to 3,936, a difference of 984 in five months. What’s more, although new machines were still being installed, none of them were being fed gas.”

“Clearly,” she ends, “there were problems with cascades, and technicians had no idea what they were. The changes mapped precisely, however, to what Stuxnet was designed to do.”

Some Observations And Comments: “If This Is Cyber War, Where Are All The Cyber Weapons?”

This should be an interesting read and will definitely be on my reading list this winter. While much has been reported about the Stuxnet cyber virus, neither Israel nor the United States has publicly acknowledged being behind the Stuxnet cyber attack, which set the Iranian nuclear program back as much as two years, according to some estimates. And the virus may be much older than originally thought: it could date back to November 2007, two years earlier than was generally believed at the time, and the cyber security company Symantec believes that the cyber virus was in development as far back as 2005. It was the first publicly known use of a cyber virus to attack industrial machinery, and the first to be deliberately employed by a nation-state, or two, against another nation-state. Before Stuxnet had run its course, the virus had infected some 130,000 computers worldwide; most of them, however, were in some fashion related to the Iran nuclear program.

Paul Roberts, writing recently in the MIT Review wrote, “Like the atomic bomb in the waning days of WWII, the computer virus known as Stuxnet, discovered in 2010, seemed to usher in a new era of warfare. In this new era of cyber war, experts warned silent, software-based attacks will take the place of explosive ordnance, tanks, and machine guns, or at least set the stage for them.”

But, “almost four years after it was publicly identified, Stuxnet is an anomaly,” writes Mr. Roberts — the first, and only, cyber weapon ever known to have been deployed. “Now, some cyber security experts are starting to ask why? Are there fewer realistic targets than suspected? Are such weapons harder to construct than previously understood? Or, is the current generation of cyber weapons simply too well hidden?” he asks.

Mr. Roberts notes, “it is clear that, in the years since Stuxnet came to light, developed and developing nations alike have seized on cyber operations as a fruitful new avenue for research and development (see “Welcome To The Malware Industrial Complex”).” “Even so,” he adds, “truly effective cyber weapons require extraordinary expertise.” Ralph Langner, whom Mr. Roberts describes as perhaps the world’s top authority on the Stuxnet worm, argues that the mere hacking of critical infrastructure systems doesn’t count as cyber warfare. For example, Stuxnet made headlines for using four exploits for “zero day” (or previously undiscovered) holes in the Windows operating system. But, Langner argues that the metallurgic expertise needed to understand the construction of Iran’s centrifuges was far more impressive. “Those who created Stuxnet, needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them, sabotaging Iran’s uranium enrichment operation.”

Mr. Langner argues that concentrating on software-based tools that can cause physical harm sets a much higher bar for discussions of cyber weapons. Mr. Roberts suggests that “by that standard, Stuxnet was a true cyber weapon, but the 2012 Shamoon cyber attack against Saudi Aramco and other oil companies was not — even though it erased the hard drives of the companies it infected.”

Some leading cyber security experts say the conditions for using a cyber weapon of mass destruction or disruption “simply haven’t yet arisen — and, aren’t likely to — at least for a while. Sophisticated cyber attacks like Stuxnet — stealthy, or clandestine cyber operations designed to slowly degrade Iran’s enrichment capability over years — are the exception rather than the rule, argues Thomas Rid, of the Department of War Studies at King’s College London and author of “Cyber War Won’t Take Place.” “There aren’t too many targets that would lend themselves to a covert cyber campaign like Stuxnet.” The quality of the intelligence gathered in preparation for such a sophisticated and complex operation makes the difference between success and failure. Those requirements, however, aren’t unique to cyber. Rid also acknowledged the possibility that other sophisticated cyber operations along the lines of Stuxnet may have occurred elsewhere; but, the circumstances surrounding this event remain classified. Mr. Langner said he knew of at least one additional, physical cyber attack — tied to a major cyber criminal group — but, he declined to elaborate or discuss it further.”

“Meanwhile,” Mr. Roberts concludes, “technology is driving even more rapid and transformative changes as part of what’s called the Internet of Things. Ubiquitous Internet connectivity combined with inexpensive and tiny computers and sensors will soon allow autonomous systems to communicate with each other … (see “Securing The Smart Home From Toasters to Toilets”).” “Without proper security features built in (at the foundation level) to industrial products from the get-go, the potential for attacks and physical harm increases dramatically.” “If we continue to ignore the problem,” says Mr. Langner, “we’re going to be in deep trouble.”

I would also add that nation-states are likely loath to inadvertently, deliberately, and unnecessarily expose their cyber weapons too early, for fear that effective countermeasures and defenses could render them feckless before they’re really needed. Something to think about. V/R, RCP
