November 12, 2014
Stuxnet ‘Patient Zero’ Attack Targets Revealed; Researchers Question Whether USB Sticks Were Method Of Infection; Attacking The Supply Chain
Sara Peters, writing on the November 11, 2014) website, DarkReading.com, says cyber security “researchers have identified the five Iranian Industrial Control Systems companies attacked in 2009-2010; and, they question whether USB sticks were really the method of infection.” She adds, “the Stuxnet malware was considered the harbinger of a new era of state-sponsored attacks on control systems, after it infected Iran’s Natanz uranium enrichment complex; and, later spread through the Internet to other organizations. Before Stuxnet had run its course, the virus had infected some 130,000 computers worldwide, most of them however, were in some fashion related to the Iran nuclear program. Some earlier assessments said that a coding error in Stuxnet caused it to be leaked from Natanz. Newer theories state that Stuxnet leaked after infecting five “patients zero,” — all companies in the Iranian industrial control system supply chain — in order to reach Natanz,” Ms. Peters wrote.
Cyber security researchers at — Symantec and Kaspersky Labs published separate reports on the Stuxnet episode earlier this week — and, “released the identities of these patient zero’s; and, more information, based on analysis of more than 2,000 Stuxnet files. Ms. Peters adds “the reports were published in conjunction with the release….”Countdown To Zero Day,” a new book by Wired.com’s Kim Zetter; and, based in part on interviews with Kaspersky and Symantec researchers.”
As Kaspersky explained: “For Stuxnet to be effective, and penetrate the highly guarded installations where Iran was [is still] developing its nuclear program, the attackers had a tough dilemma to solve: how to sneak the malicious code into a place with no direct internet connections? The targeting of certain “high profile” companies was the solution; and, it was probably successful.”
Ms. Peters adds that “researchers were able to track backward in these companies — the “patients zero.” — because the attackers ‘rather helpfully left’ “bread crumbs” in each Stuxnet example.” As Symantec’s Liam O Muchu wrote recently in his blog: “Every time Stuxnet executes, it records some information about the computer it is executing on; and, stores that within an executable file itself, creating a new, unique executable in the process. As a result, every unique executable contains an embedded and ordered list showing the computers it has previously infected.”
Ms. Peters observed that “the bread crumbs led back to five organizations, all in the Iranian industrial control systems arena, including several that are on the U.S. government’s sanctions lists:
— 1) Foolad Technic Engineering Company: “This company, headquartered in Isfahan, creates automated systems for Iranian industrial systems. Examining the attack on Foolad, and the timestamp of the Stuxnet code, Kaspersky researchers concluded that the systems could not have been infected via a USB stick containing the malware: From Kaspersky: “The Stuxnet 2009 version (we refer to it as Stuxnet A) was created on June 22, 2009. This information is present in the worm’s body — in the form of the main module’s completion date. Just a few hours after that, the worm infected its first computer. Such a short time interval between creating the file; and, infecting the first computer almost completely rules out infection via a USB drive — the USB stick simply can’t have passed from the worm’s authors to the organization under attack in such a short time.”
— 2) Behpajooh: “Also based in Isfahan, Behpajooh develops industrial automation systems. In 2006, the company was implicated as the recipient of banned weapons technology smuggled into the country, including pressure sensors used to trigger explosives. It was placed on the sanctions list by the U.S. Department of Justice, which charged it with illegal export of U.S.-manufactured commodities with military applications to “prohibited entities” and to Iran.”
— 3) Neda Industrial Group: “Neda provides industrial automation services for power plants, and the oil, gas, and petrochemical sector. It was placed on the sanctions list by the U.S. Department of Justice, which charged it with illegal export of U.S.-manufactured commodities with military applications to “prohibited entities” and to Iran.”
— 4) Control-Gostar Jahed Company: “The Iranian industrial automation company has ties to Iranian businesses in the oil production, metallurgy, and energy supply sectors.”
— 5) Kala Electric (a.k.a., Kalaye Electric): “The attack on Kala was launched from three computers on the same day. According to Kaspersky: “This is in fact and ideal target for an attack, given Stuxnet’s main objective (which is to render uranium enrichment centrifuges inoperable), available information on Iran’s nuclear program, and the logic of the worm’s propagation. Of the other companies, Kala Electric is named as the main manufacturer of the Iranian enrichment centrifuges.”
Ms. Peters adds that “Kala Electric has been labeled as an “entity of concern” by government agencies in the U.S. the United Kingdom, and Japan because of its potential to divert items to programs related to the development of weapons of mass destruction.”
“The researchers did not pose any new theories about the perpetrators of the attacks, though experts have pointed to a joint effort between the United States and Israel,” Ms. Peters concluded.
Stuxnet — The First Known Deployment Of A Cyber ‘Weapon’ By One/Or More Nation States — Against Another Nation State — With The Intent To Cause Damage
Kim Zetter, writing on the November 3, 2014 website Wired.com, took an in-depth look at the Stuxnet cyber virus/worm, that wreaked havoc on Iran’s nuclear program back in 2010. She began by noting that in January 2010, inspectors with the International Atomic Energy Agency (IAEA) were visiting the Iran’s Natanz uranium enrichment plant in Iran noticed that centrifuges used to enrich uranium gas were failing at an unprecedented rate. The cause was a complete mystery — apparently as much to the Iranian technicians replacing the centrifuges, to the inspectors observing them.”
“Five months later,” Ms. Zetter writes, “a seemingly unrelated event occurred. A computer security firm in Belarus was called in to troubleshoot a series of computers in Iran that were crashing and rebooting repeatedly. Again, the cause of the problem was a mystery. That is, until researchers found a handful of malicious files on one of the systems; and, discovered the world’s first [known] digital weapon.”
“Stuxnet, as it came to be known, was unlike any other [cyber] virus or worm that came before. Rather than simply hijacking the targeted computers, or stealing information from them…it escaped the digital realm to wreak physical destruction on equipment the computers controlled,” Ms. Zetter added.
Some of the key observations made by Ms. Zetter in her upcoming book: “Stuxnet had already been working…silently sabotaging centrifuges at the Nantanz plant for about a year. An early version of the attack manipulated values on the centrifuges to increase the pressure inside them; and, damage the devices as well as the enrichment process. Centrifuges are large cylindrical tubes — connected by pipes in a configuration known as a “cascade” — that spin at supersonic speed to separate isotopes in uranium gas for use in nuclear power plants and weapons. At the time of the attacks, each cascade at Natanz, held 164 centrifuges. Uranium gas flows through the pipes [and] into the centrifuges in a series of stages, becoming further “enriched” at each stage of the cascade…as isotopes needed for a nuclear reaction are separated from other isotopes and become concentrated in the gas.”
“To ensure greater success at getting the code where it needed to go, this version of Stuxnet had two more ways to spread than the previous one. Stuxnet 0.5 could spread only by infecting Step 7 Project Files — the files used to program Siemens PLCs. This version, however, could spread via USB flash drives using the Windows Autorun feature through a victim’s local network using the print-spooler zero-day exploit that Kaspersky Lab, the antivirus firm based in Russia, and Symantec later found in the code.”
Ms. Zetter concludes that “it’s not clear how long it took Stuxnet to reach its target after infecting machines at Neda and the other companies, but between June and August , the number of centrifuges enriching uranium gas at Natanz began to stop. Whether this was the result solely of the new version of Stuxnet, or the lingering effects of the previous version is unknown. But, by August that year, only 4,592 centrifuges were enriching at the plant, a decrease of 328 centrifuges since June. By November, that number had dropped even further, to 3,936, a difference of 984 in five months. What’s more, although new machines were still being installed, none of them were being fed gas.”
Stuxnet Seemed To Usher In A New Era Of Warfare – Now Some 5 Years Later — It Is More Of An Anomaly
Paul Roberts, writing recently in the MIT Review wrote, “Like the atomic bomb in the waning days of WWII, the computer virus known as Stuxnet, discovered in 2010, seemed to usher in a new era of warfare. In this new era of cyber war, experts warned silent, software-based attacks will take the place of explosive ordnance, tanks, and machine guns, or at least set the stage for them.”
But, “almost four years after it was publicly identified, Stuxnet is an anomaly,” writes Mr. Roberts, — the first, and only cyber weapon ever known to have been deployed. “Now, some cyber security experts are starting to ask why? Are there fewer realistic targets than suspected?; Are such weapons harder to construct than previously understood? Or, is the current generation of cyber weapons simply to well hid?” he asks.
Mr. Roberts notes, “it is clear that, in the years since Stuxnet came to light, developed and developing nations alike have seized on cyber operations as a fruitful new avenue for research and development (see “Welcome To The Malware Industrial Complex”).; “Even so,” he adds, “truly effective cyber weapons require extraordinary expertise.” Ralph Langer, whom Mr. Roberts describes as perhaps the world’s top authority on the Stuxnet worm, argues that the mere hacking of critical infrastructure systems doesn’t count as cyber warfare. For example, Stuxnet made headlines for using four exploits for “zero day” (or previously undiscovered) holes in Windows operating system.; But, Langer argues that the metallurgic expertise needed to understand the construction of Iran’s centrifuges was far more impressive. “Those who created Stuxnet, needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them, sabotaging Iran’s uranium enrichment operation.”
Mr. Langer argues that concentrating on software-based tools that can cause physical harm — sets a much higher bar for discussions of cyber weapons. Mr. Roberts suggests that “by that standard, Stuxnet was a true cyber weapon, but the 2012 Shamoon cyber attack against Saudi Oil Aramco and other oil companies was not — even though it erased the hard drives of the companies it infected.”
Some leading cyber security experts say the conditions for using a cyber weapon of mass destruction or disruption, “simply haven’t yet arisen — and, aren’t likely to — at least for a while. Sophisticated cyber attacks like Stuxnet– stealthy, or clandestine cyber operations designed to slowly degrade Iran’s enrichment capability over years — are the exception rather than the rule, argues Thomas Rid, of the Department of War Studies at Kings College in London and author of “Cyber War Won’t Take Place.” “There aren’t too many targets that would lend themselves to a covert cyber campaign like Stuxnet.” The quality of the intelligence gathered in preparation for such a sophisticated and complex operation makes the difference between success and failure. Those requirements however, aren’t; unique to cyber. Rid also acknowledged the possibility that other sophisticated cyber operations along the lines of Stuxnet may have occurred elsewhere; but, the circumstances surrounding this event remain classified. Mr. Langer said he knew of at least one additional, physical cyber attack — tied to a major cyber criminal
group — but, he declined to elaborate or discuss it further.”
“Meanwhile,” Mr. Roberts concludes, “technology is driving even more rapid and transformative changes as part of what’s called the Internet of Things. Ubiquitous Internet connectivity combined with inexpensive and tiny computers and sensors will soon allow autonomous systems to communicate with each other.
Securing The Smart Home From Toasters to Toilets”).” “Without proper security features built-in (at the foundation level) industrial products from the get-go, the potential for attacks and physical harm increase dramatically.” “If we continue to ignore the problem,” says Mr. Langer, “we’re going to be in deep trouble.”
Just How Did Stuxnet — ‘Digital Missile,’ Infiltrate Iran’s Secure Nuclear Facilities
As Mark Clayton wrote in the February 25, 2014 edition of The Christian Science Monitor, one of the enduring mysteries of the entire Stuxnet affair, is — how did this digital missile ‘worm’ its way into perhaps the most secure facilities in Iran? By attacking the soft underbelly — the supply chain — which may well hold lessons for “owners of critical infrastructure facilities in the United States. Sean McBride, lead author of a report and, Director of Analysis for Critical Intelligence — has written, and concluded — that U.S. intelligence operatives targeted industrial control equipment that Neda had ordered from overseas vendors; and, ultimately intercepted the equipment sometime during its shipment to Iran — to plant the bug. “It’s my contention that the evidence shows the U.S. targeted the leading Siemens control systems integrator for Natanz — and, that was Neda,” Mr. McBride said in an interview earlier this year with The Christian Science Monitor. “Neda would have had all the plans for just how the Natanz system was going to be setup, the proper centrifuge speeds, and when they would be turned on and off. The company had all the key information the U.S. needed to write Stuxnet — and, then a way to get the worm into Natanz.” “Sometime around 2008, computerized industrial control system equipment bound for Iran was intercepted, and Stuxnet, or other malware was installed on it — before it was sent on its way,” McBride posits.
McBride acknowledges his findings aren’t conclusive; and, that gaps in his thesis remain. But, “it highlights an infection vector — contractors — that almost definitely would be used against hard targets [and critical infrastructure] in the U.S.,” wrote Ralph Langer, the cyber security expert who first identified Stuxnet as a cyber weapon. “A sophisticated attacker wouldn’t bother to try and directly attacking a power utility for example. They would go after the several hundred contractors with access to critical distribution systems [such as] electrical substations.”
If Mr. McBride is correct, this is certainly something for the U.S. Defense Industrial Base and our critical infrastructure facilities and national security leadership to fully understand and appreciate. V/R, RCP
No comments:
Post a Comment