
Stuxnet worm 'targeted high-value Iranian assets'

This topic is archived.
 
dipsydoodle Donating Member (1000+ posts) Thu Sep-23-10 07:25 AM
Original message
Stuxnet worm 'targeted high-value Iranian assets'
Source: BBC News

One of the most sophisticated pieces of malware ever detected was probably targeting "high value" infrastructure in Iran, experts have told the BBC.

Stuxnet's complexity suggests it could only have been written by a "nation state", some researchers have claimed.

It is believed to be the first-known worm designed to target real-world infrastructure such as power stations, water plants and industrial units.

It was first detected in June and has been intensely studied ever since.

Read more: http://www.bbc.co.uk/news/technology-11388018

geckosfeet Donating Member (1000+ posts) Thu Sep-23-10 07:30 AM
Response to Original message
1. Be careful what you put into your USB port....
Edited on Thu Sep-23-10 07:32 AM by geckosfeet

...it infects Windows machines via USB keys - commonly used to move files around - infected with malware.

Once it has infected a machine on a firm's internal network, it seeks out a specific configuration of industrial control software made by Siemens.
Siemens factory The worm searches out industrial systems made by Siemens

Once hijacked, the code can reprogram so-called PLC (programmable logic control) software to give attached industrial machinery new instructions.

" turn on and off motors, monitor temperature, turn on coolers if a gauge goes over a certain temperature," said Mr O'Murchu.



Nihil Donating Member (1000+ posts) Thu Sep-23-10 10:18 AM
Response to Original message
2. I suspect a terrorist-supporting nation state was to blame ...
> Once hijacked, the code can reprogram so-called PLC (programmable logic
> control) software to give attached industrial machinery new instructions.
> "(PLCs) turn on and off motors, monitor temperature, turn on coolers if
> a gauge goes over a certain temperature," said Mr O'Murchu.
> "Those have never been attacked before that we have seen."

Yeah, just the sort of devices you *really* want to be corrupted on a
power station ...


> However, the worm has also raised eyebrows because of the complexity of the
> code used and the fact that it bundled so many different techniques into one
> payload.
>
> "There are a lot of new, unknown techniques being used that we have never seen
> before," he said. These include tricks to hide itself on PLCs and USB sticks as
> well as up to six different methods that allowed it to spread.

> "It is a very big project, it is very well planned, it is very well funded,"
> he said. "It has an incredible amount of code just to infect those machines."

Well-planned, -organised & -delivered; innovative, highly complex yet working.
That's a damn sight better than anything that most people can *buy*!


> In addition, it exploited several previously unknown and unpatched
> vulnerabilities in Windows, known as zero-day exploits.
> "It is rare to see an attack using one zero-day exploit," Mikko Hypponen,
> chief research officer at security firm F-Secure, told BBC News.
> "Stuxnet used not one, not two, but four."
> He said cybercriminals and "everyday hackers" valued zero-day exploits and
> would not "waste" them by bundling so many together.

> "This is not some hacker sitting in the basement of his parents' house.
> To me, it seems that the resources needed to stage this attack point to
> a nation state,"

So, this was professionally developed for a specific purpose - the targeting
of control systems that are likely to be in "high value" infrastructure.

Wonder which particular hi-tech terrorist-supporting nation states would be
at the top of the list of suspects for this exploit then?

bananas Donating Member (1000+ posts) Thu Sep-23-10 10:29 AM
Response to Reply #2
4. Russian Mafia?
Maybe they want some "insurance money" from Iran?

starroute Donating Member (1000+ posts) Thu Sep-23-10 11:19 AM
Response to Reply #2
5. Made in Israel?
Edited on Thu Sep-23-10 11:19 AM by starroute
The Israelis have some really good programmers, and they're heavily involved in computer security. As just one example, Check Point, which produces the ZoneAlarm firewall, is headquartered in Tel Aviv.

So I think means, motive, and opportunity are all aligned here.


Gman Donating Member (1000+ posts) Thu Sep-23-10 04:12 PM
Response to Reply #2
16. Does anyone NOT think this is the CIA at work?

bananas Donating Member (1000+ posts) Thu Sep-23-10 10:27 AM
Response to Original message
3. The worm targets Siemens parts, which are used in the Bushehr nuclear facility
The article in the OP has an interesting denial:
http://www.bbc.co.uk/news/technology-11388018

<snip>

A spokesperson for Siemens, the maker of the targeted systems, said it would not comment on "speculations about the target of the virus".

He said that Iran's nuclear power plant had been built with help from a Russian contractor and that Siemens was not involved.

"Siemens was neither involved in the reconstruction of Bushehr or any nuclear plant construction in Iran, nor delivered any software or control system," he said. "Siemens left the country nearly 30 years ago."

<snip>

However, Siemens parts are apparently used in the Bushehr plant:
http://www.ynetnews.com/articles/0,7340,L-3931663,00.html

'Siemens sent equipment to Iran reactor via Russia'

German engineering giant announced cutting relations with Iran but Der Spiegel report says Frankfurt Airport customs recently seized Siemens-made switches headed for Bushehr via Moscow

Published: 08.08.10, 08:16 / Israel News

Frankfurt Airport customs seized Siemens-made switches and computer modules last June in a shipment headed for Iran's Bushehr reactor via Moscow, Der Spiegel reported.

<snip>

German customs inspectors said that six similar shipments have been sent since the end of 2009 containing various Siemens parts for the Iranian nuclear industry. All six shipments left Frankfurt and reached their destination in Bushehr.

<snip>



Downwinder Donating Member (1000+ posts) Thu Sep-23-10 11:35 AM
Response to Reply #3
6. You would have access to the control code in order to develop a worm to target it. n/t
Edited on Thu Sep-23-10 11:35 AM by Downwinder

AngryAmish Donating Member (1000+ posts) Thu Sep-23-10 11:40 AM
Response to Original message
7. There was a really good article yesterday in Christian Science Monitor
They figure it was US or Israeli.

Xithras Donating Member (1000+ posts) Thu Sep-23-10 11:43 AM
Response to Original message
8. My guess would be that it's out of Russia, Israel, or Turkey.
All three have well funded groups that would benefit from this sort of thing. There are also growing numbers of skilled programming groups in Pakistan and India that could have accomplished this.

To suggest that it could have only been written by a "nation-state" is stupid and alarmist though. I teach computer science, and I've written viruses (not for years, and as technical exercises...none of mine have ever been released). To state that a virus has to be "government funded" simply because it's complex is silly, and demonstrates how little those "researchers" actually understand the motivations of the people who write viruses nowadays.

Think about it. You're a modern virus writer, which means that you're into information theft or blackmail. You release a virus that will shut down the infrastructure of a country and cripple it, and then let it stew and spread for a few months. When the virus has sufficiently spread, you contact the government and demand a few hundred million bucks in "ransom", or threaten to set it off.

If you tried this with a nation like the U.S., France, or China, you'd set off an international manhunt and probably end up sitting in a prison cell within days. If you try this with a "pariah" nation like Iran, not only will their enforcement powers be limited, but MANY people around the world would even applaud you for it. It's the perfect target for an attack of this type. It has the money, its enforcement options are limited, and it's unlikely to get much sympathy from other governments or the world press.

Downwinder Donating Member (1000+ posts) Thu Sep-23-10 11:49 AM
Response to Reply #8
9. Who has access to the insider information on Siemens software?
Should at least require a nondisclosure.

Xithras Donating Member (1000+ posts) Thu Sep-23-10 12:10 PM
Response to Reply #9
10. You wouldn't need it.
Some of the people trying to play this up are claiming that you'd need the source, but you really wouldn't. Virus writers don't need the Windows source code to target THAT platform, do they?

PLC programming is fairly standardized, and your local community college probably has a course teaching it. If you don't have a community college nearby, you can just Google it...there are literally HUNDREDS of sites on the web that offer tutorials and documentation on PLC programming.

Siemens is one of the biggest PLC manufacturers on the planet, and there are millions of programmers worldwide who have the knowledge needed to program and exploit them. You can buy used Siemens PLC's on Ebay for $50 to $100 to practice on. The documentation and software needed to do virtually anything with them is downloadable for free off the Internet.

I have no question that someone put a LOT of work into this, but to suggest that this could only be a government operation is silly. Computer security researchers have been screaming for DECADES about the susceptibility of our infrastructure to viruses, but have been largely ignored. Security tends to focus on desktop computers and networks. Nobody pays attention to the integrated electronics.

rayofreason Donating Member (1000+ posts) Thu Sep-23-10 12:20 PM
Response to Original message
11. Info on this has been circulating
http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/#more-4045

http://volokh.com/2010/07/18/proof-that-other-countries-are-planning-cyberattacks-on-the-power-grid/

The possible Iran angle is the new thing

http://volokh.com/2010/09/22/vc-scoops-the-security-pros-by-two-months/

I'd be surprised - and pleased - if our intelligence agencies actually pulled it off and fried Iran's nuke centrifuges. But as Baker points out

"And the target of DEADF007? Uninformed speculation claims that it’s Iran’s Bushehr nuclear facility — and that the facility is already toast. If so, we’re likely to find out pretty soon."

groundloop Donating Member (1000+ posts) Thu Sep-23-10 12:50 PM
Response to Original message
12. Even IF this story is true, there'd have to be insider knowledge to do much
I've worked with PLC's for years, I'm what you might call an expert. Maybe, just maybe a worm could be written to infect a PLC as claimed. But even after that, you'd have to know the I/O address of each piece of equipment controlled by the PLC to actually do anything. Someone would either need access to the PLC program itself, or at least electrical drawings showing the I/O addresses to really do much.

Having said all that, it is possible a worm could just go in and crash the PLC, in which case the processor card would be removed and a new processor put in its place (which was sitting on the shelf and likely not infected).

I just really can't see this worm being much of a threat without some serious insider information.


Adsos Letter Donating Member (1000+ posts) Thu Sep-23-10 01:39 PM
Response to Original message
13. *cough* (computer illiterate raises hand)...
Is it possible that a virus/worm of this type could be used to cripple a nation's vital infrastructure in combination with a military attack? Water supplies, industrial output, electrical grid, etc.?

rayofreason Donating Member (1000+ posts) Thu Sep-23-10 02:28 PM
Response to Reply #13
14. Yes...
..in principle, depending on how much of the system uses automatic controllers whose defaults can be overridden.

For electrical grids you could destroy transformers by messing with voltage regulating software.

http://www.selinc.com/sel-487e/

Adsos Letter Donating Member (1000+ posts) Thu Sep-23-10 03:05 PM
Response to Reply #14
15. Thanks, rayofreason! Well, now it boils down to two prospects, I suppose...
War or Blackmail. And then there is always that unlooked for option that comes with either/or thinking (mine, in this case). Thanks for the info; I'll check out your links; try to educate myself a bit. :hi:

RamboLiberal Donating Member (1000+ posts) Fri Sep-24-10 11:02 AM
Response to Original message
17. Warning over malicious computer worm (Cyberwar on nuclear plant Iran?)
Source: Financial Times

A piece of highly sophisticated malicious software that has infected an unknown number of power plants, pipelines and factories over the past year is the first program designed to cause serious damage in the physical world, security experts are warning.

The Stuxnet computer worm spreads through previously unknown holes in Microsoft’s Windows operating system and then looks for a type of software made by Siemens and used to control industrial components, including valves and brakes.

Stuxnet can hide itself, wait for certain conditions and give new orders to the components that reverse what they would normally do, the experts said. The commands are so specific that they appear aimed at an industrial sector, but officials do not know which one or what the affected equipment would do.

-----

At a closed-door conference this week in Maryland, Ralph Langner, a German industrial controls safety expert, said Stuxnet might be targeting not a sector but perhaps only one plant, and he speculated that it could be a controversial nuclear facility in Iran.

Read more: http://www.ft.com/cms/s/0/e9d3a662-c740-11df-aeb1-00144feab49a.html