Was stuxnet created by Israeli hackers?

mynis
Revolutionary Party
Posts: 429
Joined: Fri Oct 12, 2007 4:05 pm

Was stuxnet created by Israeli hackers?

Post by mynis » Sat Oct 02, 2010 10:36 am

http://www.guardian.co.uk/technology/20 ... nal-agency
A computer worm which targets industrial and factory systems is almost certainly the work of a national government agency, security experts told the Guardian – but warn that it will be near-impossible to identify the culprit.

The "Stuxnet" computer worm, which has been described as one of the "most refined pieces of malware ever discovered", has been most active in Iran, says the security company Symantec – leading some experts to conjecture that the likely target of the virus is the controversial Bushehr nuclear power plant, and that it was created by Israeli hackers.

Speaking to the Guardian, security experts confirmed that Stuxnet is a targeted attack on industrial locations in specific countries, the sophistication of which takes it above and beyond previous attacks of a similar nature.
Latest figures, from August, show 60% of computers infected by Stuxnet are located in Iran – dramatically up from July, when it accounted for less than 25% of infections, research by Symantec shows, with the graph below (from 4 August) showing the prevalence in other countries by comparison. The company estimates that the group building Stuxnet would have been well-funded, comprising between five and 10 people, and that it would have taken six months to prepare.

Alan Bentley, senior international vice president at security firm Lumension, said Stuxnet is "the most refined piece of malware ever discovered", and that the worm was significant because "mischief or financial reward wasn't its purpose, it was aimed right at the heart of a critical infrastructure".

However, Graham Cluley, senior consultant with the online security company Sophos, warned against jumping to conclusions about the target of the attack, saying "sensationalist" headlines were "a worry". Cluley is wary of reports linking Stuxnet with Israel: "It's very hard to prove 100% who created a piece of malware, unless you are able to gather evidence from the computer they created it on – or if someone admits it, of course."

But he said that its characteristics did not suggest a lone group. "I think we need to be careful about pointing fingers without proof, and I think it's more appropriate – if true – to call this a state-sponsored cyber attack rather than cyber terrorism."

Stuxnet works by exploiting previously unknown security holes in Microsoft's Windows operating system. It then seeks out a component called Simatic WinCC, manufactured by Siemens, which controls critical factory operations. The malware even uses a stolen cryptographic key belonging to the Taiwanese semiconductor manufacturer RealTek to validate itself in high-security factory systems.

The worm then takes over the computer running the factory process – which for WinCC would be "mission-critical" systems which have to keep functioning under any circumstance – and "blocks" it for up to a tenth of a second. For high-speed systems, such as the centrifuges used for nuclear fuel processing being done by Iran, that could be disastrous, experts suggested.

US army forces are aware of the threat posed by Stuxnet, general Keith Alexander confirmed this week, saying early indications showed that the worm was "very sophisticated".

Cluley told the Guardian that Siemens has "astonishingly" advised power plants and manufacturing facilities not to change the default password that allows access to functions, despite it being exploited by Stuxnet and being "public knowledge on the web for years".

Alan Bentley, SVP International at Lumension, told the Guardian: "There is a lot of circumstantial evidence to suggest that Iran was the target of Stuxnet. We know that the worm was designed with a specific target in mind – its makeup and the way it executes render the tell-tale signs.

"Combine this with the fact that the worm was identified by a Belarusian security firm working for an Iranian client and the fact that the nuclear power plant was not working properly for months, it is understandable that speculation points towards Iran as the target. But, without being inside the walls of the Bushehr nuclear power plant, we can't be certain."

Rik Ferguson, senior security adviser at Trend Micro, said: "Initially, it looks like a targeted attack. It saw a high percentage of infections concentrated in the Middle East. Iran being one. There's every possibility that the [other countries affected] may have been collateral damage."

Asked whether a nation state was behind the attack, Ferguson said: "The truth is we don't know. But we can look at the concentration [of the attacks]. I don't think we can call this cyberwarfare, I would call it modern espionage. Countries have been spying on their neighbours for years – as the technology has improved, espionage has always improved, and this is a step in that direction.

"It's significant because it's not just the malware but the vulnerability to infect machines – if this had been in more traditional, criminal hands it could have been more widely used, like Conficker was. This was a powerful vulnerability it exploited and usually either you sell it for a lot of money or use it for mass criminality."

David Emm, a senior security researcher at Kaspersky Lab, told the Guardian: "We think that Stuxnet's sophistication, purpose and the intelligence behind it suggest the involvement of a state.

"This is a very sophisticated attack – the first of its kind – and has clearly been developed by a highly skilled group of people intent on gaining access to SCADA [supervisory control and data acquisition] systems – industrial control systems for monitoring and managing industrial infrastructure or facility-based processes. In contrast to the bulk of indiscriminate cybercrime threats on the internet, this has been aimed at very specific targets. It's different also because there's no obvious financial motivation behind the attack – rather the aim seems to be to sabotage systems."

However, John Pescatore, vice president for internet security at Gartner, said it was "definitely not the case" that Stuxnet would have required state sponsorship. "We've seen similarly targeted software going after credit card readers for financial gain in the past," he said. "Governments have no monopoly on the talent. We've seen attacks that looked like they were state-sponsored in the past launched by hackers for attention or citizens' groups. You cannot tell just by looking at where it landed."

The experts agree that Stuxnet marks a shift away from malware deployed for financial gain to controlling critical machinery. We are now moving into a "third age" of cyber crime, Cluley said, where the intention of making money from technical exploits is replaced by an intention to bring down critical infrastructure. "We're entering this third age as well, where there are political, economic and military ways in which the internet can be exploited – and malware can be used – to gain advantage by foreign states.

"I think we will see more and more attacks which will be blamed on state-sponsored cyber attacks. There have been numerous attacks in the past which could be said to have possible military, political or economic motives, but it is very difficult to prove that a hack was ordered by Mossad or instead dreamt up by a Macclesfield student."
"A human being is a part of a whole, called by us 'universe', a part limited in time and space. He experiences himself, his thoughts and feelings as something separated from the rest... a kind of optical delusion of his consciousness. This delusion is a kind of prison for us, restricting us to our personal desires and to affection for a few persons nearest to us. Our task must be to free ourselves from this prison by widening our circle of compassion to embrace all living creatures and the whole of nature in its beauty." -Einstein

mynis
Revolutionary Party
Posts: 429
Joined: Fri Oct 12, 2007 4:05 pm

Re: Was stuxnet created by Israeli hackers?

Post by mynis » Sat Oct 02, 2010 10:38 am

http://www.pcworld.com/businesscenter/a ... ogram.html
A highly sophisticated computer worm that has spread through Iran, Indonesia and India was built to destroy operations at one target: possibly Iran's Bushehr nuclear reactor.
That's the emerging consensus of security experts who have examined the Stuxnet worm. In recent weeks, they've broken the cryptographic code behind the software and taken a look at how the worm operates in test environments. Researchers studying the worm all agree that Stuxnet was built by a very sophisticated and capable attacker -- possibly a nation state -- and it was designed to destroy something big.

Though it was first developed more than a year ago, Stuxnet was discovered in July 2010, when a Belarus-based security company discovered the worm on computers belonging to an Iranian client. Since then it has been the subject of ongoing study by security researchers who say they've never seen anything like it before. Now, after months of private speculation, some of the researchers who know Stuxnet best say that it may have been built to sabotage Iran's nukes.

Last week Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran's Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm's attack.

Experts had first thought that Stuxnet was written to steal industrial secrets -- factory formulas that could be used to build counterfeit products. But Langner found something quite different. The worm actually looks for very specific Siemens settings -- a kind of fingerprint that tells it that it has been installed on a very specific Programmable Logic Controller (PLC) device -- and then it injects its own code into that system.

Because of the complexity of the attack, the target "must be of extremely high value to the attacker," Langner wrote in his analysis.

Langner is set to present his findings at a closed-door security conference in Maryland this week, which will also feature a technical discussion from Siemens engineers. Langner said he wasn't yet ready to speak to a reporter at length ("the fact of the matter is this stuff is so bizarre that I have to make up my mind how to explain this to the public," he said via e-mail) but others who have examined his data say that it shows that whoever wrote Stuxnet clearly had a specific target in mind. "It's looking for specific things in specific places in these PLC devices. And that would really mean that it's designed to look for a specific plant," said Dale Peterson, CEO of Digital Bond.

This specific target may well have been Iran's Bushehr reactor, now under construction, Langner said in a blog posting. Bushehr reportedly experienced delays last year, several months after Stuxnet is thought to have been created, and according to screen shots of the plant posted by UPI, it uses the Windows-based Siemens PLC software targeted by Stuxnet.

Peterson believes that Bushehr was possibly the target. "If I had to guess what it was, yes that's a logical target," he said. "But that's just speculation."

Langner thinks that it's possible that Bushehr may have been infected through the Russian contractor that is now building the facility, JSC AtomStroyExport. Recently AtomStroyExport had its Web site hacked, and some of its Web pages are still blocked by security vendors because they are known to host malware. This is not an auspicious sign for a company contracted with handling nuclear secrets.

Tofino Security Chief Technology Officer Eric Byres is an industrial systems security expert who has tracked Stuxnet since it was discovered. Initially he thought it was designed for espionage, but after reading Langner's analysis, he's changed his mind. "I guessed wrong, I really did," he said. "After looking at the code that Ralph hauled out of this thing, he's right on."

One of the things that Langner discovered is that when Stuxnet finally identifies its target, it makes changes to a piece of Siemens code called Organizational Block 35. This Siemens component monitors critical factory operations -- things that need a response within 100 milliseconds. By messing with Organizational Block 35, Stuxnet could easily cause a refinery's centrifuge to malfunction, but it could be used to hit other targets too, Byres said. "The only thing I can say is that it is something designed to go bang," he said.

Whoever created Stuxnet developed four previously unknown zero-day attacks and a peer-to-peer communications system, compromised digital certificates belonging to Realtek Semiconductor and JMicron Technology, and displayed extensive knowledge of industrial systems. This is not something that your run-of-the-mill hacker can pull off. Many security researchers think that it would take the resources of a nation state to accomplish.

Last year, rumors began surfacing that Israel might be contemplating a cyber attack on Iran's nuclear facilities.

Bushehr is a plausible target, but there could easily be other facilities -- refineries, chemical plants or factories that could also make valuable targets, said Scott Borg, CEO of the U.S. Cyber Consequences Unit, a security advisory group. "It's not obvious that it has to be the nuclear program," he said. "Iran has other control systems that could be targeted."

Iranian government representatives did not return messages seeking comment for this story, but sources within the country say that Iran has been hit hard by the worm. When it was first discovered, 60 percent of the infected Stuxnet computers were located in Iran, according to Symantec.

Now that the Stuxnet attack is public, the industrial control systems industry has come of age in an uncomfortable way. And clearly it will have more things to worry about.

"The problem is not Stuxnet. Stuxnet is history," said Langner in an e-mail message. "The problem is the next generation of malware that will follow."
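The PCWorld piece quoted above says Stuxnet fingerprints a specific PLC configuration and then injects its own code, replacing part of Organizational Block 35. The defensive counterpart is a block-level integrity baseline: hash every program block read back from the controller at commissioning time and diff later read-backs against it. The script below is an added example and is not code from the article, from Langner or from Siemens; the block names and byte strings are constructed sample data standing in for whatever your engineering tool exports, and the read-back function is assumed to be supplied by you.

```python
"""Baseline-and-diff integrity check for PLC program blocks (added example).

A controller's program is a set of named blocks (OB1, OB35, FCxx, DBxx ...).
If an attacker rewrites OB35 or adds a block of its own, the SHA-256 of the
affected block changes or a new name appears. Keeping a baseline from a
trusted commissioning read-back turns that into a cheap, repeatable check.

All block contents below are constructed placeholders, not real STL/MC7.
"""
import hashlib
from dataclasses import dataclass, field


def block_digest(code: bytes) -> str:
    """SHA-256 over the raw bytes of one block."""
    return hashlib.sha256(code).hexdigest()


def build_baseline(blocks: dict[str, bytes]) -> dict[str, str]:
    """Digest every block in a known-good read-back (taken at commissioning)."""
    return {name: block_digest(code) for name, code in blocks.items()}


@dataclass
class Drift:
    """Result of comparing a later read-back with the baseline."""
    modified: list[str] = field(default_factory=list)  # same name, different bytes
    added: list[str] = field(default_factory=list)     # block not in baseline
    missing: list[str] = field(default_factory=list)   # baseline block gone

    def clean(self) -> bool:
        return not (self.modified or self.added or self.missing)


def compare(baseline: dict[str, str], current: dict[str, bytes]) -> Drift:
    """Classify every difference between the baseline and a fresh read-back."""
    drift = Drift()
    for name, code in current.items():
        if name not in baseline:
            drift.added.append(name)
        elif baseline[name] != block_digest(code):
            drift.modified.append(name)
    drift.missing = [name for name in baseline if name not in current]
    for bucket in (drift.modified, drift.added, drift.missing):
        bucket.sort()
    return drift


# Constructed commissioning snapshot: the blocks the plant engineers loaded.
GOOD_BLOCKS: dict[str, bytes] = {
    "OB1":  b"main cycle: call FC1; call FC2",
    "OB35": b"100ms cyclic interrupt: read drive speed; compare limits; call FC2",
    "FC1":  b"read profibus drive registers",
    "FC2":  b"write drive setpoint",
    "DB1":  b"setpoint table",
}

# Constructed later read-back: OB35 has been rewritten to call an injected
# block (FC100) that was never part of the commissioned program.
TAMPERED_BLOCKS: dict[str, bytes] = dict(GOOD_BLOCKS)
TAMPERED_BLOCKS["OB35"] = b"100ms cyclic interrupt: call FC100; read drive speed"
TAMPERED_BLOCKS["FC100"] = b"injected: override setpoint; replay recorded values"


def audit(baseline: dict[str, str], current: dict[str, bytes]) -> list[str]:
    """Human-readable findings for an operator or a SIEM, one line each."""
    drift = compare(baseline, current)
    findings = [f"MODIFIED {n}" for n in drift.modified]
    findings += [f"ADDED {n}" for n in drift.added]
    findings += [f"MISSING {n}" for n in drift.missing]
    return findings or ["OK: program matches baseline"]


if __name__ == "__main__":
    baseline = build_baseline(GOOD_BLOCKS)
    for line in audit(baseline, GOOD_BLOCKS):
        print(line)
    for line in audit(baseline, TAMPERED_BLOCKS):
        print(line)
```

Two caveats for anyone running something like this for real. The baseline must be captured from a trusted source and stored off the engineering workstation, because Stuxnet also hid its PLC changes from the Step 7 software on the infected station, so a read-back taken through a compromised workstation can lie; take it from a separate, known-clean station or directly from the controller. And a clean diff only says the program matches what was baselined, not that the baseline itself was benign.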

mynis
Revolutionary Party
Posts: 429
Joined: Fri Oct 12, 2007 4:05 pm

Re: Was stuxnet created by Israeli hackers?

Post by mynis » Fri Dec 17, 2010 1:01 pm

I recently wrote a white paper entitled “Dragons, Tigers, Pearls, and Yellowcake” in which I proposed four alternative scenarios for the Stuxnet worm other than the commonly held assumption that it was Israel or the U.S. targeting Iran’s Bushehr or Natanz facilities. During the course of my research for that paper, I uncovered a connection between two of the key players in the Stuxnet drama: Vacon, the Finnish manufacturer of one of two frequency converter drives targeted by this malware; and RealTek, whose digital certificate was stolen and used to smooth the way for the worm to be loaded onto a Windows host without raising any alarms. A third important piece of the puzzle, which I’ll discuss later in this article, directly connects a Chinese antivirus company which writes their own viruses with the Stuxnet worm.

Most people who have followed the Stuxnet investigation know that the international headquarters for Vacon is in Finland, but surprisingly, Finland isn’t where Vacon’s frequency converter drives are manufactured. Vacon’s manufacturing plant is actually located in the Peoples Republic of China (PRC) under the name Vacon Suzhou Drives Co. Ltd., located at 11A, Suchun Industrial Square 428# Xinglong Street, SIP Suzhou 215126 China.

Vacon isn’t the only company involved with Stuxnet that has a Chinese connection. The first genuine digital certificate used by Stuxnet developers was from RealTek Semiconductor Corp., a Taiwanese company which has a subsidiary in (of all places) Suzhou under the name Realsil Microelectronics, Inc. (450 Shenhu Road, Suzhou Industrial Park, Suzhou 215021 Jiangsu Province, China).

The question, of course, is what, if anything, does this say about China’s possible role as the source of the Stuxnet worm. There are scenarios under which China would benefit, such as the rare-earths scenario that I presented in my white paper; however, there’s a lack of data on mining failures that can be attributed to Stuxnet. The closest that anyone has come to identifying compromised operations is at Natanz; however, their centrifuge failures go back several years according to this February, 2010 report by ISIS, while the earliest Stuxnet sample seen by Symantec’s researchers was June, 2009, and that’s before it had signed driver files or exploited the remote code execution vulnerability that appeared in January, 2010 and March, 2010 respectively. Natanz may very well have been the target of an earlier cyber attack, or even multiple attacks, which had nothing to do with Stuxnet.

Does China Benefit By Attacking Natanz?

In 2008, China decided to assist the IAEA inspectors after it learned that Iran was in possession of blueprints to shape uranium metal into warheads, according to this article in The Telegraph. That same article discloses that Chinese designs for centrifuges were discovered in Iran, supplied via Pakistan’s AQ Khan.

On April 13, 2010, Beijing reiterated its opposition to Iran’s goal to develop nuclear weapons capabilities while stating that sanctions against Iran would be counter-productive. In other words, the PRC wanted to support its third largest supplier of oil (after Saudi Arabia and Angola) while at the same time seeking ways to get Iran to stop its uranium fuel enrichment program. What better way to accomplish that goal than by covertly creating a virus that will sabotage Natanz’ centrifuges in a way that simulates mechanical failure while overtly supporting the Iranian government by opposing sanctions pushed by the U.S. It’s both simple and elegant. Even if the worm was discovered before it accomplished its mission, who would blame China, Iran’s strongest ally, when the most obvious culprits would be Israel and the U.S.?

Reviewing The Evidence

China has an intimate knowledge of Iran’s centrifuges since, according to one source quoted above, they’re of Chinese design.

China has better access than any other country to manufacturing plans for the Vacon frequency converter drive made by Vacon’s Suzhou facility and specifically targeted by the Stuxnet worm (along with an Iranian company’s drive). Furthermore, in March 2010, China’s Customs ministry started an audit at Vacon’s Suzhou facility and took two employees into custody thereby providing further access to Vacon’s manufacturing specifications under cover of an active investigation.

China has better access than any other country to RealTek’s digital certificates through its Realsil office in Suzhou and, secondarily, to JMicron’s office in Taiwan.

China has direct access to Windows source code, which would explain how a malware team could create 4 key zero day vulnerabilities for Windows when most hackers find it challenging to develop even one.

There were no instances of Stuxnet infections in the PRC until very late which never made sense to me, particularly when Siemens software is pervasive throughout China’s power installations. Then, almost as an after-thought and over three months from the time the virus was first discovered, Chinese media reported one million infections, and here’s where the evidence becomes really interesting.

That report originated with a Chinese antivirus company called Rising International, who we now know colluded with an official in Beijing’s Public Security Bureau to make announcements encouraging Chinese citizens to download AV software from Rising International (RI) to fight a new virus that RI had secretly created in its own lab. Considering this new information, RI’s Stuxnet announcement sounds more like a CYA strategy from the worm’s originators than anything else.

In Summary

The conventional wisdom on which nation state was responsible for the Stuxnet worm has relentlessly pointed the finger at Israel or the United States almost from day one of the worm’s discovery. No other scenarios were discussed or even considered with the exception of my own conjecture about India’s INSAT-4b satellite failure and Britain’s Heysham 1 nuclear plant shutdown, and then my white paper proposing 4 additional alternative scenarios; all of which were my way of trying (and failing) to expand the discussion beyond Israel and Iran. The appeal of a U.S. or Israeli cyber attack against first Bushehr, then Natanz, was just too good to pass up even though there was no hard evidence and very slim circumstantial evidence to support a case for either country. The best that Ralph Langner, CEO of Langner Communications (and the leading evangelist for this scenario) could point to was an obscure Hebrew word for Myrtus and a biblical reference for a date found in the malware that pertained to Persia; both of which could have been explained in a half dozen alternate ways having nothing to do with either Israel or the U.S.

As far as China goes, I’ve identified 5 distinct ties to Stuxnet that are unique to China as well as provided a rationale for the attack which fits China’s unique role as Iran’s ally and customer, while opposing Iran’s fuel enrichment plans. There’s still a distinct lack of information on any other facilities that suffered damage, and no good explanations for why there was such massive collateral damage across dozens of countries if only one or two facilities in one nation state were the targets however based solely on the known facts, I consider China to be the most likely candidate for Stuxnet’s origin.
http://blogs.forbes.com/firewall/2010/1 ... onnection/

mynis
Revolutionary Party
Posts: 429
Joined: Fri Oct 12, 2007 4:05 pm

Re: Was stuxnet created by Israeli hackers?

Post by mynis » Mon Dec 27, 2010 10:06 am

http://www.jpost.com/Defense/Article.aspx?id=200843

Stuxnet may have destroyed 1,000 centrifuges at Natanz
The Stuxnet virus that has infected Iran’s nuclear installations may have been behind the decommissioning of 1,000 centrifuges at the Natanz uranium enrichment facility earlier this year, according to a new analysis of the malicious software.

Prepared by the Washington-based Institute for Science and International Security, the paper raised the possibility that the reported breakage of 1,000 centrifuges was caused by the virus.

According to the paper, the timing of the removal of 1,000 centrifuges was consistent with a statement made last month by Ali Akbar Salehi, then-head of Iran’s Atomic Energy Organization and recently appointed as the country’s foreign minister, who confirmed in an interview: “One year and several months ago, Westerners sent a virus to [our] country’s nuclear sites.”

There are currently approximately 10,000 IR-1 centrifuges installed inside the Natanz uranium enrichment plant, according to the report.

Last week, The Jerusalem Post interviewed Ralph Langner, a top German computer consultant who was one of the first experts to analyze Stuxnet’s code. It was possible the worm had set back Iran’s nuclear program by two years, Langner said.

Widespread speculation has named the IDF’s Military Intelligence Unit 8200, known for its advanced signal intelligence capabilities, as the possible creator of the software, or perhaps the United States. Langner said last week that in his opinion at least two countries were behind Stuxnet.

Last month, the International Atomic Energy Agency, the United Nations’ nuclear watchdog, said that Iran had suspended work at its nuclear field-production facilities. While it did not specify a reason, Stuxnet was assessed to be one of the likely culprits.

David Albright, president of the Institute for Science and International Security, told the Post that during a study of the Stuxnet code, he discovered that the virus caused the engines in Iran’s IR-1 centrifuges to increase and decrease their speed. The report cited an unnamed government official who claimed that Iran usually ran its motors at 1,007 cycles per second to prevent damage, while Stuxnet seemed to increase the motor speed to 1,064 cycles per second.

“If you start changing the speed, there are vibrations and they become so severe that it can break the motor,” Albright said. “If it is true that it is attacking the IR-1, then it is changing the speed to attack the motor.”

Albright said that the number of centrifuges damaged – 1,000 – also appeared to indicate that Stuxnet – if it caused the breakage – was meant to be subtle and work slowly by causing small amounts of damage to the systems that would not make the Iranians suspect that something foreign – like malware – had been infiltrated into their computers. “It could be that Stuxnet was meant to be subtle to disrupt and break more and have less enriched uranium produced,” he said.
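The Jerusalem Post article above reports that the IR-1 motors normally run at 1,007 cycles per second and that Stuxnet pushed them to 1,064, and that the damage was meant to look like ordinary wear rather than an attack. A monitor that reads the commanded drive frequency independently of the PLC and the HMI can catch both halves of that: setpoints outside the plant's operating envelope, and a mismatch between what the operator screen shows and what the drive is actually doing. The code below is an added example, not code from the article, from ISIS or from any vendor; the envelope numbers beyond the two frequencies quoted on the page (the tolerance and step limits) and all telemetry samples are constructed assumptions for illustration.

```python
"""Envelope and replay monitor for frequency-converter setpoints (added example).

Two independent checks over a stream of (timestamp, hertz) samples:

  1. check_setpoints: flag any commanded frequency outside nominal +/- tolerance,
     and any jump between consecutive samples larger than a legitimate ramp.
  2. hmi_divergence: compare what the HMI reports against what was measured
     at the drive; an attacker who replays recorded "normal" values to the
     operator screen while driving the motor elsewhere shows up here.

All sample values are constructed; only the 1,007 Hz and 1,064 Hz figures
come from the article.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Envelope:
    nominal_hz: float     # normal operating frequency
    tolerance_hz: float   # allowed band around nominal (assumed)
    max_step_hz: float    # largest legitimate change between two samples (assumed)


@dataclass(frozen=True)
class Alert:
    t: float
    kind: str   # "out_of_band" or "step"
    hz: float


def check_setpoints(samples: list[tuple[float, float]], env: Envelope) -> list[Alert]:
    """Return one Alert per envelope violation, in sample order."""
    alerts: list[Alert] = []
    prev: float | None = None
    for t, hz in samples:
        if abs(hz - env.nominal_hz) > env.tolerance_hz:
            alerts.append(Alert(t, "out_of_band", hz))
        if prev is not None and abs(hz - prev) > env.max_step_hz:
            alerts.append(Alert(t, "step", hz))
        prev = hz
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts by kind, handy for a dashboard or a threshold rule."""
    return dict(Counter(a.kind for a in alerts))


def hmi_divergence(hmi: list[tuple[float, float]],
                   measured: list[tuple[float, float]],
                   max_diff_hz: float) -> list[float]:
    """Timestamps where the HMI-reported value disagrees with the drive reading.

    Both streams are joined on timestamp; samples present on only one side are
    ignored here (a production monitor would alarm on gaps as well).
    """
    reported = dict(hmi)
    return [t for t, hz in measured
            if t in reported and abs(reported[t] - hz) > max_diff_hz]


# Assumed envelope for the IR-1 figures quoted in the article.
IR1_ENVELOPE = Envelope(nominal_hz=1007.0, tolerance_hz=5.0, max_step_hz=10.0)

# Constructed drive-side telemetry: steady at ~1,007 Hz, then commanded to
# 1,064 Hz for three samples, then back.
MEASURED = [
    (0.0, 1007.0), (1.0, 1007.2), (2.0, 1006.9),
    (3.0, 1064.0), (4.0, 1064.0), (5.0, 1063.8),
    (6.0, 1007.1),
]

# Constructed HMI stream: what the operator screen showed for the same period,
# i.e. a replayed "all normal" trace.
HMI_REPORTED = [(t, 1007.0) for t, _ in MEASURED]


if __name__ == "__main__":
    found = check_setpoints(MEASURED, IR1_ENVELOPE)
    for a in found:
        print(f"t={a.t:4.1f}  {a.kind:12s}  {a.hz:.1f} Hz")
    print("summary:", summarize(found))
    print("HMI disagrees with drive at t =", hmi_divergence(HMI_REPORTED, MEASURED, 2.0))
```

The point of the second check is where the data comes from: a comparison of the HMI against itself proves nothing, since the same compromised host feeds both. The measured stream has to be taken from a path the attacker did not control, such as the drive's own status registers read over a separate link, or a passive tap on the fieldbus. The tolerance and step values are deliberately loose placeholders; a real plant would set them from the drive's commissioning data.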

Dissent
Anti-Neocon Patrol
Posts: 4207
Joined: Thu Jun 30, 2005 10:11 am
Location: Los Angeles, CA

Re: Was stuxnet created by Israeli hackers?

Post by Dissent » Mon Dec 27, 2010 10:21 am

wouldn't be surprised if it came from the U.S. or Israel.

http://www.ancreport.com/forum/v ... 20#p149220
"Whenever any form of government becomes destructive of ... [Life, Liberty, and the pursuit of Happiness], it is the right of the people to alter or to abolish it, and to institute new government." –Thomas Jefferson
