1 year, 8 months ago
Was Stuxnet built to infiltrate Iran's nuclear program?
Specifically Iran's Bushehr reactor? What do we know about this "Stuxnet" and who might be responsible for introducing it? Could you explain in plain English what the findings published here at Langner.com say to us about what is going on with Stuxnet?
As for the tech speak, as far as I can make sense of it...
- The malware arrives on a Windows PC via the usual routes, say an infected USB stick
- It checks if the PC it's landed on is hooked up to talk to a specific type of industrial process controller from Siemens
- Looks like it does that check every 5 seconds
- If yes, it injects a piece of itself into the process controller
- Whoever wrote the malware knows the internal details of that particular controller, and the specific application that it would be being used for, i.e. they know how that controller has been programmed in the target plant, and the malware can tell from that pretty reliably if it has found the right target
- One of the things the target controller would ordinarily have been doing is, ten times a second, performing some unknown industrial process task, say for example "Check the temperature of X and if it's more than Y, engage the safety cut-out and cool down". Or if the target should happen to be a centrifuge in a uranium enrichment plant, maybe instead it's "Check the centrifuge RPM, and stop it going over X".
- The malware will let the controller carry on doing its normal thing until some condition is met. Let's say, for example, until the date is one of a series of pre-programmed attack dates.
- When the condition is met, e.g. a certain date is reached, the malware has the controller ignore that thing it was supposed to be doing ten times a second.
- In our examples, maybe there will now be no automatic cooling-off initiated when something starts to overheat, or no slowdown when the centrifuge is spinning too fast. Because that action doesn't happen, the result could possibly be a catastrophic plant failure.
From what I can see, the idea that Stuxnet was designed to target Iran's nuclear program is at best a good guess based on circumstantial evidence.
The logic seems to be...
- Very expert piece of malware, with seeming insider knowledge of one specific target
- Seems to have turned up in Iran a lot (but also plenty in Pakistan, Indonesia & India)
- Once people have figured it out properly, it will be ineffective...
- So whatever it was meant to be doing, it was probably intended to already have done it by now
- So...what could be a target in Iran that is known to have had tech problems?
- Guess: The most obvious thing that comes to mind is Bushehr, or maybe Natanz.
Obviously even if true, no one that could confirm it is likely to be forthcoming.
But we really don't know. Maybe the virus turned up in Iran a lot by accident, and the real target was something else entirely. The virus has also turned up in Germany, Canada, Korea, the UK and the US. That's viruses for you. And the type of equipment targeted is used in chemical plants, oil pipelines and military facilities among other things. For example, Dow Chemical is a user.
So... pick any massive industrial disaster of your choice, and invent a suitable conspiracy theory. :)
source(s):
http://www.metafilter.com/95946/Case-is-that-you
http://www.pcworld.com/businesscenter/article/205827/was_stuxnet_built_to_a...
http://www.langner.com/en/index.htm
http://www.zerohedge.com/article/deadf007-stuxnet-secret-weapon-attack-iran...
http://www.informit.com/articles/article.aspx?p=1636983
http://www.automation.siemens.com/WW/forum/guests/PostShow.aspx?PageIndex=1...
http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-pro...
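The answer above describes a controller that runs a periodic safety task, and malware that injects code into the controller and quietly alters that task. The defensive counterpart is an integrity check of the controller's program blocks against a known-good baseline recorded at commissioning time. The following is an added example, not code from the answer, from Langner or from Symantec; the block names follow the Siemens S7 convention, the block bodies are constructed placeholder bytes standing in for compiled code, and it assumes (as on S7-300/400 controllers) that the 100 ms cyclic block, the "ten times a second" task, is OB35.

```python
"""Compare a PLC program read back from a controller against a golden baseline.

Added example, not part of the original page. Block bodies are constructed
placeholders; on a real controller they would be the compiled block code read
back with the engineering tool.
"""
import hashlib

# Constructed baseline: block name -> block body, recorded from the known-good
# controller when the plant was commissioned.
GOLDEN_BLOCKS = {
    "OB1":  b"main cycle: call FC1; call FC2",
    "OB35": b"100ms cyclic: read rpm; if rpm > limit then stop",  # the periodic safety task
    "FC1":  b"read sensors",
    "FC2":  b"drive outputs",
    "DB1":  b"setpoints",
}

# Constructed snapshot of the same controller read back later: OB35 gained extra
# code at its start, an unexpected function block appeared, and DB1 is missing.
CURRENT_BLOCKS = {
    "OB1":  b"main cycle: call FC1; call FC2",
    "OB35": b"call FC999; 100ms cyclic: read rpm; if rpm > limit then stop",
    "FC1":  b"read sensors",
    "FC2":  b"drive outputs",
    "FC999": b"unknown code",
}

# Blocks whose alteration or removal is treated as critical: the cyclic
# interrupt OBs are where the periodic process/safety tasks live.
# Assumption: OB35 is the 100 ms cyclic OB (S7-300/400 convention).
CRITICAL_BLOCKS = {"OB1", "OB35"}


def block_hashes(blocks):
    """SHA-256 of every block body, keyed by block name."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in blocks.items()}


def compare_blocks(baseline, current):
    """Return added, removed and modified block names plus an overall severity.

    severity: "ok" when nothing differs, "warning" for any difference,
    "critical" when a block in CRITICAL_BLOCKS was modified or removed.
    """
    base_h = block_hashes(baseline)
    cur_h = block_hashes(current)
    added = sorted(set(cur_h) - set(base_h))
    removed = sorted(set(base_h) - set(cur_h))
    modified = sorted(n for n in base_h.keys() & cur_h.keys() if base_h[n] != cur_h[n])

    if CRITICAL_BLOCKS & set(modified + removed):
        severity = "critical"
    elif added or removed or modified:
        severity = "warning"
    else:
        severity = "ok"
    return {"added": added, "removed": removed, "modified": modified, "severity": severity}


if __name__ == "__main__":
    report = compare_blocks(GOLDEN_BLOCKS, CURRENT_BLOCKS)
    print(f"severity: {report['severity']}")
    for kind in ("added", "removed", "modified"):
        for name in report[kind]:
            print(f"  {kind}: {name}")
```

Run against the constructed snapshot, the report flags OB35 as modified (critical, since that is the cyclic block), FC999 as an unexpected addition and DB1 as missing. The check only works if the baseline hashes are stored somewhere the controller's own host cannot rewrite, since the answer's scenario is precisely that the Windows engineering PC talking to the controller is the infected machine.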
Symantec published a long report on Stuxnet.
49-page PDF here
It's mostly all tech speak so you probably don't want to read it, but it is basically the same story as above. Their final words in conclusion:
-- Quote
Stuxnet is of such great complexity—requiring significant resources to develop—that ... we would not expect masses of threats of similar in sophistication to suddenly appear.
However, Stuxnet has highlighted direct-attack attempts on critical infrastructure are possible and not just theory or movie plotlines.
The real-world implications of Stuxnet are beyond any threat we have seen in the past. Despite the exciting challenge in reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope to never see again.
-- /Quote