09 December 2010

STUXNET


(People's Liberation Army DF-31A warhead being mated to rocket body. Photo PLA.)

It is loony out there. I got a bunch of kick-backs from ordinary messages I was sending to some of the usual suspects. That is not an infrequent occurrence, but my ears pricked up when I heard that massive denial-of-service attacks had been launched against PayPal and Visa. Apparently partisans of Julian Assange are incensed that the massive sites have severed their connection to Wikileaks. Your computer may have been involved in the slave-bot attacks.

That is how strange things are these days. Malware is downloaded onto the machines of the unaware as users click through things as innocent as an email like this. The software lets remote individuals command thousands of machines in cyber armies to bring down websites.

Years ago, at the dawn of the modern cyber age, I saw a virtual war flare on the edge of the Chinese demonstration of their ballistic missiles against Taiwan in the third Straits Crisis of 1995-96.

It was going to get worse. The Moonlight Maze intrusion into US Government cyber systems began. We could never really attribute who was behind it. The highest volume of activity seemed to happen during normal working hours in the time-zone shared by Moscow and places like Belarus, though of course that could have been a simple enough cover.

Of late, the Chinese have been vacuuming the web for anything not nailed down. More than just collecting things, there is bizarre but credible reporting that twice this year, China demonstrated its ability to "substantially manipulate" the Internet by redirecting traffic to fifteen percent of the world's websites through Chinese servers for about 20 minutes.

Imagine that. Or rather, what we cannot even imagine is happening all around us. As we discussed yesterday, there is no military operation that can be conducted without a cyber component. In fact, a successful operation like the Israeli attack on the Syrian nuclear complex relied on the cyber-neutralization of the Syrian air defense network.

My pal Steve Canyon is an old school warrior, but he keeps his eyes open. He sent me the following link that provides a clue on the new world of vulnerabilities. Check the vignette on the cyber-stalker who found a pretty girl’s apartment based on a cell-phone camera shot in a public park. Most of us have no idea what is going on around us, a digital world with unseen moving parts.

http://mail.aol.com/32992-211/aol-1/en-us/mail/get-attachment.aspx?uid=1.31123263&folder=Inbox&partId=4&saveAs=Geotagging_Safety_Smart_Phones.pdf

That is why I wanted to tell you about STUXNET, and why it has taken this long to get to it.

When I was in the business, I used to sit in on interagency meetings to try to deconflict the operations of the people on our side who had authorities to conduct operations in cyber space. I remember shuddering to hear that two agencies, one human-enabled and the other remote, meeting in the hard drive of a denied system, while detecting the digital footprints of an ally in the software. It was very confusing then, though colleagues assure me that things have improved.

Certainly the capabilities have, and all sorts of people have them. The bot-nets are easy enough to set up. Hacker tool-kits are readily available to download on the web. Pros disparagingly call those who use them “script kiddies.” Going after a hard target requires actually becoming the adversary, like mimes who mimic each other’s moves in an imaginary mirror.

Stuxnet was first discovered in Iran by a Belarusian security firm called VirusBlokAda. The target was the Supervisory Control And Data Acquisition (SCADA) systems manufactured by German electronics giant Siemens to control and monitor the gas centrifuges at the Iranian nuclear facility at Natanz.

That sounds simple enough, right? But no, the worm is sophisticated enough that Kaspersky Lab in Russia has described STUXNET as "a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world."

I will accept that as basically accurate. But it is only part of a comprehensive and committed full-spectrum operation. The first challenge is that the Siemens control device is not connected to the web. Getting access to it required a human-factors campaign. It could be something as simple as distributing complimentary thumb drives to the engineers and technicians who work in the plant and just waiting for one of them to swap data from a home computer to the one at work, leaping the air-gap with predictable human stupidity.

Or it could be a human infiltration of the plant, a riskier level of business. Once STUXNET jumped the air gap, it really got to work.

STUXNET is written in the C and C++ languages, and attacked the Windows operating system that supports the SCADA network by using four “zero-day” attacks, plus the known CPLINK vulnerability first identified by the Conficker worm. The number of zero-day Windows exploits used is unusual, since they are high-value and would be husbanded by private-sector hackers. The Windows component of the malware is promiscuous and spreads rapidly.

There are fingerprints in the code that have private keys presumably stolen from corporate entities in Taiwan. Two external websites were configured as STUXNET command-and-control servers, permitting the cyber-mimes to update the software as the Iranian systems administration personnel evolved the operating system.

Once installed on a Windows system, STUXNET had to infect project files on the Siemens SCADA control software. It contained an algorithm that masked its presence from control diagnostic software. Elegant.

So far, so good.


(The Target: Siemens Simatic S7-300 PLC CPU. Photo Siemens Corporation 2009.)

Here is what the point of the attack was. STUXNET was then able to control the operation and speed of the centrifuges over which it had command. The worm, undetected, was able to overspeed thousands of the centrifuges, burning out main bearings and significantly degrading the enrichment of the uranium to weapons grade. All of this was completely undetected.
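The point of that paragraph, from a defender's chair, is that the plant's own diagnostics were the only eyes on the centrifuges, and the worm had those eyes. Below is an added illustration, not code from the original post and not anything Stuxnet did: a plausibility check that reads drive telemetry, compares what the controller reports against an independent sensor reading, and flags speeds outside a fixed safe band. Every number, drive name and log line is constructed for the example; the safe band and tolerance are placeholders, not the real Natanz parameters.

```python
"""Added example (not part of the original post): a defender-side
plausibility check for centrifuge drive telemetry.

A control room that only trusts what the controller reports cannot
see a controller that lies. This sketch keeps a second, independent
speed reading and alerts when the two disagree or when the measured
speed leaves the configured safe band. All values below are
constructed for illustration.
"""
from dataclasses import dataclass

# Constructed safe operating band (Hz) for a hypothetical drive.
SAFE_MIN_HZ = 800.0
SAFE_MAX_HZ = 1100.0
# Largest disagreement tolerated between the controller's reported
# speed and the independently measured speed (constructed value).
MAX_DISAGREEMENT_HZ = 25.0


@dataclass
class Sample:
    ts: str
    drive_id: str
    reported_hz: float   # what the controller / HMI says
    measured_hz: float   # what an independent sensor path says


def parse_line(line: str) -> Sample:
    """Parse one constructed telemetry line of the form
    '<ts> <drive> reported=<hz> measured=<hz>'."""
    ts, drive, rep, meas = line.split()
    return Sample(ts, drive,
                  float(rep.split("=", 1)[1]),
                  float(meas.split("=", 1)[1]))


def check_sample(s: Sample) -> list[str]:
    """Return a list of findings for one sample (empty when healthy)."""
    findings = []
    if not (SAFE_MIN_HZ <= s.measured_hz <= SAFE_MAX_HZ):
        findings.append("measured speed outside safe band")
    if abs(s.reported_hz - s.measured_hz) > MAX_DISAGREEMENT_HZ:
        findings.append("reported speed disagrees with independent sensor")
    return findings


def analyze(lines):
    """Run the check over telemetry lines; return {(ts, drive): findings}
    for every sample that produced at least one finding."""
    alerts = {}
    for line in lines:
        s = parse_line(line)
        findings = check_sample(s)
        if findings:
            alerts[(s.ts, s.drive_id)] = findings
    return alerts


# Constructed telemetry. The second line models a drive pushed well
# past its band while the controller keeps reporting a normal value.
SAMPLE_LOG = [
    "10:00:00 drive-07 reported=1000.0 measured=1002.5",
    "10:00:10 drive-07 reported=1000.0 measured=1380.0",
    "10:00:20 drive-07 reported=1000.0 measured=1004.0",
    "10:00:30 drive-12 reported=1005.0 measured=1005.0",
]

if __name__ == "__main__":
    for key, findings in analyze(SAMPLE_LOG).items():
        print(key, "->", "; ".join(findings))
```

The useful property is that the second reading does not pass through the controller at all; if it did, the same code that falsified the first value could falsify the second. Where that independent path does not exist, a check like this only confirms what the compromised controller wants you to believe.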

The ability of STUXNET to precisely target the equipment associated with the Iranian nuclear program is breathtaking. The Iranians did not even know that their centrifuges had been hijacked, and were being run by someone else. Julian Assange, prior to his current notoriety, had also reported an unexplained atomic accident in the Iranian program in 2009.

A very elegant operation on the technical side. I contend that this is only part of a comprehensive operation that is full spectrum in design. On the very same day last week that Iranian President Mahmoud Ahmadinejad held his press conference to explain certain minor irregularities in the program, a person or persons unknown conducted two separate terrorist acts in northern Tehran: Iranian nuclear scientist Dr. Majid Shahriari was killed and Dr. Fereidoon Abbasi was wounded when they turned the ignitions on their cars.

Blammo!

Ahmadinejad strongly condemned the inclusion of Abbasi's name as an Iranian "nuclear scientist" in UN Security Council Resolution 1747 and linked the recent terror attempt against him to the leak of confidential information related to the country's nuclear program.

It is a full-spectrum operation against the Sunni Bomb, and it is clearly not over yet. I am curious to know who is doing it, and would ramble on, but it is late and I need to go to work. Maybe we can talk about attribution tomorrow.

Copyright 2010 Vic Socotra