Though the Stuxnet cyber-attack which likely targeted Iran’s nuclear facilities may’ve begun as early as 2009, computer security experts have only this month published their full analysis of one of the most sophisticated and powerful computers worms ever developed, and what industrial damage it may’ve done.
Stuxnet is malware likely designed to infiltrate Iranian (60% of computers infected were in Iran) industrial computers which controlled numerous automated processes in factory production cycles. The most likely target according to most experts consulted would be Iran’s Bushehr nuclear reactor complex, which last year was reported by Israeli media to have been sabotaged and faced extensive production delays. Since Bushehr is using Russian-supplied fuel not related to centrifuges or uranium enrichment, it seems unlikely they were the goal. But there clearly is some key industrial process likely targeted at Bushehr and the worm may’ve either destroyed equipment or corrupted a production cycle central to the reactor’s function.
By all accounts. the worm is so advanced, performs so many functions, and operates in such a complex fashion that it can only have been produced by the intelligence agency of a sovereign nation. We can imagine which nations would have the capacity to mount such an operation and the motivation to sabotage Iran’s nuclear program. The CIA and Mossad (or IDF military intelligence) spring to mind. My money is either on Israel and a shared operation mounted in some way by both countries.
IDF military intelligence has such a capability, Unit 8200, which analyzes intercepted communications and performs all manner of cyber-warfare tasks. A recent profile of the group described its operations in some detail though didn’t deal with the question of whether 8200 may’ve been involved in this attack. Forbes published this warm and fuzzy profile as well making 8200 out to be a real cool version of Silicon Valley.
This military unit performs a similar role in Israeli society to that of the Silicon Valley here. Since most Israelis serve in the army, this  is where the techno-geeks among them gravitate. And when they exit their military service with their advanced technical training, they not only create commerical technology start-ups, they also continue developing products for Israel’s security apparatus. Such an 8200 alumnus founded Carmel Ventures, an Israeli venture capital outfit which funded Yuval Tal’s Payoneer, a U.S. company providing prepaid debit cards to its customers, who happened to be two of the Mossad hitmen who “hit” Mahmoud al-Mabouh in Dubai.
Since I don’t claim to be a computer security expert, but feel that Stuxnet is a very important development not only in and of itself, but also for the impact it will have on the Iran nuclear debate, I’m going to quote at some length from the recent technical articles about it in industry publications. It’s really fascinating stuff even for a layperson. Let’s start with PCWorld:
Researchers studying the worm all agree that Stuxnet was built by a very sophisticated and capable attacker — possibly a nation state — and it was designed to destroy something big…some of the researchers who know Stuxnet best say that it may have been built to sabotage Iran’s nukes.
…Last week Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran’s Bushehr nuclear reactor…Bushehr reportedly experienced delays last year, several months after Stuxnet is thought to have been created, and according to screen shots of the plant posted by UPI, it uses the Windows-based Siemens PLC software targeted by Stuxnet.
…One of the things that Langner discovered is that when Stuxnet finally identifies its target, it makes changes to a piece of Siemens code called Organizational Block 35. This Siemens component monitors critical factory operations — things that need a response within 100 milliseconds. By messing with Operational Block 35, Stuxnet could easily cause a refinery’s centrifuge to malfunction, but it could be used to hit other targets too, Byres said. “The only thing I can say is that it is something designed to go bang,” he said.
…This is not something that your run-of-the-mill hacker can pull off. Many security researchers think that it would take the resources of a nation state to accomplish.
Last year, rumors began surfacing that Israel might be contemplating a cyber attack on Iran’s nuclear facilities.
It is common for such malware to exploit a single weakness to infect a computer or system, but Stuxnet uses four separate vulnerabilities, which is unheard of for such worms. It also uses two forged digital certificates, which further indicates the highly sophisticated nature of the attack. It is important to note that Israel’s high tech industry has made a specialty of developing digital certificates. As one of my readers who specializes in IT wrote:
Public and private key technology (the basis of certificates) is indeed an Israeli computer specialty. The Weizman Institute in fact is the premier research university for such things.
What better country to forge a digital certificate than one whose techno hackers specialize in creating them? When you know a technology you also know how to exploit its weaknesses.
CNET’s report amplifies on Langner’s findings:
“With the forensics we now have, it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge,” he wrote. “The attack combines an awful lot of skills–just think about the multiple zero-day vulnerabilities, the stolen certificates, etc. This was assembled by a highly qualified team of experts, involving some with specific control system expertise. This is not some hacker sitting in the basement of his parents’ house. To me, it seems that the resources needed to stage this attack point to a nation state.”
Computerworld’s report quotes Symantec experts who have studied the worm extensively:
The Stuxnet worm is a “groundbreaking” piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.
“It’s amazing, really, the resources that went into this worm,” said Liam O Murchu, manager of operations with Symantec’s security response team.
“I’d call it groundbreaking,” said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. In comparison, other notable attacks, like the one dubbed Aurora that hacked Google’s network and those of dozens of other major companies, were child’s play.
Here they analyze in greater details the particular ways in which Stuxnet operates and the technical ambition and complexity required to create it:
Once within a network — initially delivered via an infected USB device — Stuxnet used the EoP [elevation of privilege] vulnerabilities to gain administrative access to other PCs, sought out systems running the WinCC and PCS 7 SCADA management programs, hijacked them by exploiting either the print spooler or MS08-067 bugs, then tried the default Siemens passwords to commandeer the SCADA software.
They could then reprogram the so-called PLC (programmable logic control) software to give machinery new instructions.
On top of all that, the attack code seemed legitimate because the people behind Stuxnet had stolen at least two signed digital certificates.
“The organization and sophistication to execute the entire package is extremely impressive,” said Schouwenberg. “Whoever is behind this was on a mission to get into whatever company or companies they were targeting.”
O Murchu seconded that. “There are so many different types of execution needs that it’s clear this is a team of people with varied backgrounds, from the rootkit side to the database side to writing exploits,” he said.
The malware, which weighed in a nearly half a megabyte — an astounding size, said Schouwenberg — was written in multiple languages, including C, C++ and other object-oriented languages, O Murchu added.
“And from the SCADA side of things, which is a very specialized area, they would have needed the actual physical hardware for testing, and [they would have had to] know how the specific factory floor works,” said O Murchu.
“Someone had to sit down and say, ‘I want to be able to control something on the factory floor, I want it to spread quietly, I need to have several zero-days,’” O Murchu continued. “And then pull together all these resources. It was a big, big project.”
…Put all that together, and the picture is “scary,” said O Murchu.
So scary, so thorough was the reconnaissance, so complex the job, so sneaky the attack, that both O Murchu or Schouwenberg believe it couldn’t be the work of even an advanced cybercrime gang.
“I don’t think it was a private group,” said O Murchu. “They weren’t just after information, so a competitor is out. They wanted to reprogram the PLCs and operate the machinery in a way unintended by the real operators. That points to something more than industrial espionage.”
The necessary resources, and the money to finance the attack, puts it out the realm of a private hacking team, O Murchu said.
“This threat was specifically targeting Iran,” he continued. “It’s unique in that it was able to control machinery in the real world.”
“All the different circumstances, from the multiple zero-days to stolen certificates to its distribution, the most plausible scenario is a nation-state-backed group,” said Schouwenberg
Symantec has also published a more technically detailed analysis of Stuxnet for the more adept among you.
Let’s step back and ask a few questions. While Stuxnet and other types of sabotage may’ve delayed Iran’s nuclear production and research, do we really believe that Iran’s scientists are so simple and naive that they would create only a single track for their work? Do we really believe this will cause any more than a temporary delay for them in developing their nuclear technology? No matter how damaging the worm is, no matter how impressive the technical achievement that brought it forth, it’s at best a stop-gap measure. As such, it doesn’t get at the root issue or the root way to resolve the problem which, once again like a broken record, I proclaim to anyone who will listen is a negotiated diplomatic solution.
Whatever Iran is trying to do cannot be stopped except by negotiation or war, leading to toppling the regime and replacing it with a West-compliant one (and good luck with that).
In regards to the latter option, if Israel deliberately used cyber-sabotage in order to mess with the minds and facilities of Iranian scientists, they may’ve coupled such an operation with a more deliberate one to bomb the facilities later. Such a two-pronged approach would make more sense from a military-intelligence perspective than simply messing up the production schedule of Bushehr for a year. But again, what do I know, I’m only speculating. Educated speculation by someone who has studied such minds at work for some time–but speculation nonetheless.
Paul Woodward, as usual, was one of the first bloggers to note a connection between Stuxnet and a possible U.S. or Israeli attack on Iran.