

September 22, 2010

Comments

The Stuxnet software is exceptionally well written: it makes very, very sure that nothing crashes and that no outward signs of the infection can be seen, and, above all, it makes pretty sure that its final payload, which manipulates parameters and code in the SPS computer, is only executed if it is very certain to be on the right system.

I smell a hoax/psyop. You're talking about a highly sophisticated piece of code that cannot be tested in a "real" setting before being deployed that is supposedly flawless? Sorry, I don't buy it. Perhaps the target is Iran's nuclear power operation, but the "weapon" is publicity that will compel Iran to design entirely new security protocols for its computer systems, significantly delaying putting operations on-line (and possibly compromising existing protocols in the process).

I am no kind of technical expert on any of this: not remotely.

But if you read through the links, the technical details seem plausible enough to convince all sorts of people it should otherwise be very difficult to convince, it seems to me.

To be sure, perhaps it's way over-hyped. I couldn't say. But enough people with credibility seem to think otherwise that I find it more than interesting.

I've known Bruce Schneier since we were both very young; he's impressed, and his opinion carries weight with me.

If the Koch Brothers and their astro-turf kochsuckers approach their goal of destroying the U.S. Government, Stuxnet should be used by the U.S. Government, if it is the author, to destroy all Koch Industries manufacturing facilities.

Mortal enemies within and without.

See also: the alleged 1982 sabotage of the Soviet Urengoy - Surgut - Chelyabinsk natural gas pipeline by the CIA

The pipeline, as planned, would have a level of complexity that would require advanced automated control software (SCADA). The pipeline utilized plans for a sophisticated control system and its software that had been stolen from a Canadian firm by the KGB. The CIA allegedly had the company insert a logic bomb in the program for sabotage purposes, eventually resulting in an explosion with the power of three kilotons of TNT.

The CIA was tipped off to the Soviet intentions to steal the control system plans in documents in the Farewell Dossier and, seeking to derail their efforts, CIA director William J. Casey followed the counsel of economist Gus Weiss and a disinformation strategy was initiated to sell the Soviets deliberately flawed designs for stealth technology and space defense. The operation proceeded to deny the Soviets the technology they desired to purchase to automate the pipeline management, then, a KGB operation to steal the software from a Canadian company was anticipated, and, in June 1982, flaws in the stolen software led to a massive explosion of part of the pipeline.

It's not clear whether any of the above actually happened, though.

Paul -- that was my first thought as well, but in order for that to work there have to be a bunch of people in on the whole thing, many of whom aren't that closely tied to the usual alphabet soup suspects.

Which is not to say that there isn't a big psyops upside for even a partial success, just that I think there has to be more substance to this than mere bluff. They have to have, at the least, managed to infect a bunch of machines in Iran to make this threat plausible, and they likely would have to have compromised the Russian contractors in order to do that. Without those details the rest of the social engineering sort of falls apart.

If you are talking high level advanced automated control software (SCADA) we are talking very heterogeneous systems, aren't we?

I've seen high level systems built on traditional UNIXes like HP-UX and Solaris, things like SCO, Linux, QNX, and of course some Windows.

Kind of hard to target them all, though if they have some subset in mind, and if that subset is net-connected, it might be possible.

(If it was me, I wouldn't put my centrifuges on an open net.)

"If it was me, I wouldn't put my centrifuges on an open net."

As I quoted: "stuxnet is a so far not seen publicly class of nation-state weapons-grade attack software. It is using four different zero-day exploits, two stolen certificates to get proper insertion into the operating system and a really clever multi-stage propagation mechanism, starting with infected USB-sticks, ending with code insertion into Siemens S7 SPS industrial control systems. One of the Zero-Days is a USB-stick exploit named LNK that works seamlessly to infect the computer the stick is put into, regardless of the Windows operating system version – from the fossil Windows 2000 to the most modern and supposedly secure Windows 7."

Stuxnet is non-net-dependent; it's spread by USB memory stick.

The Natanz theory doesn't hold up. The only real basis is the idea that the target might have been in Iran (due to the large number of infections) and the effect should show up around Jan 09 (because that's when stuxnet would cease spreading.) But capacity at Natanz increased during that time. According to the chart you included, the decrease didn't come for another six months or so (summer of 09). Further, the decrease was only on the order of 15%, hardly a catastrophic result. (And my reading of the IAEA report indicates an actual decrease of only about half that level; 6-7%.)
There are other plausible explanations for the Natanz decrease (e.g. maintenance or sparing issues, a temporary shortage of uranium hexafluoride, preparation to switch to a new type of equipment, changes related to the later switch from 3.5% to 20% enrichment, no benefit to Iran from dramatically increasing their low enriched uranium stockpiles at this time).

"There are other plausible explanations for the Natanz decrease (e.g. maintenance or sparing issues, a temporary shortage of uranium hexafluoride, preparation to switch to a new type of equipment, changes related to the later switch from 3.5% to 20% enrichment, no benefit to Iran from dramatically increasing their low enriched uranium stockpiles at this time)."

Definitely.

I missed the USB in my skim. Interesting also if it is limited to the Win-Siemens architecture?

If the malware is spread by USB stick, then one of two things would appear to be true:

1) whoever generated the malware has (or believed that they would have) someone on the inside at the target location. Someone who could insert the USB stick.

2) the intention is to infect a lot of (supposedly new and unused) USB sticks, in the expectation that one or more of them will be acquired, and then get used, at the target location.

From the number of systems reported to be infected, it would seem that the latter is the more likely transmission vector.

Which suggests that one interesting analysis approach might be to figure out how to detect it on a memory stick. And check lots and lots of them. And then back-trace the infected memory sticks, to see what their common origin is. Just the sort of combined "lousy legwork" and massive analysis that major intelligence organizations are very good at. Which, in turn, would suggest that the origin (if not the target) is probably not totally anonymous any more.
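The detect-and-back-trace idea in the comment above, as an added example that is not part of the original thread: scan the contents of each removable device for files matching a known indicator hash, then group the hits by the recorded supplier of each stick to see whether the infected ones share an origin. The indicator hash, the stick serial numbers and the supplier names ("vendor-A", "vendor-B") are all constructed for the demo; the hash is the SHA-256 of a harmless sample byte string, not a real Stuxnet indicator.

```python
"""Added example: scan removable media for a known file hash and group hits by origin.
Not code from the original thread; all indicators and inventory data are constructed."""
import hashlib
import os
import tempfile
from collections import Counter

# Placeholder indicator: the SHA-256 of a harmless constructed byte string.
# A real deployment would load vetted indicator hashes from a trusted source.
SAMPLE_MALICIOUS_CONTENT = b"constructed sample dropper bytes, not real malware"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_MALICIOUS_CONTENT).hexdigest()}


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large media images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_stick(mount_point):
    """Walk one mounted stick; return relative paths of files matching a known indicator."""
    hits = []
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            full = os.path.join(root, name)
            if sha256_file(full) in KNOWN_BAD_SHA256:
                hits.append(os.path.relpath(full, mount_point))
    return sorted(hits)


def trace_origin(inventory):
    """inventory: iterable of (serial, supplier, mount_point) tuples.
    Returns {supplier: (infected_count, checked_count)} for back-tracing."""
    checked = Counter()
    infected = Counter()
    for _serial, supplier, mount in inventory:
        checked[supplier] += 1
        if scan_stick(mount):
            infected[supplier] += 1
    return {s: (infected[s], checked[s]) for s in checked}


def likely_common_origin(report):
    """Supplier with the highest infection ratio, ties broken by absolute count."""
    return max(report, key=lambda s: (report[s][0] / report[s][1], report[s][0]))


def build_demo_inventory(base):
    """Constructed inventory: four sticks, two of them carrying the sample file.
    Serial numbers and supplier names are hypothetical."""
    specs = [
        ("SN-0001", "vendor-A", True),
        ("SN-0002", "vendor-A", True),
        ("SN-0003", "vendor-B", False),
        ("SN-0004", "vendor-A", False),
    ]
    inventory = []
    for serial, supplier, carries_sample in specs:
        mount = os.path.join(base, serial)
        os.makedirs(os.path.join(mount, "docs"), exist_ok=True)
        with open(os.path.join(mount, "docs", "readme.txt"), "wb") as f:
            f.write(b"benign document")
        if carries_sample:
            with open(os.path.join(mount, "sample.bin"), "wb") as f:
                f.write(SAMPLE_MALICIOUS_CONTENT)
        inventory.append((serial, supplier, mount))
    return inventory


def run_demo():
    """Build the constructed sticks in a temp directory, scan them, and report."""
    with tempfile.TemporaryDirectory() as base:
        inventory = build_demo_inventory(base)
        report = trace_origin(inventory)
        return report, likely_common_origin(report)


if __name__ == "__main__":
    report, origin = run_demo()
    for supplier, (bad, total) in sorted(report.items()):
        print(f"{supplier}: {bad} of {total} sticks matched an indicator")
    print("most likely common origin:", origin)
```

The per-supplier ratio is what makes the back-trace useful: a single hit says little, but a supplier whose sticks match far more often than the rest is where the legwork should go next. On real media the scan would also record file timestamps and the stick's hardware serial so that hits can be correlated with purchase and issue records.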

Paul,

Is there a reason that someone couldn't build a duplicate of the target SCADA, with fake inputs representing the actual controls and instrumentation that the actual SCADA is hooked in to, and fully test the worm on the duplicate SCADA?

I would have imagined that that was what people do when they build a new SCADA (wouldn't want to debug the code on a nuclear power plant while it was actually running...), so I would have imagined that there would even be a standard framework for setting up SCADA development test beds. But I don't really know anything about the subject, is there really nothing like that?

Not saying that the underlying information in the quoted article is wrong, but there are a lot of technical inaccuracies. That might just be an issue of translation from Technical to Everyday, but it might also indicate some fundamental misinformation (or disinformation).

Just two examples:

> Too large, too encrypted, too complex to
> be immediately understood, it employed
> amazing new tricks, like taking control
> of a computer system without the user
> taking any action or clicking any button
> other than inserting an infected memory
> stick.

I first encountered that "amazing new trick" in the wild in 1987, and I don't think it was new then. USB-key malware has been common since at least 2002.

> "Until a few days ago, people did not
> believe a directed attack like this was
> possible,"

That will come as a surprise to the industrial control systems dudes I work with; the possibility of a directed malware attack on an industrial DCS has been of great concern to everyone in the industry since the barriers between the corporate networks and the plant networks began being crossed around 1996, and has been discussed extensively on controls-guy message boards for the last 2-3 years. It was also discussed both in the industry and general press after the 2003 Northeast blackout (which was ultimately tied to poor tree trimming, not control systems, but which an inopportune software failure did make worse).

Cranky

> Is there a reason that someone couldn't
> build a duplicate of the target SCADA, with
> fake inputs representing the actual
> controls and instrumentation that the
> actual SCADA is hooked in to, and fully
> test the worm on the duplicate SCADA?

In theory not impossible, but (a) it would be an extremely expensive endeavor (b) obtaining that much hardware and licensed software (these systems are neither cheap nor sold in large quantities) would be difficult to conceal for very long in the industry without extreme Manhattan-project levels of security (c) control systems in working plants are constantly being modified, expanded, contracted, changed, optimized, etc; if you have that much knowledge of the target's systems why not just pay the guy who is stealing the plans for you to set a small explosive device in the computer room? [*]

Cranky

[*] That's the weak link in most super-cyber-espionage plots: it is always cheaper to just bribe the cleaning lady to steal the stuff for you.

Paul,

Is there a reason that someone couldn't build a duplicate of the target SCADA, with fake inputs representing the actual controls and instrumentation that the actual SCADA is hooked in to, and fully test the worm on the duplicate SCADA?

I have absolutely no clue :)

-- my take was based on the rather extravagant claims for the software, and my minimal experience literally years ago in writing and debugging even the simplest program.

Here's what I think:

I think the government tends to work the middle of the technological spectrum better than it does the edges. Defense is a decent example of this: by the time a system actually gets deployed, its technology is many years old. I recall seeing some press releases in the late 1990s about missile defense tests, talking up the technology. None of the technology in that missile was much less than a decade into its development cycle; some of it much older. Sure, some of the specific hardware was brand-new, but the technology wasn't.

I can't see the government contracting this kind of work out to a straight-up defense contractor; that's kind of a low-bid proposition. I also can't think that the CIA (for example) has enough high-caliber hackers to pull this off, although anything I say about the CIA should be viewed with Spock-canted eyebrows.

The alternative might be that this kind of work has been farmed out to a national laboratory like Sandia or LLNL, or that an analog of a national laboratory for developing cyber-weapons has been established in near-absolute secrecy. In any case, the need for secrecy would be very high, and the cartoon view of hackers is that they resist authority.

This is just a really long version of "I don't know either"; just throwing some ideas out there. It's probably horribly irresponsible of me to speculate, and I'm sure I'm as good as equipping Iran with nuclear-tipped precision-guided long-range missiles just by thinking about this kind of thing.

"Not saying that the underlying information in the quoted article is wrong...."

This would be one reason I provided links to several articles.

The amount of intelligence needed to specifically target a particular system must be staggering. I know a (very) little amount about automated control systems, and while there are a limited number of platforms on which automation controls run, I can't see how one should target a specific system in the way described unless you had a virtual replica of the system i.e. a true-to-life simulation. The complexity of sensor inputs, controls, etc, customized tolerances and user inputs would be extensive, plus many components (switches, motors, etc) have their own on board logic.
This isn't to say it couldn't be done, but whoever did this needed to know the target system pretty intimately.
If you had access to that kind of intelligence, wouldn't there be easier solutions?

I guess this is a long way of saying I agree with Cranky.

In theory not impossible, but (a) it would be an extremely expensive endeavor (b) obtaining that much hardware and licensed software

since it definitely targets a Siemens PLC, there's a good chance Siemens is involved in the analysis, and likely wouldn't charge for any of that since it's in their best interest to figure out how the worm operates (so as to prevent future infections)

maybe the worm is related to this... ?

Witness testimony from more than 120 former or retired military personnel points to an ongoing and alarming intervention by unidentified aerial objects at nuclear weapons sites, as recently as 2003. In some cases, several nuclear missiles simultaneously and inexplicably malfunctioned while a disc-shaped object silently hovered nearby. Six former U.S. Air Force officers and one former enlisted man will break their silence about these events at the National Press Club and urge the government to publicly confirm their reality.

I'm guessing there aren't all that many people who could afford the system in question for testing, but it's well within the means of the US government.

/obvious

I'm waiting for the globally televised demand for One....Million....Dollars.....

As I quoted Frank Rieger:

[...] It is clear that it has been a team effort, that a very well trained and financed team with lots of experience was needed, and that the resources needed to be allocated to buy or find the vulnerabilities and develop them into the kind of exceptional zero-days used in the exploit. This is a game for nation state-sized entities, only two handful of governments and maybe as many very large corporate entities could manage and sustain such an effort to the achievement level needed to build stuxnet.

It seems that Mr. Ralph Langner is doing a fair bit of self-promotion in this and is stoking the hype some.

I don't think that Langner's third claim (viz. "The attack combines an awful lot of skills ... This was assembled by a highly qualified team of experts") stands up particularly well.

It has been possible to buy 0-day exploit code for some time now. The reason why prior malware hasn't used 4 0-day exploits is because that's overkill. The simplest explanation for that aspect of Stuxnet is that the attacker spent a bit of money (hundreds to thousands of dollars) for exploit code and prioritized probability of success over cost.

Similarly, an attacker doesn't need great sophistication to get access to code-signing certificates. If the certificate's owner has weak internal controls, you could simply bribe (or extort) an employee to get it for you.

That does make this particular attack (and, by extension, the attacker) stand out, but it stands out not by its sophistication but by its complication and degree-of-overkill.

I like this abstract of a paper on Stuxnet:

...Stuxnet is one of the most complex, thought-out, and overdesigned malware discovered in the wild to date.

"Well within the means of the US government."

Or the Israeli government. And as described, this would be an ideal attack from their point of view: highly targeted, highly effective, yet deniable. I think the main barrier to entry is buying/obtaining copies of the industrial software involved, and setting up a test bed somewhere. That's expensive, no doubt, but I doubt it would break the IDF or Mossad bank. If you're highly motivated -- and whatever else one thinks of Goldberg's article, it showed the Israelis are -- you'll find several $million somewhere to pay for it.

People seem to be suggesting this is all hype; it really isn't. That is, I can't say that aspects might not be entirely hyped; the existence of the virus, and an awful lot of specific knowledge about it, though, is indisputable.

Interesting graph:

Some other good quotes.

This is a major story, and if you want a patented case of one you've read here that will be showing up any day now in the New York Times, this is it.

I will bet anyone a shiny nickel on this.

Additionally, the large size of the Stuxnet files (500kb and 25kb) points away from the normal virus-writing crowd.

Compare some of the files sizes listed here (e.g. 73728, 54482, 5554, 6038) and you'll see that a 500kb file is quite big by these standards.

And some more level-headed analysis of Stuxnet.

This posting, in particular, shows that it infected more systems in India and Indonesia than in Iran.

i'm impressed that nobody here has asked what a "zero-day" exploit is.

i had no idea the ObWi gang would be familiar with the arcana of haxxorz.

elm, both our links on the number of infections by country date from July. Clearly, more up to date figures would be more useful.

I haven't seen those figures yet; so far, all the quotes on that that I've read go back to July; if you run across more current figures, please let us know.
