No Post on the Stuxnet worm????

  • No Post on the Stuxnet worm????

    I thought it was the stuff of sci-fi.... But the story seems to have passed with very little interest from the WABbers.....
    "They want to test our feelings.They want to know whether Muslims are extremists or not. Death to them and their newspapers."

    Protester

  • #2
    I've read about it. It is a fascinating departure from the usual virus and so sophisticated that experts think it was developed by a government. Along the line speculation built up that it was targeted at Iran's nuclear facilities or could be used to throw a nuclear power plant into meltdown mode. That makes for good but irresponsible news copy, considering that nuclear power plant controls are not on-line. But still we know there is a virus out there waiting for a specific set of readings from a specific electronic controller in some plant or building somewhere in the world so it can do its thing.

    If you want to get more interest in the thread, try posting a media report on it, or get a description from Symantec.
    To be Truly ignorant, Man requires an Education - Plato



    • #3
      Originally posted by JAD_333
      I've read about it. It is a fascinating departure from the usual virus and so sophisticated that experts think it was developed by a government. Along the line speculation built up that it was targeted at Iran's nuclear facilities or could be used to throw a nuclear power plant into meltdown mode. That makes for good but irresponsible news copy, considering that nuclear power plant controls are not on-line. But still we know there is a virus out there waiting for a specific set of readings from a specific electronic controller in some plant or building somewhere in the world so it can do its thing.

      If you want to get more interest in the thread, try posting a media report on it, or get a description from Symantec.
      The Joys of posting from a phone.... Can't attach links............
      "They want to test our feelings.They want to know whether Muslims are extremists or not. Death to them and their newspapers."

      Protester



      • #4
        Maybe this composite of news coverage from a popular blog will help; a long list of reader comments follows it... click link to see them.

        DEADF007 - Is Stuxnet The Secret Weapon To Attack Iran's Nukes; Is A Virus About To Revolutionize Modern Warfare? | zero hedge

        Submitted by Tyler Durden on 09/23/2010 10:22 -0500

        One of the most interesting stories in the last few days, has little to do with finance and economics (at least right now), but arguably very much to do with geopolitics. A fascinating report which cites computer security experts claims that the recent uber-cryptic malware worm Stuxnet is nothing less than a weapon designed to infiltrate industrial systems, and based on attack patterns, the ultimate object of Stuxnet may be none other than Iran's Bushehr nuclear reactor, which could be targeted for destruction without absolutely any military intervention. Has modern warfare just become obsolete courtesy of a computer virus?

        From Yahoo:

        Cyber security experts say they have identified the world’s first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.

        The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose have grown. Some top cyber security experts now say Stuxnet’s arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.

        A brief history of Stuxnet:

        Stuxnet surfaced in June and, by July, was identified as a hypersophisticated piece of malware probably created by a team working for a nation state, say cyber security experts. Its name is derived from some of the filenames in the malware. It is the first malware known to target and infiltrate industrial supervisory control and data acquisition (SCADA) software used to run chemical plants and factories as well as electric power plants and transmission systems worldwide. That much the experts discovered right away.

        But what was the motive of the people who created it? Was Stuxnet intended to steal industrial secrets – pressure, temperature, valve, or other settings –and communicate that proprietary data over the Internet to cyber thieves?

        And it gets much more eerie:

        Since reverse engineering chunks of Stuxnet's massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.

        "Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world," says Langner, who last week became the first to publicly detail Stuxnet's destructive purpose and its authors' malicious intent. "This is not about espionage, as some have said. This is a 100 percent sabotage attack."

        Stuxnet is so sophisticated it may revolutionize the way modern warfare is fought entirely:

        Stuxnet's ability to autonomously and without human assistance discriminate among industrial computer systems is telling. It means, says Langner, that it is looking for one specific place and time to attack one specific factory or power plant in the entire world.

        "Stuxnet is the key for a very specific lock – in fact, there is only one lock in the world that it will open," Langner says in an interview. "The whole attack is not at all about stealing data but about manipulation of a specific industrial process at a specific moment in time. This is not generic. It is about destroying that process."

        The virus has already spread to the point where it is safe to say most critical SCADA infrastructure may already be infected.

        So far, Stuxnet has infected at least 45,000 industrial control systems around the world, without blowing them up – although some victims in North America have experienced some serious computer problems, Eric Byres, a Canadian expert, told the Monitor. Most of the victim computers, however, are in Iran, Pakistan, India, and Indonesia. Some systems have been hit in Germany, Canada, and the US, too. Once a system is infected, Stuxnet simply sits and waits – checking every five seconds to see if its exact parameters are met on the system. When they are, Stuxnet is programmed to activate a sequence that will cause the industrial process to self-destruct, Langner says.

        Has Stuxnet already hit its target? It might be too late for Stuxnet's target, Langner says. He suggests it has already been hit – and destroyed or heavily damaged. But Stuxnet reveals no overt clues within its code to what it is after.

        Will DEADF007 be the keyword that everyone will soon focus on?

        Langner's analysis also shows, step by step, what happens after Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner’s analysis shows.

        "After the original code [on the PLC] is no longer executed, we can expect that something will blow up soon," Langner writes in his analysis. "Something big."

        And the punchline - Iran's nuclear plant may have already been destroyed without anyone firing a shot anywhere:

        A geographical distribution of computers hit by Stuxnet, which Microsoft produced in July, found Iran to be the apparent epicenter of the Stuxnet infections. That suggests that any enemy of Iran with advanced cyber war capability might be involved, Langner says. The US is acknowledged to have that ability, and Israel is also reported to have a formidable offensive cyber-war-fighting capability.

        Could Stuxnet's target be Iran's Bushehr nuclear power plant, a facility much of the world condemns as a nuclear weapons threat?

        Langner is quick to note that his views on Stuxnet's target are speculation based on suggestive threads he has seen in the media. Still, he suspects that the Bushehr plant may already have been wrecked by Stuxnet. Bushehr's expected startup in late August has been delayed, he notes, for unknown reasons. (One Iranian official blamed the delay on hot weather.)

        There is much more to this story than merely creating page click inducing headlines. Computerworld itself is on the case:

        A highly sophisticated computer worm that has spread through Iran, Indonesia and India was built to destroy operations at one target: possibly Iran's Bushehr nuclear reactor.

        That's the emerging consensus of security experts who have examined the Stuxnet worm. In recent weeks, they have broken the cryptographic code behind the software and taken a look at how the worm operates in test environments. Researchers studying the worm all agree that Stuxnet was built by a very sophisticated and capable attacker -- possibly a nation-state -- and it was designed to destroy something big.

        Though it was first developed more than a year ago, Stuxnet was discovered in July 2010, when a Belarus-based security company found the worm on computers belonging to an Iranian client. Since then it has been the subject of ongoing study by security researchers, who say they have never seen anything like it before. Now, after months of private speculation, some of the researchers who know Stuxnet best say that it may have been built to sabotage Iran's nukes.

        And ever more experts are chiming in:

        Last week Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran's Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm's attack.

        Experts had first thought that Stuxnet was written to steal industrial secrets -- factory formulas that could be used to build counterfeit products. But Langner found something quite different. The worm actually looks for very specific Siemens settings -- a kind of fingerprint that tells it that it has been installed on a very specific programmable logic controller (PLC) device -- and then it injects its own code into that system.

        Because of the complexity of the attack, the target "must be of extremely high value to the attacker," Langner wrote in his analysis.

        The evidence supporting that the attack is truly focusing on Iran is moving beyond the merely circumstantial:

        This specific target may well have been Iran's Bushehr reactor, now under construction, Langner said in a blog post. Bushehr reportedly experienced delays last year, several months after Stuxnet is thought to have been created, and, according to screenshots of the plant posted by UPI, it uses the Windows-based Siemens PLC software targeted by Stuxnet.

        Another article by Computerworld discusses the lack of patching of a bug which Windows promised had been fixed, yet which allowed the entry of the virus into attacked systems. One wonders why Windows may have misrepresented this weakness...

        Microsoft confirmed Wednesday that it overlooked the vulnerability when it was revealed last year.

        The vulnerability in Windows Print Spooler service was one of four exploited by Stuxnet, a worm that some have suggested was crafted to sabotage an Iranian nuclear reactor.

        Last week, researchers at both Kaspersky Lab and Symantec, the firms that had reported the bug to Microsoft in July and August, respectively, said the print spooler vulnerability had not been publicly disclosed before they found Stuxnet was using the flaw.

        Yesterday Microsoft this omission:

        "Microsoft is aware of claims that the print spooler vulnerability in MS10-061 was partially discussed in a publication in April 2009," said company spokesman Dave Forstrom in an e-mail Wednesday. "These claims are accurate. Microsoft was not directly made aware of this vulnerability nor its publication at the time of release."

        And for the paranoid, there are at least two other unpatched bugs which allow Stuxnet to enter any system it desires:

        The security firms also notified Microsoft of two other unpatched bugs that the Stuxnet worm exploited. Those flaws, which can be used by attackers to upgrade access privileges on compromised PCs to administrator status, will be patched in a future update, Microsoft said last week. It has not set a timetable for the fixes, however.

        Little information is available about the two lesser vulnerabilities. Danish bug tracker Secunia, for example, has posted only bare-bones advisories, noting that one affects Windows XP while the other affects Vista and Windows Server 2008 machines.

        In other words, the entire world could very well be open to attacks by the most sophisticated targeted virus ever created, whose sole purpose may be the eradication of targets which previously involved the involvement of armed combat.

        Is the face of warfare about to change forever?
        To be Truly ignorant, Man requires an Education - Plato



        • #5
          One reason I passed on starting a thread on this subject is all the hyperventilating going on...

          For example, the Windows vulnerabilities mentioned-----are they significant in helping this worm gain entry?

          Here's an exchange that makes one wonder how nasty this thing really is..or at least what the truth is...

          by (name removed)
          on Thu, 09/23/2010 - 23:17
          #601592

          Anyone using WindBloze OS for industrial control processes, deserves to go up in smoke! Linux (and BSD!) rulez!



          by A [name removed]
          on Sat, 09/25/2010 - 19:35
          #604819

          Nonsense. First of all, PEBKAC is the biggest security vulnerability. I am no fan of Windoze, or Mc iPhail, but all operating systems have vulnerabilities. Changing platforms is merely obfuscation, which only buys time. Then there is the matter of the average dipshit user being able to actually use the ****ing thing without needing to be an engineer to complete their mundane make-work in the average word processor.

          I have hardened a Windoze XP, SP 1 based PLC and the network such that Stuxnet has no available infection vectors. None of these task based machines need a ****ing print spooler, server/workstation services, USB ports, or goddam autoplay bullshit. It comes down to turning off that which you don't need (key difference between Windoze and IX distros), securing the network infrastructure, and the threat of termination of employment for people who **** it up (good luck with this in unionized utilities).
          And this:

          by [name removed]
          on Thu, 09/23/2010 - 13:22
          #600458

          In case everyone has forgotten or for those that don't read, during the late 50's and into early 60's there was something going on called the "Cold War". The Russian Migs would occasionally turn on their afterburners and make a supersonic dash toward the Alaskan US boundary line only to turn at the last second recording data on electronic responses. Curtis LeMay's Strategic Air Command (allegedly) had 1/3 of the flyable long range bombers in the air at all times. Of those, 1/3 were (allegedly) loaded with nuclear weapons. A book, "Blind Man's Bluff" was written about the submariners cold war that was going on at the same time.

          The USA operated up to 4 nuclear reactors at a place called "The Savannah River Plant". The controllers for everything were hardwired, set and monitored by staff. It was labor intensive but there were no "computers" that were not part of the hardwired system.

          The research group had computers with tubes that were coded for calculation using bits and bytes.

          No doubt controls were "upgraded" through the years. But Savannah River probably produced enough plutonium and tritium to last all the decades since.

          The Iranian technical people that I have had interface with through the decades were very bright, just as smart as the Americans. IMO, they would be able to eventually do as well as we did during the early years.

          IMO, as applies to being effective in disabling Iranian fissionable materials production, this virus thing is science fiction.

          And, EMP is different. That is comparing apples to hand grenades.


          by [name removed]
          on Thu, 09/23/2010 - 14:23
          #600636

          Agreed, do you think that after going through the QA review and safety evaluation process required to even get software into a nuclear plant, let alone going operational, you'd attach the system to the "internet"? In the end analysis, most actionable impulses in a power plant, including newclear plants (:, boil down to contact points, relays, and/or other mechanical control schemes. Most computer control systems are supervisory or if they do lead, contain a fail safe criteria with another computer supervising. Imagine what would happen if you lost control power at a nuc. or the grid goes down isolating the plant from the rest of the world? This does happen. For this reason, most US plants have designed in safety criteria for just this type of problem. Thus the need for the fail safe modes close, open, or stay in place. Besides, a good reactor operator and engineer, provided with current schematics, could shut most plants down with jumpers and blocks. With regards to a turbine shaft over spinning, the admission valve to the steam chest is controlled by a dead man switch based on centrifugal force. And lastly, regardless of all the hype the public has heard, Nuclear Power Plants Can Not Explode Like A Nuclear Bomb! Period.
          I'll let the experts on the WAB pick it up from here...
          Last edited by JAD_333; 29 Sep 10,, 04:18.
          To be Truly ignorant, Man requires an Education - Plato
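
The hardening list from the comment quoted in post #5 (print spooler, server/workstation services, USB ports, autoplay), written as a read-only PowerShell audit. This is an added example, not part of the thread; the service names, registry paths, the use of the USB mass-storage driver as a stand-in for "USB ports", and PowerShell 3.0 or later are assumptions of the example.

```powershell
# Added example (not from the thread): read-only audit of the items the quoted
# comment says a task-based control PC does not need. Nothing is modified.
# Registry paths and service names below are this example's assumptions.

# Meaning of the "Start" DWORD under HKLM:\SYSTEM\CurrentControlSet\Services\<name>.
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-StartDisabled {
    param([string]$ServiceName, [string]$Label)
    $start = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName" 'Start'
    if ($null -eq $start) {
        # An absent key is flagged for review rather than assumed safe.
        $observed = 'key absent'; $ok = $false
    } else {
        $observed = $StartNames[[int]$start]
        $ok = ([int]$start -eq 4)
    }
    [pscustomobject]@{ Check = $Label; Observed = $observed; Hardened = $ok }
}

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type.
    # Only the machine-wide (HKLM) policy is read; per-user policy is not checked.
    $path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = Get-RegValue $path 'NoDriveTypeAutoRun'
    if ($null -eq $value) {
        $observed = 'not set (OS default applies)'; $ok = $false
    } else {
        $observed = '0x{0:X2}' -f [int]$value
        $ok = ([int]$value -eq 0xFF)
    }
    [pscustomobject]@{ Check = 'AutoRun / autoplay'; Observed = $observed; Hardened = $ok }
}

# One row per item in the comment's list.
$results = @(
    Test-StartDisabled 'Spooler'           'Print Spooler service'
    Test-StartDisabled 'LanmanServer'      'Server service'
    Test-StartDisabled 'LanmanWorkstation' 'Workstation service'
    Test-StartDisabled 'USBSTOR'           'USB mass-storage driver'
    Test-AutoRunDisabled
)

$results | Format-Table -AutoSize

# Summary line: how many items are not in the hardened state.
$open = @($results | Where-Object { -not $_.Hardened }).Count
'{0} of {1} checks are not in the hardened state' -f $open, $results.Count
```
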



          • #6
            Hmm theoretically saying, one might say the accident at Chernobyl was indeed an explosion. Not a nuclear or atomic explosion, but the pressure that built on the reactor was enough to blow the roof to pieces and cause meltdown.

            This is a quote from the Chernobyl site. They still don't know how many people it has affected to date or the future.


            On April 26, the city's anonymity vanished forever when, during a test at 1:21 A.M., the No. 4 reactor exploded and released thirty to forty times the radioactivity of the atomic bombs dropped on Hiroshima and Nagasaki. The world first learned of history's worst nuclear accident from Sweden, where abnormal radiation levels were registered at one of its nuclear facilities.

            Source: The Chernobyl Nuclear Disaster
            Fortitude.....The strength to persist...The courage to endure.



            • #7
              That will teach those Iranians not to use pirated copies of windows.:-)..........
              "They want to test our feelings.They want to know whether Muslims are extremists or not. Death to them and their newspapers."

              Protester



              • #8
                A question. If this is discovered as done by a nation state, can it be considered as a declaration of war?
                "They want to test our feelings.They want to know whether Muslims are extremists or not. Death to them and their newspapers."

                Protester



                • #9
                  Probably not, otherwise we Americans would have started bombing China and Russia a long time ago, and vice versa.



                  • #10
                    Originally posted by MIKEMUN
                    A question. If this is discovered as done by a nation state, can it be considered as a declaration of war?

                    Yes, if the nation really wants a war any excuse will do.



                    • #11
                      Bets on Israel anyone?



                      • #12
                        Originally posted by MIKEMUN
                        A question. If this is discovered as done by a nation state, can it be considered as a declaration of war?
                        Well, nation-states do it via proxies, so it is impossible to lay the blame directly on the nation, i.e. with China, they fund literally armies of hackers to target American corporations and interests, IPs are traced back to China, but really there's no more one can do.
                        "Who says organization, says oligarchy"



                        • #13
                          The larger question is whether net security is even possible. The simple answer to this, at present, is no. Until we develop quantum coding, basically we can only build secure computer environments by essentially creating a separate net not linked to the rest of the world. This however requires all the software being remodeled etc etc... and is practicable only on specific projects (genome data etc). I forget who said it but vaguely recall some advice how to stay safe on the net; "if you've got a computer don't turn it on. If you do turn it on, don't go online".



                          • #14
                            MIKEMUN, et al,

                            What are we supposed to say?
                            Originally posted by MIKEMUN
                            I thought it was the stuff of sci-fi.... But the story seems to have passed with very little interest from the WABbers.....
                            (COMMENT)

                            Conspiracy theories abound. Everyone thinks it is one government or the other. It's a prelude to an attack. It has mythic characteristics like the millennium crash.

                            There is so much speculation and so little information that there are no reliable data points to assess; no performance parameters to understand its nature and vulnerabilities.

                            Anything that affects both PLCs and PCs is not the same as saying it is targeting a specific kind of code, or writing its own subroutines. It doesn't tell us whether it establishes an external communications tunnel, or if it replicates the control systems and hijacks it. And we don't know what the meaning is for "myrtus."

                            Most Respectfully,
                            R



                            • #15
                              Originally posted by snapper
                              Bets on Israel anyone?
                              I was thinking the Russians: they have more motive, more means and more opportunity.
                              Pharaoh was pimp but now he is dead. What are you going to do today?
