Stuxnet worm 'targeted high-value Iranian assets'

Re: Stuxnet worm 'targeted high-value Iranian assets'

Postby Ben D » Fri Oct 01, 2010 3:16 am

crikkett wrote:
barracuda wrote:I'm not saying you aren't correct to be suspicious, Ben, but the Siemens componentry for industrial SCADA instrumentation and control systems isn't usually integrated into a proprietary workstation. It's usually found working with a Dell box running Windows. I found this vague notice on their website:


Updates on computer virus alert for certain Windows operating systems

Unprotected Windows components in control systems SPPA-T3000 and SPPA-T2000 can potentially become infected. So far, intensive investigations and analysis that we have carried out show no indication that the malware has a negative impact on the SPPA-T3000 and SPPA-T2000 control systems.

For more detailed information about SPPA-T3000 and SPPA-T2000 control systems please contact Maggie Yu. Email: maggie.yu@siemens.com

Phone: 678-256-1603

Information about this topic in combination with PCS7/WinCC can be found at the following internet site:

SIMATIC WinCC/SIMATIC PCS7: Information concerning Malware/Virus/Trojan


And this is the page on the SPPA-T3000, which seems to be running on Windows.

Every municipal SCADA system I've come into contact with has used off the shelf boxes, at least for control display.


This may explain why Microsoft is reporting the number of infected machines worldwide. I was curious about that.


Gets curiouser, the experts say that while it infiltrates wherever it can, it was designed to identify and attack just one plant on the planet.

This week, Mr. Langner became the first person to detail Stuxnet's peculiar attack features. He explained, for example, how Stuxnet "fingerprints" each industrial network it infiltrates to determine if it has identified the right system to destroy. Stuxnet was developed to attack just one target in the world, Langner says and other experts confirm.

http://news.yahoo.com/s/csm/20100924/ts_csm/328049_1

Re: Stuxnet worm 'targeted high-value Iranian assets'

Postby MinM » Fri Oct 01, 2010 7:28 am

Does a biblical clue in a computer worm point to Israel as the cause of Iran's nuclear program's problems?

September 29, 2010
In a Computer Worm, a Possible Biblical Clue
By JOHN MARKOFF and DAVID E. SANGER


Deep inside the computer worm that some specialists suspect is aimed at slowing Iran’s race for a nuclear weapon lies what could be a fleeting reference to the Book of Esther, the Old Testament tale in which the Jews pre-empt a Persian plot to destroy them.

That use of the word “Myrtus” — which can be read as an allusion to Esther — to name a file inside the code is one of several murky clues that have emerged as computer experts try to trace the origin and purpose of the rogue Stuxnet program, which seeks out a specific kind of command module for industrial equipment.

Not surprisingly, the Israelis are not saying whether Stuxnet has any connection to the secretive cyberwar unit it has built inside Israel’s intelligence service. Nor is the Obama administration, which while talking about cyberdefenses has also rapidly ramped up a broad covert program, inherited from the Bush administration, to undermine Iran’s nuclear program. In interviews in several countries, experts in both cyberwar and nuclear enrichment technology say the Stuxnet mystery may never be solved.

There are many competing explanations for myrtus, which could simply signify myrtle, a plant important to many cultures in the region. But some security experts see the reference as a signature allusion to Esther, a clear warning in a mounting technological and psychological battle as Israel and its allies try to breach Tehran’s most heavily guarded project. Others doubt the Israelis were involved and say the word could have been inserted as deliberate misinformation, to implicate Israel.

“The Iranians are already paranoid about the fact that some of their scientists have defected and several of their secret nuclear sites have been revealed,” one former intelligence official who still works on Iran issues said recently. “Whatever the origin and purpose of Stuxnet, it ramps up the psychological pressure.”

So a calling card in the code could be part of a mind game, or sloppiness or whimsy from the coders.

The malicious code has appeared in many countries, notably China, India, Indonesia and Iran. But there are tantalizing hints that Iran’s nuclear program was the primary target. Officials in both the United States and Israel have made no secret of the fact that undermining the computer systems that control Iran’s huge enrichment plant at Natanz is a high priority. (The Iranians know it, too: They have never let international inspectors into the control room of the plant, the inspectors report, presumably to keep secret what kind of equipment they are using.)

The fact that Stuxnet appears designed to attack a certain type of Siemens industrial control computer, used widely to manage oil pipelines, electrical power grids and many kinds of nuclear plants, may be telling. Just last year officials in Dubai seized a large shipment of those controllers — known as the Simatic S-7 — after Western intelligence agencies warned that the shipment was bound for Iran and would likely be used in its nuclear program.

“What we were told by many sources,” said Olli Heinonen, who retired last month as the head of inspections at the International Atomic Energy Agency in Vienna, “was that the Iranian nuclear program was acquiring this kind of equipment.”

Also, starting in the summer of 2009, the Iranians began having tremendous difficulty running their centrifuges, the tall, silvery machines that spin at supersonic speed to enrich uranium — and which can explode spectacularly if they become unstable. In New York last week, Iran’s president, Mahmoud Ahmadinejad, shrugged off suggestions that the country was having trouble keeping its enrichment plants going.

Yet something — perhaps the worm or some other form of sabotage, bad parts or a dearth of skilled technicians — is indeed slowing Iran’s advance.

The reports on Iran show a fairly steady drop in the number of centrifuges used to enrich uranium at the main Natanz plant. After reaching a peak of 4,920 machines in May 2009, the numbers declined to 3,772 centrifuges this past August, the most recent reporting period. That is a decline of 23 percent. (At the same time, production of low-enriched uranium has remained fairly constant, indicating the Iranians have learned how to make better use of fewer working machines.)

Computer experts say the first versions of the worm appeared as early as 2009 and that the sophisticated version contained an internal time stamp from January of this year.

These events add up to a mass of suspicions, not proof. Moreover, the difficulty experts have had in figuring out the origin of Stuxnet points to both the appeal and the danger of computer attacks in a new age of cyberwar.

For intelligence agencies they are an almost irresistible weapon, free of fingerprints. Israel has poured huge resources into Unit 8200, its secretive cyberwar operation, and the United States has built its capacity inside the National Security Agency and inside the military, which just opened a Cyber Command.

But the near impossibility of figuring out where they came from makes deterrence a huge problem — and explains why many have warned against the use of cyberweapons. No country, President Obama was warned even before he took office, is more vulnerable to cyberattack than the United States.

For now, it is hard to determine if the worm has infected centrifuge controllers at Natanz. While the S-7 industrial controller is used widely in Iran, and many other countries, even Siemens says it does not know where it is being used. Alexander Machowetz, a spokesman in Germany for Siemens, said the company did no business with Iran’s nuclear program. “It could be that there is equipment,” he said in a telephone interview. “But we never delivered it to Natanz.”

But Siemens industrial controllers are unregulated commodities that are sold and resold all over the world — the controllers intercepted in Dubai traveled through China, according to officials familiar with the seizure.

Ralph Langner, a German computer security consultant who was the first independent expert to assert that the malware had been “weaponized” and designed to attack the Iranian centrifuge array, argues that the Stuxnet worm could have been brought into the Iranian nuclear complex by Russian contractors.

“It would be an absolute no-brainer to leave an infected USB stick near one of these guys,” he said, “and there would be more than a 50 percent chance of having him pick it up and infect his computer.”

There are many reasons to suspect Israel’s involvement in Stuxnet. Intelligence is the single largest section of its military and the unit devoted to signal, electronic and computer network intelligence, known as Unit 8200, is the largest group within intelligence.

Yossi Melman, who covers intelligence for the newspaper Haaretz and is at work on a book about Israeli intelligence over the past decade, said in a telephone interview that he suspected that Israel was involved.

He noted that Meir Dagan, head of Mossad, had his term extended last year partly because he was said to be involved in important projects. He added that in the past year Israeli estimates of when Iran will have a nuclear weapon had been extended to 2014.

“They seem to know something, that they have more time than originally thought,” he said.

Then there is the allusion to myrtus — which may be telling, or may be a red herring.

Several of the teams of computer security researchers who have been dissecting the software found a text string that suggests that the attackers named their project Myrtus. The guava fruit is part of the Myrtus family, and one of the code modules is identified as Guava.

It was Mr. Langner who first noted that Myrtus is an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively.

“If you read the Bible you can make a guess,” said Mr. Langner, in a telephone interview from Germany on Wednesday.

Carol Newsom, an Old Testament scholar at Emory University, confirmed the linguistic connection between the plant family and the Old Testament figure, noting that Queen Esther’s original name in Hebrew was Hadassah, which is similar to the Hebrew word for myrtle. Perhaps, she said, “someone was making a learned cross-linguistic wordplay.”

But other Israeli experts said they doubted Israel’s involvement. Shai Blitzblau, the technical director and head of the computer warfare laboratory at Maglan, an Israeli company specializing in information security, said he was “convinced that Israel had nothing to do with Stuxnet.”

“We did a complete simulation of it and we sliced the code to its deepest level,” he said. “We have studied its protocols and functionality. Our two main suspects for this are high-level industrial espionage against Siemens and a kind of academic experiment.”

Mr. Blitzblau noted that the worm hit India, Indonesia and Russia before it hit Iran, though the worm has been found disproportionately in Iranian computers. He also noted that the Stuxnet worm has no code that reports back the results of the infection it creates. Presumably, a good intelligence agency would like to trace its work.

Ethan Bronner contributed reporting from Israel, and William J. Broad from New York.

http://www.nytimes.com/2010/09/30/world ... l?_r=1&hpw

Last edited by MinM on Fri Oct 01, 2010 7:46 am, edited 1 time in total.

Re: Stuxnet worm 'targeted high-value Iranian assets'

Postby Canadian_watcher » Fri Oct 01, 2010 7:46 am

I don't know..
I worked at a 'highly secure' facility and they were very careful and particular about separating the facility controls .. ie the computers that controlled the heating systems, etc from the regular business network. They were not in any way remotely the same systems.
I don't know that USB ports are even a part of that type of system, but really, why would they be?
Not to mention, of course, that outside USB sticks are not allowed into most facilities.. not that it doesn't happen, obviously, but it's so unlikely.
In addition to the programming skills you'd really need a man on the inside. Maybe you all already assume this, but I didn't see it mentioned.

sounds to me like false flag type bull right on the heels of the Cyber Warfare General's appointment.

Re: Stuxnet worm 'targeted high-value Iranian assets'

Postby Penguin » Tue Nov 16, 2010 6:23 am

Today on Slashdot, a story claiming that Stuxnet specifically targeted nuclear enrichment centrifuges:
http://it.slashdot.org/story/10/11/16/0 ... Enrichment

"Wired is reporting that the Stuxnet worm was apparently designed to subtly interfere with uranium enrichment by periodically speeding or slowing specific frequency converter drives spinning between 807Hz and 1210Hz. The goal was not to cause a major malfunction (which would be quickly noticed), but rather to degrade the quality of the enriched uranium to the point where much of it wouldn't be useful in atomic weapons. Statistics from 2009 show that the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 at around the time the worm was spreading in Iran."

“It indicates that [Stuxnet's creators] wanted to get on the system and not be discovered and stay there for a long time and change the process subtly, but not break it,” says Liam O Murchu, researcher with Symantec Security Response, which published the new information in an updated paper (.pdf) on Friday.

The Stuxnet worm was discovered in June in Iran, and has infected more than 100,000 computer systems worldwide. At first blush it appeared to be a standard, if unusually sophisticated, Windows virus designed to steal data, but experts quickly determined it contained targeted code designed to attack Siemens Simatic WinCC SCADA systems. SCADA systems, short for “supervisory control and data acquisition,” are control systems that manage pipelines, nuclear plants, and various utility and manufacturing equipment.

Researchers determined that Stuxnet was designed to intercept commands sent from the SCADA system to control a certain function at a facility, but until Symantec’s latest research it was not known what function was being targeted for sabotage. Symantec still has not determined what specific facility or type of facility Stuxnet targeted, but the new information lends weight to speculation that Stuxnet was targeting the Bushehr or Natanz nuclear facilities in Iran as a means to sabotage Iran’s nascent nuclear program.


Even more specifically, Stuxnet targets only frequency drives from these two companies that are running at high speeds – between 807Hz and 1210Hz. Such high speeds are used only for select applications. Symantec is careful not to say definitively that Stuxnet was targeting a nuclear facility, but notes that “frequency converter drives that output over 600Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”

“There’s only a limited number of circumstances where you would want something to spin that quickly – such as in uranium enrichment,” said O Murchu. “I imagine there are not too many countries outside of Iran that are using an Iranian device. I can’t imagine any facility in the U.S. using an Iranian device,” he added.

The malware appears to have begun infecting systems in January 2009. In July of that year, the secret-spilling site WikiLeaks posted an announcement saying that an anonymous source had disclosed that a “serious” nuclear incident had recently occurred at Natanz. Information published by the Federation of American Scientists in the United States indicates that something may indeed have occurred to Iran’s nuclear program. Statistics from 2009 show that the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 beginning around the time the nuclear incident WikiLeaks mentioned would have occurred.

Researchers who have spent months reverse-engineering the Stuxnet code say its level of sophistication suggests that a well-resourced nation-state is behind the attack. It was initially speculated that Stuxnet could cause a real-world explosion at a plant, but Symantec’s latest report makes it appear that the code was designed for subtle sabotage. Additionally, the worm’s pinpoint targeting indicates the malware writers had a specific facility or facilities in mind for their attack, and have extensive knowledge of the system they were targeting.

The worm was publicly exposed after VirusBlokAda, an obscure Belarusian security company, found it on computers belonging to a customer in Iran — the country where the majority of the infections occurred.

German researcher Ralph Langner was the first to suggest that the Bushehr nuclear power plant in Iran was the Stuxnet target. Frank Rieger, chief technology officer at Berlin security firm GSMK, believes it’s more likely that the target in Iran was a nuclear facility in Natanz. The Bushehr reactor is designed to develop non-weapons-grade atomic energy, while the Natanz facility, a centrifuge plant, is designed to enrich uranium and presents a greater risk for producing nuclear weapons.


Original story at http://www.wired.com/threatlevel/2010/11/stuxnet-clues/
http://www.wired.com/images_blogs/threa ... ossier.pdf

Hmm.
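Added example, not part of the thread or of the quoted Wired article: a defender-side check for the behaviour described above, comparing the frequency the control system commanded with the frequency an independent sensor measured, for drives in the 807–1210 Hz band. The drive names, the tolerance, the sample readings and the existence of an independent measurement feed are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Band quoted in the thread (Wired/Symantec): drives running at 807-1210 Hz.
BAND_LOW_HZ = 807.0
BAND_HIGH_HZ = 1210.0


@dataclass
class Sample:
    t: int               # seconds since start of capture
    drive: str           # hypothetical drive identifier
    commanded_hz: float  # setpoint as recorded by the control system
    measured_hz: float   # output as measured by an independent sensor (assumed)


@dataclass
class Episode:
    drive: str
    start: int
    end: int
    peak_deviation_hz: float


def in_high_speed_band(hz):
    return BAND_LOW_HZ <= hz <= BAND_HIGH_HZ


def find_episodes(samples, tolerance_hz=5.0, max_gap_s=60):
    """Group out-of-tolerance readings into per-drive excursion episodes.

    A reading is out of tolerance when the measured output differs from the
    commanded setpoint by more than tolerance_hz. Readings on the same drive
    no more than max_gap_s apart are merged into one episode, so a short
    excursion is reported once with its start, end and peak deviation.
    """
    episodes = []
    latest = {}  # drive -> most recent episode for that drive
    for s in sorted(samples, key=lambda s: (s.drive, s.t)):
        if not in_high_speed_band(s.commanded_hz):
            continue  # only the high-speed band discussed in the article
        deviation = abs(s.measured_hz - s.commanded_hz)
        if deviation <= tolerance_hz:
            continue
        ep = latest.get(s.drive)
        if ep is not None and s.t - ep.end <= max_gap_s:
            ep.end = s.t
            ep.peak_deviation_hz = max(ep.peak_deviation_hz, deviation)
        else:
            ep = Episode(s.drive, s.t, s.t, deviation)
            latest[s.drive] = ep
            episodes.append(ep)
    return episodes


def recurring_drives(episodes, min_count=2):
    """Drives with repeated excursions: brief, periodic changes are the
    pattern the article describes, and a single threshold alarm misses it."""
    counts = {}
    for ep in episodes:
        counts[ep.drive] = counts.get(ep.drive, 0) + 1
    return sorted(d for d, n in counts.items() if n >= min_count)


def build_constructed_samples():
    """Constructed telemetry, one reading per drive every 30 seconds."""
    samples = []
    for t in range(0, 1200, 30):
        measured_a = 1000.5
        if 300 <= t <= 330:
            measured_a = 1100.0   # constructed excursion above setpoint
        elif 900 <= t <= 930:
            measured_a = 900.0    # constructed excursion below setpoint
        samples.append(Sample(t, "drive-A", 1000.0, measured_a))
        samples.append(Sample(t, "drive-B", 50.0, 75.0))    # outside the band
        samples.append(Sample(t, "drive-C", 900.0, 901.0))  # within tolerance
    return samples


if __name__ == "__main__":
    found = find_episodes(build_constructed_samples())
    for ep in found:
        print(f"{ep.drive}: t={ep.start}-{ep.end}s, "
              f"peak deviation {ep.peak_deviation_hz:.1f} Hz")
    print("recurring:", recurring_drives(found))
```

The comparison only helps if the measured value reaches the monitor by a path that does not pass through the controller or workstation being checked.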

Re: Stuxnet worm 'targeted high-value Iranian assets'

Postby Luther Blissett » Tue Nov 16, 2010 11:49 am

An American intelligence asset or just some random self-perceived hero or group making a judgment call?
It seems very sophisticated, more so than the intelligence community would lead me to believe they have the capability for.

Re: Stuxnet worm 'targeted high-value Iranian assets'

Postby MinM » Mon Nov 29, 2010 4:40 pm

Iran Bomb Blast Kills Nuclear Scientist Majid Shahriari In Tehran
TEHRAN, Iran — Assailants on motorcycles attached magnetized bombs to the cars of two nuclear scientists in Tehran on Monday, killing one and wounding another who is on a U.N. sanctions list for suspect activity. The president accused Israel and the West of being behind the attacks.

The wounded scientist, Fereidoun Abbasi, is specified by a 2007 U.N. resolution for sanctions because of suspected links to secret nuclear activities, describing him as a Defense Ministry scientist. Iranian media said he was a member of Iran's Revolutionary Guard, the country's strongest military force.

The other scientist, who died in the attack and does not appear in any U.N. resolutions, was involved in a major project with Iran's nuclear agency, said the agency's chief, Ali Akbar Salehi, though he did not give specifics.

Iranian officials said they suspected the assassination was part of a covert campaign aimed at damaging the country's nuclear program, which the United States and its allies say is intended to build a weapon – a claim Tehran denies. At least two other Iranian nuclear scientists have been killed in recent years, one of them in an attack similar to Monday's.

"Undoubtedly, the hand of the Zionist regime and Western governments is involved in the assassination," President Mahmoud Ahmadinejad told a press conference. He said the attack would not hamper the nuclear program.

Asked about the Iranian accusations, Israeli government spokesman Mark Regev said Israel did not comment on such matters. Washington has strongly denied any link to previous attacks.

The two separate attacks, as described by Iranian officials, appeared sophisticated.

In each case, assailants on motorcycles approached the cars as they were moving through Tehran and attached magnetized bombs to the vehicles, Tehran police chief Hossein Sajednia said. The bombs exploded seconds later, he said, according to the state news agency IRNA.

He said no one has been arrested in connection with the attack and no one has so far claimed responsibility.

The bombings both took place in the morning, but there were conflicting reports on what time each took place. The bombs went off in two separate locations, in north and northeast Tehran, that lie about a 15-minute drive apart without traffic.

The slain scientist, Majid Shahriari, was a member of the nuclear engineering faculty at Shahid Beheshti University in Tehran. His wife, who was in the car with him, was wounded.

Shahriari cooperated with the Atomic Energy Organization of Iran, said Salehi, a vice president who heads the organization. "He was involved in one of the big AEOI projects, which is a source of pride for the Iranian nation," Salehi said, according to IRNA, without giving any details on the project. Salehi also said the killed scientist was one of his own students.

"They (Iran's enemies) are mistaken if they think they can shake us," Salehi said, weeping, as he spoke later on state TV.

The AEOI is in charge of Iran's nuclear activities, including its uranium enrichment program, which the United Nations has demanded be halted.

The other attack targeted Abbasi, who was wounded along with his wife.

Abbasi is on a sanctions list under U.N. Security Council resolution 1747, passed in 2007, which described him as a Defense Ministry scientist with links to the Institute of Applied Physics, working closely with Mohsen Fakhrizadeh, a scientist believed to be heading secret nuclear projects.

A pro-government website, mashreghnews.ir, said Abbasi holds a Ph.D. in nuclear physics and is a Revolutionary Guard member. It said he was also a lecturer at Imam Hossein University, affiliated to the Guard. The United States accuses the Guard of having a role in Iran's nuclear program.

The site said Abbasi was a laser expert at Iran's Defense Ministry and one of few top Iranian specialists in nuclear isotope separation.

Isotope separation – meaning the isolating of a specific isotope of an element – is a process needed for a range of purposes, from producing enriched uranium fuel for a reactor, to manufacturing medical isotopes to producing a bomb.

Iran says its nuclear program is intended entirely for peaceful purposes, including producing electricity. The U.N. has demanded a halt to uranium enrichment because it can be used to produce reactor fuel or a bomb, but Tehran insists it has a right to pursue the technology.

Iran has continued to portray its nuclear program as being under constant pressure from the West and its allies. These include alleged abductions of nuclear officials and, more recently, a computer worm known as Stuxnet that experts say was calibrated to destroy uranium-enrichment centrifuges by sending them spinning out of control. Iran says its experts stopped Stuxnet from affecting systems at its nuclear facilities.

Monday's attacks bore close similarities to another in January that killed Tehran University professor Masoud Ali Mohammadi, a senior physics professor. He was killed when a bomb-rigged motorcycle exploded near his car as he was about to leave for work.

There are several active armed groups that oppose Iran's ruling clerics, but it's unclear whether they could have carried out the apparently coordinated bombings in the capital. Most anti-government violence in recent years has been isolated to Iran's provinces such as the border with Pakistan where Sunni rebels are active and the western mountains near Iraq where Kurdish separatists operate.

In 2007, state TV reported that a nuclear scientist, Ardeshir Hosseinpour, died from gas poisoning. A one-week delay in the reporting of his death prompted speculation about the cause, including that Israel's Mossad spy agency was to blame.

The latest attacks come a day after the release of internal State Department memos by the whistle-blower website WikiLeaks, including several that vividly detail Arab fears over Iran's nuclear program and its growing political ambitions in the region. In some memos, U.S. diplomats say Arab leaders advocated a U.S.-led attack on Iranian nuclear facilities.

Ahmadinejad dismissed the leaks as "mischief" aimed at damaging Tehran's ties with the Arab world.

nytimes: Israel Tests on Worm Crucial in Iran Nuclear Delay

Postby MinM » Sun Jan 16, 2011 12:19 pm

Ralph Langner, an independent computer security expert, solved Stuxnet.


The Dimona complex in the Negev desert is famous as the heavily guarded heart of Israel’s never-acknowledged nuclear arms program, where neat rows of factories make atomic fuel for the arsenal.

Over the past two years, according to intelligence and military experts familiar with its operations, Dimona has taken on a new, equally secret role — as a critical testing ground in a joint American and Israeli effort to undermine Iran’s efforts to make a bomb of its own.

Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.

“To check out the worm, you have to know the machines,” said an American expert on nuclear intelligence. “The reason the worm has been effective is that the Israelis tried it out.”

Though American and Israeli officials refuse to talk publicly about what goes on at Dimona, the operations there, as well as related efforts in the United States, are among the newest and strongest clues suggesting that the virus was designed as an American-Israeli project to sabotage the Iranian program.

In recent days, the retiring chief of Israel’s Mossad intelligence agency, Meir Dagan, and Secretary of State Hillary Rodham Clinton separately announced that they believed Iran’s efforts had been set back by several years. Mrs. Clinton cited American-led sanctions, which have hurt Iran’s ability to buy components and do business around the world.

The gruff Mr. Dagan, whose organization has been accused by Iran of being behind the deaths of several Iranian scientists, told the Israeli Knesset in recent days that Iran had run into technological difficulties that could delay a bomb until 2015. That represented a sharp reversal from Israel’s long-held argument that Iran was on the cusp of success.

The biggest single factor in putting time on the nuclear clock appears to be Stuxnet, the most sophisticated cyberweapon ever deployed.

In interviews over the past three months in the United States and Europe, experts who have picked apart the computer worm describe it as far more complex — and ingenious — than anything they had imagined when it began circulating around the world, unexplained, in mid-2009.

Many mysteries remain, chief among them, exactly who constructed a computer worm that appears to have several authors on several continents. But the digital trail is littered with intriguing bits of evidence.

In early 2008 the German company Siemens cooperated with one of the United States’ premier national laboratories, in Idaho, to identify the vulnerabilities of computer controllers that the company sells to operate industrial machinery around the world — and that American intelligence agencies have identified as key equipment in Iran’s enrichment facilities.

Siemens says that program was part of routine efforts to secure its products against cyberattacks. Nonetheless, it gave the Idaho National Laboratory — which is part of the Energy Department, responsible for America’s nuclear arms — the chance to identify well-hidden holes in the Siemens systems that were exploited the next year by Stuxnet.

The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

The attacks were not fully successful: Some parts of Iran’s operations ground to a halt, while others survived, according to the reports of international nuclear inspectors. Nor is it clear the attacks are over: Some experts who have examined the code believe it contains the seeds for yet more versions and assaults.

“It’s like a playbook,” said Ralph Langner, an independent computer security expert in Hamburg, Germany, who was among the first to decode Stuxnet. “Anyone who looks at it carefully can build something like it.” Mr. Langner is among the experts who expressed fear that the attack had legitimized a new form of industrial warfare, one to which the United States is also highly vulnerable.

Officially, neither American nor Israeli officials will even utter the name of the malicious computer program, much less describe any role in designing it.

But Israeli officials grin widely when asked about its effects. Mr. Obama’s chief strategist for combating weapons of mass destruction, Gary Samore, sidestepped a Stuxnet question at a recent conference about Iran, but added with a smile: “I’m glad to hear they are having troubles with their centrifuge machines, and the U.S. and its allies are doing everything we can to make it more complicated.”

In recent days, American officials who spoke on the condition of anonymity have said in interviews that they believe Iran’s setbacks have been underreported. That may explain why Mrs. Clinton provided her public assessment while traveling in the Middle East last week.

By the accounts of a number of computer scientists, nuclear enrichment experts and former officials, the covert race to create Stuxnet was a joint project between the Americans and the Israelis, with some help, knowing or unknowing, from the Germans and the British.

The project’s political origins can be found in the last months of the Bush administration. In January 2009, The New York Times reported that Mr. Bush authorized a covert program to undermine the electrical and computer systems around Natanz, Iran’s major enrichment center. President Obama, first briefed on the program even before taking office, sped it up, according to officials familiar with the administration’s Iran strategy. So did the Israelis, other officials said. Israel has long been seeking a way to cripple Iran’s capability without triggering the opprobrium, or the war, that might follow an overt military strike of the kind they conducted against nuclear facilities in Iraq in 1981 and Syria in 2007.

Two years ago, when Israel still thought its only solution was a military one and approached Mr. Bush for the bunker-busting bombs and other equipment it believed it would need for an air attack, its officials told the White House that such a strike would set back Iran’s programs by roughly three years. Its request was turned down.

Now, Mr. Dagan’s statement suggests that Israel believes it has gained at least that much time, without mounting an attack. So does the Obama administration.

For years, Washington’s approach to Tehran’s program has been one of attempting “to put time on the clock,” a senior administration official said, even while refusing to discuss Stuxnet. “And now, we have a bit more.”

Finding Weaknesses

Paranoia helped, as it turns out.

Years before the worm hit Iran, Washington had become deeply worried about the vulnerability of the millions of computers that run everything in the United States from bank transactions to the power grid.

Computers known as controllers run all kinds of industrial machinery. By early 2008, the Department of Homeland Security had teamed up with the Idaho National Laboratory to study a widely used Siemens controller known as P.C.S.-7, for Process Control System 7. Its complex software, called Step 7, can run whole symphonies of industrial instruments, sensors and machines.

The vulnerability of the controller to cyberattack was an open secret. In July 2008, the Idaho lab and Siemens teamed up on a PowerPoint presentation on the controller’s vulnerabilities that was made to a conference in Chicago at Navy Pier, a top tourist attraction.

“Goal is for attacker to gain control,” the July paper said in describing the many kinds of maneuvers that could exploit system holes. The paper was 62 pages long, including pictures of the controllers as they were examined and tested in Idaho.

In a statement on Friday, the Idaho National Laboratory confirmed that it formed a partnership with Siemens but said it was one of many with manufacturers to identify cybervulnerabilities. It argued that the report did not detail specific flaws that attackers could exploit. But it also said it could not comment on the laboratory’s classified missions, leaving unanswered the question of whether it passed what it learned about the Siemens systems to other parts of the nation’s intelligence apparatus.

The presentation at the Chicago conference, which recently disappeared from a Siemens Web site, never discussed specific places where the machines were used.

But Washington knew. The controllers were critical to operations at Natanz, a sprawling enrichment site in the desert. “If you look for the weak links in the system,” said one former American official, “this one jumps out.”

Controllers, and the electrical regulators they run, became a focus of sanctions efforts. The trove of State Department cables made public by WikiLeaks describes urgent efforts in April 2009 to stop a shipment of Siemens controllers, contained in 111 boxes at the port of Dubai, in the United Arab Emirates. They were headed for Iran, one cable said, and were meant to control “uranium enrichment cascades” — the term for groups of spinning centrifuges.

Subsequent cables showed that the United Arab Emirates blocked the transfer of the Siemens computers across the Strait of Hormuz to Bandar Abbas, a major Iranian port.

Only months later, in June, Stuxnet began to pop up around the globe. The Symantec Corporation, a maker of computer security software and services based in Silicon Valley, snared it in a global malware collection system. The worm hit primarily inside Iran, Symantec reported, but also in time appeared in India, Indonesia and other countries.

But unlike most malware, it seemed to be doing little harm. It did not slow computer networks or wreak general havoc.

That deepened the mystery.

A ‘Dual Warhead’

No one was more intrigued than Mr. Langner, a former psychologist who runs a small computer security company in a suburb of Hamburg. Eager to design protective software for his clients, he had his five employees focus on picking apart the code and running it on the series of Siemens controllers neatly stacked in racks, their lights blinking.

He quickly discovered that the worm only kicked into gear when it detected the presence of a specific configuration of controllers, running a set of processes that appear to exist only in a centrifuge plant. “The attackers took great care to make sure that only their designated targets were hit,” he said. “It was a marksman’s job.”

For example, one small section of the code appears designed to send commands to 984 machines linked together.

Curiously, when international inspectors visited Natanz in late 2009, they found that the Iranians had taken out of service a total of exactly 984 machines that had been running the previous summer.

But as Mr. Langner kept peeling back the layers, he found more — what he calls the “dual warhead.” One part of the program is designed to lie dormant for long periods, then speed up the machines so that the spinning rotors in the centrifuges wobble and then destroy themselves. Another part, called a “man in the middle” in the computer world, sends out those false sensor signals to make the system believe everything is running smoothly. That prevents a safety system from kicking in, which would shut down the plant before it could self-destruct.

“Code analysis makes it clear that Stuxnet is not about sending a message or proving a concept,” Mr. Langner later wrote. “It is about destroying its targets with utmost determination in military style.”

This was not the work of hackers, he quickly concluded. It had to be the work of someone who knew his way around the specific quirks of the Siemens controllers and had an intimate understanding of exactly how the Iranians had designed their enrichment operations.

In fact, the Americans and the Israelis had a pretty good idea.

Testing the Worm

Perhaps the most secretive part of the Stuxnet story centers on how the theory of cyberdestruction was tested on enrichment machines to make sure the malicious software did its intended job.

The account starts in the Netherlands. In the 1970s, the Dutch designed a tall, thin machine for enriching uranium. As is well known, A. Q. Khan, a Pakistani metallurgist working for the Dutch, stole the design and in 1976 fled to Pakistan.

The resulting machine, known as the P-1, for Pakistan’s first-generation centrifuge, helped the country get the bomb. And when Dr. Khan later founded an atomic black market, he illegally sold P-1’s to Iran, Libya, and North Korea.

The P-1 is more than six feet tall. Inside, a rotor of aluminum spins uranium gas to blinding speeds, slowly concentrating the rare part of the uranium that can fuel reactors and bombs.

How and when Israel obtained this kind of first-generation centrifuge remains unclear, whether from Europe, or the Khan network, or by other means. But nuclear experts agree that Dimona came to hold row upon row of spinning centrifuges.

“They’ve long been an important part of the complex,” said Avner Cohen, author of “The Worst-Kept Secret” (2010), a book about the Israeli bomb program, and a senior fellow at the Monterey Institute of International Studies. He added that Israeli intelligence had asked retired senior Dimona personnel to help on the Iranian issue, and that some apparently came from the enrichment program.

“I have no specific knowledge,” Dr. Cohen said of Israel and the Stuxnet worm. “But I see a strong Israeli signature and think that the centrifuge knowledge was critical.”

Another clue involves the United States. It obtained a cache of P-1’s after Libya gave up its nuclear program in late 2003, and the machines were sent to the Oak Ridge National Laboratory in Tennessee, another arm of the Energy Department.

By early 2004, a variety of federal and private nuclear experts assembled by the Central Intelligence Agency were calling for the United States to build a secret plant where scientists could set up the P-1’s and study their vulnerabilities. “The notion of a test bed was really pushed,” a participant at the C.I.A. meeting recalled.

The resulting plant, nuclear experts said last week, may also have played a role in Stuxnet testing.

But the United States and its allies ran into the same problem the Iranians have grappled with: the P-1 is a balky, badly designed machine. When the Tennessee laboratory shipped some of its P-1’s to England, in hopes of working with the British on a program of general P-1 testing, they stumbled, according to nuclear experts.

“They failed hopelessly,” one recalled, saying that the machines proved too crude and temperamental to spin properly.

Dr. Cohen said his sources told him that Israel succeeded — with great difficulty — in mastering the centrifuge technology. And the American expert in nuclear intelligence, who spoke on the condition of anonymity, said the Israelis used machines of the P-1 style to test the effectiveness of Stuxnet.

The expert added that Israel worked in collaboration with the United States in targeting Iran, but that Washington was eager for “plausible deniability.”

In November, the Iranian president, Mahmoud Ahmadinejad, broke the country’s silence about the worm’s impact on its enrichment program, saying a cyberattack had caused “minor problems with some of our centrifuges.” Fortunately, he added, “our experts discovered it.”

The most detailed portrait of the damage comes from the Institute for Science and International Security, a private group in Washington. Last month, it issued a lengthy Stuxnet report that said Iran’s P-1 machines at Natanz suffered a series of failures in mid- to late 2009 that culminated in technicians taking 984 machines out of action.

The report called the failures “a major problem” and identified Stuxnet as the likely culprit.

Stuxnet is not the only blow to Iran. Sanctions have hurt its effort to build more advanced (and less temperamental) centrifuges. And last January, and again in November, two scientists who were believed to be central to the nuclear program were killed in Tehran.

The man widely believed to be responsible for much of Iran’s program, Mohsen Fakrizadeh, a college professor, has been hidden away by the Iranians, who know he is high on the target list.

Publicly, Israeli officials make no explicit ties between Stuxnet and Iran’s problems. But in recent weeks, they have given revised and surprisingly upbeat assessments of Tehran’s nuclear status.

“A number of technological challenges and difficulties” have beset Iran’s program, Moshe Yaalon, Israel’s minister of strategic affairs, told Israeli public radio late last month.

The troubles, he added, “have postponed the timetable.”

http://www.nytimes.com/2011/01/16/world ... s&emc=tha2
MinM

Re: Stuxnet worm 'targeted high-value Iranian assets'

Postby JackRiddler » Mon Jan 17, 2011 6:57 pm

.

Okay, I wanted to start a new thread on yesterday's admissions via NY Times and the US network news, but in the holy name of thread consolidation and all that, I'll pose the question here:

What's this really all about?

Meaning, specifically:

1) Who thinks this story even happened in the way now presented quasi-officially by the US and Israel?

2) Why are they admitting their roles and publicizing the details of this covert operation? No matter what, there is a motive other than la la, in the name of transparency we'd like to tell you about this act of war against a sovereign nation we jointly committed the other month!

And assuming all details of the story as given are true...

3) Since this is an act of war, how are they going to justify their outrage if there is any kind of retaliation -- especially if it's retaliation in kind?

Also, can anyone point me to official Iranian reaction on this, if any? They've said Stuxnet didn't affect their centrifuges at all, but this has not made much of a splash against the self-congratulations of the US media. I also don't see a reaction to this latest claim.

From intuition, albeit in the absence of evidence we can get at, I shall begin by floating a downright hopeful hypothesis, to which I am not married:

Whether or not Stuxnet infiltrated Iranian systems, and whether or not it did physical damage to the Iranian centrifuges... and I would bet against that...

The screech-for-war faction of Israel and the Pentagon neocons have failed. They've been screeching for more than four years and, clearly, they will not be getting the US to perpetrate the desired "bunker busting" nuclear holocaust in Iran before 2013 at the earliest, if ever. Continued screeching makes them look weak, but just stopping makes them look like losers. They need to save face. This tale allows them to declare victory, by taking credit for the non-existent "technical difficulties" that caused a "delay" in the non-existent Iranian weapons program.

This may even be a prelude to a deal to normalize relations with Iran.

.
Last edited by JackRiddler on Mon Jan 17, 2011 7:07 pm, edited 1 time in total.
We meet at the borders of our being, we dream something of each others reality. - Harvey of R.I.

To Justice my maker from on high did incline:
I am by virtue of its might divine,
The highest Wisdom and the first Love.

TopSecret WallSt. Iraq & more

Re: Stuxnet worm 'targeted high-value Iranian assets'

Postby Nordic » Mon Jan 17, 2011 7:05 pm

Yeah, Jack, I'm with you, I smell bullshit.
"He who wounds the ecosphere literally wounds God" -- Philip K. Dick

Re: Stuxnet worm 'targeted high-value Iranian assets'

Postby 8bitagent » Wed Jan 19, 2011 10:59 pm

Wasn't Siemens, along with Bayer and IBM some of the chief components to the wiping out of six million plus Jews under Hitler?

Perhaps "stuxnet" is the first salvo in the new phase of major cyber warfare by the West...wonder what ol' Wheeler would have thought.
"Do you know who I am? I am the arm, and I sound like this..."-man from another place, twin peaks fire walk with me

Re: Stuxnet worm 'targeted high-value Iranian assets'

Postby DrVolin » Wed Jan 19, 2011 11:30 pm

JackRiddler wrote:.

...how are they going to justify their outrage if there is any kind of retaliation

.


Would they need to? This whole thing is typical of gangster behaviour, which is why I am not surprised. I don't know whether it is true, but it certainly is plausible.
all these dreams are swept aside
By bloody hands of the hypnotized
Who carry the cross of homicide
And history bears the scars of our civil wars

--Guns and Roses

Re: Stuxnet worm 'targeted high-value Iranian assets'

Postby Nordic » Fri Jan 28, 2011 4:43 pm

http://www.almanar.com.lb/newsSite/News ... anguage=en

ht: http://alethonews.wordpress.com/

Russia: Stuxnet Could Have Triggered a Disaster

27/01/2011 Russia’s envoy to NATO Dmitry Rogozin urged NATO on Wednesday to join Moscow in investigating who created and unleashed the Stuxnet which could have triggered a disaster comparable to the one in Chernobyl 25 years ago.

Rogozin told journalists at NATO headquarters that the virus could have caused the control system of Iran's Bushehr nuclear reactor to malfunction, leading to the release of poisonous radioactive dust into the atmosphere, as happened in Chernobyl.

Chernobyl's reactor No. 4 exploded in 1986, spewing radiation over a large swath of northern Europe. Hundreds of thousands of people were resettled from areas contaminated with radiation fallout in Ukraine, Belarus and Russia. Related health problems still persist.

"This is a security-related issue," Rogozin said. "We insist that we have an investigation with the NATO-Russia Council."

Re: Stuxnet worm 'targeted high-value Iranian assets'

Postby JackRiddler » Fri Jan 28, 2011 10:10 pm

.

Yeah, the Russians will get to the bottom of this total mystery somehow!

You know, the juxtaposition of the Stuxnet roll-out with the actual killings of Iranian scientists reminds me of Woodward's biometric infrared drone satellite wonder-weapon surge that supposedly killed the entire Iraqi Sunni insurgency to the man, a combo technology which probably really was implemented with whatever results it had or didn't have, but presented afterwards via Woodward as an attempt to take the stink off the actual strategies that "worked," which everyone could see operating from afar, of fomenting sectarian civil war, arming and training death squads, torture, gulags, ethnic cleansing, fake terrorist infiltration ("Al Qaeda in Iraq") and, of course, payoffs to the insurgents.

.

Re: Stuxnet worm 'targeted high-value Iranian assets'

Postby hanshan » Sun Jan 30, 2011 7:26 pm

JackRiddler wrote:.

Yeah, the Russians will get to the bottom of this total mystery somehow!

You know, the juxtaposition of the Stuxnet roll-out with the actual killings of Iranian scientists reminds me of Woodward's biometric infrared drone satellite wonder-weapon surge that supposedly killed the entire Iraqi Sunni insurgency to the man, a combo technology which probably really was implemented with whatever results it had or didn't have, but presented afterwards via Woodward as an attempt to take the stink off the actual strategies that "worked," which everyone could see operating from afar, of fomenting sectarian civil war, arming and training death squads, torture, gulags, ethnic cleansing, fake terrorist infiltration ("Al Qaeda in Iraq") and, of course, payoffs to the insurgents..



i.e., Jack, just business as usual, eh?



...

Re: Stuxnet worm 'targeted high-value Iranian assets'

Postby JackRiddler » Sun Jan 30, 2011 7:43 pm

hanshan wrote:i.e., Jack, just business as usual, eh?



...


That might be a way to describe it. What's your point?

.