Stuxnet worm 'targeted high-value Iranian assets'

Post by fruhmenschen » Thu Sep 23, 2010 11:42 pm

Stuxnet worm 'targeted high-value Iranian assets'

Stuxnet's complexity suggests it could only have been written by a "nation state", some researchers have claimed.

http://www.bbc.co.uk/news/technology-11388018

Re: Stuxnet worm 'targeted high-value Iranian assets'

Post by Montag » Thu Sep 23, 2010 11:54 pm

I remember reading an article a while ago that Chavez is transitioning Venezuelan government computers to Linux...

Re: Stuxnet worm 'targeted high-value Iranian assets'

Post by MinM » Fri Sep 24, 2010 12:15 am

Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target | Threat Level | Wired.com
If Iran was the target, the United States or Israel are suspected as the likely perpetrators — both have the skill and resources to produce complicated malware such as Stuxnet. In 1981, Israel bombed Iran’s Osiraq nuclear reactor. Israel is also believed to be behind the bombing of a mysterious compound in Syria in 2007 that was believed to be an illicit nuclear facility.

Last year, an article published by Ynetnews.com, a web site connected to the Israeli newspaper Yediot Ahronot, quoted a former Israeli cabinet member saying the Israeli government determined long ago that a cyber attack involving the insertion of targeted computer malware was the only viable way to halt Iran’s nuclear program.


Read More http://www.wired.com/threatlevel/2010/0 ... z10PuyBJ5b

rigorousintuition.ca - View topic - National Cyber Range Building Attack Tools
Earth-704509

Re: Stuxnet worm 'targeted high-value Iranian assets'

Post by barracuda » Fri Sep 24, 2010 12:20 am

Stuxnet is pretty bitchin', traveling on USB keys, setting up shop in the PLCs of SCADA systems in order to seek out a single, specific machine configuration to wreak havoc upon. Evil genius. However, it would be a drag if this type of code becomes widespread. Every public utility in every major country in the world uses SCADA to operate municipal functions such as electrical grids, water systems and treatment plants, all kinds of stand alone systems that aren't routinely connected to the web for just this reason. Luckily, it seems the complexity of the virus will prevent widespread emulation by cyber-terrorists outside of the usual suspects within the US intelligence community.

There's a good article on this in the Christian Science Monitor:

"Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world," says Langner, who last week became the first to publicly detail Stuxnet's destructive purpose and its authors' malicious intent. "This is not about espionage, as some have said. This is a 100 percent sabotage attack."
...

"What we're seeing with Stuxnet is the first view of something new that doesn't need outside guidance by a human – but can still take control of your infrastructure," says Michael Assante, former chief of industrial control systems cyber security research at the US Department of Energy's Idaho National Laboratory. "This is the first direct example of weaponized software, highly customized and designed to find a particular target."
...

"Stuxnet is the key for a very specific lock – in fact, there is only one lock in the world that it will open," Langner says in an interview. "The whole attack is not at all about stealing data but about manipulation of a specific industrial process at a specific moment in time. This is not generic. It is about destroying that process."

So far, Stuxnet has infected at least 45,000 computers worldwide, Microsoft reported last month. Only a few are industrial control systems. Siemens this month reported 14 affected control systems, mostly in processing plants and none in critical infrastructure. Some victims in North America have experienced some serious computer problems, Eric Byres, an expert in Canada, told the Monitor. Most of the victim computers, however, are in Iran, Pakistan, India, and Indonesia. Some systems have been hit in Germany, Canada, and the US, too. Once a system is infected, Stuxnet simply sits and waits – checking every five seconds to see if its exact parameters are met on the system. When they are, Stuxnet is programmed to activate a sequence that will cause the industrial process to self-destruct...
The most dangerous traps are the ones you set for yourself. - Phillip Marlowe

Re: Stuxnet worm 'targeted high-value Iranian assets'

Post by 82_28 » Fri Sep 24, 2010 2:35 am

Rebuy an RJ-15 connective computer and/or modem now. As in dial-up. Take good care of the old computers you may still have laying around and/or external modems that are still CAPABLE of dial-up. BBS could be coming soon. Not like I am even remotely doing it now, but begin to collect the numbers your computer may call into in order to share data. Have a solid linux partition or use Linux exclusively. Keep it off the net unless you use it to dial up. Learn how to navigate your directories and functions without an advanced GUI. Get to know the Lynx browser:

http://en.wikipedia.org/wiki/Lynx_%28web_browser%29

Get a computer that can span the technologies of at least the last 30 years. Floppies, dial-up, decent consoles for command line input and output. None of this mumbo jumbo of today, which I do like, I like the multi-media and offerings of the latest and greatest ways to "compute".

Say, what would it take to set up an irc channel for RI and also a dial in BBS system around here? Is anybody into starting such a thing?
There is no me. There is no you. There is all. There is no you. There is no me. And that is all. A profound acceptance of an enormous pageantry. A haunting certainty that the unifying principle of this universe is love. -- Propagandhi

Re: Stuxnet worm 'targeted high-value Iranian assets'

Post by Ben D » Fri Sep 24, 2010 6:03 am

I'm not an expert but I don't see any reason for the SCADA system to be interfaced with the internet, it should be a stand alone system.
There is That which was not born, nor created, nor evolved. If it were not so, there would never be any refuge from being born, or created, or evolving. That is the end of suffering. That is God**.

** or Nirvana, Allah, Brahman, Tao, etc...

Re: Stuxnet worm 'targeted high-value Iranian assets'

Post by barracuda » Fri Sep 24, 2010 10:33 am

Ben, that's right, SCADA is usually isolated. That's why the thing is designed to vector through portable USB keys. Insidious.

I don't remember dealing with virus protection prior to the advent of the internet. Were there viruses that spread through floppy disks?
The most dangerous traps are the ones you set for yourself. - Phillip Marlowe

Re: Stuxnet worm 'targeted high-value Iranian assets'

Post by Jeff » Fri Sep 24, 2010 11:12 am

Stuxnet worm is the 'work of a national government agency'
Malware believed to be targeting Iran's Bushehr nuclear power plant may have been created by Israeli hackers

Josh Halliday
guardian.co.uk, Friday 24 September 2010 15.35 BST

A computer worm which targets industrial and factory systems is almost certainly the work of a national government agency, security experts told the Guardian – but warn that it will be near-impossible to identify the culprit.

The "Stuxnet" computer worm, which has been described as one of the "most refined pieces of malware ever discovered", has been most active in Iran, says the security company Symantec – leading some experts to conjecture that the likely target of the virus is the controversial Bushehr nuclear power plant, and that it was created by Israeli hackers.

Speaking to the Guardian, security experts confirmed that Stuxnet is a targeted attack on industrial locations in specific countries, the sophistication of which takes it above and beyond previous attacks of a similar nature.

Latest figures, from August, show 60% of computers infected by Stuxnet are located in Iran – dramatically up from July, when it accounted for less than 25% of infections, research by Symantec shows, with the graph below (from 4 August) showing the prevalence in other countries by comparison. The company estimates that the group building Stuxnet would have been well-funded, comprising between five and 10 people, and that it would have taken six months to prepare.

Alan Bentley, senior international vice president at security firm Lumension, said Stuxnet is "the most refined piece of malware ever discovered", and that the worm was significant because "mischief or financial reward wasn't its purpose, it was aimed right at the heart of a critical infrastructure".

...


http://www.guardian.co.uk/technology/20 ... nal-agency

Re: Stuxnet worm 'targeted high-value Iranian assets'

Post by Canadian_watcher » Thu Sep 30, 2010 6:34 pm

FWIW:

The Curious Case of Stuxnet Gets Curiouser
The case surrounding Stuxnet, which some security and intelligence specialists are calling the first known precision malware weapon designed to bring down a specific real-world industrial facility, is getting curiouser.

As researchers untangled the encryption and complex code base, suspicion has grown that Stuxnet was created by U.S. or Israeli intelligence in order to disrupt a specific Iranian nuclear facility. (RCP unpacked Stuxnet's nasty implications for the Microsoft channel in a blog post earlier this week. The worm uses four zero-day Windows vulnerabilities as part of its attack.)

A front-page article in The New York Times today moves the story forward with news that the text string "Myrtus," found within the Stuxnet code, is at the center of much of the debate about who might be behind Stuxnet's development.

According to the Times: "Myrtus is an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively."

The debate, according to the newspaper, currently centers on whether an Esther reference is the correct interpretation of the Stuxnet code string, and if so, whether it represents a smoking gun or a red herring. This case is as subtle and fascinating as a John Le Carre novel.

Posted by Scott Bekker on September 30, 2010 at 2:42 PM


source: http://www.networkworld.com/news/2010/093010-stuxnet-code-hints-at-possible.html

Security researchers today offered another tantalizing clue about the possible origins of the notorious Stuxnet worm, but cautioned against reading too much from the obscure tea leaves.

In a paper released today and presented at a Vancouver, British Columbia security conference, a trio of Symantec researchers noted that Stuxnet includes references in its code to the 1979 execution of a prominent Jewish Iranian businessman.

Buried in Stuxnet's code is a marker with the digits "19790509" that the researchers believe is a "do-not infect" indicator. If the marker equals that value, Stuxnet stops in its tracks, and does not infect the targeted PC.

The researchers -- Nicolas Falliere, Liam O Murchu and Eric Chen -- speculated that the marker represents a date: May 9, 1979.

"While on May 9, 1979, a variety of historical events occurred, according to Wikipedia "Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community," the researchers wrote.

Elghanian, a prominent Jewish-Iranian businessman, was charged with spying for Israel by the then-new revolutionary government of Iran, and executed May 9, 1979.

According to a contemporary account in Time magazine, Elghanian was the first Jewish Iranian to be executed by the revolutionary government, which seized power after the Shah of Iran, Mohammad Reza Pahlavi, fled the country in January 1979.

"Elghanian, who was convicted of spying for Israel, was said to have made huge investments in Israel and to have solicited funds for the Israeli army, which the prosecution claimed made him an accomplice 'in murderous air raids against innocent Palestinians,'" reported Time.

But Falliere, O Murchu and Chen warned against jumping to the natural conclusion, that the reference pointed to Israel as the origin of Stuxnet. "Attackers would have the natural desire to implicate another party," they said.


source: http://www.networkworld.com/news/2010/093010-stuxnet-code-hints-at-possible.html
Satire is a sort of glass, wherein beholders do generally discover everybody's face but their own.-- Jonathan Swift

When a true genius appears, you can know him by this sign: that all the dunces are in a confederacy against him. -- Jonathan Swift

Re: Stuxnet worm 'targeted high-value Iranian assets'

Post by justdrew » Thu Sep 30, 2010 9:12 pm

barracuda wrote: Ben, that's right, SCADA is usually isolated. That's why the thing is designed to vector through portable USB keys. Insidious.

I don't remember dealing with virus protection prior to the advent of the internet. Were there viruses that spread through floppy disks?


oh hell yeah, they were called "boot sector" viruses mostly, but there were other kinds of floppy based viruses. Even Apple hardware had them in abundance. disk traders would pick it up especially. once an infected floppy was in the computer, it would infect into memory, then load itself onto any future floppies put into the computer.

stuxnet is just plain horrific, I would hate to have to deal with an infestation of that.

There's another thing making the rounds especially in large enterprise environments called QAKbot which is also rather annoying, but it doesn't rootkit the system to prevent you from seeing it (although actually, it may be doing that in some recent versions). So far I've only seen it hide itself from the Windows GUI, files were still visible in DOS mode.

The malware situation is getting so bad some drastic changes may be needed and soon but all possibilities involve significant negative ramifications.
By 1964 there were 1.5 million mobile phone users in the US

Re: Stuxnet worm 'targeted high-value Iranian assets'

Post by Ben D » Thu Sep 30, 2010 9:51 pm

barracuda wrote: Ben, that's right, SCADA is usually isolated. That's why the thing is designed to vector through portable USB keys. Insidious.

I'm still skeptical about this story. For the Bushehr SCADA system to be infected according to my present understanding, a USB memory stick would first have to be infected while being used on an internet connection. Then an employee would need to bring this contaminated memory stick over to the non-internet interfaced SCADA system and use it there in order to pass on the infection. And in addition this presupposes that the Bushehr SCADA system hardware actually employs standard USB compatible adapter ports and software.
There is That which was not born, nor created, nor evolved. If it were not so, there would never be any refuge from being born, or created, or evolving. That is the end of suffering. That is God**.

** or Nirvana, Allah, Brahman, Tao, etc...

Re: Stuxnet worm 'targeted high-value Iranian assets'

Post by barracuda » Thu Sep 30, 2010 10:33 pm

I'm not saying you aren't correct to be suspicious, Ben, but the Siemens componentry for industrial SCADA instrumentation and control systems isn't usually integrated into a proprietary workstation. It's usually found working with a Dell box running Windows. I found this vague notice on their website:


Updates on computer virus alert for certain Windows operating systems

Unprotected Windows components in control systems SPPA-T3000 and SPPA-T2000 can potentially become infected. So far, intensive investigations and analysis that we have carried out show no indication that the malware has a negative impact on the SPPA-T3000 and SPPA-T2000 control systems.


For more detailed information about SPPA-T3000 and SPPA-T2000 control systems please contact Maggie Yu. Email: maggie.yu@siemens.com

Phone: 678-256-1603

Information about this topic in combination with PCS7/WinCC can be found at the following internet site:

SIMATIC WinCC/SIMATIC PCS7: Information concerning Malware/Virus/Trojan


And this is the page on the SPPA-T3000, which seems to be running on Windows.

Every municipal SCADA system I've come into contact with has used off the shelf boxes, at least for control display.
The most dangerous traps are the ones you set for yourself. - Phillip Marlowe

Re: Stuxnet worm 'targeted high-value Iranian assets'

Post by Ben D » Thu Sep 30, 2010 11:58 pm

How is it known that Bushehr actually uses a Siemens SCADA system and who is the original source to make the claim that Bushehr was definitely targeted?

http://news.yahoo.com/s/csm/20100924/ts_csm/328049_1

There is no independent confirmation that Bushehr or Natanz or anyplace else has been attacked by a directed cyberweapon. But competing theories are emerging about Stuxnet's target. Here are two from a cybersecurity duo from Germany who have worked, separately, on deconstructing Stuxnet – and why they think what they do.

Ralph Langner is no Middle East policy wonk or former diplomat privy to insider information. He is a German software security engineer with a particular expertise in industrial control system software created by industrial giant Siemens for use in factories, refineries, and power plants worldwide.

This week, Mr. Langner became the first person to detail Stuxnet's peculiar attack features. He explained, for example, how Stuxnet "fingerprints" each industrial network it infiltrates to determine if it has identified the right system to destroy. Stuxnet was developed to attack just one target in the world, Langner says and other experts confirm. His best guess as to the target?


Ralph Langner would enjoy the marketing opportunity. http://www.langner.com/en/
There is That which was not born, nor created, nor evolved. If it were not so, there would never be any refuge from being born, or created, or evolving. That is the end of suffering. That is God**.

** or Nirvana, Allah, Brahman, Tao, etc...

Re: Stuxnet worm 'targeted high-value Iranian assets'

Post by crikkett » Fri Oct 01, 2010 1:00 am

I'm still skeptical about this story. For the Bushehr SCADA system to be infected according to my present understanding, a USB memory stick would first have to be infected while being used on an internet connection. Then an employee would need to bring this contaminated memory stick over to the non-internet interfaced SCADA system and use it there in order to pass on the infection. And in addition this presupposes that the Bushehr SCADA system hardware actually employs standard USB compatible adapter ports and software.


What if a smart-card or RFID passkey/ID card were used instead of a USB card?

If I were writing this movie it'd go down that way.

Re: Stuxnet worm 'targeted high-value Iranian assets'

Post by crikkett » Fri Oct 01, 2010 1:04 am

barracuda wrote: I'm not saying you aren't correct to be suspicious, Ben, but the Siemens componentry for industrial SCADA instrumentation and control systems isn't usually integrated into a proprietary workstation. It's usually found working with a Dell box running Windows. I found this vague notice on their website:


Updates on computer virus alert for certain Windows operating systems

Unprotected Windows components in control systems SPPA-T3000 and SPPA-T2000 can potentially become infected. So far, intensive investigations and analysis that we have carried out show no indication that the malware has a negative impact on the SPPA-T3000 and SPPA-T2000 control systems.


For more detailed information about SPPA-T3000 and SPPA-T2000 control systems please contact Maggie Yu. Email: maggie.yu@siemens.com

Phone: 678-256-1603

Information about this topic in combination with PCS7/WinCC can be found at the following internet site:

SIMATIC WinCC/SIMATIC PCS7: Information concerning Malware/Virus/Trojan


And this is the page on the SPPA-T3000, which seems to be running on Windows.

Every municipal SCADA system I've come into contact with has used off the shelf boxes, at least for control display.


This may explain why Microsoft is reporting the number of infected machines worldwide. I was curious about that.
