Posted By Blake Hounshell

By now, you've probably heard of Stuxnet, the mysterious computer worm that infects Windows computers running software designed by Siemens, the German industrial giant. The software, Simatic WinCC, is what's known as a SCADA system -- "supervisory control and data acquisition" -- and it's used to help run everything from traffic systems and pipelines to nuclear plants.

Siemens has known about Stuxnet for some time, and has been tracing the worm's spread on its website. In July 2010, the company knew of only one industrial facility affected. By September 7, it was reporting that 15 systems had been hit worldwide. (The worm was first discovered in June by VirusBlokAda, a little-known Belarussian security firm.)

For months, the discussion about the virus stayed within the cybersecurity community, but once speculation began to mount that it was aimed at Iran's nuclear facilities, the news went, er, viral. Amid the uproar last week, Iranian officials admitted that their facilities had indeed been hit, though they didn't specify which ones.

Even with all the media attention, much remains mysterious about Stuxnet. We know it's a sophisticated piece of malware, one that experts say could only be produced by a high-powered team with insider knowledge of industrial software. We know it was spread using USB thumb drives. But there's a lot we don't know. Here's my attempt to lay out some of the big open questions.

1. What was the target? Although the worm has affected computers in Indonesia, India, Pakistan, and elsewhere in addition to Iran, security researchers who have been poring over Stuxnet for months say it appears aimed at a very specific target. According to Siemens, "The behavioral pattern of Stuxnet suggests that the virus is apparently only activated in plants with a specific configuration. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process." Two German experts, Ralph Langner and Frank Rieger, have offered competing theories as to what that target might be, both of them in Iran, where most of the affected machines are.

Langner guesses that Stuxnet is aimed at Bushehr, Iran's civilian nuclear power plant, which is slated to go online this fall. Langner's case rests largely on the fact that Bushehr runs Siemens software and that Russian contractors would have had access to the facility -- and that they would have used USB drives to set up the system.

Rieger counters that Natanz, Iran's uranium enrichment plant, is a more likely target. Not only is it more of a proliferation threat, there's suggestive evidence that it actually may have been affected by sabotage. (More on this later.) He also points out that Natanz is more likely to have the kinds of identical nodes, in this case "cascades" or groups of centrifuges, that would be susceptible to an attack.

2. Who did it? The obvious culprit is Israel, which has both the sophisticated technology and the motive to sabotage Iran's nuclear program, which it deems a mortal threat. An eerily prescient Reuters article published in July 2009 quotes Scott Borg, a U.S. cybersecurity expert, speculating that Israel might want to do so, adding that "a contaminated USB stick would be enough" to cause real damage to Iranian facilities.

Other countries, such as the United States, China, and Russia, probably have the capability, but only one -- the United States -- has a clear motive (some might add France and Germany to this list). One could spin complicated theories as to why Russia would want to sabotage its own facility, but Occam's Razor probably applies here -- and other reporting has indicated that the United States and Israel have, in fact, approved a covert sabotage campaign that may include a cyber component.

3. Did it work? Who knows? Outside analysts have been speculating for years that Western intelligence agencies have been sabotaging Iranian enrichment efforts, but they're usually talking about false-flag operations to sell Iran damaged centrifuge components. They point to signs that the number of centrifuges Iran is operating dropped precipitously last year, or unconfirmed reports of nuclear accidents, or the sudden and unexplained resignation last year of Gholam Reza Aghazadeh, the head of the Iranian nuclear program. For what it's worth, Iran denies encountering any problems as a result of Stuxnet, and there's little evidence to the contrary. But there could be hidden issues that pop up later on, or Iran could simply be lying.

4. What does it do? The reporting on this question has been maddeningly vague. Siemens says that Stuxnet "can theoretically influence specific processes and operations in a very specific automation environment or plant configuration in addition to passing on data," though it has been unable to verify that finding in testing. Supposedly, the worm was designed to send data to a server in Malaysia, which may or may not have been a "command center" that could seize control of PLCs or Programmable Logic Controllers, components used to operate and monitor industrial machinery. The consensus among people who've studied the code seems to be that its aim is sabotage, not simply espionage. But exactly how that was supposed to work remains unclear.

5. Why did it spread so widely? John Markoff, the longtime tech reporter for the New York Times, takes on this question in today's paper. "If Stuxnet is the latest example of what a government organization can do, it contains some glaring shortcomings," he writes. "The program was splattered on thousands of computer systems around the world, and much of its impact has been on those systems, rather than on what appears to have been its intended target, Iranian equipment." He only offers one theory, however: "One possibility is that they simply did not care. Their government may have been so eager to stop the Iranian nuclear program that the urgency of the attack trumped the tradecraft techniques that traditionally do not leave fingerprints, digital or otherwise."

A couple of points here. One is that Stuxnet does not seem to have had an "impact" on all those systems, for the reason noted in #1 above: It wasn't aimed at them. Second, it may be that the worm's designers needed it to spread within Iran to be effective -- i.e. from one computer to another within the same facility, or between facilities -- but that there was no way to prevent it from propagating further. Finally, there's some debate among researchers as to whether the virus was programmed to "expire" on a certain date, supposedly in January 2009. In other words, it wasn't supposed to spread, but somehow it did anyway, possibly through Russian contractors.

6. Why would anyone run a nuclear plant using Windows? I've got no answer for this one.


ZORRO

1:46 PM ET

September 27, 2010

6 is the Big Question

Who doesn't assume that Windows is full of back doors inserted by the NSA (or another no such agency)?


ANDREWP111

10:54 PM ET

September 27, 2010

The price of import dependency

This is the price of having to import most components from outside countries. You have to buy what is available, not what you really want. If the control systems you can get are Windows based, then that is what you use. A bigger mystery is why they didn't take better steps to keep their systems off the internet and to control items like USB drives. The Pentagon had a big problem with USB drives 2 years ago that carried some Chinese malware. The malware took advantage of a Windows flaw that made it impossible to turn off "autorun". Microsoft didn't fix that flaw for a very long time afterward - nearly a year!!


M8R6

11:13 AM ET

September 28, 2010

A theory

Here's one theory, which is admittedly based entirely on open source information that may not be entirely accurate. In late July and early August two petrochemical factories in southern Iran exploded purportedly due to technical errors. In addition, there have been a number of gas pipeline explosions also ostensibly due to unintentional human error. The Natanz facility has apparently lost 3,000 of its 9,000 centrifuges without declared cause. Likewise, the Bushehr reactor was supposed to go online weeks ago, but has not. The source of the infection appears to be a Russian contractor with extensive work in Iran. I don't want to sound like a conspiracy theorist, but there are tons of Jewish Russian emigres to Israel that are computer engineers. Israel has long had one of the most advanced high tech sectors. In an unexplained incident, the Israelis barred the iPad from launching in April because it supposedly uses a more powerful Wi-Fi, which now seems to have been so strictly enforced lest it interfere with their national security electronic operations. In this vein, the Israeli version of the NSA (Unit 8200) has been highlighted recently in news articles, as has the Israeli initiation electronically of a kill switch for Syrian radar during the 2007 raid and their theft of Syrian nuclear plans via a Trojan horse. Ehud Barak (Israel's defense minister) recently appeared on Fox News and stated that Iran's goal of nuclear weapons capability was now 1.5-2 years and not the 1 year previously stated. I think the Israelis (Unit 8200? the Mossad?) in conjunction with the NSA have penetrated Iran's computer infrastructure and whenever an industrial plant/critical infrastructure goes online it mysteriously fails. I think the reason the free world is not confident about their ability to take down the Iranian regime's nuclear weapons program solely this way is because of the redundancy in terms of sites and that eventually the Iranians will wisen up.
A cyber attack makes sense because it avoids claims of responsibility, which fits with President Obama's MO (think drone strikes in which he displays Tourette's with the Hellfire missile button) and the Israelis' desire to avoid a transparent casus belli that would engender Hezbollah rocket attacks, possibly with Syrian/Iranian provided chemical weapons. Adding to the intrigue, a Syrian/North Korean/Iranian chemical weapons plant in Syria mysteriously exploded in 2007. Remarkable that 70 years after Teller, Bohr, Einstein, Feynman, Oppenheimer and other Jewish European/American scientists as well as non-Jewish American/European scientists inaugurated the atomic bomb, a 21st century version of this group has now created a guided cyber missile to destroy the Iranian regime's pursuit of a nuclear weapon. This is particularly astounding since it's not only a cyber weapon, but light years ahead of anyone else. It's as if air to surface missiles had not been invented and the free world already has JDAMs. I should say that I believe the Iranian regime has enslaved a great people, the Persian people, and 2,000 years after King Cyrus of Persia helped the Jews build their second state of Israel, the third Jewish state of Israel will return the favor. Ironically, Ahmadinejad has threatened to wipe Israel off the map, but if not for the Osirak attack, Iran would have been wiped off the map as Saddam Hussein used WMD (chemical) in the Iraq-Iran war.

I believe the Israelis are the primary architects not merely because they are unabashedly aggressive in preventing their sworn enemies from acquiring nuclear capabilities (Syria-2007, Iraq-1981), but unlike the United States would not hesitate to launch a covert first strike. This is confirmed by the prescient Reuters article as well as the US statement concerning its unwillingness to strike preemptively through cyber war. Taking into consideration the technical aspects, the Israelis also emerge as the most likely driver of this project. Apparently, the zero day vulnerabilities of Microsoft were exploited in addition to Siemens PLC vulnerabilities and stolen certificates from a Taiwanese company. I have a hard time believing the US would conduct corporate espionage on an American based firm. I doubt the Israelis would have any moral qualms developing an asset at Microsoft or simply stealing the information. Certainly, the constant shuttling of Ehud Barak to DC recently cannot all be explained by an obsession with Israel's qualitative military advantage, which they manage to maintain despite all of these meetings. Clearly, he has been updating Sec Def Gates on Iran mano a mano. Sec Def Gates' leaked memo in January about the lack of contingency plans for confronting Iran militarily also began six months before the virus was first noted. Clearly, he knew about it and realized that this would potentially spark a regional conflagration, when the Stuxnet effects were understood by its victims. As for the theory about the issues with projects going online: PLCs supposedly control critical functions of industrial production. I think the virus is written in a way that activates a change in parameters when an industrial activity starts up, as opposed to merely causing self-destruction when initially infected. This allows for greater deniability as well as more harm, since time/money/manpower has been completely invested and lost.
This virus has supposedly been around since early 2009, coinciding with President Obama's tenure. The Israelis may have decided to undertake this while George W. Bush was in office to hedge their bets in case the new commander in chief did not have the willingness to confront Iran. I think whatever systems are infected are already inexorably sabotaged.

While it is possible that the Germans are involved too, I believe the Brits have played a part as well. The NSA and their British counterpart GCHQ work closely together. GCHQ is one of the most sophisticated electronic government agencies in the world. In addition, a GCHQ employee, Gareth Williams, was murdered a month ago. He was apparently working closely with the NSA and seconded to MI6 on a cyber weapons project. He had spent the past year on sabbatical after working at Fort Meade (NSA). This may be trivial, but his father is an employee at Wylfa nuclear power station and, in an indirect way, he likely understood how to take down a similar installation. Also, a Middle Eastern person between 20-30 was reportedly seen leaving the apartment building. Maybe the Iranians could only get to him because the Iranian regime has a presence there as opposed to the US or Israel. He was killed in August, by which time the Iranians were likely aware of the malware (it was initially reported by a Bulgarian firm in June). Not to be a master of the obvious, but regardless, his death is tragic.


SHEMHAMPHORASCH

11:56 PM ET

October 9, 2010

I like this theory.


OTROBABOSO

2:58 PM ET

September 28, 2010

Windows & Security

First of all, I own seven computers, only one of which is a Windows box (XP). Windows is _not_ my favorite operating system.

1. In response to the hidden trap door theories, MS provides the source code for its Windows systems to people who have a legitimate need to see it. This includes foreign governments that are concerned about trap doors. If MS removed a trap door before allowing an expert to see the source code, it would be simple to detect. If you have the source code, you can compile it, and then compare the compiled files with the Windows files in use. If there are any differences, then you know that the source code you are viewing is not the source code that MS used to compile the files that it distributes. So MS has no way of hiding a trap door from the governments and experts it allows to view the source code.

2. Before the Internet, viruses spread via floppy disks. Computer labs had rules against bringing in your own floppy disks and installing your own software. This wasn't a perfect solution, but it worked pretty well. There's a very simple solution for viruses that depend on the Internet; disconnect the computer from the Internet. In this case, while the worm reportedly depends on a security hole in Windows, it spread to the Iranian systems via the current equivalent of an infected floppy disk; an infected USB memory stick. And its functioning depends at least partly on using the Internet to connect to an outside system. So the critical security failures here had nothing to do with Windows, but were due to policies that allowed a contractor to insert a USB stick of unknown provenance into a critical system drive, and allowed the same critical system to connect to the Internet.

3. Windows is by far the most common OS in use today. Basing your control system on Windows means that most of the people using the control system will be familiar with the OS, which in turn reduces training costs and operator errors. Most security failures are due to either bad policy or lax enforcement. Basing a control system on a more secure OS won't eliminate the majority of security failures. Switching from Windows to another OS would have raised user costs without a corresponding increase in security. And given the sophistication of the Stuxnet worm and the laxness of Iranian security, the experts that created Stuxnet probably could have figured out a way to crack any other OS.


REDBOURN

2:27 AM ET

September 30, 2010

John Markoff's dumb comment!

John Markoff, the longtime tech reporter for the New York Times, takes on this question in today's paper. "If Stuxnet is the latest example of what a government organization can do, it contains some glaring shortcomings".

The above is so far off target that it would seem to be driven solely by political considerations.

Markoff is most likely sympathetic to Iran and against sanctions, and considers Stuxnet a "terrorist attack".

Many of Stuxnet's features are totally groundbreaking, and one of those features is that it will only do harm to an environment that meets a whole array of very specific criteria.

"The program was splattered on thousands of computer systems around the world, and much of its impact has been on those systems, rather than on what appears to have been its intended target, Iranian equipment".

What harm did Stuxnet do to those computers?

Stuxnet is not about destroying computers!

Markoff writes for the NYT, which I stopped reading many moons ago because of its extreme left wing bias, and this widely publicized drivel simply confirms the correctness of my decision.


Passport, FP’s flagship blog, brings you news and hidden angles on the biggest stories of the day, as well as insights and under-the-radar gems from around the world.