
Cyber Arms Race Could Change the World Around Us

Source: RIA Novosti commentator Konstantin Bogdanov

The world is getting ready for a new arms race – this time in cyber weapons. What was previously considered to be the domain of semi-criminal marginal groups or a cheap way of expressing sociopathy is now attracting the interest of governments, who are considering producing weaponized software on an industrial scale.

Whereas before it was unclear what the endless “army cyber commands” and other sinecures were up to, the last two or three years have seen the appearance of very unpleasant evidence of serious work potentially capable of changing the image of the world as we know it.

We’ve seen nothing like this before

This was the initial reaction of Symantec analysts when they started looking into an incomprehensible computer worm nicknamed Stuxnet. Two major waves of spreading the worm were noted: the first version in summer 2009 and the second in spring 2010.

Researchers found a rootkit (a set of malicious programs that embed themselves in a system without being detected) that was a masterpiece of cyber-weaponry. According to experts, half a million euros might have been spent on developing this sophisticated piece of software. The worm was unique in every respect: it simultaneously used four previously unknown Windows bugs and two genuine security certificates. At the same time, Stuxnet carried out its main task (infiltration, analysis of the environment and further spread) in a very slow and unobtrusive manner.

The worm targeted industrial control systems, in particular a specific brand of Siemens industrial controllers. At the same time, the rootkit included control procedures for variable frequency drive converters of two specific brands (one Finnish, one Iranian).

Moreover, experts said the worm did not rush at these converters but gradually penetrated the industrial network, gathering information about its operating modes and fully establishing control over the computer monitoring system. Only once it had done this did the virus begin to gently “manipulate” parameter settings. It would take them out of action for a short time in order to disrupt the operation of the equipment.

Based on the distribution of the worm, experts established a potential target of attack: software-controlled centrifuges at the uranium-enrichment facility at Natanz, Iran.

In late November 2010, Iranian President Mahmoud Ahmadinejad said on the record that cyber attacks created “problems” in what he called a “limited” number of centrifuges. Naturally enough, this report evoked an instant response from the public and the media, crediting Stuxnet with the successful termination of Iran’s enrichment efforts.

Your hard work is not your achievement but their failing

There is, however, considerable doubt that the worm attack took place (or at least that it caused any noticeable results). Experts on computer and industrial security sounded the alarm but nuclear workers remained calm.

At any rate, IAEA experts who were directly in charge of monitoring the Natanz facility bluntly rejected any allegations that any disruptions in the work of the plant took place. Nonetheless, they admitted that the worm could in theory penetrate the facility’s computer network.

Their conclusions are understandable – there was no evidence of a drop in production at the uranium enrichment facility in Natanz, the supposed target of the attack. The rate of breakdown of centrifuges accelerated somewhat between November 2009 and January 2010, but that could be explained by the mass replacement of worn-out or low-quality Iranian-produced equipment. No evidence of any emergency at the plant was recorded.

Moreover, it seems that the worm’s developers may have outsmarted themselves. In working with the frequency drive converters, they used the parameters that had been supplied by Iran through the IAEA. It is not clear whether this was a Tehran-inspired leak or whether these “brainiacs” simply used the first information that seemed authentic to them and did not bother checking it. In other words, the anti-nuclear hackers were let down by their ignorance of the hardware they were planning to take over. Moreover, it is possible that the equipment at Natanz was not the intended target of the worm.

However, you could say the Iranians were lucky. The virus in the network was discovered very fast and adverse consequences were avoided. This is probably why no meaningful traces of the attack were found: the worm’s impact on Iran’s centrifuges was designed to be very subtle, causing increased wear and tear over a long period of time.

Smile you’re on camera

In the meantime, the “anonymous well-wisher” of the Iranian nuclear program has continued working. Stuxnet was followed by two further rootkits of great interest: Duqu, which was discovered in September 2011, and Flame, which was intercepted in late May 2012.

Unlike the mischievous Stuxnet, which was targeted at industrial control systems, these viruses were more conventional, though no less dangerous.

Both rootkits could be described as comprehensive tracking systems that collected information from infected computers. They intercepted passwords, tracked key presses, recorded sound from the built-in microphone, took screenshots, gathered information on processed files and analyzed network traffic. This information was then encrypted and sent to an external master server.

Analysts believe that the approaches to the development of Stuxnet and Duqu are so similar that they may have a common platform. In any event, both rootkits are likely to have been created by the same team.

Flame is considered to be a separate product, but some of the solutions typical for it can be traced back to the first 2009 version of Stuxnet. This suggests that at least two groups of developers, who partially relied on each other’s work, might have been involved in this project.

“Olympic Games” for Iran

The intuitively obvious guess about who was behind these efforts was confirmed not long ago. In June 2012, The New York Times bluntly reported that Stuxnet and Flame were developed during Operation Olympic Games, a joint effort between two electronic intelligence agencies, the U.S. National Security Agency and Israel’s Unit 8200.

According to the newspaper’s sources, the operation was launched on the orders of George W. Bush, which matches the estimated period in which Stuxnet and Flame were developed. Having replaced Bush in the White House, Barack Obama ordered that this work be accelerated with a view to impeding Iran’s nuclear program. All efforts to this end were code-named Olympic Games.

On precisely the fifth day after the publication, The Wall Street Journal carried the official reaction to it: “The FBI has opened an investigation into who disclosed information about a classified U.S. cyber attack program aimed at Iran’s nuclear facilities…” No further comment is needed.

Don’t play with matches at a gas station

It does not matter whether Stuxnet’s “physical attack” on Iran’s centrifuges was a success or if it was introduced into the facility’s network but failed to do much damage.

This is a model of a cyber weapon which is aimed not so much against strictly “virtual” targets (such as private information or the proper functioning of information systems) as against the actual physical infrastructure.

Industrial control systems are widespread. They are the backbone of all automated modern production systems, including hazardous ones. Computer systems run energy facilities and gas compressor stations and control traffic.

The development of an effective cyber weapon capable of putting such systems out of action could have disastrous consequences.

In this sense, we are at about the same stage as the world was between July 16 and August 6, 1945, after the United States tested its first nuclear device near Alamogordo but had not yet dropped any nuclear bombs on Japanese cities.

These new awkward cyber weapons, the development of which is sponsored by the leading powers, will be followed by others, more effective and more sophisticated. The problem is that such weapons can potentially do much more damage to advanced “critical infrastructures,” of which there is a higher number in the United States and Western Europe than in Asia. Those who have launched this race for cyber weapons are throwing stones while living in glass houses.


Iran targeted by ‘Flame’ espionage virus

Source: The Telegraph

Iranian computer networks have been targeted by a cyber espionage virus many times more complicated than any malicious software ever seen before, security experts have said.

The virus, named Flame or Skywiper, could only have been created by a state, according to analysts who have investigated it and the pattern of infection.

“The results of our technical analysis support the hypotheses that Skywiper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities,” said Crysys Lab, a unit that investigates computer viruses at Budapest University.

The discovery of Flame/Skywiper, which may have been in circulation for more than five years, offers further confirmation of the secret battle being waged by intelligence agencies online.

Although its purpose is to steal information rather than cause physical damage, Flame/Skywiper is said to be a much more complicated piece of malicious software than Stuxnet, the groundbreaking virus designed to cripple Iranian uranium enrichment.

“Information gathering from a large network of infected computers was never crafted as carefully,” Crysys Lab said.

“It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, WiFi, Bluetooth, USB and system processes.”

In their preliminary technical report, the investigators describe unprecedented layers of software, designed to allow Flame/Skywiper to penetrate computer networks undetected. The 20MB file, which infects Microsoft Windows computers, has five encryption algorithms, exotic data storage formats and the ability to steal documents, spy on computer users and more.

Various components of Flame/Skywiper enable those behind it, who use a network of rapidly-shifting “command and control” servers to direct the virus, to turn microphones into listening devices, siphon off documents and log keystrokes.

Eugene Kaspersky, the founder of the Russian anti-virus firm Kaspersky Lab, which has also analysed the virus, noted that “it took us 6 months to analyze Stuxnet. [This] is 20 times more complicated”.

Iran’s Computer Emergency Response Team, Maher, today issued a statement claiming Flame/Skywiper was “a close relation” of Stuxnet, which has itself been linked to Duqu, another complicated information-stealing virus that is believed to be the work of state intelligence. Many experts suspect Stuxnet was created by the United States and Israel.

Crysys Lab said the technical evidence for a link between Flame/Skywiper and Stuxnet or Duqu was inconclusive, however. While they shared many common components, the newly-discovered virus bears little resemblance; for instance, Flame/Skywiper does not spread itself automatically but only when hidden controllers allow it.

In its statement, published online, Maher said selected organisations had been given software to detect and remove the newly-discovered virus at the beginning of May.

As well as Iran, Flame/Skywiper infections have been detected in the West Bank, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

Stuxnet planted by Iranian double agent for Israel

By Kevin McCaney

An Iranian double agent working for Israel used a memory stick to plant the Stuxnet virus that disrupted Iran’s nuclear program, according to a published report quoting current and former U.S. intelligence officials.

Richard Sale, writing for ISSSource, said the agent, probably a member of an Iranian dissident group, used a corrupt memory stick to implant the virus at the Natanz nuclear facility, according to the sources.

Iranian proxies, dissidents acting as double agents, also have been involved in assassinating Iran’s nuclear scientists, the sources reportedly told Sale.

Stuxnet, likely the first example of weaponized malware, was already known to have spread via memory sticks, or key drives. Introduced in late 2009, it spread quickly to systems around the world, although it was designed for only one purpose: to attack a specific version of a Siemens programmable logic controller (PLC) that was used in centrifuges for uranium enrichment at Iran’s nuclear facilities.

The worm, which used four zero-day exploits in its attacks, disrupted the rotational frequency of the centrifuges, and ultimately damaged Iran’s nuclear program, according to an International Atomic Energy Agency report.

Uranium enrichment at the Natanz plant was shut down for seven days in November 2010. Reuters reported in February that engineers had finally succeeded in scrubbing Stuxnet from their systems.

Because of its complexity and its specific target, Stuxnet has been thought to be the work of a nation-state, and the United States and Israel have often been mentioned as possibly being behind it. ISSSource — or Industrial Safety and Security Source, a site that reports on manufacturing security and safety issues — has reported that Stuxnet was part of a joint U.S.-Israeli effort aimed at Iran. (The sources who told Sale about the assassination of Iranian scientists said, however, that the United States was unaware of those operations.)

Stuxnet’s success in disrupting nuclear processing in Iran has raised fears about what similarly designed malware could do if it attacked facilities in the United States and elsewhere.

In January, Kaspersky Labs said its researchers determined that Stuxnet and Duqu, a close variant that has been found gathering information on industrial systems in Europe, are likely part of a much larger family of malware, and that future Stuxnet-style attacks are likely.

That type of malware could be used to attack power grids, water processing plants and other critical infrastructure facilities. The Homeland Security Department in November confirmed earlier research showing that prisons, which use PLCs to control doors, video systems, alarms and intercoms, are vulnerable to a Stuxnet-like worm.

The fact that much of the infrastructure in the United States is privately owned, rather than government-owned as in Iran, also could complicate the response to such attacks.

The Internet and Iran – ‘It Is Possible to Pull the Plug’

The regime of President Mahmoud Ahmadinejad has threatened to completely cut Iran off from the Internet. But activists in the country are well-versed in circumventing official censorship. In a conversation with SPIEGEL, Internet expert Philip Howard explains how they do it and says that complete digital isolation is virtually impossible.

SPIEGEL: Iran has announced its intention to completely cut itself off from the Internet. Is such a thing realistic?

Howard: The government in Tehran has already shown itself to be capable of such a thing. Following the controversial re-election of President Mahmoud Ahmadinejad in June 2009, the country was cut off for about 24 hours. But when a regime shuts down the Internet, it is usually also a last, desperate measure.

SPIEGEL: Even in 2009, the country wasn’t completely offline.

Howard: The Iranian government asked the three largest Internet service providers to shut down, but they didn’t bother with the smaller ones. What many states don’t understand is that digital networks are essentially networks. When you remove two or three important nodes, other nodes pick up the traffic. And there are always a few activists who are prepared and have their satellite phones ready. They set up connections to Internet service providers in Europe and they work out other ways of getting out a little bit of information.

SPIEGEL: Instead of using landlines, some Iranian bloggers have taken to using satellite dishes to access the Internet.

Howard: That, though, is relatively difficult from a technical point of view. It’s not easy to adapt the satellite dishes…

SPIEGEL: … which are increasingly being destroyed by special police units…

Howard: …and access the web via providers in Dubai or Cyprus. It is difficult to say if this route will remain open when the regime imposes its total boycott.

SPIEGEL: How else could a complete boycott be circumvented?

Howard: Universities often have their own distinct connections to one another. Major trading houses or major financial centers also sometimes have backup connections. They are electronic networks that may be distinct from what the regime shuts off.

SPIEGEL: There is no way for Tehran to go back to a time before the World Wide Web?

Howard: A complete partition is not possible. As long as there are a few lines open, activists will find a way to use them. The US is working on developing the ability to send digital packets that are invisible and are only interpretable for other machines that you set up on the network that know what to look for. It’s called a dark Web infrastructure and you can use it to take advantage of networks belonging to universities or companies that we don’t normally think of as being part of the Internet.

SPIEGEL: From a technical perspective, what would an attempt to cut a country off from the Internet look like?

Howard: You have to try to reconfigure things so that all of the Internet service providers go through one “Internet exchange point.” At the time of the unrest in Iran, there were a few Internet exchange points. Now, it looks as though the regime has found some of the smaller ones and shut them down and rerouted all of the traffic to one. Then it is possible to pull the plug on that one Internet exchange point.

SPIEGEL: Were Tehran to make such a move, the price would be high. The country would become even more isolated.

Howard: And the price wouldn’t just be political. Were Iran to disconnect its oil industries from global information flows, the impact on those industries’ ability to deliver what little they can sell would be enormous. When Hosni Mubarak shut off the Internet in Egypt during the protests there, the impact was disastrous. The five days offline cost the Egyptian economy an estimated €250 million.

SPIEGEL: President Ahmadinejad has indicated he wants to provide an alternative, a so-called intranet which will allow Iranians to communicate among themselves.

Howard: It is certainly possible. China has the best example of a national network that is relatively disconnected from the rest of the global information infrastructure. The Chinese have built software that basically mimics anything we develop in the West and embed surveillance algorithms deeply into them. But I’d be very surprised if the Iranians were able to launch all of this.

SPIEGEL: So all this talk about a gigantic intranet, it is just propaganda?

Howard: It is mostly a political threat. Their goal probably isn’t to totally disconnect. The idea is probably to slow down the Internet traffic so much that you can use a program to inspect each piece of information that comes and goes. It’s a very inefficient way of doing censorship, but it is the most effective.

SPIEGEL: Iran’s blogger scene is considered particularly adept at avoiding censorship.

Howard: There are not many Muslim countries which have a population as networked as that of Iran. Ten million Iranians are regular Internet users. Particularly the politically engaged youth know the web and know the tricks.

SPIEGEL: Tricks to get around having to use the government-controlled servers, you mean?

Howard: Proxy servers are one of the things that activists have put to work for themselves. So when the state tries to shut down the Internet or when you learn that an authoritarian regime is watching particular sites or trying to disable YouTube or Twitter, proxy servers are very helpful as ways of getting around those. They open doors where other doors have been shut. I’ve also heard that gaming consoles such as PlayStation or Xboxes can be turned into devices for sending out information without having to go through Internet exchange points.

SPIEGEL: But the regime too has a fair amount of know-how.

Howard: We know that the Iranians possess high-grade censorship programs. Some of the systems come from companies such as Nokia-Siemens. And the best commercial grade censorship software comes out of Silicon Valley. The same software that we might use to prevent our children from looking at porn on the Internet is basically the same software that is sold to regimes, but instead of entering pornography-related terms, you put in terms like student union, protest or democratization.

SPIEGEL: The US government has approved around $70 million to set up so-called shadow networks to help dissidents communicate independent of the official Internet.

Howard: I don’t think you can read this to say that the US is interested in supporting dissidents around the world. I think you can read it to suggest that the US likes to be able to control the software and maybe turn it off when necessary.

SPIEGEL: Still, even if the Iranians are Internet savvy, it didn’t seem to help them much. The Green Revolution was brutally put down.

Howard: But the mullahs are split in a way that they never have been before. And the world saw that Persians took to the streets and were willing to face tear gas and rubber bullets, just like in Egypt and Tunisia. The Internet was useful by enabling journalists to publish stories overseas that they couldn’t publish at home. We are seeing the same thing in Libya, Syria and Yemen, although I don’t think the Internet has the same logistical function in those countries as it did in Tunisia and Egypt.

SPIEGEL: And Iran, it would seem, had its chance but wasn’t quite able to pull it off.

Howard: I don’t think of it as a failed revolution. I think of it as the one that almost happened. The democratization efforts didn’t prevail, but the system of political communication in that country has so significantly changed that the next time they rig an election, it will be very difficult to pull off peacefully.

Interview conducted by Dieter Bednarz and Hilmar Schmundt
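The single-exchange-point scenario Howard describes, modelled as an added example that is not part of the interview: a constructed topology of ISPs, exchange points and an external network (all node names are invented), checked for which providers keep foreign reachability after given nodes are shut down and which nodes are single points of failure.

```python
"""Resilience of a national network to the shutdown of its exchange points.

Constructed example: the topology below is invented and does not describe
Iran's real network. 'EXT' stands for the global Internet beyond the border.
"""
from collections import deque

# Before consolidation: three exchange points plus a university research link.
TOPOLOGY_2009 = {
    "isp_a": {"ixp_1", "ixp_2"},
    "isp_b": {"ixp_1"},
    "isp_c": {"ixp_2", "isp_small"},
    "isp_small": {"isp_c", "ixp_3"},
    "university": {"ixp_3", "EXT"},  # own line abroad, as Howard describes
    "ixp_1": {"isp_a", "isp_b", "EXT"},
    "ixp_2": {"isp_a", "isp_c", "EXT"},
    "ixp_3": {"isp_small", "university", "EXT"},
    "EXT": {"ixp_1", "ixp_2", "ixp_3", "university"},
}

# After consolidation: every provider and the university route through ixp_1.
TOPOLOGY_CONSOLIDATED = {
    "isp_a": {"ixp_1"},
    "isp_b": {"ixp_1"},
    "isp_c": {"ixp_1", "isp_small"},
    "isp_small": {"isp_c", "ixp_1"},
    "university": {"ixp_1"},
    "ixp_1": {"isp_a", "isp_b", "isp_c", "isp_small", "university", "EXT"},
    "EXT": {"ixp_1"},
}

ISPS = {"isp_a", "isp_b", "isp_c", "isp_small"}


def _undirected(topology):
    """Symmetric adjacency map: peering links carry traffic both ways."""
    adj = {n: set() for n in topology}
    for node, peers in topology.items():
        for p in peers:
            adj.setdefault(p, set()).add(node)
            adj[node].add(p)
    return adj


def reachable_after_shutdown(topology, shut_down, target="EXT"):
    """Nodes that can still reach `target` once `shut_down` nodes are removed."""
    adj = _undirected(topology)
    shut_down = set(shut_down)
    if target in shut_down or target not in adj:
        return set()
    seen = {target}
    queue = deque([target])
    while queue:  # breadth-first search outward from the external network
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in seen and nxt not in shut_down:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {target}


def single_points_of_failure(topology, sources, target="EXT"):
    """Nodes whose removal alone cuts every source off from the target."""
    sources = set(sources)
    result = set()
    for node in topology:
        if node == target or node in sources:
            continue
        if not (reachable_after_shutdown(topology, {node}, target) & sources):
            result.add(node)
    return result


if __name__ == "__main__":
    # Removing "two or three important nodes" before consolidation.
    still_up = reachable_after_shutdown(TOPOLOGY_2009, {"ixp_1", "ixp_2"}) & ISPS
    print("2009, ixp_1+ixp_2 down, providers still online:", sorted(still_up))
    print("2009 single points of failure:",
          sorted(single_points_of_failure(TOPOLOGY_2009, ISPS)))
    print("consolidated single points of failure:",
          sorted(single_points_of_failure(TOPOLOGY_CONSOLIDATED, ISPS)))
```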

Mossad’s Miracle Weapon: Stuxnet Virus Opens New Era of Cyber War

By Holger Stark

The complex on a hill near an interchange on the highway from Tel Aviv to Haifa is known in Israel simply as “The Hill.” The site, as big as several soccer fields, is sealed off from the outside world with high walls and barbed wire — a modern fortress that symbolizes Israel’s fight for survival in the Middle East. As the headquarters of Israel’s foreign intelligence agency, the Mossad, this fortress is strictly off-limits to politicians and journalists alike. Ordinarily, it is the Mossad that makes house calls, and not the other way around.


The agency’s strict no-visitors policy was temporarily relaxed on a Thursday in early January, when a minibus with darkened windows pulled into a parking lot in front of a nearby movie theater. The journalists inside were asked to hand over their mobile phones and audio recorders. Meïr Dagan, the powerful head of the Mossad, had invited them to the facility. It was his last day in a position he had held for seven years. On that January day, the journalists were there to document his legacy: the Mossad’s fight against the Iranian nuclear program.

He spoke passionately about the risks of a possible military strike against Iran, saying that he believed that such an attack would lead to a conflagration in the region that would include a war with Hezbollah and Hamas, and possibly with Syria. And anyone who believed that a military strike could stop Tehran’s nuclear program was wrong, said Dagan. It could slow down the program, he added, but only temporarily. For this reason, the outgoing Mossad chief was against bombs — but in favor of anything that could set back the Iranian nuclear program without starting a conventional war.

Delay was the new magic word. And to that end, the Mossad head had created a miracle weapon that everyone in the room on that January day knew about, but which Dagan did not mention by name: Stuxnet.

Stuxnet, a computer virus that can infiltrate highly secure computers not connected to the Internet, a feat previously believed to be virtually impossible, entered the global political arena more than a year ago, in June 2010. The virus had attacked computers at Iran’s Natanz nuclear facility, where scientists are enriching uranium, and manipulated the centrifuges to make them self-destruct. The attack penetrated into the heart of the Iranian nuclear program.

Stuxnet is the world’s first cyber-weapon of geopolitical significance. Frank Rieger of the legendary German hacker organization Chaos Computer Club calls it “a digital bunker buster.” The virus represents a fundamentally new addition to the arsenal of modern warfare. It enables a military attack using a computer program tailored to a specific target.

One year later, there is not an Internet security firm or government of a major country that is not addressing Stuxnet and its consequences, as well as taking action as a result. To learn more about Stuxnet and understand what is behind the virus, SPIEGEL traveled to Israel — the country where the cyber-weapon was invented.

Following the Trail

The Israeli branch of the US computer security firm Symantec is housed in a nondescript modern complex in Tel Aviv, a 15-minute drive from Ben Gurion International Airport. Sam Angel, the head of Symantec Israel, meets visitors in the underground garage and takes them to the conference room on the fourth floor. At the beginning of his PowerPoint presentation, Angel says: “Stuxnet is the most sophisticated attack we have ever seen. This sort of an attack, on a mature, isolated industrial system is completely unusual.” He projects a map onto the wall, showing the countries where such an attack has taken place: Iran, Indonesia, Malaysia and Belarus, where a man named Sergey Ulasen discovered Stuxnet.

Ulasen, who works in the research and development department at the VirusBlokAda security firm in Minsk, received what seemed to be a relatively mundane email on June 17, 2010. An Iranian firm was complaining that its computers were behaving strangely, shutting themselves down and then rebooting. Ulasen and a colleague spent a week examining the machines. Then they found Stuxnet. VirusBlokAda notified other companies in the industry, including Symantec.


When the engineers at Symantec got to work, they came across two computers that had directed the attacks. One of the servers was in Malaysia and the other was in Denmark, and they were reachable through the addresses and They had been registered, under a false name and with a forged credit card, through one of the world’s largest Internet registration companies, a firm based in the US state of Arizona. Symantec rerouted the incoming and outgoing communication at the two servers to its computer center in Dublin, which enabled it to monitor the activity of the virus. Whoever had launched Stuxnet had gotten away, but at least Symantec could follow the trail they had left behind.

The rerouting of communication made it possible to obtain an overview of the countries in which the virus was active. According to that analysis, Stuxnet had infected about 100,000 computers worldwide, including more than 60,000 in Iran, more than 10,000 in Indonesia and more than 5,000 in India. The inventors programmed Stuxnet so that the virus, as a first step, tells the two command-and-control servers if the infected computer is running Step 7, an industrial software program developed by the German engineering company Siemens. Step 7 is used to run the centrifuges at Iran’s Natanz facility.
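The sinkhole telemetry described above (which machines beacon in, from which country, and whether Step 7 is present), as an added example that is not Symantec’s code: a parser and aggregator over constructed beacon records, which deduplicates a host’s repeated beacons before counting and lists the Step 7 hosts a responder would examine first. The record format and all values are invented.

```python
import re
from collections import defaultdict

# Constructed sinkhole records (not real Stuxnet telemetry). Each line is one
# beacon received by the sinkhole: timestamp, source IP, country code, the host
# name the sample reports, and whether Step 7 was found on that machine.
SINKHOLE_LOG = """\
2010-07-20T10:15:02Z 203.0.113.5 IR host=WS-0417 step7=1
2010-07-20T10:15:40Z 203.0.113.5 IR host=WS-0417 step7=1
2010-07-20T10:16:11Z 203.0.113.9 IR host=ENG-02 step7=0
2010-07-20T10:17:03Z 198.51.100.21 ID host=PC-7 step7=0
2010-07-20T10:17:55Z 192.0.2.44 IN host=LAB-1 step7=1
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<cc>[A-Z]{2}) "
    r"host=(?P<host>\S+) step7=(?P<step7>[01])$"
)


def parse_sinkhole_line(line):
    """One beacon as a dict, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["step7"] = rec["step7"] == "1"
    return rec


def summarize_sinkhole(lines):
    """Per-country count of distinct infected hosts and of those with Step 7.

    Hosts beacon repeatedly, so they are deduplicated on (ip, host) before
    counting; otherwise a chatty machine would inflate its country's figure.
    """
    seen = {}
    for line in lines:
        rec = parse_sinkhole_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["host"])
        prev = seen.get(key)
        # A host that ever reported Step 7 stays counted as a Step 7 host.
        seen[key] = (rec["cc"], rec["step7"] or (prev[1] if prev else False))
    summary = defaultdict(lambda: {"hosts": 0, "step7_hosts": 0})
    for cc, step7 in seen.values():
        summary[cc]["hosts"] += 1
        if step7:
            summary[cc]["step7_hosts"] += 1
    return dict(summary)


def priority_hosts(lines):
    """Hosts that reported Step 7, in first-seen order: only those machines
    could have reached the PLC stage, so a responder examines them first."""
    out, seen = [], set()
    for line in lines:
        rec = parse_sinkhole_line(line)
        if rec and rec["step7"]:
            key = (rec["cc"], rec["ip"], rec["host"])
            if key not in seen:
                seen.add(key)
                out.append(key)
    return out


if __name__ == "__main__":
    lines = SINKHOLE_LOG.splitlines()
    for cc, counts in summarize_sinkhole(lines).items():
        print(cc, counts)
    print("examine first:", priority_hosts(lines))
```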

The plant near Natanz, located in the desert 250 kilometers (156 miles) south of Tehran, is protected with military-level security. The aluminum centrifuges, which are housed in bunkers, are 1.8 meters (5 foot 10 inches) tall and 10 centimeters (four inches) in diameter. Their purpose is to gradually increase the proportion of uranium-235, the fissile isotope of uranium. There is a rotor inside the centrifuges that rotates at a speed of 1,000 times per second. In the process, uranium hexafluoride gas is centrifuged, so that uranium-235 accumulates in the center. The process is controlled by a Siemens system that runs on the Microsoft Windows operating system.