
Stuxnet planted by Iranian double agent for Israel

By Kevin McCaney

An Iranian double agent working for Israel used a memory stick to plant the Stuxnet virus that disrupted Iran’s nuclear program, according to a published report quoting current and former U.S. intelligence officials.

Richard Sale, writing for ISSSource, said the agent, probably a member of an Iranian dissident group, used a corrupt memory stick to implant the virus at the Natanz nuclear facility, according to the sources.

Iranian proxies, dissidents acting as double agents, also have been involved in assassinating Iran’s nuclear scientists, the sources reportedly told Sale.

Stuxnet, likely the first example of weaponized malware, was already known to have spread via memory sticks, or key drives. Introduced in late 2009, it spread quickly to systems around the world, although it was designed for only one purpose: to attack a specific version of a Siemens programmable logic controller (PLC) that was used in centrifuges for uranium enrichment at Iran’s nuclear facilities.

The worm, which used four zero-day exploits in its attacks, disrupted the rotational frequency of the centrifuges, and ultimately damaged Iran’s nuclear program, according to an International Atomic Energy Agency report.

Uranium enrichment at the Natanz plant was shut down for seven days in November 2010. Reuters reported in February that engineers had finally succeeded in scrubbing Stuxnet from their systems.

Because of its complexity and its specific target, Stuxnet has been thought to be the work of a nation-state, and the United States and Israel have often been mentioned as possibly being behind it. ISSSource — or Industrial Safety and Security Source, a site that reports on manufacturing security and safety issues — has reported that Stuxnet was part of a joint U.S.-Israeli effort aimed at Iran. (The sources who told Sale about the assassination of Iranian scientists said, however, that the United States was unaware of those operations.)

Stuxnet’s success in disrupting nuclear processing in Iran has raised fears about what similarly designed malware could do if it attacked facilities in the United States and elsewhere.

In January, Kaspersky Labs said its researchers determined that Stuxnet and Duqu, a close variant that has been found gathering information on industrial systems in Europe, are likely part of a much larger family of malware, and that future Stuxnet-style attacks are likely.

That type of malware could be used to attack power grids, water processing plants and other critical infrastructure facilities. The Homeland Security Department in November confirmed earlier research showing that prisons, which use PLCs to control doors, video systems, alarms and intercoms, are vulnerable to a Stuxnet-like worm.

The fact that much of the infrastructure in the United States is privately owned, rather than government-owned as in Iran, also could complicate the response to such attacks.

Mossad’s Miracle Weapon: Stuxnet Virus Opens New Era of Cyber War

By Holger Stark

The complex on a hill near an interchange on the highway from Tel Aviv to Haifa is known in Israel simply as “The Hill.” The site, as big as several soccer fields, is sealed off from the outside world with high walls and barbed wire — a modern fortress that symbolizes Israel’s fight for survival in the Middle East. As the headquarters of Israel’s foreign intelligence agency, the Mossad, this fortress is strictly off-limits to politicians and journalists alike. Ordinarily, it is the Mossad that makes house calls, and not the other way around.


The agency’s strict no-visitors policy was temporarily relaxed on a Thursday in early January, when a minibus with darkened windows pulled into a parking lot in front of a nearby movie theater. The journalists inside were asked to hand over their mobile phones and audio recorders. Meïr Dagan, the powerful head of the Mossad, had invited them to the facility. It was his last day in a position he had held for seven years. On that January day, the journalists were there to document his legacy: the Mossad’s fight against the Iranian nuclear program.

He spoke passionately about the risks of a possible military strike against Iran, saying that he believed that such an attack would lead to a conflagration in the region that would include a war with Hezbollah and Hamas, and possibly with Syria. And anyone who believed that a military strike could stop Tehran’s nuclear program was wrong, said Dagan. It could slow down the program, he added, but only temporarily. For this reason, the outgoing Mossad chief was against bombs — but in favor of anything that could set back the Iranian nuclear program without starting a conventional war.

Delay was the new magic word. And to that end, the Mossad head had created a miracle weapon that everyone in the room on that January day knew about, but which Dagan did not mention by name: Stuxnet.

Stuxnet, a computer virus that can infiltrate highly secure computers not connected to the Internet, a feat previously believed to be virtually impossible, entered the global political arena more than a year ago, in June 2010. The virus had attacked computers at Iran’s Natanz nuclear facility, where scientists are enriching uranium, and manipulated the centrifuges to make them self-destruct. The attack penetrated into the heart of the Iranian nuclear program.

Stuxnet is the world’s first cyber-weapon of geopolitical significance. Frank Rieger of the legendary German hacker organization Chaos Computer Club calls it “a digital bunker buster.” The virus represents a fundamentally new addition to the arsenal of modern warfare. It enables a military attack using a computer program tailored to a specific target.

One year later, there is not an Internet security firm or government of a major country that is not addressing Stuxnet and its consequences, as well as taking action as a result. To learn more about Stuxnet and understand what is behind the virus, SPIEGEL traveled to Israel — the country where the cyber-weapon was invented.

Following the Trail

The Israeli branch of the US computer security firm Symantec is housed in a nondescript modern complex in Tel Aviv, a 15-minute drive from Ben Gurion International Airport. Sam Angel, the head of Symantec Israel, meets visitors in the underground garage and takes them to the conference room on the fourth floor. At the beginning of his PowerPoint presentation, Angel says: “Stuxnet is the most sophisticated attack we have ever seen. This sort of an attack, on a mature, isolated industrial system is completely unusual.” He projects a map onto the wall, showing the countries where such an attack has taken place: Iran, Indonesia, Malaysia and Belarus, where a man named Sergey Ulasen discovered Stuxnet.

Ulasen, who works in the research and development department at the VirusBlokAda security firm in Minsk, received what seemed to be a relatively mundane email on June 17, 2010. An Iranian firm was complaining that its computers were behaving strangely, shutting themselves down and then rebooting. Ulasen and a colleague spent a week examining the machines. Then they found Stuxnet. VirusBlokAda notified other companies in the industry, including Symantec.


When the engineers at Symantec got to work, they came across two computers that had directed the attacks. One of the servers was in Malaysia and the other was in Denmark, and they were reachable through the addresses http://www.todaysfutbol.com and http://www.mypremierfutbol.com. They had been registered, under a false name and with a forged credit card, through one of the world’s largest Internet registration companies, a firm based in the US state of Arizona. Symantec rerouted the incoming and outgoing communication at the two servers to its computer center in Dublin, which enabled it to monitor the activity of the virus. Whoever had launched Stuxnet had gotten away, but at least Symantec could follow the trail they had left behind.

The rerouting of communication made it possible to obtain an overview of the countries in which the virus was active. According to that analysis, Stuxnet had infected about 100,000 computers worldwide, including more than 60,000 in Iran, more than 10,000 in Indonesia and more than 5,000 in India. The inventors programmed Stuxnet so that the virus, as a first step, tells the two command-and-control servers if the infected computer is running Step 7, an industrial software program developed by the German engineering company Siemens. Step 7 is used to run the centrifuges at Iran’s Natanz facility.
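The two preceding paragraphs describe the defender's side of this story: once the command-and-control domains were sinkholed, every beacon from an infected machine became a log entry, and counting those entries per country (and noting which hosts reported the Siemens Step 7 software) produced the infection map. The script below is an added illustration of that aggregation step; it is not Symantec's code. The log format, the `step7=` flag and the sample lines are all constructed for the example, and the only values taken from the article are the two sinkholed hostnames.

```python
"""Aggregate sinkhole beacon logs per country, in the manner the article
describes for the Stuxnet C2 sinkhole.

Constructed example, not Symantec's tooling. Each input line is a beacon
the sinkhole received from one infected host, in a hypothetical format:

    <timestamp> <client_ip> <country> <c2_host> step7=<0|1>

The step7 flag stands in for the "is Step 7 installed" report the article
says the worm sent to its C2 servers.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# The two sinkholed C2 hostnames named in the article.
C2_HOSTS = {"www.todaysfutbol.com", "www.mypremierfutbol.com"}


@dataclass(frozen=True)
class Beacon:
    ts: str
    ip: str
    country: str
    host: str
    step7: bool


def parse_line(line: str) -> Optional[Beacon]:
    """Parse one sinkhole log line; return None for malformed lines or
    beacons aimed at hosts that are not the sinkholed C2 domains."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, ip, country, host, flag = parts
    if host not in C2_HOSTS:
        return None
    if flag not in ("step7=0", "step7=1"):
        return None
    return Beacon(ts, ip, country.upper(), host, flag == "step7=1")


def summarize(lines: Iterable[str]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Return two maps keyed by country code:
    - unique infected hosts (deduplicated by IP, since a host beacons repeatedly)
    - unique hosts that reported Step 7 present, i.e. the ones that matter
      for the worm's actual payload."""
    seen = defaultdict(set)
    with_step7 = defaultdict(set)
    for line in lines:
        beacon = parse_line(line)
        if beacon is None:
            continue
        seen[beacon.country].add(beacon.ip)
        if beacon.step7:
            with_step7[beacon.country].add(beacon.ip)
    return (
        {c: len(ips) for c, ips in seen.items()},
        {c: len(ips) for c, ips in with_step7.items()},
    )


# Constructed sample log: private-range IPs, a repeated beacon from the same
# host, one beacon to an unrelated host, and one malformed line.
SAMPLE_LOG = """\
2010-07-20T08:00:01Z 10.0.0.1 IR www.todaysfutbol.com step7=1
2010-07-20T08:00:09Z 10.0.0.1 IR www.todaysfutbol.com step7=1
2010-07-20T08:01:12Z 10.0.0.2 IR www.mypremierfutbol.com step7=0
2010-07-20T08:02:30Z 10.0.0.3 IR www.todaysfutbol.com step7=1
2010-07-20T08:03:00Z 10.0.1.1 ID www.todaysfutbol.com step7=0
2010-07-20T08:04:44Z 10.0.2.1 IN www.mypremierfutbol.com step7=0
2010-07-20T08:05:00Z 10.0.3.1 US www.example.com step7=0
this line is garbage
""".splitlines()


if __name__ == "__main__":
    infected, targeted = summarize(SAMPLE_LOG)
    for country in sorted(infected):
        print(f"{country}: {infected[country]} infected, "
              f"{targeted.get(country, 0)} reporting Step 7")
```

Deduplicating by source IP is what turns a stream of repeated beacons into a host count; the Step 7 column is the one a responder would sort on, because it separates machines the worm merely passed through from machines it was built to act on.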

The plant near Natanz, located in the desert 250 kilometers (156 miles) south of Tehran, is protected with military-level security. The aluminum centrifuges, which are housed in bunkers, are 1.8 meters (5 foot 10 inches) tall and 10 centimeters (four inches) in diameter. Their purpose is to gradually increase the proportion of uranium-235, the fissile isotope of uranium. There is a rotor inside the centrifuges that rotates at a speed of 1,000 times per second. In the process, uranium hexafluoride gas is centrifuged, so that uranium-235 accumulates in the center. The process is controlled by a Siemens system that runs on the Microsoft Windows operating system.