Greater Egret

Monday, September 27, 2010

Stuxnet Worm Ouroboros

The breaking story of the computer virus that has attacked the Iranian nuclear program reads like a Le Carre spy thriller. A photograph that was inadvertently disseminated by the Iranians themselves last year showed a computer screen with a little red box clearly visible. A box that alerted every computer security hack in the world that the Iranian nuclear program was essentially unsecured.

I just can't for the life of me think of who might be responsible for the virus. I just hope that the perpetrator is brought to justice. Because who knows how long it will be before they can get this whole mess under control? How will the Iranians be able to arm themselves with nukes if they are sitting around waiting for their McAfee update?

The virus apparently attacked the inner workings of a Siemens industrial control system (the Simatic software discussed below) that had been appropriated from the Russians. Unsuspecting engineers reportedly brought it in on their flash drives. As effective as a well-placed missile aimed at a nuclear reactor like, say, Osirak, but this time delivered in a bevy of 0s and 1s.

"We had anticipated that we could root out the virus within one to two months," Hamid Alipour, deputy head of Iran's Information Technology Co., a part of the ministry of communication and information technology, told the Islamic Republic News Agency. "But the virus is not stable, and since we started the cleanup process three new versions of it have been spreading," he said. Darn it, that's awful.

The worm reprograms the critical control software once it is inside the target system. Researchers still do not know which system it ultimately had in its sights or what type of sabotage was intended, or even what future damage may occur as a result of the breach.

Iranian officials said Saturday that they had been hit by "electronic warfare" and acknowledged that the worm had infected more than 30,000 computers, including personal computers owned by employees of the nuclear power plant near Bushehr. According to Israeli sources, the real target was the uranium enrichment facility at Natanz - where the centrifuge operational capacity has dropped over the past year by 30 percent after an unknown attack. The new analysis, based on the characteristic behavior of the Stuxnet worm, contradicts earlier assessments that the target was the nuclear reactor at Bushehr.

According to Haaretz's Yossi Melman:

The Bushehr reactor, however, is considered less of a security threat than Natanz by the intelligence communities in both Israel and the United States. Because intelligence analysts believe Iran would have enough material for at least two nuclear bombs if it enriched the uranium held at Natanz from 3.5 percent to 90 percent, every scenario for an Israeli or American attack on Iran's nuclear facilities has put Natanz high on the list of potential targets.
There have been reports in the past of other alleged efforts by Israel and the West to undermine the Iranian nuclear project, some of which also targeted Natanz. These efforts included infiltrating the purchasing networks Iran set up to acquire parts and material for the centrifuges at Natanz and selling damaged equipment to the Iranians. The equipment would then be installed on site and sabotage the centrifuges' work.
The centrifuge - a drum with rotors, an air pump, valves and pressure gauges - is an extremely sensitive system. Generally, 164 centrifuges are linked into a cascade, and several cascades are then linked together. But the centrifuges need to operate in complete coordination to turn the uranium fluoride (UF6) they are fed into enriched uranium. Their sensitivity makes them particularly vulnerable to attacks, since damage to a single centrifuge can create a chain reaction that undermines the work of one or more entire cascades.
The International Atomic Energy Agency, whose inspectors regularly visit Natanz, has reported that of the more than 9,000 centrifuges installed on the site, fewer than 6,000 are operational. The agency did not provide an explanation of this 30 percent drop in capacity compared to a year ago, but experts speculated that the centrifuges were damaged by flawed equipment sold by Western intelligence agencies through straw companies.
The recent revelations about the Stuxnet worm might provide new insights into the problems encountered by the enrichment facility. German computer expert Frank Rieger wrote in Frankfurter Allgemeine Zeitung on Sunday that Wikileaks, a website specializing in information leaked from government agencies, reported in June on a mysterious accident at Natanz that paralyzed part of the facility. Rieger now thinks the Wikileaks report was connected to the Stuxnet worm. He noted that whoever developed the virus refined its programming to allow it to damage small, sensitive components like regulators, valves and pressure gauges, all of which are found in centrifuges.

The long-term impact may be negligible. Iran already has enough enriched uranium in its possession for nuclear weapons. Russian security expert Eugene Kaspersky believes that this virus is the first strike in a new era of cyber warfare. This Computerworld article deals with how the worm spreads back onto previously scrubbed PCs. And this one, also from Computerworld, shows how the worm took advantage of Windows zero-days, including a print spooler flaw, at least one of which was not known to the public at large. ZDNet notes that the hard-coded password for the Siemens system was public knowledge. An interesting take from the NYT argues that only a nation state could be capable of such a concerted attack, perhaps a nation like Israel. Our own Pentagon will neither confirm nor deny. The Christian Science Monitor had an excellent article.

And another great CSM article where I found this snippet:

...A journalist's photo from inside the Bushehr plant in early 2009, which Langner found on a public news website, shows a computer-screen schematic diagram of a process control system – but also a small dialog box on the screen with a red warning symbol. Langner says the image on the computer screen is of a Siemens supervisory control and data acquisition (SCADA) industrial software control system called Simatic WinCC – and the little warning box reveals that the software was not installed or configured correctly, and was not licensed. That photo was a red flag that the nuclear plant was vulnerable to a cyberattack, he says.
"Bushehr has all kinds of missiles around it to protect it from an airstrike," Langner says. "But this little screen showed anyone that understood what that picture meant ... that these guys were just simply begging to be [cyber]attacked."
The picture was reportedly taken on Feb. 25, 2009, by which time the reactor should have had its cybersystems up and running and bulletproof, Langner says. The photo strongly suggests that they were not, he says. That increases the likelihood that Russian contractors unwittingly spread Stuxnet via their USB drives to Bushehr, he says.

It remains to be seen just how deep this cyber bomb has burrowed. And how would you like to be Microsoft, scurrying around trying to ship security patches for holes that just may have been weaponized by their very own United States of America? Or is this another case of the zionist entity perfidiously making Ahmadinejad their beehatch?

1 comment:

grumpy said...

...that Achmad, he's a real piece of work... I love the George Blanda graphic, and the Marcus Aurelius quote.