I'm not an expert on Stuxnet (or really malware at all) but this whole thing seems extremely overblown.
Is it interesting that there's a piece of malware out there that targets industrial controllers? Absolutely it is. It's probably not just some bored college kid.
Is it a "cyber missile" aimed at the heart of Iran's nuclear weapons program? Probably not. Among other things, the IP ranges it's "targeting" aren't specific to Iran. Also, there's no evidence connecting it to Iran.
Whenever you see a better-than-average piece of offensive computing technology, your first thought should be "extortion", and your second (distant second) thought should be "competitive subterfuge". Extortion happens all the time, and you rarely read about it, because the targets don't want to talk about it. And, while there's never been a corroborated story about an actual cross-state offensive strike using IT technology, there have in fact been cases where industry leaders have whacked on each other using security flaws.
The reporting on Stuxnet seems too captive to tidy and palatable narratives for me to take seriously. It doesn't help that these stories are sourced mostly to SCADA security experts. There are some great people working on SCADA problems, but that field takes everything annoying about computer security PR and amplifies it.
Israel has been pretty public about its desire to stop the Iranian nuclear program.
This kind of plausibly deniable attack sounds just like what Israel has been wanting. And they have the talent to get the job done.
So why not? A nation state sabotaging an enemy's nuclear weapons without it being traced back to them. That's a pretty nice thing to have.
While what you're talking about is of course the most common scenario, it seems like a no-brainer to me that the NSA/DOD/IDF would spend money on preparing to make these kinds of attacks even if they rarely or never implement them. I don't see why the author's theory is implausible.
There is no evidence to suggest that Israel has anything to do with this. None. But here we are, speculating on whether Israel is targeting Iran with "cyber attacks". This is my problem with any story that suggests any country is using security flaws as a weapon.
As a professional matter, nothing in any of the reporting or analysis of Stuxnet suggests to me that this would have cost more than low-six figures to build cold (meaning, what it would cost to have a contractor familiar with malware and runtime security but not familiar with the particular software targeted here). It'd be significantly cheaper if you had devs with industrial controller backgrounds assisted by an exploit-dev contractor.
So, yes, Israel could have been behind this attack. And the NSA could have been behind the Twitter XSS worm. It could be Putin ordering all those DDoS extortion attempts on gambling websites. But I doubt it; it's probably just someone's scheme to make money. Talk to banking security people sometime; crazy stuff is happening every day.
I respect your expertise, but this estimate seems at odds with the mainstream reporting on the difficulty of building it. Can you elaborate why you think this could be a low 6-figure job? It seems to have used more than one 0day, for example.
One of the four "zero days" it's alleged to have targeted was disclosed last year. Two of the others are privilege escalation bugs, which probably aren't worth tens of thousands of dollars. You can probably buy real clientsides in IE or a popular plugin for far less than six figures.
Haha, it's fascinating to see someone in the security field talk about purchasing exploits. It sounds only one step removed from discussing the price to purchase a proof of the Riemann Hypothesis.
from the parent: "You can probably buy real clientsides in IE or a popular plugin for far less than six figures."
I'm pretty sure that what the parent means is that you could buy a plugin, or rather the company that writes a plugin. Say, AdBlock (okay, AdBlock might be more than six figures... a less popular plugin that is still fairly widely used), along with the rights and credentials to upload a new version. (Of course, you'd pretend to be a legitimate business to do this.) Now, I don't know how IE works, but Firefox has a mechanism to automatically update plugins to their latest versions. You now insert your malicious code into the plugin and cause the auto-update to run. Assuming the infection isn't immediately obvious, you will, within a few days, infect nearly all users of that plugin.
I am pretty sure that tptacek does mean buying vulnerabilities. There are quite a few unsophisticated hackers offering exploits for sale ("serious buyers only") (e.g. on the Full-Disclosure mailing list), and the occasional debate about publishing/selling to "good guys" like Zero Day Initiative/selling to "bad guys" suggests that these sellers are, indeed, unsophisticated.
(Which is not to say that your way wouldn't work too.)
You might be right. But I know if I were to attempt to buy a botnet (note, I'm a SysAdmin, not a security expert, so I might be doing it wrong), I'd probably try to do it as I described in my post. People put a lot of trust into popular browser add-ons, and there is very little oversight.
Stuxnet (according to some) looks like it was built to attack Iran's nuclear reactor computers. Israel has a vested interest in stopping Iran's nuclear program. Israel has the technical know-how to design Stuxnet. Not being directly linked to the Stuxnet-as-attack thing is also in Israel's interest.
It's pretty simple, if we go with the idea that Stuxnet was built to attack the nuclear program, then the circumstantial evidence points to Israel. Motive, Means, Opportunity.
That's the difference between circumstantial evidence and direct evidence:
On its own, it is the nature of circumstantial evidence for more than one explanation to still be possible. Inference from one piece of circumstantial evidence may not guarantee accuracy.
(from wikipedia)
If there was direct evidence, this would be a different discussion entirely.
This "Why Iran" stuff boils down to one SCADA security guy saying "the larger number of systems infected in Iran suggests that Iran's nuclear program is a likely target". I've paraphrased, but not by much.
As for your circumstantial evidence... what is it? I think you've conflated supposition with evidence.
"These computers aren't connected to the internet."
Right, the article seems to imply that a nuclear reactor's control system (or whatever it uses) runs Windows, and is connected to the internet. I really hope that that isn't true...
I have trouble believing that any moderately sane or respectable nation state would deploy this thing. It's roughly the equivalent of launching thousands of missiles at completely random targets around the world, but programming them to only go off if they land on the enemy, hopefully. It also opens a Pandora's box of mutations and clones. It's far too evil and stupid for any country below NK insanity levels.
You got downvoted, but I think this is exactly right: very low chance of decisive success, maximal chance of embarrassing international incident. Not a good way to attack a rival regional power.
Ok, I get your argument that this is overstated, and I wouldn't be surprised if you are right.
But why would someone have written it then? It's not like they were using it to try and steal credit card numbers or send spam emails.
It had a very specific purpose, and according to the linked article didn't seem to require manual intervention to turn on (or off?). It seems to have been a one-shot thing - wait for a specific set of events, and then run that mystery command.
Blackmail/Ransom theories are easier to believe than a state-run cyber war program - but the reported logic of the program seems to make it pretty hard to blackmail someone with. It appears to have been designed to cause maximum damage once, with as little warning as possible. That's the opposite of what you want with a ransom/blackmail situation.
Big difference between this and missiles: with missiles you have to pay extra per shot. With this, you release one into the wild and from then the marginal cost to send out more copies is orders of magnitude lower than the original development cost. As for "mutations and clones" - these are computer viruses, not the organic kind.
People can imitate the techniques and develop on them, but as long as copies from and to USB drives maintain their multiple-9s accuracy there won't be much spontaneous change outside of the deployer's control. Instead, the big uncertainty factor with worms and viruses has usually been emergent behavior when the infected computers network into one very large system, leading to behaviors that don't show up in small-scale tests. The way it's described, Stuxnet is inherently limited both by its transmission method - USB sticks - and by its target systems - large embedded systems, typically not network-connected, and with a very standard configuration provided from Siemens.
I used to do industrial controls, so let me give the unfamiliar a little background on these systems.
You have PLCs (programmable logic controllers), often redundant sets of them for critical systems, that run the code that controls the facility. They are networked together via proprietary data networks with no internet involved. These units do not run Windows, or any operating system usually. They have no USB ports, hard drives, or monitors. They are hardened against temperature, dust, and power fluctuations. Once the facility is running properly, the PLCs do everything. No humans need to make any decisions about facility operation.
However, sometimes, humans want to tweak a setpoint or override a safety interlock because they know a sensor is bad, or they want to run a certain automatic operation in manual, because something has changed in their process. For this, they have Windows-based graphics interfaces with pretty animated pictures of valves and motors and pumps and fans and reactors and pipes and ductwork, all of which change their state based on the status of the actual valve or motor or pump or fan. To do that, these Windows-based PCs are networked to the PLCs, to query them for state information. So nobody is "running a factory on Windows". Think of these as terminals into your webserver. If you lose the terminal the webserver keeps on trucking. Also, just like terminals, you can have as many Windows PCs as you want tied into the PLC network, so if you lose a couple, you still have others, in case there's something that you really don't want to lose visibility of.
At no point is this network tied to the internet, for obvious reasons. Usually, the drives are locked out on these systems using physical locks, so only engineering staff can load anything on them. USB is trickier, as I can imagine people hooking up legitimate devices such as sirens and flashing lights and even just speakers for audible alarms, all via USB, which exposes the USB ports to the operators.
Sounds like you haven't been in the industry in a while or we just happen to hit different cross sections. The industrial automation company I worked for bought off-the-shelf "industrialized" PCs, dropped in a motion controller card and went to town. Their older systems ran QNX (real-time Unix) with the GUI and all the data right there on the system. Their newer systems were Windows/INtime (a real-time Windows add-on) based. So yes, there are people using Windows to control the system. I have seen systems where there is no air gap between these Windows-based systems and the Internet. In fact I have remotely logged in to systems in plants via VPN and worked from home.
> dropped in a motion controller card and went to town
Perhaps we were working on systems of a different scale. Most of the facilities I controlled had on the order of 2000 - 5000 I/O points and stretched over several multistory buildings. It sounds like you're doing motion control of a pick and place machine or something similar. That's also fun, especially now that you can do so much with optical recognition.
Yeah, we mostly did smaller systems. On bigger jobs we tended to do it as several smaller systems working together. The largest system we ever did was several hundred I/O points, but that was over maybe 20 systems (we did all product movement between machines in the place).
Thanks. I took a tour of a lumber mill one time that was all automated. It was pretty cool. To be honest, the way these nuke plants are described is less secure than the lumber mill. I really, really hope that's just really terrible reporting.
Here's a much-less-sensationalist description (from symantec.com):
Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.
Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.
In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking enumeration, read, and write functions so that you can’t accidentally overwrite the hidden blocks as well.
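Added example, not code from the Symantec write-up or from anyone in this thread: a small Python model of the hooking described in the quote above. The engineering tool reaches the PLC only through three call slots (enumerate, read, write); replacing those slots with filtering wrappers makes an injected block invisible to the programmer and protects it from being overwritten, which is the behaviour the quote describes. The block names, block contents, the entry-block call patch and the `cross_view_diff` check (a block list taken without going through the hooked tool, e.g. from a second, clean machine) are all constructed assumptions for the illustration.

```python
"""Model of hiding an injected PLC block by hooking the engineering tool's
enumerate/read/write calls. Constructed example; nothing here talks to a
real PLC or real programming software."""


class PlcBlockStore:
    """Stand-in for a PLC's program memory. Block names and code are made up."""

    def __init__(self, blocks):
        self._blocks = dict(blocks)

    def enumerate(self):
        return sorted(self._blocks)

    def read(self, name):
        return self._blocks[name]

    def write(self, name, code):
        self._blocks[name] = code


class EngineeringTool:
    """Stand-in for the Windows programming software. It reaches the PLC only
    through the three call slots below, which is exactly what gets hooked."""

    def __init__(self, store):
        self.enumerate = store.enumerate
        self.read = store.read
        self.write = store.write

    def list_blocks(self):
        return self.enumerate()

    def view_block(self, name):
        return self.read(name)

    def download_block(self, name, code):
        self.write(name, code)


def inject_and_hide(tool, hidden_name, payload, entry):
    """Inject `payload` as a new block, make `entry` call it, then hook the
    tool so the new block is invisible, the patched entry block looks clean,
    and neither can be clobbered by a later download from the programmer."""
    orig_enum, orig_read, orig_write = tool.enumerate, tool.read, tool.write
    patch = "CALL " + hidden_name + "\n"   # assumed call syntax, constructed

    # 1. inject: new block plus a call to it at the top of the entry block
    orig_write(hidden_name, payload)
    orig_write(entry, patch + orig_read(entry))

    # 2. hide: the injected block is filtered out of enumeration ...
    def enumerate_hook():
        return [b for b in orig_enum() if b != hidden_name]

    # ... reads of it fail as if it never existed, and the entry block is
    # shown without the injected call ...
    def read_hook(name):
        if name == hidden_name:
            raise KeyError(name)
        code = orig_read(name)
        if name == entry and code.startswith(patch):
            return code[len(patch):]
        return code

    # ... and writes are filtered so the programmer cannot accidentally
    # overwrite the hidden block or remove the call from the entry block.
    def write_hook(name, code):
        if name == hidden_name:
            return
        if name == entry:
            code = patch + code
        orig_write(name, code)

    tool.enumerate, tool.read, tool.write = enumerate_hook, read_hook, write_hook


def cross_view_diff(tool, clean_store):
    """Detection check: compare the (possibly hooked) tool's view with a view
    of the same PLC obtained without going through that tool. Returns block
    names the tool does not show at all, and names whose content differs."""
    tool_names = tool.list_blocks()
    hidden = sorted(set(clean_store.enumerate()) - set(tool_names))
    altered = sorted(n for n in tool_names
                     if tool.view_block(n) != clean_store.read(n))
    return hidden, altered


def demo():
    """Run the scenario end to end and return what the check finds."""
    store = PlcBlockStore({"MAIN": "A I0.0\n= Q0.0\n", "FC10": "L 5\n"})
    tool = EngineeringTool(store)
    inject_and_hide(tool, "FC1234", "L 1\nT MW0\n", "MAIN")
    return cross_view_diff(tool, store)   # (["FC1234"], ["MAIN"])


if __name__ == "__main__":
    print(demo())
```

The point of `cross_view_diff` is that a rootkit sitting in the programming software can only lie to consumers of that software; a block list taken from a different path (a second, clean engineering station, or a capture of the PLC protocol on the wire) is the comparison an operator needs.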
They are not. In almost any serious industrial automation application there are Windows computers, but they are only a user interface to some backend system (that usually runs on some obscure virtual machine running in some even more obscure RTOS on very specialized hardware).
Shadowrun only feels fun when you know it's a game of fantasy. When cyberpunk concepts previously only seen in the pages of a William Gibson book start erupting into this mundane, boring world of the daily commute and the weekly shop, unfolding into the public consciousness like an ink-stained, holographic neon rose, the fantasy doesn't seem so much fun any more when you're looking at it from the inside. Not so jolly when it ceases to be a game.
I'm confused. What is the method of delivery for this program? I sure hope no one is hooking up nuclear power plants to the tubes in such a way that it's even possible for the computers that control the reaction to make talkies to anything. That just sounds like a really bad idea. And the plot for a really bad Hollywood action flick.
In this case through USB keys. Presumably people updating software on the machines or running diagnostics. Possibly USB dongles to unlock the machines.
Right, but I'm assuming that there are controls over nuclear control machines. That would seem to render this method of "attack" rather impractical unless you had an inside man. In which case it seems a rather round about method of sabotage vs just planting a bomb or yanking some wires or something.
From the article, speculation is that the virus was embedded on the USB drive of a contractor who works on multiple setups, possibly without his or her knowledge; one of the virus's most interesting features is that it can then spread, without user intervention, as soon as the USB drive is plugged into a vulnerable machine, and from that machine can spread onto other USB drives plugged in later.
It doesn't take an inside man - only an inside snippet of code, which you can foist on an unsuspecting worker or consultant. Also, the chain of transmission can be indirect, so that even if you can't get a physical item into the target, you can plant it somewhere else where it eventually spreads to the target (only so many degrees of separation between any two power plants, it seems).
The problem I have is that a contractor should not be allowed to bring in a USB dongle to plug into a machine onsite. Hell, the machines shouldn't have accessible USB ports at all. My other problem is that even if they are allowed to plug their personal USB stick into a machine, control computers should be completely isolated from the machines a random contractor would have access to. I mean seriously? Why would they even be able to talk to one another?
Flash drive. There's a number of flash drives that autoexecute when inserted into a computer. These are a known vector for software infections.
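Added example, not from anyone in the thread: the comment above refers to removable media that launches something on insertion, and on Windows that has classically been driven by an `autorun.inf` file at the root of the drive. The Python below parses such a file and flags the directives that cause execution (`open`, `shellexecute`, and any `shell\<verb>\command`), which is a reasonable first check to run over every mounted removable drive on an engineering workstation. The sample file is constructed; the code says nothing about which vector Stuxnet itself used.

```python
"""Scan an autorun.inf for directives that launch a program when the drive
is inserted or opened. Constructed example; the sample file is made up."""

# Keys in the [autorun] section that name a program to run.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.
    Section and key names are lower-cased; ';' and '#' start comments."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            data.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            data[section][key.strip().lower()] = value.strip()
    return data


def find_autoexec(text):
    """Return [(key, command), ...] for every directive in [autorun] that
    would execute something, in file order."""
    autorun = parse_autorun(text).get("autorun", {})
    hits = []
    for key, value in autorun.items():
        is_shell_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_shell_verb:
            hits.append((key, value))
    return hits


def missing_targets(text, files_on_drive):
    """Cross-check: commands that reference a file not present on the drive.
    A command whose target is absent is either dead or points at something
    hidden from a plain listing, and either way deserves a look."""
    present = {f.lower() for f in files_on_drive}
    missing = []
    for key, command in find_autoexec(text):
        target = command.split()[0].strip('"').lower()
        if target not in present:
            missing.append((key, target))
    return missing


# Constructed sample: a drive disguised as a photo folder that launches a
# program both on insertion (open=) and when "Explore" is chosen.
SAMPLE_AUTORUN = r"""[autorun]
; constructed sample, not a real capture
label=Photos
icon=shell32.dll,4
open=setup.exe /s
shell\explore\command=payload.exe
"""

# Constructed directory listing of the same drive; note payload.exe is absent
# from what a plain listing shows.
SAMPLE_FILES = ["autorun.inf", "setup.exe", "IMG_0001.jpg"]


if __name__ == "__main__":
    print(find_autoexec(SAMPLE_AUTORUN))
    print(missing_targets(SAMPLE_AUTORUN, SAMPLE_FILES))
```

Whether the host honours these directives at all depends on its autorun policy, so the scan is about what the drive is trying to do, not whether it succeeded; treat any hit on an engineering workstation as something to investigate rather than as proof of infection.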
As far as I know, RAM doesn't generally hold memory after it's been powered down. RAM sticks don't make sense as a vector for a virus as far as I can tell.
You could put data on there, sure, but typically the OS won't try to execute garbage data left over from a previous boot - it'll just get overwritten. I suppose you could have it swap out data after boot, but there are easier ways when you have physical access.