Iran under cyber attack?
Discussion
http://www.bbc.co.uk/news/technology-11388018
"Stuxnet's complexity suggests it could only have been written by a "nation state", some researchers have claimed."
http://www.langner.com/en/
Stuxnet is a directed attack -- 'hack of the century'
Hamburg, Sep 13, 2010
German IACS security researcher Ralph Langner has successfully analyzed the Stuxnet malware that appeared to be a miracle. Stuxnet is a directed attack against a specific control system installation. Langner will disclose details, including forensic evidence, next week at Joe Weiss' conference in Rockville.
Stuxnet logbook, Sep 16 2010, 1200 hours MESZ
With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge. Here is what everybody needs to know right now.
Fact: As we have published earlier, Stuxnet is fingerprinting its target by checking data block 890. This occurs periodically every five seconds out of the WinCC environment. Based on the conditional check in code that you can see above, information in DB 890 is manipulated by Stuxnet.
Interpretation: We assume that DB 890 is part of the original attacked application. We assume that the second DWORD of 890 points to a process variable. We assume that this process variable belongs to a slow running process because it is checked by Stuxnet only every five seconds.
Fact: Another fingerprint is DB 8062. Check for the presence of DB 8062 in your project.
Fact: Stuxnet intercepts code from Simatic Manager that is loaded to the PLC. Based on a conditional check, original code for OB 35 is manipulated during the transmission. If the condition matches, Stuxnet injects Step7 code into OB 35 that is executed on the PLC every time that OB 35 is called. OB 35 is the 100 ms timer in the S7 operating environment. The Step7 code that Stuxnet injects calls FC 1874. Depending on the return code of FC 1874, original code is either called or skipped. The return code for this condition is DEADF007 (see code snippet).
Interpretation: Stuxnet manipulates a fast running process. Based on process conditions, the original code that controls this fast running process will no longer be executed. (Some people will now want to have their process engineers explain what the DEADF could mean.) After the original code is no longer executed, we can expect that something will blow up soon. Something big.
Ralph's analysis
Now that everybody is getting the picture let's try to make sense out of the findings. What do they tell us about the attack, the attackers, and the target?
1. This is sabotage. What we see is the manipulation of one specific process. The manipulations are hidden from the operators and maintenance engineers (we have the intercepts identified).
2. The attack involves heavy insider knowledge.
3. The attack combines an awful lot of skills -- just think about the multiple 0day vulnerabilities, the stolen certificates etc. This was assembled by a highly qualified team of experts, involving some with specific control system expertise. This is not some hacker sitting in the basement of his parents' house. To me, it seems that the resources needed to stage this attack point to a nation state.
4. The target must be of extremely high value to the attacker.
5. The forensics that we are getting will ultimately point clearly to the attacked process -- and to the attackers. The attackers must know this. My conclusion is, they don't care. They don't fear going to jail.
6. Getting the forensics done is only a matter of time. Stuxnet is going to be the best studied piece of malware in history. We will even be able to do process forensics in the lab. Again, the attacker must know this. Therefore, the whole attack only makes sense within a very limited timeframe. After Stuxnet is analyzed, the attack won't work any more. It's a one-shot weapon. So we can conclude that the planned time of attack isn't sometime next year. I must assume that the attack did already take place. I am also assuming that it was successful. So let's check where something blew up recently.
Fascinating stuff.
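The Langner notes quoted above name three things a defender can look for in a Step7 project: blocks DB 890 and DB 8062, calls to FC 1874 from OB 35, and the DEADF007 marker value. The scanner below is an added example, not code from this thread or from Langner: it assumes the project has been exported as textual STL source (the `ORGANIZATION_BLOCK` / `FUNCTION` / `DATA_BLOCK` keyword layout of an .awl export, with `//` line comments) and reports which blocks reference or define those indicators. The sample export at the bottom is constructed for the demonstration; a hit is a lead for manual review of the PLC project, not proof of infection.

```python
import re
from typing import Dict, List

# Indicators taken from the Langner logbook quoted in the thread:
# DB 890 and DB 8062 are fingerprinted/manipulated, FC 1874 is called from the
# injected OB 35 code, and DEADF007 is the return value that decides whether
# the original OB 35 code is skipped.
SUSPECT_BLOCKS = {"DB 890", "DB 8062", "FC 1874"}
SUSPECT_CONSTANT = "DEADF007"

# Block declaration / end lines as they appear in a textual STL (.awl) export.
# Assumption: the export uses these keywords; another format needs another parser.
BLOCK_START = re.compile(
    r"^(ORGANIZATION_BLOCK|FUNCTION_BLOCK|FUNCTION|DATA_BLOCK)\s+(OB|FB|FC|DB)\s*(\d+)\b",
    re.IGNORECASE,
)
BLOCK_END = re.compile(
    r"^END_(ORGANIZATION_BLOCK|FUNCTION_BLOCK|FUNCTION|DATA_BLOCK)\b", re.IGNORECASE
)
BLOCK_REF = re.compile(r"\b(DB|FB|FC)\s*(\d+)\b", re.IGNORECASE)


def scan_stl(source: str) -> Dict[str, object]:
    """Scan STL source text for the indicators listed above.

    Returns {"declared": [suspect blocks the project itself defines],
             "references": {block name: [findings inside that block's body]}}.
    """
    declared: List[str] = []
    references: Dict[str, List[str]] = {}
    current = None  # block whose body we are inside, e.g. "OB 35"

    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.split("//", 1)[0].strip()  # drop STL line comments
        if not line:
            continue
        start = BLOCK_START.match(line)
        if start:
            current = f"{start.group(2).upper()} {start.group(3)}"
            if current in SUSPECT_BLOCKS:
                declared.append(current)
            continue
        if BLOCK_END.match(line):
            current = None
            continue
        if current is None:
            continue  # text outside any block body
        for kind, num in BLOCK_REF.findall(line):
            ref = f"{kind.upper()} {num}"
            if ref in SUSPECT_BLOCKS:
                references.setdefault(current, []).append(f"line {lineno}: references {ref}")
        if SUSPECT_CONSTANT in line.upper():
            references.setdefault(current, []).append(
                f"line {lineno}: contains constant {SUSPECT_CONSTANT}"
            )

    return {"declared": sorted(declared), "references": references}


def is_suspicious(report: Dict[str, object]) -> bool:
    """True if any indicator was found; treat a hit as a lead for manual review."""
    return bool(report["declared"]) or bool(report["references"])


# Constructed sample export: OB 1 is clean, OB 35 shows the pattern Langner
# describes, and the project also defines DB 8062 and FC 1874.
SAMPLE_STL = """\
ORGANIZATION_BLOCK OB 1
TITLE = main cycle (constructed sample)
BEGIN
NETWORK
      CALL  FC    10
      OPN   DB   100
END_ORGANIZATION_BLOCK

ORGANIZATION_BLOCK OB 35
TITLE = 100 ms cyclic interrupt (constructed sample)
BEGIN
NETWORK
      CALL  FC  1874            // call that the original project never made
      L     DW#16#DEADF007      // marker compared against the FC 1874 result
NETWORK
      CALL  FC    10            // original control code
END_ORGANIZATION_BLOCK

DATA_BLOCK DB 8062
BEGIN
END_DATA_BLOCK

FUNCTION FC 1874 : VOID
BEGIN
      OPN   DB   890
END_FUNCTION
"""

if __name__ == "__main__":
    result = scan_stl(SAMPLE_STL)
    for block, hits in result["references"].items():
        for hit in hits:
            print(f"{block}: {hit}")
    print("declared suspect blocks:", result["declared"])
    print("suspicious:", is_suspicious(result))
```

Block numbers alone are weak evidence, since a legitimate project may happen to use DB 890 or FC 1874; the combination that matters is FC 1874 being called from the 100 ms OB 35 together with the DEADF007 constant, which is why the report keeps findings grouped per block rather than as a flat count.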
petemurphy said:
Marf said:
petemurphy said:
does Iran etc use Windows - always wondered if msoft put in back doors etc for the gov
Besides, you don't need back doors to compromise a Windows system, especially when your ultimate target is an integrated control system which will not run on Windows.
Marf said:
IainT said:
More than a little guesswork and hyperbole in there.
Given this is implicated in attacking Siemens systems and they've not been involved in Iran for 30 years.
IainT said:
Marf said:
IainT said:
More than a little guesswork and hyperbole in there.
IainT said:
Given this is implicated in attacking Siemens systems and they've not been involved in Iran for 30 years.
How do you know that? It could be legacy equipment?
Marf said:
IainT said:
Marf said:
IainT said:
More than a little guesswork and hyperbole in there.
IainT said:
Given this is implicated in attacking Siemens systems and they've not been involved in Iran for 30 years.
How do you know that? It could be legacy equipment?
I have a real interest in this due to the fact I work in the power generation industry. The systems we use are specific and custom designed by the supplier. However, you could cause some real damage to an operating plant with very little effort once you are inside the control system.
Edited by bob1179 on Thursday 23 September 14:09
bob1179 said:
Marf said:
IainT said:
Marf said:
IainT said:
More than a little guesswork and hyperbole in there.
IainT said:
Given this is implicated in attacking Siemens systems and they've not been involved in Iran for 30 years.
How do you know that? It could be legacy equipment?
I have a real interest in this due to the fact I work in the power generation industry. The systems we use are specific and custom designed by the supplier. However, you could cause some real damage to an operating plant with very little effort once you are inside the control system.
Edited by bob1179 on Thursday 23 September 14:09
scary really
geeks rule
petemurphy said:
quite a cool idea really - why risk a military attack with bombs that might not work, is risky and will be a pr disaster when they can hack in and get the power plant to explode by itself ( or at least stop it working ) and then condem the country's safety record etc.
scary really
geeks rule
Exactly, as technology integrates more and more with everything, you don't need a physical presence to cause damage to your enemies. Just down their IT infrastructure and go from there.
Effectively this is not too hard to actually do.
All this bks of it targeting specific stuff is not hard core coding; it more than likely knows that the file 'masterContol.xml' exists in a dir called '/opt/siemems/51controlunit' and just looks for that file.
If the file is not there, then it does nothing.. if it is then it performs a few checks and runs the small code to reprogram the firmware or something.
It's nice and easy to get a USB to run a program when put in a machine automatically.
The actual coding could be knocked up and tested in a few hours; however, who would want to run this is a different matter, as targeting that software is quite specific.
/edit now read the above, it's slightly more complex, but not out of the realms of a novice hacker really.
clown said:
3. The attack combines an awful lot of skills -- just think about the multiple 0day vulnerabilities, the stolen certificates etc. This was assembled by a highly qualified team of experts, involving some with specific control system expertise. This is not some hacker sitting in the basement of his parents house. To me, it seems that the resources needed to stage this attack point to a nation state.
This is pure ste, hacking protection on some games now is far far far more complex than this. (Remember these programs are not really designed to stop people from hacking them, as they are controlled systems [stand alone].) And most games are hacked by bedroom coders, who use hugely complex techniques to get around various methods.
Edited by joe_90 on Monday 27th September 12:45
bob1179 said:
However, you could cause some real damage to an operating plant with very little effort once you are inside the control system.
Physical damage? Are they actually talking about trying to physically blow up a power station/facility, over a computer network? Is that likely, or even possible?
I'm no computer expert, but it's very reminiscent of 80's films where a computer can do anything, from starting a car to opening a seismic rift. Superman 3, anyone?