Iran under cyber attack?

Marf

Original Poster:

22,907 posts

242 months

Thursday 23rd September 2010
http://www.bbc.co.uk/news/technology-11388018


"Stuxnet's complexity suggests it could only have been written by a "nation state", some researchers have claimed."


http://www.langner.com/en/



Stuxnet is a directed attack -- 'hack of the century'
Hamburg, Sep 13, 2010


German IACS security researcher Ralph Langner has successfully analyzed the Stuxnet malware that appeared to be a miracle. Stuxnet is a directed attack against a specific control system installation. Langner will disclose details, including forensic evidence, next week at Joe Weiss' conference in Rockville.


Stuxnet logbook, Sep 16 2010, 1200 hours MESZ

With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge. Here is what everybody needs to know right now.

Fact: As we have published earlier, Stuxnet is fingerprinting its target by checking data block 890. This occurs periodically every five seconds out of the WinCC environment. Based on the conditional check in code that you can see above, information in DB 890 is manipulated by Stuxnet.

Interpretation: We assume that DB 890 is part of the original attacked application. We assume that the second DWORD of 890 points to a process variable. We assume that this process variable belongs to a slow running process because it is checked by Stuxnet only every five seconds.

Fact: Another fingerprint is DB 8062. Check for the presence of DB 8062 in your project.

Fact: Stuxnet intercepts code from Simatic Manager that is loaded to the PLC. Based on a conditional check, original code for OB 35 is manipulated during the transmission. If the condition matches, Stuxnet injects Step7 code into OB 35 that is executed on the PLC every time that OB 35 is called. OB 35 is the 100 ms timer in the S7 operating environment. The Step7 code that Stuxnet injects calls FC 1874. Depending on the return code of FC 1874, original code is either called or skipped. The return code for this condition is DEADF007 (see code snippet).


Interpretation: Stuxnet manipulates a fast running process. Based on process conditions, the original code that controls this fast running process will no longer be executed. (Some people will now want to have their process engineers explain what the DEADF could mean.) After the original code is no longer executed, we can expect that something will blow up soon. Something big.



Ralph's analysis

Now that everybody is getting the picture let's try to make sense out of the findings. What do they tell us about the attack, the attackers, and the target?

1. This is sabotage. What we see is the manipulation of one specific process. The manipulations are hidden from the operators and maintenance engineers (we have the intercepts identified).

2. The attack involves heavy insider knowledge.

3. The attack combines an awful lot of skills -- just think about the multiple 0day vulnerabilities, the stolen certificates etc. This was assembled by a highly qualified team of experts, involving some with specific control system expertise. This is not some hacker sitting in the basement of his parents' house. To me, it seems that the resources needed to stage this attack point to a nation state.

4. The target must be of extremely high value to the attacker.

5. The forensics that we are getting will ultimately point clearly to the attacked process -- and to the attackers. The attackers must know this. My conclusion is, they don't care. They don't fear going to jail.

6. Getting the forensics done is only a matter of time. Stuxnet is going to be the best studied piece of malware in history. We will even be able to do process forensics in the lab. Again, the attacker must know this. Therefore, the whole attack only makes sense within a very limited timeframe. After Stuxnet is analyzed, the attack won't work any more. It's a one-shot weapon. So we can conclude that the planned time of attack isn't sometime next year. I must assume that the attack did already take place. I am also assuming that it was successful. So let's check where something blew up recently.

Fascinating stuff.
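
The logbook quoted above names two concrete things a Step7 user can look for: the fingerprint data blocks (DB 890, DB 8062) and the DEADF007 return code that the injected OB 35 prologue tests before deciding whether to run the original 100 ms logic. The script below is an added example, not code from the thread, from Langner or from Siemens: it applies those indicators to a block inventory. The inventory format (a mapping of block name to raw bytes) is a constructed stand-in for an exported project, not a real Siemens file format, and the sample byte strings are placeholders, not real MC7 code.

```python
"""
Added example: scan a Step7-style block inventory for the two Stuxnet
indicators named in Langner's Sep 2010 logbook (fingerprint data blocks
DB 890 / DB 8062 and the DEADF007 return code in the injected OB 35 code).
Not Langner's or Siemens' tooling. The inventory is a constructed stand-in
for an exported project: block name -> raw code/data bytes.
"""
import struct
from typing import Dict, List

DEADF007 = 0xDEADF007

# Indicator blocks from the logbook, each with the caveat Langner attaches to it.
FINGERPRINT_BLOCKS = {
    "DB 890": "fingerprint target present (assumed to belong to the original "
              "application, so not proof on its own)",
    "DB 8062": "fingerprint block present (logbook: check your project for it)",
}


def marker_offsets(code: bytes) -> List[int]:
    """Offsets of the DEADF007 constant in either byte order.

    S7 stores data big-endian; the little-endian form is checked as well in
    case the bytes were dumped from the Windows side of the system.
    """
    hits = set()
    for pattern in (struct.pack(">I", DEADF007), struct.pack("<I", DEADF007)):
        start = 0
        while (i := code.find(pattern, start)) != -1:
            hits.add(i)
            start = i + 1
    return sorted(hits)


def scan_project(blocks: Dict[str, bytes]) -> List[str]:
    """One finding per indicator hit; an empty list means nothing matched."""
    findings = []
    for name in sorted(FINGERPRINT_BLOCKS):
        if name in blocks:
            findings.append(f"{name}: {FINGERPRINT_BLOCKS[name]}")
    for name, code in blocks.items():
        for off in marker_offsets(code):
            findings.append(f"{name}: DEADF007 marker at offset {off}")
    return findings


# Constructed sample inventories (placeholder bytes, not real MC7 code).
CLEAN_PROJECT = {
    "OB 1": bytes.fromhex("0a0b0c0d"),
    "OB 35": bytes.fromhex("1122334455667788"),
    "DB 1": bytes(16),
}

INFECTED_PROJECT = dict(CLEAN_PROJECT)
# Model of the injected prologue: the marker sits ahead of the original OB 35 body.
INFECTED_PROJECT["OB 35"] = struct.pack(">I", DEADF007) + CLEAN_PROJECT["OB 35"]
INFECTED_PROJECT["DB 890"] = bytes(8)
INFECTED_PROJECT["DB 8062"] = bytes(8)

if __name__ == "__main__":
    for label, project in (("clean", CLEAN_PROJECT), ("infected", INFECTED_PROJECT)):
        print(f"{label}: {scan_project(project) or ['no indicators']}")
```

One caveat follows directly from Langner's point 1: the manipulations are hidden from operators and engineers by intercepts on the engineering station, so block bytes read through an infected Simatic Manager cannot be trusted. A scan like this is only meaningful against bytes obtained independently of that station (an offline copy of the project, or a read of the PLC from a clean machine).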

Marf

Thursday 23rd September 2010
petemurphy said:
does iran etc use windows - always wondered if msoft put in back doors etc for the gov

Marf

Thursday 23rd September 2010
IainT said:
More than a little guesswork and hyperbole in there.

Marf

Thursday 23rd September 2010
petemurphy said:
Marf said:
petemurphy said:
does iran etc use windows - always wondered if msoft put in back doors etc for the gov
why would that be so hard to imagine?
Nothing is hard to imagine. Being a reality is another matter entirely.

Besides, you don't need back doors to compromise a windows system, especially when your ultimate target is an integrated control system which will not run on windows.

Marf

Thursday 23rd September 2010
IainT said:
Marf said:
IainT said:
More than a little guesswork and hyperbole in there.
Seems to me that there is little evidence to support the nation state part - just speculation. Certainly good PR for the conference coming up though. Maybe a little self-promotion by the experts.
Fair point

IainT said:
Given this is implicated in attacking Siemens systems and they've not been involved in Iran for 30 years.
How do you know that? It could be legacy equipment?

Marf

Thursday 23rd September 2010
petemurphy said:
quite a cool idea really - why risk a military attack with bombs that might not work, is risky and will be a pr disaster when they can hack in and get the power plant to explode by itself ( or at least stop it working ) and then condemn the country's safety record etc.

scary really

geeks rule
Exactly, as technology integrates more and more with everything, you don't need a physical presence to cause damage to your enemies. Just down their IT infrastructure and go from there.

Marf

Monday 27th September 2010
Opulent said:
bob1179 said:
However, you could cause some real damage to an operating plant with very little effort once you are inside the control system.
Physical damage? Are they actually talking about trying to physically blow up a power station/facility, over a computer network? Is that likely, or even possible?
If the PLCs are attached to say cooling systems, or other safety critical parts of a power station then feasibly yes, physical damage could arise.

Marf

Friday 1st June 2012
http://arstechnica.com/tech-policy/2012/06/confirm...

Confirmed: US and Israel created Stuxnet, lost control of it
Stuxnet was never meant to propagate in the wild.

Marf

Friday 1st June 2012
hairykrishna said:
Marf said:
http://arstechnica.com/tech-policy/2012/06/confirm...

Confirmed: US and Israel created Stuxnet, lost control of it
Stuxnet was never meant to propagate in the wild.
For a given value of 'confirmed'. The NYT article is slightly suspect to me, there are no named sources and the journalist concerned is flogging his new book about 'secret wars'.
http://www.theregister.co.uk/2012/06/01/stuxnet_joint_us_israeli_op/

General James E Cartwright, head of a small cyberoperation inside the United States Strategic Command, developed the plan to create Stuxnet. The first stage involved planting code that extracted maps of the air-gapped computer networks that supported nuclear labs and reprocessing plants in Iran.

Marf

Friday 1st June 2012
Fair enough. wink

Marf

Monday 11th June 2012
"Flame and Stuxnet makers 'co-operated' on code"

http://www.bbc.co.uk/news/technology-18393985

Marf

Monday 11th June 2012
Jimbeaux said:
Several topics, this one included, are this week's hot news as apparently, someone at the White House has leaked classified information to the NYT in an apparent attempt to show things the Obama team is doing so as to garner favor. Washington is abuzz.
Is this leak over and above what's being discussed in the book that apparently confirms America's involvement in these viruses? There was an NYT article last week which gave a synopsis of the book.

http://www.amazon.co.uk/Confront-Conceal-Obamas-Su...