stuxnet

[reaper]

http://www.theaustralian.com.au/news/world/computer-virus-used-to-sabotage-irans-nuclear-plans-built-by-us-and-israel/story-e6frg6so-1225989304785

now I think I hacker can spend weeks getting an exploit working for some functions in a windows service, get it to spread, and do some fun stuff when their code starts running.  maybe they come from a poor country, and want to make some money, but this is government coordinated action. 

who has access to the control programs that talk to the centrifuges, who has knowledge of non standard architectures? who plans the delivery?  my guess, inside knowledge of siemons equipment, simulation of the facility, resources given for delivery possibly by the inside to a technicians laptop.  as you sum the parts up, governments are the entities with resources who can coordinate this, anything else isn't feasible.  at any step of the way, government can turn this from the impossible to the realistic.

they made this one obvious in my opinion, but the question remains, which governemnt, US + Isreal, or just Isreal?

[VaeVictis]

hm... this story is a little old

but really really cool

specific architecture targeting viruses are genius hehe

it was most likely government imo but it could have also been private sector as it actually happened and wasnt just talked about forever :p

as far as which government, it could have been ANY government with the access to the information needed, even by means not exactly legal chances are all the architecture data and value information needed could have been stored on a high security data server and been stolen, OR a country like russia could be planting spies... who knows?

any country who fears that iran could possibly harness and advanced their hold on nuclear technology could want to take down their power plant...

far as my understanding of the story went, many of those centrifuges were totally destroyed but it didnt cut production down 100% so its a failed attempt i expect to see much more sophisticated (and this one was VERY sophisticated) viruses spawn from high dollar teams to specifically target and take down similar facilities in the near future

question i am wondering... when is the usa going to see similar attacks?

[reaper]

yeah I know it's old, but it seems like it was swept under the rug.

wikipedia:
"
Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements; "The attackers took great care to make sure that only their designated targets were hit...It was a marksman’s job."[29] While the worm is promiscuous, it makes itself inert if Siemens software is not found on infected computers, and contains safeguards to prevent each infected computer from spreading the worm to more than three others, and to erase itself on 24 June 2012.[23]
"

why go by chance that you are going to get a USB stick to a technicians laptop, or compromise a windows machine behind a firewall, when you have to get just the right one.  this was probably their fallback method.  if they can steal private keys to sign drivers from vendors, why wouldn't they plant this on the laptop or a USB key?

[QwazyWabbit]

The initial vector was a USB key, taking advantage of Windows auto-run/auto-play feature. The reason for self-propagation was for infection of neighbor centrifuges. Each host infects 3, so the infection spreads like a nuclear chain reaction. Fitting, no?

As far as the tools are concerned, anyone can buy the PLCs, motor drives, Step7 and WinCC from Siemens but knowledge of the centrifuge configuration and how to screw them up comes from specific knowledge of the process of separating Uranium isotopes. Hiding the code inside the PLC also took detailed knowledge of the PLC processors and the instruction set and detailed knowledge of Step7. Then there is the question of motive and who would have the most interest in seeing Iran fail.

[fdrjk]

I remember krenz posted a link to a video about stuxnet earlier. It was pretty cool.


http://vimeo.com/25118844

[reaper]

what is the point of 4 windows zero days to target almost a specific machine possibly behind a firewall?   that's why I belive it was a fallback method.  also I belive Isreal's simulation of the facility and resources, along with the resources requires at every step of the way, leaves no more room for questioning.  I see the limitation of a small hacking group as a windows worm targeting windows services, which is almost a stretch and why there is only a handful of large botnets.

edit: ah I see in the wiki it says initial infection by USB stick, I guess they were trying anything and everything possible to spread it on the private networks.  I still don't belive this could be a corporation or a hacking group.  even so, I think it would take inside knowledge, unless the systems in Iran weren't as advanced as some here.

[QwazyWabbit]

edit: ah I see in the wiki it says initial infection by USB stick...

Gee, where did I see that before... oh yes, there it is.

The initial vector was a USB key, taking advantage of Windows auto-run/auto-play feature. The reason for self-propagation was for infection of neighbor centrifuges. Each host infects 3, so the infection spreads like a nuclear chain reaction. Fitting, no?

The goal was to infect as many PLC's as possible. Not just the Windows boxes they are attached to. The PAYLOAD of the whole worm is the infected PLC code.

[reaper]

you don't build something like this from a simulated system then hope it gets there, when NAT would stop this from getting on the couple laptops you want.

[QwazyWabbit]

you don't build something like this from a simulated system then hope it gets there, when NAT would stop this from getting on the couple laptops you want.

WTF you talkin' 'bout Willis?

First, you don't use SOHO routers at a nuclear centrifuge site. Real routers don't use NAT for a firewall.
Second, you MUST build something like this in a simulated system and test its ability to propagate from host to host and to infect the PLCs as designed.
Third, WinCC is not on a laptop, it's on a workstation computer, a desktop or operator panel and Step7 (A Windows application) is resident on that workstation.
Fourth, I have Step7 and I work with it almost daily in my job so I know WTF it's about and how to use it.
Fifth, I know what a PLC is and what it is capable of doing.
Sixth, the PLCs in question are Siemens design and they were running a specific drive and motor combination.
Seventh, Iran was known to be using UNLICENSED and smuggled copies of WinCC and Step7.
Eighth, you don't know what the fuck you are talking about.


What part of "It was launched from a USB drive" do you not understand? Firewalls and routers are irrelevant.

[reaper]

WTF you talkin' 'bout Willis?

First, you don't use SOHO routers at a nuclear centrifuge site. Real routers don't use NAT for a firewall.
Second, you MUST build something like this in a simulated system and test its ability to propagate from host to host and to infect the PLCs as designed.
Third, WinCC is not on a laptop, it's on a workstation computer, a desktop or operator panel and Step7 (A Windows application) is resident on that workstation.
Fourth, I have Step7 and I work with it almost daily in my job so I know WTF it's about and how to use it.
Fifth, I know what a PLC is and what it is capable of doing.
Sixth, the PLCs in question are Siemens design and they were running a specific drive and motor combination.
Seventh, Iran was known to be using UNLICENSED and smuggled copies of WinCC and Step7.
Eighth, you don't know what the fuck you are talking about.


What part of "It was launched from a USB drive" do you not understand? Firewalls and routers are irrelevant.

You can see Symantec noted what countries the PCs were infected in.  That's because while it was spread with a USB stick to the target, and possibly started with an infected USB stick, it's a computer worm.  The use of NAT and firewalls have a drastic effect on computer worms.  If they weren't in place, the propagation of the worm wouldn't just be exponentially more effective, it'd take down backbones.

It's possibly you just release it, and it gets where it needs to go, whether that be from a direct TCP connection, or a technicians laptop with a compromised USB stick.  However, that's unlikely, because you go: TCP.SYN destination and you never get there, because of NAT, a firewall that opens holes by two factor authentication, whatever.  The chance of getting to the machines with software you need to infect and PLCs you need to talk to is a shot in the dark.  That's why conflicker infected USB sticks, also note they used the vulnerability conflicker used.   If it's in the unlicensed software, what's the need for the computer worm?  The worm is probably their fallback method, trying to get data on USB sticks, or maybe get lucky and inject the systems they need to start spreading on private networks.  Given the resources used, they probably just infected what they wanted to directly and have a setup where it could be something like your standard windows worm.

Take for example conflicker, it accesses a vulnerable function after negotiating an SMB session, via RPC, either directly on TCP port 445, or via the Netbios API (UDP 137,138;TCP 135,139).  The use of NAT severely limits worm propagation, you'd need your session to be part of the port translation table and communication to go back and forth to place your shellcode, in other words, you can't do it.    The same as a firewall, except it's not looking at a table with port numbers, it's tracking the session information, and denying traffic from the outside in.  Computer worms, firewalls, NAT, USB sticks is all pretty related..

[reaper]

Isreal/US: we got this plan to fuck up Iran's nuclear facility, set them back a bit.

Isreal/US: okay, how can we make it not look like a direct attack

Isreal/US:a computer worm could do it, but it's not a sure thing by any means, we'd have to get lucky and hope it gets to about 10 machines that could get it there - highly unlikely.  we'll put it on a USB stick from one of our insiders

* two Iranian nuclear scientists dead shortly after - possibly insiders

that's not a conspiracy, that's what happened, except it's unknown if the US was working with Isreal and what parties Isreal brought in.

[QwazyWabbit]

The delivery of the USB stick didn't have to be knowingly done by an insider. It is possible the stick was infected while the person who possessed it wasn't in immediate possession of it. Then he unknowingly carried it with him into the facility. Or the worm could have been targeted to his laptop and it infected the USB devices he used for transferring data at Natanz since that is one of the characteristics of Stuxnet.

You cannot say "that's what happened". You don't know what happened, you weren't there. Therefore you cannot say with any certainty what actually occurred. You need to learn the difference between knowledge and conjecture. Unless, of course, it's in the Bible, then God said it so you can be certain it's true.

It would be more worthwhile discussing this with you if you learned to spell Israel.

[reaper]

I don't care about the spelling of Israel.  As well, I already pointed out why that scenario is highly unlikely.  It's not just: it looks like a duck, it quacks like a duck, it's a duck; any other explanation is borderline impossible, and why go with the impossible when the probable is a simple logical conclusion.  As far as the direct attack on the laptop, the same applies, just to a lesser extent.  You don't build something like this with such a specific goal in mind and prey you win the lottery, you make sure it happens.

One of the many more likely scenarios: nuclear technician puts USB stick on workstation, government has perfect coverup.  Although I agree targeting the laptop indirectly is a possibility, I just don't consider it likely.  How exactly are you going to do this by the way (short of some kind of spy type espionage)?  It's not like they have a shortage of defectors either, Iran has more people that want to flee than the USSR did, and many are fond of the US.  If you have the simulated systems and resources to put this together, and you're not going for a direct attack, surely you'd attempt to cover it up, no?

 

[reaper]

More evidence could be gathered and I suspect it would agree with the common theory of what entities or what types of entities were behind this.  Considering the propogation algorithms (geolookups etc), what percentage of industrial facilities were infected?  I suspect you would not see close to 100% infection rate of systems in common configurations, and not the configuration of the actual systems deemed to be the target; the systems that determine infection rate directly from worm propogation.