«

»

Jan
10

2011

What Stuxnet is all about

Once upon a time, some organization which follows the nuclear situation in Iran closely determined that international sanctions and sabotage would not be sufficient to stop the growing enrichment capability in Natanz. Iran was installing new centrifuges at a speed that would get them in reach of the bomb soon. In the search for an alternative to conventional warcraft, somebody figured out that sabotage is not limited to 20th century style messing with mechanical and electrical component characteristics. Cyber sabotage could achieve much more. If any target would justify a full-blown cyberwar strike for the first time in history, those centrifuges certainly would. It looked like it would have been stupid and irresponsible not to try.

The attackers didn’t have to start from scratch. Offensive cyber capability was already at their disposal. Detailed intelligence on the centrifuge plant was there, down to instrumentation and wiring details. An IR-1 centrifuge simulator and model plant were there. Detailed lab research results on control system vulnerabilities and exploits was available. In-depth controller product know-how was accessible. Generous funding and support from top decision makers were available. The organizational resources for planning and executing a major strike against a rogue nation state were available. The willingness to define a new standard of cyber warfare was present, along with the boldness to try it out in the open with no rehearsal and only vague (and unrealistic) theories about collateral damage.

And so, somewhere back in late 2007 or early 2008, operation Myrtus was given a go. Myrtus is a multi-year cyberwar campaign aiming to corrupt the Iranian uranium enrichment program up to the point where the cost for Tehran to pursue this program under tightening sanctions gets too high, or until some twist of fate, like a regime change, terminates the threat of a nuclear armed Iran. The technical way to achieve this is to significantly reduce the output of low enriched uranium by stealthy process manipulations, along with causing several hundred centrifuges to explode every now and then – all this under the radar of safety systems and process alarms in a manner that must have driven maintenance engineers in Natanz crazy.

A flaw in the attack concept was the idea that even after Stuxnet was discovered by antivirus companies, nobody would be able to figure out what it was all about. For some funny reason, the organizations with the known capability and the publicly assumed responsibility of analyzing the core attack routines — ICS-CERT and the vendor — either didn’t do so or did not publish their results, and it looks like the attackers had bet on that. However, even after Tehran has a clue what’s going on, they have little chance to protect themselves from follow-up attacks.

Myrtus is the Advanced Persistent Threat (APT) executed by a cyber superpower. Tehran should consider if it isn’t outright silly to attempt withstanding this threat. In the moment when they will have cleaned up all systems, a new dropper exploiting new Windows 0day vulnerabilities will likely be underway already. Maintenance in Natanz will have an even bigger problem in figuring out whether the latest rotor cracks and poor LEU outputs are due to defect components, operator inability, or Stuxnet 2.0. The cyberwar nightmare for Tehran may have only just begun.