Feb 16, 2011

The track of the centrifuges: From Germany to Pakistan to Libya to Tennessee to…

From analysis of Stuxnet’s attack code we must infer that the attackers are in possession of an IR-1 mockup that not only allowed them to design the attack but also to test-drive it. This fact alone allows us to pin down potential suspects. As has been detailed in the well-known NYT article, places where some of the few centrifuges of Libyan origin can be found include the Dimona complex in Israel and Oak Ridge, Tennessee.

Jeffrey Lewis has written an excellent blog post on the subject. If you can learn just one thing from his post, it’s what we encounter over and over again: no matter where you start digging in the Stuxnet saga, things get even more complex the deeper you dig. In an interesting and plausible twist, Jeffrey links the testing of the Libyan centrifuges to Urenco, the company where it all started. Urenco is the place where A. Q. Khan once worked and where he stole the blueprints of the G-1, the first German gas centrifuge, which he then turned into the P-1 in Pakistan.

Urenco remains an interesting target for proliferants as well. One of Tehran’s big players in nukes is Sharif technical university in Tehran. Guess what: in 2003 they established a partnership with the Jülich branch of the technical university of applied sciences of Aachen. This partnership gets them as close to uranium enrichment know-how as possible, at least in terms of geography: Jülich is a small town near the border to the Netherlands. It’s also the location of Urenco’s German headquarters. It’s like going back to the roots.

Feb 14, 2011

Stuxnet and the hacker nonsense

A hacker group claimed possession of Stuxnet source code, and certain media thought it was worth an article. Actually, it’s not. Stuxnet binaries are available on the Internet for everybody. Everybody can download a copy of Stuxnet and start reverse engineering the code. For some parts of the dropper, that’s actually quite easy, as Microsoft’s Bruce Dang recently explained in Berlin. The question is why anybody would take the effort to reverse engineer Windows exploits that have already been fixed by the vendor. With the exploits for the engineering software and SCADA application it’s different, but few people have recognized that; hackers, CERT people and journalists are not among them.

A whole different story is the controller code. Cracking the encryption and decompiling the code is comparatively easy and has been done at least by us and by Symantec, as has been proven. It can and will certainly be done by others as well. Everybody who takes the effort ends up with roughly 15,000 lines of STL code that looks to the average hacker like antiquated pre-8086 assembly language (several examples have been given in this blog).

The problem with Stuxnet’s STL code is not the exact sequence of instructions. The problem is the underlying concepts that have been used in the exploits. Hackers will have a hard time understanding these. Control system engineers won’t. So while hackers probably won’t play around with controller attacks for another several months, we cannot assume the same for some more serious potential attackers in organized crime, terrorism, and state-sponsored cyber warfare organizations.

Feb 01, 2011

The virtual Chernobyl

…is just that: virtual. Any speculation that Stuxnet could trigger a thermonuclear explosion in Bushehr is completely unfounded. First, Stuxnet does not target Bushehr. Second, even if it did, it could not mess with the systems in the primary circuit. The funny thing is, the Russians know that very well.

If there is one thing that we can learn from the situation in Bushehr, it seems to be that, contrary to Iran’s statements from last year, Stuxnet has infected more than just office systems in the nuke plant; that claim looked highly questionable months ago already. Second, it would certainly be a good idea for Iran to clean up all systems before going operational in Bushehr (and before resuming operations in Natanz), as any further attempt to remove the virus when the plant is running will be much harder or even impossible. As long as there is even a single system in the nuclear program still infected with Stuxnet, those centrifuges continue to be at risk.

Jan 31, 2011

Cracking the profiles

When you think long enough about the cascade shape and have all the numerical values available, it gets easy to determine how the attack profiles mentioned earlier are constructed. Profile one is simply the cascade shape. Profile four is the cumulative number of centrifuges from the shape. Profile two is the delta: it is computed by subtracting profile one from profile four. Profile three is profile two plus one. So after all, they’re not profiles in the sense that they would be processed sequentially stage by stage. They appear to be more like patterns that are associated with the individual enrichment stages.
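The relations above, worked through in code as an added example that is not part of the original post. The cascade shape is a constructed placeholder, not the real Natanz IR-1 shape; it was chosen only so that 15 stages sum to 164 and the two stage-to-centrifuge mappings quoted in the “Stuxnet eats LEU” post (stage 10 → 81–104, stage 15 → 161–164) hold. It goes one step beyond the post in reading profiles 3 and 4 as the first and last centrifuge number of each stage, which follows arithmetically from the relations given.

```python
# Added example (not from the Langner blog): derive the four 417 attack
# profiles from a cascade shape using the relations stated in the post.
# The stage sizes below are CONSTRUCTED for illustration; they are not the
# real Natanz IR-1 cascade shape. They sum to 164 over 15 stages and match
# the two mappings quoted in "Stuxnet eats LEU"
# (stage 10 -> centrifuges 81..104, stage 15 -> centrifuges 161..164).
from itertools import accumulate

CASCADE_SHAPE = [4, 6, 8, 10, 12, 12, 12, 10, 6, 24, 16, 16, 14, 10, 4]


def build_profiles(shape):
    """Return the four profiles as lists indexed by stage (0-based).

    profile 1 = cascade shape (centrifuges per stage)
    profile 4 = cumulative number of centrifuges up to and including the stage
    profile 2 = profile 4 - profile 1  (centrifuges in all preceding stages)
    profile 3 = profile 2 + 1          (first centrifuge number of the stage)
    """
    p1 = list(shape)
    p4 = list(accumulate(p1))
    p2 = [cum - size for cum, size in zip(p4, p1)]
    p3 = [preceding + 1 for preceding in p2]
    return p1, p2, p3, p4


def stage_range(shape, stage):
    """1-based centrifuge numbers (first, last) covered by a 1-based stage.

    Profile 3 and profile 4 together address the machines of each stage,
    which is why the post calls them stage patterns rather than profiles
    that are processed sequentially.
    """
    _, _, p3, p4 = build_profiles(shape)
    return p3[stage - 1], p4[stage - 1]


if __name__ == "__main__":
    p1, p2, p3, p4 = build_profiles(CASCADE_SHAPE)
    print("stage  p1  p2  p3  p4")
    for i in range(len(p1)):
        print(f"{i + 1:5d} {p1[i]:3d} {p2[i]:3d} {p3[i]:3d} {p4[i]:3d}")
```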

Jan 30, 2011

Applying Aqazadeh’s revelations to Stuxnet forensic analysis

A good strategy in cyber forensics is to not only look at the code, but also, and predominantly, at the data. Data structures may reveal much more about a cyber attack than code. Just remember the thing with the 6×31 drives in the 315 forensics: it was data and configuration that delivered the most striking evidence, not code. That said, let’s go back to the 417 attack.

Jan 16, 2011

Technical Stuxnet article in Control magazine

Ralph has written a short technical article on Stuxnet for control system engineers that was printed in Control magazine (January 2011 edition) and is also available online.

Jan 10, 2011

What Stuxnet is all about

Once upon a time, some organization which follows the nuclear situation in Iran closely determined that international sanctions and sabotage would not be sufficient to stop the growing enrichment capability in Natanz. Iran was installing new centrifuges at a speed that would get them in reach of the bomb soon. In the search for an alternative to conventional warfare, somebody figured out that sabotage is not limited to 20th century style messing with mechanical and electrical component characteristics. Cyber sabotage could achieve much more. If any target would justify a full-blown cyberwar strike for the first time in history, those centrifuges certainly would. It looked like it would have been stupid and irresponsible not to try.

Jan 06, 2011

Cascade cluster performance manipulation

This cascade cluster performs poorly. The black line gives an idea why. The black line corresponds to the right vertical axis, the cascade lines to the left. (Data extracted from actual 417 attack code.)

Jan 05, 2011

Stuxnet eats LEU

While we, as many others, have believed for some time that Stuxnet’s goal would be to crash IR-1 centrifuges, code analysis of the 417 attack code shows that things are not that simple. OK, this shouldn’t surprise anyone who has followed the Stuxnet saga for a while; this damn virus just keeps coming up with new surprises. Besides cracking centrifuges, another major goal of the attack seems to be the reduction of LEU output (LEU = Low Enriched Uranium).

The following diagram shows four attack profiles of the 417 code that can be thought of as performance diagrams. The vertical axis denotes the number of centrifuges in a cascade. So does the horizontal axis, only that the attackers chose to group the 164 centrifuges that make up a cascade into 15 groups for ease of operation. For example, the 15 at the right end of the horizontal axis corresponds to centrifuges 161 to 164, and the 10 corresponds to centrifuges 81 to 104. An IR-1 cascade is linear, meaning that 164 centrifuges are piped together in one line. UF6 is fed into centrifuge 1 and enriched. From there, it is passed to centrifuge 2, and so on, up to centrifuge 164, and from there to the next cascade.

Now let’s take a closer look at those attack profiles. In an ideal world, performance would probably be linear, resulting in a straight line from bottom left to top right. The next best thing to ideal seems to be profile 4 in the graph; that’s as good as it got in Natanz. Profiles 2 and 3, almost identical, leave something to be desired. But profile 1 is really shitty. Every time profile 1 is activated, somebody is missing LEU output.

Dec 31, 2010

Year-end roundup

After the significant discoveries of the last days, let’s end the year with an up-to-date bottom line.

1. It is beyond reasonable doubt that Stuxnet was developed to delay the Iranian uranium enrichment program by physically damaging centrifuges.

2. The attack was not designed for one simultaneous big bang. It was designed to proceed slowly and incrementally. We expect that right now, many more centrifuges than the 984 mentioned in the ISIS report have been damaged by Stuxnet. (The next IAEA inspection, scheduled to take place in about two months, will give clarity.)

3. A full analysis of the attack is possible without even getting near the control system cabinets in Natanz. All that is needed is a good understanding of how an IR-1 cascade is organized and operated, along with some basic information on the instrumentation.

4. The forces behind such a high-profile attack can be traced easily. Stuxnet required an extreme amount of intelligence about the Natanz plant layout, a full understanding of the IR-1 operation (presumably with a mockup test system available), and an extreme amount of insider knowledge of the Siemens products involved. This limits the search for the originators to very few organizations in the world.

5. Stuxnet’s attack code, available on the Internet, provides an excellent blueprint and jump-start for developing a new generation of cyber warfare weapons. It must be assumed that nation states with any intent to build up cyber warfare capability, such as China and Russia, are already in the process of analyzing the code down to the last bit, and are developing concepts and tools for similar attacks. The targets for these future weapons will most likely not be located in the Middle East.

Best wishes for 2011 from the Langner team
