Feb 17, 2011

From Russia with love

Lately the issue of Stuxnet’s spreading pattern was widely discussed. One issue that still waits for explanation is the high number of infections in India and Indonesia, which we had attributed earlier to Russian contractors. So we did some background research on the Russian-Iranian connection.

What you can read in the references given below does not directly relate to Stuxnet, but it might be more thrilling than your average TV evening programme. For example, in the nineties, Russia proposed building a uranium enrichment plant in Iran. The project didn’t materialize, allegedly because of strong US opposition. The bidder was Minatom, the predecessor of Rosatom, which later entered a strategic partnership with Siemens. Could Russian engineers with their proven excellent Siemens product know-how and deep subject matter expertise in centrifuge cascades have helped Iran with the complex I&C in Natanz? We don’t know, but we’ll find out.

References

Bukharin, O.: Understanding Russia’s uranium enrichment complex. In: Science and global security, 2004

Bukharin, O.: Russia’s gaseous centrifuge technology and uranium enrichment complex. January 2004

Freedman, R.O.: Russia, Iran and the nuclear question: The Putin record.

Islam, T.: Iran’s nuclear policy: Russia’s perspective.

Mizin, V.: The Russian-Iran nuclear connection and US policy options. In: Middle East review of international affairs, March 2004

Peterson, S.: Russian nuclear know-how pours into Iran. In: The Christian Science Monitor, June 21, 2002

Tachovsky, E.: Modern Russian-Iranian relations.

Wehling, F.: Russian nuclear and missile exports to Iran. In: The nonproliferation review, Winter 1999

Feb 16, 2011

The track of the centrifuges: From Germany to Pakistan to Libya to Tennessee to…

From analysis of Stuxnet’s attack code we must infer that the attackers are in possession of an IR-1 mockup that not only allowed them to design the attack but also to test-drive it. This fact alone allows us to pin down potential suspects. As has been detailed in the well-known NYT article, places where some of the few centrifuges from Libyan origin can be found include the Dimona complex in Israel, and Oak Ridge, Tennessee.

Jeffrey Lewis has written an excellent blog post on the subject. If you can learn just one thing from his post, it’s what we encounter over and over again: No matter where you start digging in the Stuxnet saga, things get even more complex the deeper you dig. In an interesting and plausible twist, Jeffrey links the testing of the Libyan centrifuges to Urenco, the company where it all started. Urenco is the place where A. Q. Khan once worked and where he stole the blueprints of the G-1, the first German gas centrifuge, which he then turned into the P-1 in Pakistan.

Urenco remains an interesting target for proliferants as well. One of Tehran’s big players in nukes is Sharif technical university in Tehran. Guess what, in 2003 they established a partnership with the Jülich branch of the technical university of applied sciences of Aachen. This partnership gets them as close to uranium enrichment know-how as possible, at least in terms of geography: Jülich is a small town near the border to the Netherlands. It’s also the location of Urenco’s German headquarters. It’s like going back to the roots.

Feb 14, 2011

Stuxnet and the hacker nonsense

A hacker group claimed possession of Stuxnet source code, and certain media thought it was worth an article. Actually, it’s not. Stuxnet binaries are available on the Internet for everybody. Everybody can download a copy of Stuxnet and start reverse engineering the code. For some parts of the dropper, that’s actually quite easy, as Microsoft’s Bruce Dang recently explained in Berlin. The question is why anybody would take the effort to reverse engineer Windows exploits that have already been fixed by the vendor. With the exploits for the engineering software and SCADA application it’s different, but few people have recognized this; hackers, CERT people and journalists are not among them.

A whole different story is the controller code. Cracking the encryption and decompiling the code is comparatively easy and has been done at least by us and by Symantec, as has been proven. It can and will certainly be done by others as well. Everybody who takes the effort ends up with roughly 15,000 lines of STL code that looks to the average hacker like antiquated pre-8086 assembly language (several examples have been given in this blog).

The problem with Stuxnet’s STL code is not the exact sequence of instructions. The problem is the underlying concepts that have been used in the exploits. Hackers will have a hard time understanding these. Control system engineers won’t. So while hackers probably won’t play around with controller attacks for another several months, we cannot assume the same for some more serious potential attackers in organized crime, terrorism, and state-sponsored cyber warfare organizations.

Feb 01, 2011

The virtual Chernobyl

…is just that: virtual. Any speculation that Stuxnet could trigger a thermonuclear explosion in Bushehr is completely unfounded. First, Stuxnet does not target Bushehr. Second, even if it did, it could not mess with the systems in the primary circuit. The funny thing is, the Russians know that very well.

If there is one thing that we can learn from the situation in Bushehr, it is that, contrary to Iran’s statements from last year, Stuxnet seems to have infected more than just office systems in the nuke plant, which seemed highly questionable already months ago. Second, it would certainly be a good idea for Iran to clean up all systems before going operational in Bushehr (and before resuming operations in Natanz), as any further attempts to remove the virus while the plant is running will be much harder or even impossible. As long as there is even a single system in the nuclear program still infected with Stuxnet, those centrifuges continue to be at risk.

Jan 31, 2011

Cracking the profiles

When you think long enough about the cascade shape and have all the numerical values available, it gets easy to determine how the attack profiles mentioned earlier are constructed. Profile one is simply the cascade shape. Profile four is the cumulative number of centrifuges from the shape. Profile two is the delta; it is computed by subtracting profile one from profile four. Profile three is profile two plus one. So after all, they’re not profiles in the sense that they would be processed sequentially stage by stage. They appear to be more like patterns that are associated with the individual enrichment stages.

Jan 30, 2011

Applying Aqazadeh’s revelations to Stuxnet forensic analysis

A good strategy in cyber forensics is to not only look at the code, but also, and predominantly, at the data. Data structures may reveal much more about a cyber attack than code. Just remember the thing with the 6×31 drives in the 315 forensics: It was data and configuration that delivered the most striking evidence, not code. That said, let’s go back to the 417 attack.

Jan 16, 2011

Technical Stuxnet article in Control magazine

Ralph has written a short technical article on Stuxnet for control system engineers that was printed in Control magazine (January 2011 edition) and is also available online.

Jan 10, 2011

What Stuxnet is all about

Once upon a time, some organization which follows the nuclear situation in Iran closely determined that international sanctions and sabotage would not be sufficient to stop the growing enrichment capability in Natanz. Iran was installing new centrifuges at a speed that would get them in reach of the bomb soon. In the search for an alternative to conventional warcraft, somebody figured out that sabotage is not limited to 20th century style messing with mechanical and electrical component characteristics. Cyber sabotage could achieve much more. If any target would justify a full-blown cyberwar strike for the first time in history, those centrifuges certainly would. It looked like it would have been stupid and irresponsible not to try.

Jan 06, 2011

Cascade cluster performance manipulation

This cascade cluster performs poorly. The black line gives an idea why. The black line corresponds to the right vertical axis, the cascade lines to the left. (Data extracted from actual 417 attack code.)

Jan 05, 2011

Stuxnet eats LEU

While we, as many others, have believed for some time that Stuxnet’s goal would be to crash IR-1 centrifuges, code analysis of the 417 attack code shows that things are not that simple. Ok, this shouldn’t surprise anyone who followed the Stuxnet saga for a while; this damn virus just keeps coming up with new surprises. Besides cracking centrifuges, another major goal of the attack seems to be the reduction of LEU output (LEU = Low Enriched Uranium).

The following diagram shows four attack profiles of the 417 code that can be thought of as performance diagrams. The vertical axis denotes the number of centrifuges in a cascade. So does the horizontal axis, except that the attackers chose to group the 164 centrifuges that make up a cascade into 15 groups for ease of operation. For example, the 15 at the right end of the horizontal axis corresponds to centrifuges 161 to 164, and the 10 corresponds to centrifuges 81 to 104. An IR-1 cascade is linear, meaning that 164 centrifuges are piped together in one line. UF6 is fed into centrifuge 1 and enriched. From there, it is passed to centrifuge 2, and so on, up to centrifuge 164, and from there to the next cascade.

Now let’s take a closer look at those attack profiles. In an ideal world, performance would probably be linear, resulting in a straight line from down left to up right. The next best thing to ideal seems to be profile 4 in the graph; that’s as good as it got in Natanz. Profile 2 and 3, almost identical, leave something to be desired. But profile 1 is really shitty. Every time profile 1 is activated, somebody is missing LEU output.
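The profile relationships from "Cracking the profiles" and the stage-to-centrifuge mapping above, worked through as an added Python example that is not the blog's own code. The stage sizes are constructed sample values, not the ones extracted from the attack code; they are only chosen to total 164 and to reproduce the two index ranges the post mentions (stage 10 covering centrifuges 81 to 104, stage 15 covering 161 to 164).

```python
# Added example: rebuild the four 417 attack profiles from a cascade shape
# using the relations the post describes, then recover which centrifuges
# each of the 15 stage groups covers.
from itertools import accumulate

# CONSTRUCTED sample shape (centrifuges per stage), NOT the real extracted data.
SAMPLE_SHAPE = [2, 4, 6, 8, 10, 12, 12, 12, 14, 24, 20, 16, 12, 8, 4]

def build_profiles(shape):
    """Return {1: p1, 2: p2, 3: p3, 4: p4} derived from the stage shape."""
    if len(shape) != 15 or sum(shape) != 164:
        raise ValueError("IR-1 cascade expects 15 stages and 164 centrifuges")
    p1 = list(shape)                      # profile 1: the cascade shape itself
    p4 = list(accumulate(shape))          # profile 4: cumulative centrifuge count
    p2 = [c - s for c, s in zip(p4, p1)]  # profile 2: delta = profile 4 - profile 1
    p3 = [d + 1 for d in p2]              # profile 3: profile 2 + 1
    return {1: p1, 2: p2, 3: p3, 4: p4}

def stage_range(profiles, stage):
    """1-based inclusive centrifuge index range covered by a stage group.

    Because p2 is the count of centrifuges before the stage, p3 is the first
    centrifuge index of the stage and p4 the last: the "profiles" are really
    per-stage index patterns, which is the post's conclusion.
    """
    return profiles[3][stage - 1], profiles[4][stage - 1]

def check_relations(profiles):
    """Verify the stated relations hold across all 15 stages."""
    p1, p2, p3, p4 = (profiles[k] for k in (1, 2, 3, 4))
    return all(b - a == s for a, b, s in zip(p3, p4, [x - 1 for x in p1])) \
        and all(d == c - s for d, c, s in zip(p2, p4, p1)) \
        and all(t == d + 1 for t, d in zip(p3, p2))

if __name__ == "__main__":
    prof = build_profiles(SAMPLE_SHAPE)
    for k in (10, 15):
        print("stage %2d -> centrifuges %d..%d" % ((k,) + stage_range(prof, k)))
```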
