Back in November 2010, Andrew Ginter wrote a blog post in which he put Symantec’s Stuxnet dossier in the context of irresponsible disclosure. In a nutshell, Andrew argued that publishing technical analysis of cyberwar weapons in the midst of an ongoing cyber battle may enable the victim to better defend against the attack. In other words, the good guys would publicly deliver cyber reconnaissance for free, and that could become a problem if the attacked are bad guys.
I was planning to attend RSA conference, but unfortunately it didn’t work out. In the end it boiled down mostly to a monetary issue. In a blunt attempt to save the $2000+ attendance fee, I offered to do a presentation, but RSA said the agenda had already been closed. So I couldn’t take the opportunity to meet several friends (I do have friends), several other people who may view me as an enemy, and a whole bunch of interesting people as well. If I had gone to the Moscone Center, one of the sessions that I would have attended was Tuesday’s presentation by William Lynn on DoD’s cyber strategy.
Lately the issue of Stuxnet’s spreading pattern was widely discussed. One issue that still waits for explanation is the high number of infections in India and Indonesia, which we had attributed earlier to Russian contractors. So we did some background research on the Russian-Iranian connection.
What you can read in the references given below does not directly relate to Stuxnet, but it might be more thrilling than your average TV evening programme. For example, in the nineties, Russia proposed building a uranium enrichment plant in Iran. The project didn’t materialize, allegedly because of strong US opposition. The bidder was Minatom, the predecessor of Rosatom, which later entered a strategic partnership with Siemens. Could Russian engineers with their proven excellent Siemens product know-how and deep subject matter expertise in centrifuge cascades have helped Iran with the complex I&C in Natanz? We don’t know, but we’ll find out.
Bukharin, O.: Understanding Russia’s uranium enrichment complex. In: Science and global security, 2004
Bukharin, O.: Russia’s gaseous centrifuge technology and uranium enrichment complex. January 2004
Freedman, R.O.: Russia, Iran and the nuclear question: The Putin record.
Islam, T.: Iran’s nuclear policy: Russia’s perspective.
Mizin, V.: The Russian-Iran nuclear connection and US policy options. In: Middle East review of international affairs, March 2004
Peterson, S.: Russian nuclear know-how pours into Iran. In: The Christian Science Monitor, June 21, 2002
Tachovsky, E.: Modern Russian-Iranian relations.
Wehling, F.: Russian nuclear and missile exports to Iran. In: The nonproliferation review, Winter 1999
From analysis of Stuxnet’s attack code we must infer that the attackers are in possession of an IR-1 mockup that not only allowed them to design the attack but also to test-drive it. This fact alone allows us to pin down potential suspects. As has been detailed in the well-known NYT article, places where some of the few centrifuges from Libyan origin can be found include the Dimona complex in Israel, and Oak Ridge, Tennessee.
Jeffrey Lewis has written an excellent blog post on the subject. If you can learn just one thing from his post, it’s what we encounter over and over again: No matter where you start digging in the Stuxnet saga, things get even more complex the deeper you dig. In an interesting and plausible twist, Jeffrey links the testing of the Libyan centrifuges to Urenco, the company where it all started. Urenco is the place where A. Q. Khan once worked and where he stole the blueprints of the G-1, the first German gas centrifuge, which he then turned into the P-1 in Pakistan.
Urenco remains an interesting target for proliferants as well. One of Tehran’s big players in nukes is Sharif technical university in Tehran. Guess what, in 2003 they established a partnership with the Jülich branch of the technical university of applied sciences of Aachen. This partnership gets them as close to uranium enrichment know-how as possible, at least geographically: Jülich is a small town near the border to the Netherlands. It’s also the location of Urenco’s German headquarters. It’s like going back to the roots.
A hacker group claimed possession of Stuxnet source code, and certain media thought it was worth an article. Actually, it’s not. Stuxnet binaries are available on the Internet for everybody. Everybody can download a copy of Stuxnet and start reverse engineering the code. For some parts of the dropper, that’s actually quite easy, as Microsoft’s Bruce Dang recently explained in Berlin. The question is why anybody would take the effort to reverse engineer Windows exploits that have already been fixed by the vendor. With the exploits for the engineering software and the SCADA application it’s different, but few people have recognized that; hackers, CERT people and journalists are not among them.
A whole different story is the controller code. Cracking the encryption and decompiling the code is comparatively easy and has been done at least by us and by Symantec, as has been proven. It can and will certainly be done by others as well. Everybody who takes the effort ends up with roughly 15,000 lines of STL code that looks to the average hacker as antiquated pre-8086 assembly language (several examples have been given in this blog).
The problem with Stuxnet’s STL code is not the exact sequence of instructions. The problem is the underlying concepts that have been used in the exploits. Hackers will have a hard time understanding these. Control system engineers won’t. So while hackers probably won’t play around with controller attacks for another several months, we cannot assume the same for some more serious potential attackers in organized crime, terrorism, and state-sponsored cyber warfare organizations.
…is just that: virtual. Any speculation that Stuxnet could trigger a thermonuclear explosion in Bushehr is completely unfounded. First, Stuxnet does not target Bushehr. Second, even if it did, it could not mess with the systems in the primary circuit. The funny thing is, the Russians know that very well.
If there is one thing that we can learn from the situation in Bushehr, it seems to be that, contrary to Iran’s statements from last year, Stuxnet infected more than just office systems in the nuke plant; that claim already seemed highly questionable months ago. Second, it would certainly be a good idea for Iran to clean up all systems before going operational in Bushehr (and before resuming operations in Natanz), as any further attempt to remove the virus while the plant is running will be much harder or even impossible. As long as there is even a single system in the nuclear program still infected with Stuxnet, those centrifuges continue to be at risk.
When you think long enough about the cascade shape and have all the numerical values available, it gets easy to determine how the attack profiles mentioned earlier are constructed. Profile one is simply the cascade shape. Profile four is the cumulative number of centrifuges from the shape. Profile two is the delta; it is computed by subtracting profile one from profile four. Profile three is profile two plus one. So after all, they’re not profiles in the sense that they would be processed sequentially stage by stage. They appear to be more like patterns that are associated with the individual enrichment stages.
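The arithmetic above, carried through on a small cascade, as an added example that is not part of the original post. The cascade shape used is constructed for illustration and is not the real IR-1 layout from the analysis; the function and variable names are the example’s own. It goes one step beyond the text by also inverting the relationship (recovering the shape from profiles two and four) and by checking four recovered tables for consistency, which is the kind of data-driven sanity check a forensic analyst would run before trusting an interpretation. The reading of profile three and profile four as the first and last 1-based centrifuge number of each stage is an assumption drawn from the arithmetic, not a statement from the post.

```python
"""Added example (not from the original blog post): derive the four "attack
profiles" from a cascade shape, invert the derivation, and check recovered
profile tables for consistency. The shape is CONSTRUCTED for illustration and
is not the real IR-1 cascade layout."""

# Constructed: number of centrifuges in each enrichment stage, in stage order.
CONSTRUCTED_SHAPE = [2, 4, 6, 8, 6, 4, 2]


def profiles_from_shape(shape):
    """Build the four profiles exactly as the post describes them.

    profile 1 = the cascade shape (centrifuges per stage)
    profile 4 = cumulative number of centrifuges up to and including the stage
    profile 2 = profile 4 minus profile 1 (centrifuges in the stages before)
    profile 3 = profile 2 plus one
    """
    p1 = list(shape)
    p4, running = [], 0
    for count in p1:
        running += count
        p4.append(running)
    p2 = [cum - count for cum, count in zip(p4, p1)]
    p3 = [before + 1 for before in p2]
    return p1, p2, p3, p4


def shape_from_profiles(p2, p4):
    """Invert the arithmetic: given only the two cumulative tables recovered
    from data, get the per-stage shape back (stage n = p4[n] - p2[n])."""
    return [cum - before for before, cum in zip(p2, p4)]


def profiles_consistent(p1, p2, p3, p4):
    """Checks that must hold if four recovered tables really derive from one
    cascade shape:
      - p4 is the running total of p1,
      - p2 lags p4 by one stage (p2[0] == 0, p2[n] == p4[n-1]),
      - p3 == p2 + 1.
    Under these checks (p3[n], p4[n]) brackets a contiguous block of 1-based
    centrifuge numbers and the blocks tile the cascade without gaps; that
    per-stage interpretation is this example's assumption, not the post's."""
    if not (len(p1) == len(p2) == len(p3) == len(p4)):
        return False
    running = 0
    for n, count in enumerate(p1):
        if p2[n] != running:
            return False
        running += count
        if p4[n] != running or p3[n] != p2[n] + 1:
            return False
    return True


if __name__ == "__main__":
    p1, p2, p3, p4 = profiles_from_shape(CONSTRUCTED_SHAPE)
    for name, table in (("p1", p1), ("p2", p2), ("p3", p3), ("p4", p4)):
        print(name, table)
    print("shape recovered:", shape_from_profiles(p2, p4) == CONSTRUCTED_SHAPE)
    print("consistent:", profiles_consistent(p1, p2, p3, p4))
```

Run stand-alone, the script prints the four tables for the constructed shape and confirms that the shape round-trips through profiles two and four. Feeding it tables that were not produced from a single shape (for instance a profile four that is not a running total) makes `profiles_consistent` return `False`, which is the signal that the data is not what the profile hypothesis says it is.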
A good strategy in cyber forensics is to not only look at the code, but also, and predominantly, at the data. Data structures may reveal much more about a cyber attack than code. Just remember the thing with the 6×31 drives in the 315 forensics: It was data and configuration that delivered the most striking evidence, not code. That said, let’s go back to the 417 attack.