Vanity Fair reporter freak-out

Vanity Fair had an article about Stuxnet. Here’s some background information on this creative piece of embarrassment.



Security bloggers network award finalist

I almost missed it, but our blog has been nominated as a finalist for the 2011 Security Bloggers Network awards. Thanks to the jury (Bill Brenner of CSOOnline, Ellen Messmer of Network World, Kelly Jackson-Higgins of Dark Reading and Larry Walsh of Channelnomics) for recognizing our work.

Ralph Langner



See Ralph at TED

Ralph is going to speak next week at the TED conference. The challenging task: explain Stuxnet in ten minutes or less.



Intercept, infect, infiltrate

Several journalists have asked whether the attackers could have intercepted some of the control system shipments to Iran, installed Stuxnet on the controllers, and let them loose again on their way to Natanz. After all, it is known that this has been done before as a kind of best practice for sabotage.

While that is possible, it doesn’t make much sense, since new controllers are fully configured by local engineers during commissioning. However, that doesn’t invalidate the intercept scenario as such. For years, Siemens has used USB sticks to deliver license keys. So when you purchase a license for the Simatic Manager engineering software, you get a license key on a USB stick along with the distribution medium (CD). You definitely have to plug that USB stick into the engineering station in order to install the software. Infecting the license keys from an intercepted shipment would guarantee that the virus ends up on good targets, from which it can spread further. We don’t say that this is the way it happened; we just say this is a valid scenario.

Note: Eric Byres, Andrew Ginter and Joel Langill have just released a very good joint white paper on infection paths.



Matching Langner’s Stuxnet analysis and Symantec’s dossier update

Symantec recently issued an update on their Stuxnet dossier, and many people wonder how their updated information might fit together with ours, so let’s take a look.



The cyber arms race and what we can do about it

Back in November 2010, Andrew Ginter wrote a blog post in which he put Symantec’s Stuxnet dossier in the context of irresponsible disclosure. In a nutshell, Andrew argued that publishing technical analysis of cyberwar weapons in the midst of an ongoing cyber battle may enable the victim to better defend against the attack. In other words, the good guys would publicly deliver cyber reconnaissance for free, and that could become a problem if the attacked party are the bad guys.



RSA conference and DoD’s take on cyber terrorism

I was planning to attend the RSA conference, but unfortunately it didn’t work out. In the end it boiled down mostly to a monetary issue. In a blunt attempt to save the $2000+ attendance fee, I offered to do a presentation, but RSA said the agenda had already been closed. So I couldn’t take the opportunity to meet several friends (I do have friends), several other people who may view me as an enemy, and a whole bunch of interesting people as well. If I had gone to the Moscone Center, one of the sessions I would have attended was Tuesday’s presentation by William Lynn on DoD’s cyber strategy.



From Russia with love

Lately the issue of Stuxnet’s spreading pattern has been widely discussed. One issue that still awaits explanation is the high number of infections in India and Indonesia, which we had earlier attributed to Russian contractors. So we did some background research on the Russian-Iranian connection.

What you can read in the references given below does not directly relate to Stuxnet, but it might be more thrilling than your average evening TV programme. For example, in the nineties Russia proposed building a uranium enrichment plant in Iran. The project didn’t materialize, allegedly because of strong US opposition. The bidder was Minatom, the predecessor of Rosatom, which later entered a strategic partnership with Siemens. Could Russian engineers, with their proven excellent Siemens product know-how and deep subject matter expertise in centrifuge cascades, have helped Iran with the complex I&C in Natanz? We don’t know, but we’ll find out.


Bukharin, O.: Understanding Russia’s uranium enrichment complex. In: Science and Global Security, 2004

Bukharin, O.: Russia’s gaseous centrifuge technology and uranium enrichment complex. January 2004

Freedman, R.O.: Russia, Iran and the nuclear question: The Putin record.

Islam, T.: Iran’s nuclear policy: Russia’s perspective.

Mizin, V.: The Russian-Iran nuclear connection and US policy options. In: Middle East Review of International Affairs, March 2004

Peterson, S.: Russian nuclear know-how pours into Iran. In: The Christian Science Monitor, June 21, 2002

Tachovsky, E.: Modern Russian-Iranian relations.

Wehling, F.: Russian nuclear and missile exports to Iran. In: The Nonproliferation Review, Winter 1999



The track of the centrifuges: From Germany to Pakistan to Libya to Tennessee to…

From analysis of Stuxnet’s attack code we must infer that the attackers are in possession of an IR-1 mockup that not only allowed them to design the attack but also to test-drive it. This fact alone allows us to narrow down potential suspects. As detailed in the well-known NYT article, places where some of the few centrifuges of Libyan origin can be found include the Dimona complex in Israel and Oak Ridge, Tennessee.

Jeffrey Lewis has written an excellent blog post on the subject. If you can learn just one thing from his post, it’s what we encounter over and over again: no matter where you start digging in the Stuxnet saga, things get even more complex the deeper you dig. In an interesting and plausible twist, Jeffrey links the testing of the Libyan centrifuges to Urenco, the company where it all started. Urenco is the place where A. Q. Khan once worked and where he stole the blueprints of the G-1, the first German gas centrifuge, which he then turned into the P-1 in Pakistan.

Urenco remains an interesting target for proliferators as well. One of Tehran’s big players in nukes is Sharif technical university in Tehran. Guess what: in 2003 they established a partnership with the Jülich branch of the technical university of applied sciences of Aachen. This partnership gets them as close to uranium enrichment know-how as possible, at least geographically: Jülich is a small town near the border to the Netherlands. It’s also the location of Urenco’s German headquarters. It’s like going back to the roots.



Stuxnet and the hacker nonsense

A hacker group claimed possession of Stuxnet source code, and certain media thought it was worth an article. Actually, it’s not. Stuxnet binaries are available on the Internet for everybody. Everybody can download a copy of Stuxnet and start reverse engineering the code. For some parts of the dropper, that’s actually quite easy, as Microsoft’s Bruce Dang recently explained in Berlin. The question is why anybody would take the effort to reverse engineer Windows exploits that have already been fixed by the vendor. With the exploits for the engineering software and the SCADA application, that’s different, but few people have recognized this; hackers, CERT people and journalists are not among them.

A whole different story is the controller code. Cracking the encryption and decompiling the code is comparatively easy and has been done at least by us and by Symantec, as has been proven. It can and certainly will be done by others as well. Everybody who takes the effort ends up with roughly 15,000 lines of STL code that looks to the average hacker like antiquated pre-8086 assembly language (several examples have been given in this blog).

The problem with Stuxnet’s STL code is not the exact sequence of instructions. The problem is the underlying concepts that have been used in the exploits. Hackers will have a hard time understanding these. Control system engineers won’t. So while hackers probably won’t play around with controller attacks for another several months, we cannot assume the same for more serious potential attackers in organized crime, terrorism, and state-sponsored cyber warfare organizations.
