Breaking news: 417 = centrifuge safety system

On Nov 13, we published that there are two potential targets for the 417 attack: a high-level controller for the uranium enrichment centrifuges, or the steam turbine controller for Bushehr.

When I was reading through ISIS' report on the centrifuges for the third or fourth time, suddenly a coin dropped inside my head. It made a loud noise.

An IR-1 centrifuge cascade consists of 164 centrifuges. Haven’t we seen the number 164 before? Yes, we have. The 417 attack code operates on an array of 164 x 6 inputs. So if the 417 takes care of dumping the uranium hexafluoride in the event of rotor imbalance, and that is disabled by the attack code, the gas helps the rotor crack, and, worst coming to worst, all that precious gas spills when the centrifuge breaks.

So after all here’s some good news before the year ends: The whole idea and procedure of the attack will be fully understood soon. Stay tuned for details.

Ralph Langner



The short path from cyber missiles to dirty digital bombs

More and more details of the Stuxnet malware and its purpose become clear. Stuxnet appears to be the first real cyber warfare attack in history, with “real” meaning that the virus caused physical destruction of heavily fortified military targets, some of them buried 75 feet underground. Plans had been made to destroy these targets by air strikes when it became clear that sanctions alone would not stop Tehran on its way to nuclear weapon capability. Both Israel and the United States had not only planned for military action but, in the case of Israel, even rehearsed it.

Iran’s president Ahmadinejad himself confirmed on November 29, 2010 that uranium enrichment centrifuges had been damaged by Stuxnet. The Bushehr nuclear power plant that was scheduled to go operational on August 21, 2010, did not – because of “technical problems”. Since the official explanations of what these problems are (first it was “severe hot weather”, thereafter “a leak”) seem to be blunt attempts to fool the public, it can be suspected that Stuxnet is also responsible for Bushehr’s delay. Iran confirmed on September 25, 2010 that computer systems in the Bushehr nuclear power plant were infected by Stuxnet.

If we assume that Stuxnet managed to severely damage the steam turbine in the Bushehr nuclear power plant, repairing or replacing that turbine may cost a significant amount of money (up to several million dollars). The material damage on the centrifuges depends on how many centrifuges have been destroyed. Presently it looks like more than 1,000 centrifuges have been damaged in the Natanz facility alone, with unknown damage in Fordow and, certainly, in any unknown centrifuge plants. All this translates to another multi-million-dollar loss. And replacing the damaged parts takes time. Parts for gas centrifuges and power plant turbines cannot be ordered on eBay. They won’t be delivered by UPS overnight, but in some cases through complex smuggling networks. Getting new parts on site may take many months; in the case of the steam turbine probably over a year. During this timeframe, the Iranian nuclear program is severely crippled.



Cascade crippling

To get another idea of how cyber forensics work, check out this preliminary report from ISIS on Stuxnet’s potential impact on the centrifuge cascades in Natanz. David Albright and his team did a great job here. Even if you’re in a hurry, do not miss reading at least the last section, titled “A Final Concern”.



Stuxnet hall of fame

Before this remarkable year finishes, I would like to point out some remarkable people. Certainly they are all related to Stuxnet in one way or the other.

1. Gabriel (technical mastermind behind the attacks)

As is known from the feature films on the subject (“Live Free or Die Hard”, “Password: Swordfish”), evil hackers are called Gabriel. So let’s continue the tradition. Because of Gabriel’s work, critical parts of ISA-99, NERC CIP, and NIST need to be rewritten. Stuxnet even calls for a new product generation of controllers with digitally signed code. Gabriel’s masterpiece is a man-in-the-middle attack on controllers, providing the legitimate controller code with pre-recorded input signals. Quite an achievement in history; such an attack had never even been discussed before. Unfortunately, only a handful of people recognize the achievement, which goes far beyond the Windows 0days. However, I am confident that Gabriel is happy with me recognizing the magnitude of his skills. Since the attackers used to leave messages in Stuxnet, here’s a message for Gabriel: 240107. Don’t bother to google.
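The man-in-the-middle described above feeds the legitimate controller program pre-recorded input signals instead of live ones. One check a defender can run on the raw input stream, independent of the controller code, is to look for signals that repeat verbatim or stop changing, since real process measurements carry noise and never repeat exactly. The following Python is an added example, not code from this post or from Langner's tools; the sample readings are constructed, and the window size of 8 samples is an assumed threshold rather than a value the post gives.

```python
"""Replay and frozen-input detection on a controller's raw sensor stream.

Added example (not code from the original post or from Langner's tools).
Assumes a scalar input sampled at a fixed rate; sample data is constructed.
"""
import hashlib
import random

WINDOW = 8  # assumed: consecutive samples that must match to count as a repeat


def window_fingerprint(window):
    """Hash one window of readings so windows can be compared by key."""
    data = ",".join(f"{v:.4f}" for v in window).encode()
    return hashlib.sha256(data).hexdigest()


def find_replays(readings, window=WINDOW):
    """Return (first_seen, repeated_at) pairs for every window of readings that
    recurs verbatim later in the stream. Real measurements carry noise, so an
    exact repeat of several consecutive samples points to recorded input."""
    seen = {}
    hits = []
    for i in range(len(readings) - window + 1):
        fp = window_fingerprint(readings[i:i + window])
        first = seen.get(fp)
        if first is None:
            seen[fp] = i
        elif i >= first + window:          # ignore overlapping self-matches
            hits.append((first, i))
    return hits


def frozen_runs(readings, min_len=WINDOW):
    """Return (start, end) of every run of at least min_len identical samples;
    a signal that stops changing is the other face of a faked input."""
    runs = []
    start = 0
    for i in range(1, len(readings) + 1):
        if i == len(readings) or readings[i] != readings[start]:
            if i - start >= min_len:
                runs.append((start, i))
            start = i
    return runs


def constructed_streams():
    """Constructed sample data: a noisy live signal, a copy with a replayed
    segment spliced in, and a copy with a frozen stretch."""
    rng = random.Random(7)
    live = [1000.0 + rng.gauss(0, 2.0) for _ in range(60)]
    replayed = live[:40] + live[10:30] + live[40:]    # samples 10..29 fed again
    frozen = live[:20] + [live[19]] * 15 + live[20:]  # value held for 15 samples
    return live, replayed, frozen


if __name__ == "__main__":
    live, replayed, frozen = constructed_streams()
    print("live:     replays", find_replays(live), "frozen", frozen_runs(live))
    print("replayed: first repeat at", find_replays(replayed)[0])
    print("frozen:   runs", frozen_runs(frozen))
```

On real plant data the exact-match test should be applied per input channel and at the sampling rate of the controller; a signal that is legitimately constant (a setpoint, a closed valve) has to be whitelisted, which is why the check reports where the anomaly starts rather than raising an alarm on its own.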

2. Ralf Rosen (Langner Communications)

Ralf contributed an awful lot to our Stuxnet analysis. When we were sitting together on Sep 17 to discuss topics for my WeissCon presentation, Ralf was the one who realized: “Shit. Stuxnet’s attack technology can be copied easily. That’s what we need to focus on.” Which led immediately to our security advisory, and to a detailed list of recommendations for asset owners, vendors, and security companies eight hours later the same day. (The presentation then had to be done on the flight to Dulles, and I’m happy nobody seemed to notice…) However, after thirteen years with the company, Ralf decided to leave us by the end of this year for a much more tranquil job. I can’t blame him after all the stress with Stuxnet, working 24-hour shifts, including weekends, with the icing on the cake being to learn that Stuxnet experts live dangerously. Some other old-timers in the company say Ralf may come back soon. Anyway, in the meantime we have an open job position and will be seriously looking at resumes from hotshots with a good background in controllers and security.

3. M (a reporter)

I had never thought this could happen: The only person I have met outside of our team who appeared to be really determined about finding out what Stuxnet is all about is a reporter who came a long way and spent a long time interviewing me. Not a vendor representative, CERT guy, politician, crime fighter, technical expert, analyst – a reporter. It changed my view about the media very much to the better. Chances are you’ll read M’s story soon. I don’t know what exactly he is going to tell, but I trust it’ll be terrific.

4. Joe Weiss (Applied Control Systems)

I must admit that in summer, Joe was starting to get on my nerves because he pushed Stuxnet hard – especially as a key topic for his annual conference. However, after all it appeared that Joe’s instinct was right. He focused the control system security community’s attention on the subject when it was just starting to get red hot. This makes it easy to forgive him for letting Siemens get away with a bizarre opening presentation, informing the crowd how wonderfully NERC CIP compliant their energy product (SPPA-T3000) is. I realized only weeks later how closely the presentation was related to the subject. Many others certainly won’t.

5. Dale Peterson (Digital Bond)

On September 16, 2010, we published that Stuxnet was apparently targeting the Iranian nuclear program. Today, this seems so trivial that few analysts and reporters deem it worthwhile to mention that it was our discovery. Mid-September, this was considerably different. When we came out with the Bushehr story, nobody wanted to believe it. Our press releases were simply ignored by all the media which later educated the public on the subject, quoting self-proclaimed experts who had never gotten near a Stuxnet-infected site, or had any idea about what a Siemens controller does. During those early days, Dale was the only person with the guts to support our version of the plot – at a time when others were still fantasizing that Stuxnet could be about intellectual property theft. Dale’s support meant a lot to us.

6. Nicholas Falliere (Symantec)

Nicholas is the guy on Symantec’s team who brought in PLC experience. Without his work, we might never have become motivated to take a closer look at Stuxnet. Since Nicholas appears to live in France, we assume that his major expertise is with Schneider controllers, and that he came across Siemens products only briefly. The more remarkable is his work. Great job.

7. Michael Assante (NBISE)

It doesn’t take much to like Mike. He’s young, talented, a brilliant presenter, and he has guts. In his testimony before the US Senate in the hearing on Stuxnet’s implications for US critical infrastructure protection, he dared to say: “We’re running out of time”. He also addressed the issue of digital safety systems, which, I predict, will heat up soon in the wake of Stuxnet. OK, you have to search hard for these topics in his testimony, because Mike being Mike, he said so much more in so little time. However, the topic he spent most of his time on – education – isn’t bad either. With so many experts telling you Stuxnet and its descendants can be stopped by more firewalls, more defense-in-depth, more of everything we had before that made Stuxnet possible, it is good to hear somebody saying that good security starts with people – especially when trying to address threats that hadn’t been thought possible before. Your firewall won’t think out of the box. Your best talent might.

8. Melissa Hathaway (Hathaway Global)

When I met Melissa, she knew little about Stuxnet. Days after we talked, she told the New York Times that asset owners should prepare for copycat attacks within 90 days. Whew! If only more people were so quick in getting the point. Anybody who ever questioned Melissa’s capabilities just because she is a good-looking woman should better shut up.

9. Mike Peters (FERC)

I met Mike only once, at WeissCon 2010. Mike did a presentation that did not focus on Stuxnet at all. However, most of what he said would help asset owners to prepare against Stuxnet-inspired attacks. One of Mike’s most prominent messages is: simply assume the threat is there, so work on your vulnerabilities. If somebody found a way to clone Mike, that would be an extremely good starting point for an organized program for critical infrastructure protection in the wake of Stuxnet.

10. Anonymous friends

There are several more people I would like to point out and thank, but I guess, or know positively, that they prefer to remain anonymous.

Happy holidays to all of you.

Ralph Langner



Stuxnet 2.0, or: The sustained DoN threat

Many reporters these days ask about cyber warfare in the wake of Stuxnet, and what kind of Stuxnet-inspired attacks we should prepare for. Here’s one very easy answer. The next full-scale Stuxnet-inspired attack, let’s call it Stuxnet 2.0, will likely hit targets in Natanz, Fordow, and Bushehr. That’s right, the very same targets of Stuxnet 1.0. How is that? Simple: After having recovered from Stuxnet 1.0, which will probably be somewhere in 2012, Iran will attempt to continue its nuclear program. Since the first cyber strike worked so well, it would be outright stupid to send the B-2s next time. As long as another cyber attack has any chance for success, it will certainly be attempted.

Here’s the best part of the plot. Stuxnet’s digital warheads are reusable. Unlike explosives, they can be used over and over again, because the vulnerabilities that Stuxnet exploits on the controllers, and even some in the engineering software, can’t be “patched”. These very same vulnerabilities will still be there in 2012. The only thing that the attackers need to change is the dropper part, i.e. the Windows exploits. Let’s assume that an organization with demonstrated command of multiple 0days that took Microsoft months to get rid of, and more than one stolen digital signature in the drawer, will have more goodies in stock. Assembling these for version 2.0, along with some improvements from lessons learned, will be a walk in the park compared to producing the first release version.

In other words: The nuclear threat from Iran, should it exist, has been significantly reduced by a software-based DoN attack that appears to be reproducible (DoN = Denial-of-Nukes). Therefore it should be no surprise that the attackers don’t hesitate to fall back to 20th-century-style gunfire and explosives in attempts to reduce Iran’s defensive cyber capabilities by assassinating their anti-Stuxnet talent.



Turbine trouble

We are presently working on process forensics for the Stuxnet attacks. As you will remember, Stuxnet does not attack control systems, but what the hijacked control systems control. In one case this is gas centrifuges for uranium enrichment, in the other case this seems to be a big steam turbine in a nuclear power plant. So in order to understand the attacks, we need the expertise of centrifuge and turbine experts. Fortunately, we have access to several.

One of them on the turbine side is Robert Aleksick from CSI Technologies. Robert pointed out several ways to damage a steam turbine, as published in a training manual. As noted earlier, at this time we no longer believe that the 417 attack intends to blow up the turbine by overspeed. It looks like a more subtle type of attack; perhaps a combination of induced bearing vibration and cutting lubrication at the same time. We’ll see much more clearly here with the help of a Teleperm-equipped power plant operator that we hope to find soon.

Robert also referred to an incident at the Fermi NPP in Newport, Michigan, where the power plant suffered an outage of over a year due to turbine problems. Even though these were apparently unrelated to a cyber attack, it is easy to see how even minor problems, of the kind a manipulation of turbine control could also induce, can lead to a long outage window.



417 installed in Bushehr NPP

In order to determine what’s going on in Bushehr, we thought we would simply ask the manufacturer of the steam turbine: Power Machines Corp. in Russia (see email). If anybody knows details about that big 1000-Megawatt turbine in Bushehr, it’s certainly them. However, that would have been too easy. Russia chose not to respond, perhaps because of being under NDA. So we did some independent research. In order to understand the following, we have to explain the Siemens product structure in some detail.



Notes on Ralph’s interview with Dale Peterson

My friend Dale Peterson interviewed me several days ago for his podcast series, and certainly the interview focused on Stuxnet. For all who make the effort to listen to the lengthy podcast, I apologize for appearing fuzzy – I was coming from a one-hour dentist appointment, couldn’t feel half of my face, and could still hear the sound of the drill in my head. Anyway, since Dale had requested the interview some time ago, I didn’t want to reschedule.

One topic that Dale raised in the interview is the performance of DHS in the Stuxnet saga. Unfortunately I realized only afterwards what the simple reason for the anemic nonsense that DHS has published on the virus seems to be: Stuxnet is classified. However, they can’t tell you it’s classified, since this would be evidence for US participation in Stuxnet. It’s classified that it’s classified. Therefore, you see only those three bizarre ICS-CERT advisories that we have blogged about earlier.




Our Stuxnet timeline

Several reporters asked for our Stuxnet timeline, so here it is:

July 15, 2010
First heard about Stuxnet

August 26, 2010
Obtained copy of Stuxnet from the Internet and started lab analysis

September 8, 2010
Informed key people in the control system security community that Stuxnet is a cyber warfare weapon

September 13, 2010
Published that Stuxnet is a 100% directed attack

September 14, 2010
Published a step-by-step guide on how to analyze Stuxnet in a lab environment, along with lab configuration details and a video capture of Stuxnet traffic in Wireshark

September 16, 2010
Published first details on controller code injection, including the DEADF007 string
Published information on data blocks 890 and 8063
Published that Stuxnet’s target appears to be the Iranian nuclear program, especially the Bushehr nuclear power plant

September 17, 2010
Published an advisory that the control system vulnerabilities exploited by Stuxnet cannot be patched
Published recommended mitigation strategies for asset owners, vendors, and security companies to address the threat of Stuxnet-inspired malware

September 19, 2010
Informed DHS & INL about the threat posed by Stuxnet-inspired malware
Informed a US congressperson about the threat posed by Stuxnet-inspired malware

September 21, 2010
Technical briefing on Stuxnet by Ralph for the control system security community at WeissCon in Rockville, MD, especially focusing on how to address the threat of Stuxnet-inspired malware

September 26, 2010
In an interview with German nationwide TV (“Die Tagesschau”), Ralph says that potential targets for Stuxnet are the Bushehr NPP, the uranium enrichment facilities in Natanz, or both

October 11, 2010
Open letter to Symantec addressing their ill-informed assessment of the threat posed by Stuxnet-inspired malware, pointing out in detail why Stuxnet can be copied easily, and can be re-used by follow-up attackers without insider knowledge

November 13, 2010
Confirmed Symantec’s discovery that the 315 attack code manipulates a 6 x 31 drive array, eight hours after Symantec published it
Identified the K-1000-60/3000-3 steam turbine in the Bushehr NPP as the potential target for the 417 attack code

November 14, 2010
Published intelligence on attacker profiling, pointing out that a coalition of nation states appears to be behind Stuxnet, limiting the circle of suspects to Israel, the USA, Germany, and Russia

November 15, 2010
Published possible ways to destroy gas centrifuges with the 315 attack code, some of which are later supported by ISIS’ centrifuge expert David Albright
Published that the 417 attack code does a man-in-the-middle on the controller, feeding fake input data to the legitimate controller program

November 19, 2010
Published that the preparation for operation Myrtus must have taken several years

December 6, 2010
Announced mitigation tool for Stuxnet-inspired malware: The Langner Controller Integrity Checker
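The last timeline entry names an integrity checker as the mitigation for what the "Stuxnet 2.0" post above calls reusable warheads: controller code injection exploiting vulnerabilities that cannot be patched. What such a check does in principle is snapshot a digest of every program block on the controller in a known-good state and diff later read-backs against it, so that an injected block, a rewritten entry block, or a removed block shows up regardless of which Windows dropper delivered it. The Python below is an added example written here to illustrate that idea; it is not the Langner Controller Integrity Checker or its method. It assumes the program can be read back as a mapping of block name to bytes (how that read-back is done is tool-specific and not covered), and the block names and contents are constructed placeholders, not real controller code.

```python
"""Controller program-block integrity check against a known-good baseline.

Added example, not the Langner Controller Integrity Checker or its method.
Assumes the program can be read back as a mapping of block name -> bytes.
Block names and contents below are constructed placeholders.
"""
import hashlib
import json


def block_digests(blocks):
    """Map each block name to the SHA-256 of its code bytes."""
    return {name: hashlib.sha256(code).hexdigest() for name, code in blocks.items()}


def save_baseline(digests):
    """Serialize the baseline so it can be stored off the engineering station,
    where an attacker who owns that station cannot rewrite it unnoticed."""
    return json.dumps(digests, sort_keys=True)


def load_baseline(text):
    """Read a baseline produced by save_baseline()."""
    return json.loads(text)


def compare_to_baseline(baseline, current):
    """Classify blocks as injected (unknown to the baseline), removed, or
    modified (same name, different digest)."""
    return {
        "injected": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(name for name in baseline.keys() & current.keys()
                           if baseline[name] != current[name]),
    }


def check(baseline_text, current_blocks):
    """One full run: compare a stored baseline with a fresh read-back."""
    report = compare_to_baseline(load_baseline(baseline_text),
                                 block_digests(current_blocks))
    report["clean"] = not any(report[k] for k in ("injected", "removed", "modified"))
    return report


def constructed_program(tampered=False):
    """Constructed stand-in for a controller program (placeholder bytes, not
    real block code). With tampered=True it shows the injection pattern the
    blog describes: a new block appears and the cyclic entry block is
    rewritten so that the new block runs first."""
    blocks = {
        "OB1": b"\x01main cycle: call FC100; call FC101",
        "FC100": b"\x02read inputs; scale; write DB890",
        "FC101": b"\x03control law; write outputs",
        "DB890": b"\x04" + bytes(64),
    }
    if tampered:
        blocks["FC999"] = b"\x05injected block"
        blocks["OB1"] = b"\x01main cycle: call FC999; " + blocks["OB1"][1:]
    return blocks


if __name__ == "__main__":
    baseline = save_baseline(block_digests(constructed_program()))
    print("untouched:", check(baseline, constructed_program()))
    print("tampered: ", check(baseline, constructed_program(tampered=True)))
```

The baseline has to be taken from a controller that is trusted at that moment, and re-taken after every legitimate engineering change; otherwise the diff reports the change as tampering, which is still the safer failure mode.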



417 state machine

Symantec has so many nice diagrams in their Stuxnet dossier that we thought we should draw one, too. Here is the state machine of the 417 attack code.
