DEADF007 - Is Stuxnet The Secret Weapon To Attack Iran's Nukes; Is A Virus About To Revolutionize Modern Warfare?

Tyler Durden's picture

One of the most interesting stories in the last few days has little to do with finance and economics (at least right now), but arguably very much to do with geopolitics. A fascinating report which cites computer security experts claims that the recent uber-cryptic malware worm Stuxnet is nothing less than a weapon designed to infiltrate industrial systems, and, based on attack patterns, the ultimate object of Stuxnet may be none other than Iran's Bushehr nuclear reactor, which could be targeted for destruction without any military intervention at all. Has modern warfare just become obsolete courtesy of a computer virus?

From Yahoo:

Cyber security experts say they have identified the world’s first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.

The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose has grown. Some top cyber security experts now say Stuxnet’s arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.

A brief history of Stuxnet:

Stuxnet surfaced in June and, by July, was identified as a hypersophisticated piece of malware probably created by a team working for a nation state, say cyber security experts. Its name is derived from some of the filenames in the malware. It is the first malware known to target and infiltrate industrial supervisory control and data acquisition (SCADA) software used to run chemical plants and factories as well as electric power plants and transmission systems worldwide. That much the experts discovered right away.

But what was the motive of the people who created it? Was Stuxnet intended to steal industrial secrets – pressure, temperature, valve, or other settings – and communicate that proprietary data over the Internet to cyber thieves?

And it gets much more eerie:

Since reverse engineering chunks of Stuxnet's massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.

"Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world," says Langner, who last week became the first to publicly detail Stuxnet's destructive purpose and its authors' malicious intent. "This is not about espionage, as some have said. This is a 100 percent sabotage attack."

Stuxnet is so sophisticated it may entirely revolutionize the way modern warfare is fought:

Stuxnet's ability to autonomously and without human assistance discriminate among industrial computer systems is telling. It means, says Langner, that it is looking for one specific place and time to attack one specific factory or power plant in the entire world.

"Stuxnet is the key for a very specific lock – in fact, there is only one lock in the world that it will open," Langner says in an interview. "The whole attack is not at all about stealing data but about manipulation of a specific industrial process at a specific moment in time. This is not generic. It is about destroying that process."

The virus has already spread to the point where it is safe to say most critical SCADA infrastructure may already be infected.

So far, Stuxnet has infected at least 45,000 industrial control systems around the world, without blowing them up – although some victims in North America have experienced some serious computer problems, Eric Byres, a Canadian expert, told the Monitor. Most of the victim computers, however, are in Iran, Pakistan, India, and Indonesia. Some systems have been hit in Germany, Canada, and the US, too. Once a system is infected, Stuxnet simply sits and waits – checking every five seconds to see if its exact parameters are met on the system. When they are, Stuxnet is programmed to activate a sequence that will cause the industrial process to self-destruct, Langner says.

Has Stuxnet already hit its target?

It might be too late for Stuxnet's target, Langner says. He suggests it has already been hit – and destroyed or heavily damaged. But Stuxnet reveals no overt clues within its code to what it is after.

Will DEADF007 be the keyword that everyone will soon focus on?

Langner's analysis also shows, step by step, what happens after Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner’s analysis shows.

"After the original code [on the PLC] is no longer executed, we can expect that something will blow up soon," Langner writes in his analysis. "Something big."

And the punchline - Iran's nuclear plant may have already been destroyed without anyone firing a shot anywhere:

A geographical distribution of computers hit by Stuxnet, which Microsoft produced in July, found Iran to be the apparent epicenter of the Stuxnet infections. That suggests that any enemy of Iran with advanced cyber war capability might be involved, Langner says. The US is acknowledged to have that ability, and Israel is also reported to have a formidable offensive cyber-war-fighting capability.

Could Stuxnet's target be Iran's Bushehr nuclear power plant, a facility much of the world condemns as a nuclear weapons threat?

Langner is quick to note that his views on Stuxnet's target are speculation based on suggestive threads he has seen in the media. Still, he suspects that the Bushehr plant may already have been wrecked by Stuxnet. Bushehr's expected startup in late August has been delayed, he notes, for unknown reasons. (One Iranian official blamed the delay on hot weather.)

There is much more to this story than merely creating page-click-inducing headlines. Computerworld itself is on the case:

A highly sophisticated computer worm that has spread through Iran, Indonesia and India was built to destroy operations at one target: possibly Iran's Bushehr nuclear reactor.

That's the emerging consensus of security experts who have examined the Stuxnet worm. In recent weeks, they have broken the cryptographic code behind the software and taken a look at how the worm operates in test environments. Researchers studying the worm all agree that Stuxnet was built by a very sophisticated and capable attacker -- possibly a nation-state -- and it was designed to destroy something big.

Though it was first developed more than a year ago, Stuxnet was discovered in July 2010, when a Belarus-based security company found the worm on computers belonging to an Iranian client. Since then it has been the subject of ongoing study by security researchers, who say they have never seen anything like it before. Now, after months of private speculation, some of the researchers who know Stuxnet best say that it may have been built to sabotage Iran's nukes.

And ever more experts are chiming in:

Last week Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran's Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm's attack.

Experts had first thought that Stuxnet was written to steal industrial secrets -- factory formulas that could be used to build counterfeit products. But Langner found something quite different. The worm actually looks for very specific Siemens settings -- a kind of fingerprint that tells it that it has been installed on a very specific programmable logic controller (PLC) device -- and then it injects its own code into that system.

Because of the complexity of the attack, the target "must be of extremely high value to the attacker," Langner wrote in his analysis.

The evidence supporting that the attack is truly focusing on Iran is moving beyond the merely circumstantial:

This specific target may well have been Iran's Bushehr reactor, now under construction, Langner said in a blog post. Bushehr reportedly experienced delays last year, several months after Stuxnet is thought to have been created, and, according to screenshots of the plant posted by UPI, it uses the Windows-based Siemens PLC software targeted by Stuxnet.

Another Computerworld article discusses the lack of a patch for a bug which Windows had supposedly fixed, yet which allowed the virus to enter the attacked systems. One wonders why Windows may have misrepresented this weakness...

Microsoft confirmed Wednesday that it overlooked the vulnerability when it was revealed last year.

The vulnerability in the Windows Print Spooler service was one of four exploited by Stuxnet, a worm that some have suggested was crafted to sabotage an Iranian nuclear reactor.

Last week, researchers at both Kaspersky Lab and Symantec, the firms that had reported the bug to Microsoft in July and August, respectively, said the print spooler vulnerability had not been publicly disclosed before they found Stuxnet was using the flaw.

Yesterday Microsoft acknowledged this omission:

"Microsoft is aware of claims that the print spooler vulnerability in MS10-061 was partially discussed in a publication in April 2009," said company spokesman Dave Forstrom in an e-mail Wednesday. "These claims are accurate. Microsoft was not directly made aware of this vulnerability nor its publication at the time of release."

And for the paranoid, there are at least two other unpatched bugs which allow Stuxnet to enter any system it desires:

The security firms also notified Microsoft of two other unpatched bugs that the Stuxnet worm exploited. Those flaws, which can be used by attackers to upgrade access privileges on compromised PCs to administrator status, will be patched in a future update, Microsoft said last week. It has not set a timetable for the fixes, however.

Little information is available about the two lesser vulnerabilities. Danish bug tracker Secunia, for example, has posted only bare-bones advisories, noting that one affects Windows XP while the other affects Vista and Windows Server 2008 machines.

In other words, the entire world could very well be open to attacks by the most sophisticated targeted virus ever created, whose sole purpose may be the eradication of targets which previously required armed combat.

Is the face of warfare about to change forever?

hedgeless_horseman's picture

Shielded vacuum tubes, bitches!!!!!!!!!

mikla's picture

Ah, THERE it is!

#include <string.h>   /* strcmp */

void thinkHappyThoughts(const char* message)
{
  /* Guard against a NULL pointer before comparing the trigger string. */
  if (message && !strcmp(message, "DEADF007"))
  { // Uncomment the following line to re-enable
    // reactor destruction.
//  KillEveryoneNow();
  }
}

Cognitive Dissonance's picture

KillEveryoneNow();

Ummm, this is a local issue, right?

LOL

Andrew G's picture

The only thing that can now save the world - if Windows messes up and throws BSOD!

jimijon's picture

Thankfully the "offending" line of code was commented out.

StychoKiller's picture

Anyone using WindBloze OS for industrial control processes deserves to go up in smoke!  Linux (and BSD!) rulez!

A Nanny Moose's picture

Nonsense. First of all, PEBKAC is the biggest security vulnerability. I am no fan of Windoze, or Mc iPhail, but all operating systems have vulnerabilities. Changing platforms is merely obfuscation, which only buys time. Then there is the matter of the average dipshit user being able to actually use the fucking thing without needing to be an engineer to complete their mundane make-work in the average word processor.

I have hardened a Windoze XP, SP 1 based PLC and the network such that Stuxnet has no available infection vectors. None of these task based machines need a fucking print spooler, server/workstation services, USB ports, or goddam autoplay bullshit. It comes down to turning off that which you don't need (key difference between Windoze and IX distros), securing the network infrastructure, and the threat of termination of employment for people who fuck it up (good luck with this in unionized utilities).
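One way to audit and apply the controls the comment above lists (print spooler, server/workstation services, USB storage, AutoPlay), as an added example that is neither the commenter's own script nor a vendor tool. It assumes a modern Windows host (Windows 7 or later) and an elevated PowerShell session; the service names and registry values are the standard ones for these controls, and the script only reports unless -Enforce is passed.

```powershell
# Added example, not from the original post or its commenters.
# Audit (default) or enforce (-Enforce) the hardening described in the comment:
# stop and disable Print Spooler, Server and Workstation services, disable the
# USB mass-storage driver, and turn AutoRun off for every drive type.
[CmdletBinding()]
param(
    [switch]$Enforce
)

# Services the comment calls unnecessary on a task-based PLC host.
# Caveat: disabling LanmanServer/LanmanWorkstation removes all SMB server and
# client access, so stage this on one host before rolling it out.
$servicesToDisable = @('Spooler', 'LanmanServer', 'LanmanWorkstation')

# Registry controls: USBSTOR Start=4 (SERVICE_DISABLED) blocks the USB
# mass-storage driver; NoDriveTypeAutoRun=0xFF disables AutoRun everywhere.
$regControls = @(
    @{ Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name    = 'Start'
       Desired = 4
       Note    = 'USB mass-storage driver disabled' },
    @{ Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name    = 'NoDriveTypeAutoRun'
       Desired = 255
       Note    = 'AutoRun disabled for all drive types' }
)

$findings = @()

foreach ($svcName in $servicesToDisable) {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # service not present on this build
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'").StartMode
    $compliant = ($svc.Status -eq 'Stopped' -and $startMode -eq 'Disabled')
    $findings += [pscustomobject]@{
        Control   = "Service $svcName"
        Compliant = $compliant
        Current   = "$($svc.Status)/$startMode"
    }
    if ($Enforce -and -not $compliant) {
        Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svcName -StartupType Disabled
    }
}

foreach ($ctl in $regControls) {
    $current = $null
    if (Test-Path $ctl.Path) {
        $current = (Get-ItemProperty -Path $ctl.Path -Name $ctl.Name -ErrorAction SilentlyContinue).($ctl.Name)
    }
    $compliant = ($current -eq $ctl.Desired)
    $findings += [pscustomobject]@{
        Control   = $ctl.Note
        Compliant = $compliant
        Current   = "$current"
    }
    if ($Enforce -and -not $compliant) {
        if (-not (Test-Path $ctl.Path)) { New-Item -Path $ctl.Path -Force | Out-Null }
        Set-ItemProperty -Path $ctl.Path -Name $ctl.Name -Value $ctl.Desired -Type DWord
    }
}

# One row per control: what it is, whether it already matches, and the current state.
$findings | Format-Table -AutoSize
```

Run it once without -Enforce to see which controls already match, then again with -Enforce after the SMB caveat has been checked against what the host actually needs.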


hbjork1's picture

Posted on this elsewhere but worth the note.

In case everyone has forgotten or for those that don't read, during the late 50's and into early 60's there was something going on called the "Cold War".  The Russian Migs would occasionally turn on their afterburners and make a supersonic dash toward the Alaskan US boundary line only to turn at the last second recording data on electronic responses.  Curtis LeMay's Strategic Air Command (allegedly) had 1/3 of the flyable long range bombers in the air at all times.  Of those, 1/3 were (allegedly) loaded with nuclear weapons.  A book, "Blind Man's Bluff" was written about the submariners cold war that was going on at the same time. 

The USA operated up to 4 nuclear reactors at a place called "The Savannah River Plant".  The controllers for everything were hardwired, set and monitored by staff.  It was labor intensive but there were no "computers" that were not part of the hardwired system. 

The research group had computers with tubes that were coded for calculation using bits and bytes.  

No doubt controls were "upgraded" through the years.  But Savannah River probably produced enough plutonium and tritium to last all the decades since.

The Iranian technical people that I have interfaced with through the decades were very bright, just as smart as the Americans.  IMO, they would be able to eventually do as well as we did during the early years. 

IMO, as applies to being effective in disabling Iranian fissionable materials production, this virus thing is science fiction.

And, EMP is different.  That is comparing apples to hand grenades. 

Marley's picture

Agreed, do you think that after going through the QA review and safety evaluation process required to even get software into a nuclear plant, let alone going operational, you'd attach the system to the "internet"?  In the end analysis, most actionable impulses in a power plant, including newclear plants (:, boil down to contact points, relays, and/or other mechanical control schemes. Most computer control systems are supervisory or if they do lead, contain a fail safe criteria with another computer supervising.  Imagine what would happen if you lost control power at a nuc. or the grid goes down isolating the plant from the rest of the world? This does happen.   For this reason, most US plants have designed in safety criteria for just this type of problem.  Thus the need for the fail safe modes close, open, or stay in place.  Besides, a good reactor operator and engineer, provided with current schematics, could shut most plants down with jumpers and blocks. With regards to a turbine shaft over spinning, the admission valve to the steam chest is controlled by a dead man switch based on centrifugal force.  And lastly, regardless of all the hype the public has heard, Nuclear Power Plants Can Not Explode Like A Nuclear Bomb!  Period.

RockyRacoon's picture

Good to hear someone pronounce "newclear" right.  That "newkuler" really gets me.

trav7777's picture

Sure they can...the accident at Chernobyl involved a criticality incident due to negative void coefficient.  If hell breaks loose, SCRAM can be done manually with boric acid

Marley's picture

Operative words are Nuclear Bomb.  Steam explosions, Hydrogen explosions, while not desirable, are not the proverbial "mushroom cloud".   They are also included in the design basis.  Dirty bomb, yes.  Fission reaction, no.  Chernobyl was an example of an extremely irresponsible design, being a graphite water cooled reactor built in a light metal building.  The lead up to the chemical reaction, hydrogen meet oxygen, was a test of a new voltage regulator design that could have been conducted on any turbine generator set in any fossil fueled power plant.  Also a very irresponsible act, a special test in the US and strictly reviewed and controlled.  The reactor was brought into and out of criticality repeatedly in a short period of time.  The control rods overheated and wouldn't drop.  The pile overheated, cracked, and introduced the coolant, water, to the mix.  Research why you don't want to throw water on over heated graphite, if you don't already know.  The British discovered this in the early 50's at Windscale and is why graphite designs were frowned upon in the US.  Ft. St. Vrain, in Colorado was an exception, a Gulf Atomic design, but the coolant was helium.  Research half-life of any helium isotope.  The overall design was great.  Very low personnel exposures, high temperatures great for the supercritical rankine cycle.  Great location for skiing.  Only problem was the steam motivated fans to circulate the Helium through the core.  British designs used electric motors.  Also, "criticality incident due to negative void coefficient"?  No insult intended, seems like an oxymoron.  Maybe referring to the repetitive criticality of the test?  And yes, the coolant, water, boiled in the reactor, creating a negative void coefficient?  Or a combination of words designed to create hyperbole, not on your part though.  You need water to moderate the fission process to maintain criticality so I don't understand.  
Obviously I've too much time on my hands, but then again, I could be spiritually creating my own reality, sorry.

suckapump's picture

FreeBSD,  bitchez!!!!

I don't know why you got junked for this. I thought it was hilarious.

schoolsout's picture

Say it wasn't targeted at a Nuke plant or something similar, but somehow in the comps that store all of that fancy digital $$$/paper?


THE 4th Quadrant's picture

One of the problems with a culture that watches too many movies is that people start to think in linear relationship to their favorite blockbusters.

Believing that every last control system in a plant is connected directly to the Internet without a firewall, exposed, and vulnerable. Spectacular, oh my!

Long live the movies without them there would be no Tyler.

schoolsout's picture

I was just asking a question.  I know very little about firewalls and whatever else about computers. 

UGrev's picture

This virus was a clear hybrid approach. Social engineering and virus deployment. Any cracker would try to bank on some stooge getting the virus on his home computer.. infecting a thumb-drive and then bringing it into work.  This virus was NOT intended to enter via the internet.. sheesh. 

barkingbill's picture

wow, that's pretty clever. 

UGrev's picture

brute force doesn't always work. This is what I call a parasite, not a virus, because the host is you! and you infect the machines when you slap in a thumb drive. This is exactly how I would do it.  Get into a windows user's box.. put some parasite onto your system (built in C++) and wait for you to knowingly or unknowingly contact someone down the grapevine of 6 degrees of separation and see what happens. I'm just curious about how many virus writers know the ins and outs of Nuclear computer architecture and the software that is used and how to infect that software.  

If this is what it is, and it's really a virus specifically targeting a reactor site, then whoever did it has connections of the not so legal type, is another government agency or is just pipe-dreaming that it will work.  I'm thinking the latter. 

THE 4th Quadrant's picture

You also have a flair for the dramatic. Funny how so many superior thinkers discount the work of others just because they live in a foreign country, a line in the sand makes you the one and only.

Iranians could never engineer an impenetrable network. They don't know how to craft packets that would never be recognized or routable on networks known as the Internet.

They would never be able to create their own operating systems, or intrusion detection systems. They are not me or mines therefore they are inferior.

--Disappointed

LowProfile's picture

If that's the case, then it's clearly sabotage via physically infiltrating.  Not quite what most computer users think when you say "computer virus".

UGrev's picture

and what better saboteur than someone who has no idea he's doing it. 

VegasBD's picture

i remember a bank thinking it was invincible to a virus, so they hired a company to hack in. that company instead created a small virus, put it on about 20 thumb drives and left them around the bank parking lot, on cars, planters, etc. some employees picked them up, plugged them into their workstations and clicked vacationpictures.exe and bam, done deal.


best way to hack a computer is social engineering people. ask Kevin Mitnick

UGrev's picture

Yeah, people think cracking is about sitting around writing invasive code when, in fact, that's like the last thing you do. Script kiddies will just plunk away like that. Real cracking is a skill and it's time intensive. You have to pick your target and truly, you have to understand humanity. People do things, say things, and throw away UNBELIEVABLE types of personal info without shredding.  People.. do yourself a favor.. SHRED EVERYTHING that has your name on it... twice. 

divide_by_zero's picture

That's allegedly how the Chinese cleaned out the Pentagon several years ago.

sgt_doom's picture

Negative, the way the Pentagon was cleaned out (and now some of that stuff appears recently at Wikileaks and has made the international news) was by someone there giving a honey trap (as in TOR sites) to a neocon PAC, who was spotted by the Chinese Ghostnet, which stealthily piggybacked on it, and was in turn piggybacked by others and hence ended up at Wikileaks.

This stuff can get fairly circuitous and hairy.

sgt_doom's picture

You are sooooo on target, UGrev, my good fellow!

Unless, there happens to be some delivery method extant which is unknown to us?

Can't think of one offhand, unless they have some open satellite connection, you have to be right.

LowProfile's picture

ZH's editors need to be a bit more selective.

I would imagine critical control systems wouldn't be connected at all.

Greyzone's picture

Flash drive.

Russian contractor.

Putin: "Sorry, Mr. Obama, I can't shut them down. I need the cash from this deal."

Obama: "Ok, finish the reactor but make sure this little package gets installed too and you get a bonus from us. Collect from Iran, collect from us, just make sure our little package gets delivered, ok?"

Putin: "Done."

Crabshack's picture

It seems silly but most of the control systems are connected to the net full time.  Those Siemens controllers are no different than that used in any high rise, school, hospital, etc.  The Siemens package controls lighting, building access, HVAC, etc.  

A school for instance would have a terminal onsite for the Janitor/Engineer staff to monitor.  Then the local school board, monitoring company, alarm company, fire monitoring company, service company, original installing contractor all have access.  Typically the program works automatically turning lights on and off, doors locked or open, temperature set here, etc.  But, if you have a problem you get an alarm situation which then alerts all of the people above by email, call, text, page, etc.

The first thing they do is log on and see what the problem is.  80% of the problems can be fixed online.  In some cases, like a blown motor the service contractor will see no amperage draw (say).  He will make sure the backup fired up automatically and then schedule a call for replacement.  

Right now I could log onto about 10 different buildings and boil the receptionist.  Log on, find unit supplying reception, increase setpoint 10 degrees and voila.

On a fancy install the "control" guys would integrate their system into the company's larger network.  BUT, most of the time the control guys are part of the building's construction.  Wires are pulled at construction time for the company's network but no servers and switches are installed until the building is finished and operating.

These control packages from Siemens do run on windoze based computers, so if you can hack a Windows XP login then you can screw with most of the buildings out there which are under control.  The PLC controllers all get a set of limits and functions programmed in.  They can run automatically if the control system goes down, lightning zaps a computer, hard drive fail, etc.  For instance a boiler in a school will run within a set of limits by itself.  So, these guys are hacking in and changing the limits on the actual controllers.

I am fairly sure that power plants would be secured better than schools and office buildings but you better believe that Siemens Engineering group would have remote access to that reactor's control system.  Monitoring, upgrades, startups, changeover, repairs, etc. would all be aided by Siemens from somewhere in the world.   If they (or anyone) has access then it can be snooped and then spoofed.

To be honest nobody normally would think of a pump controller as a potential target.  Until it is pumping heavy water.  :)  Typically accounting, HR, company research, back officey stuff is secure but some computer sitting in the stinky janitor's room is wide open.


sushi's picture

To follow up to your post: During the cold war there was a rupture/explosion of a Russian pipeline system. Director of the CIA Casey claimed that this was the result of the US ensuring that industrial products sold to the USSR contained defects that would result in operational failure.

In addition the beta release of Windows 2000 server contained an encryption key folder labelled "NSA key." It was believed that this was a backdoor key which gives NSA access to any encrypted Windows system.

Finally, if the industrial control system runs on the Windows platform, ask yourself how you get OS updates? When you download and install MS-061 do you have any idea what that contains or what it does? And how do you know that your version of MS-061 is the same as my version of MS-061?

Going to be hard to increase US exports if people become aware that any sophisticated product can be trashed by a desk jockey in Langley VA.

sgt_doom's picture

And don't forget that secret M$ dll file.

ShankyS's picture

Since the market is about to go range bound till 3:00 as usual I have time to read this.

Nihilarian's picture

Just watch "Independence Day", same plot.


Sudden Debt's picture

The Aliens died because they didn't have McAfee Upgrades turned on!!!

Let's just hope the Iranians don't have their antivirus programs up to date or there goes Obama's secret weapon...

surfsup's picture

emp, far more efficient...

Turd Ferguson's picture

I hear ya. Perhaps the virus gives some degree of plausible deniability?

centerline's picture

Complete autonomy I would think.  Plausible deniability for sure.

surfsup's picture

Or the fiction necessary to substantiate the alleged need for an internet wide kill switch.  Also strikes me as so "2000" in regards to the date roll over issue...  

Sudden Debt's picture

DO THEY HAVE COMPUTERS IN IRAN?!!!


I SAY WE BEAT THEM IN A GAME OF SOLDIERS OF FORTUNE!!

LAN PARTY!!!!!!

Bob's picture

Fuck 'n A!  I was typing that exact comment but thought better of it . . . then came back and here it was!

Who do you work for, cm????????

carbonmutant's picture

I was up a little late last night "TCB"...LOL

Bob's picture

What's TCB?

Seriously, something very weird is going on here.  Now our posts, originally stamped one minute apart, now appear to be one hour apart.

WTF????

Is it what I said about the fucking FBI on Tuesday?  I mean, really, this is truly fucking weird

They can still kiss my ass, but still, inquiring minds wanna know.

kathy.chamberlin@gmail.com's picture

BoB i love you.

really really strange things are happening on this website. plus my firefox browser. plus time suspension on this website. huge time lapses.

Bob's picture

OK, thanks for the love, luv.  I don't think that quite captures what I'm describing here.  We'll see what the webmaster has to say. 

cougar_w's picture

Sorry. I've been fucking with you. I'll stop now.


No actually that was me fucking with you just now. But yes, I will stop as promised.