Archive for September 30, 2010

Cyberwar: The meaning of Stuxnet | The Economist

September 30, 2010

A sophisticated “cyber-missile” highlights the potential—and limitations—of cyberwar

IT HAS been described as “amazing”, “groundbreaking” and “impressive” by computer-security specialists. The Stuxnet worm, a piece of software that infects industrial-control systems, is remarkable in many ways. Its unusual complexity suggests that it is the work of a team of well-funded experts, probably with the backing of a national government, rather than rogue hackers or cyber-criminals (see article). It is designed to infect a particular configuration of a particular type of industrial-control system—in other words, to disrupt the operation of a specific process or plant. The Stuxnet outbreak has been concentrated in Iran, which suggests that a nuclear facility in that country was the intended target.

This is, in short, a new kind of cyber-attack. Unlike the efforts to disrupt internet access in Estonia or Georgia (blamed on Russia), or the attacks to break into American systems to steal secrets (blamed on China), this was a weapon aimed at a specific target—it has been called a “cyber-missile”. One or more governments (the prime suspects are Israel and America) were probably behind it. After years of speculation about the potential for this sort of attack, Stuxnet is a worked example of cyberwar’s potential—and its limitations.

Much of the discussion of cyberwar has focused on the potential for a “digital Pearl Harbour”, in which a country’s power grids and other critical infrastructure are disabled by attackers. Many such systems are isolated from the internet for security reasons. Stuxnet, which exploits flaws in Microsoft Windows to spread on to stand-alone systems via USB memory sticks, shows they are more vulnerable than most people thought. The outbreak emphasises the importance of securing industrial-control systems properly, with both software (open-source code can be more easily checked for security holes) and appropriate policies (banning the use of memory sticks). “Smart” electricity grids, which couple critical infrastructure to the internet, must be secured carefully.

Stuxnet is also illuminating in another way: it reveals the potential for cyber-weapons that target specific systems, rather than simply trying to cause as much mayhem as possible. It infected several plants in Germany, for example, but did no harm because they were not the target it was looking for. Such specificity, along with the deniability and difficulty of tracing a cyber-weapon, has obvious appeal to governments that would like to disable a particular target while avoiding a direct military attack—and firms interested in sabotaging their rivals.


Cyberwar is not declared

But the worm also highlights the limitations of cyber-attacks. Iran admits that some computers at its Bushehr nuclear plant were infected, but says no damage was done. The target may have been the centrifuges at its nuclear refinery at Natanz. Last year the number of working centrifuges at Natanz dropped, though it is unclear whether this was the result of Stuxnet. Even if it was, the attack will only have delayed Iran’s nuclear programme: it will not have shut it down altogether. Whoever is behind Stuxnet may feel that a delay is better than nothing. But a cyber-attack is no substitute for a physical attack. The former would take weeks to recover from; the latter, years.

Stuxnet may have failed to do the damage its designers intended, but it has succeeded in undermining the widespread assumption that the West would be the victim rather than the progenitor of a cyber-attack. It has also illustrated the murkiness of this sort of warfare. It is rarely clear who is attacking whom. It is hard to tell whether a strike has been successful, or indeed has happened at all. This, it seems, is what cyberwar looks like. Get used to it.

The Stuxnet outbreak: A worm in the centrifuge | The Economist

September 30, 2010

An unusually sophisticated cyber-weapon is mysterious but important

IT SOUNDS like the plot of an airport thriller or a James Bond film. A crack team of experts, assembled by a shadowy government agency, develops a cyber-weapon designed to shut down a rogue country’s nuclear programme. The software uses previously unknown tricks to worm its way into industrial control systems undetected, searching for a particular configuration that matches its target—at which point it wreaks havoc by reprogramming the system, closing valves and shutting down pipelines.

This is not fiction, but fact. A new software “worm” called Stuxnet (its name is derived from keywords buried in the code) seems to have been developed to attack a specific nuclear facility in Iran. Its sophistication suggests that it is the work of a well-financed team working for a government, rather than a group of rogue hackers trying to steal secrets or cause trouble. America and Israel are the obvious suspects. But Stuxnet’s origins and effects are unknown.

Stuxnet first came to light in June, when it was identified by VirusBlokAda, a security firm in Belarus. The next month Siemens, a German industrial giant, warned customers that their “supervisory control and data acquisition” (SCADA) management systems, which control valves, pipelines and industrial equipment, were vulnerable to the worm. It targets a piece of Siemens software, called WinCC, which runs on Microsoft Windows.

For security reasons SCADA systems are not usually connected to the internet. But Stuxnet can spread via infected memory sticks plugged into a computer’s USB port. Stuxnet checks to see if WinCC is running. If it is, it tries to log in, to install a clandestine “back door” to the internet, and then to contact a server in Denmark or Malaysia for instructions. (Analysis of traffic to these servers is continuing, and may offer the best chance of casting light on Stuxnet’s purpose and origins.) If it cannot find WinCC, it tries to copy itself on to other USB devices. It can also spread across local networks via shared folders and print spoolers.

Initially, Stuxnet seemed to be designed for industrial espionage or to allow hackers to blackmail companies by threatening to shut down vital systems. But its unusual characteristics suggest another explanation. WinCC is a rather obscure SCADA system. Hackers hoping to target as many companies as possible would have focused on more popular systems. And Stuxnet searches for a particular configuration of industrial equipment as it spreads. It launches an attack only when it finds a match. “The bad news is that the virus is targeting a specific process or plant,” says Wieland Simon of Siemens. “The good news is that most industrial processes are not the target of the virus.” (Siemens says it knows of 15 plants around the world that were infected by Stuxnet, but their operations were unaffected as they were not the intended target.)

Another odd feature is that Stuxnet uses two compromised security certificates (stolen from firms in Taiwan) and a previously unknown security hole in Windows to launch itself automatically from a memory stick. The use of such “zero-day vulnerabilities” by viruses is not unusual. But Stuxnet can exploit four entirely different ones in order to worm its way into a system. These holes are so valuable that hackers would not normally use four of them in a single attack. Whoever created Stuxnet did just that to boost its chances. They also had detailed knowledge of Siemens’s industrial-production processes and control systems, and access to the target plant’s blueprints. In short, Stuxnet was the work neither of amateur hackers nor of cybercriminals, but of a well-financed team. “Behind this virus there are experts,” says Mr Simon. “They need money and know-how.”
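The leader above recommends “banning the use of memory sticks”, and the two preceding paragraphs describe why: the worm spreads from an infected stick to a Windows machine running WinCC and then onward across the local network. The script below is an added example of what that ban looks like when actually applied to a Windows host; it is not code from The Economist, Siemens or the Stuxnet analysts quoted here. It assumes a Windows engineering workstation with PowerShell 3.0 or later, an elevated (administrator) session, and an operator who accepts losing all USB mass-storage devices on that host. The registry keys and the Removable Disks device-class GUID are the standard ones Windows uses for these settings; the function names are mine.

```powershell
# Added example: block removable USB storage on a Windows host and audit the result.
# Not from The Economist or Siemens. Assumes Windows with PowerShell 3.0+, run from an
# elevated session, and that the operator accepts losing *all* USB mass storage on the
# host. Try it on an isolated workstation first: a wrong key here is hard to undo remotely.

# Standard Windows registry locations (not invented for this example):
$UsbStorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Device-class GUID for "Removable Disks" under the Removable Storage Access policy.
$RemovableDiskPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableStorageBlock {
    # 1. Disable the USB mass-storage class driver. Start = 4 is SERVICE_DISABLED,
    #    so a newly inserted memory stick never receives a drive letter at all.
    Set-ItemProperty -Path $UsbStorService -Name 'Start' -Value 4 -Type DWord

    # 2. Deny read, write and execute on removable disks through policy. This also
    #    covers a device that is already mounted when the setting is applied.
    New-Item -Path $RemovableDiskPolicy -Force | Out-Null
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        Set-ItemProperty -Path $RemovableDiskPolicy -Name $name -Value 1 -Type DWord
    }

    # 3. Turn off AutoRun for every drive type (0xFF). See the caveat in the text:
    #    the worm described above did not rely on AutoRun, so this is hygiene, not
    #    the control that stops it.
    New-Item -Path $ExplorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-RemovableStorageBlock {
    # Read the settings back and list any USB disks currently attached, so the
    # state of each host is checked rather than assumed from the policy.
    $start = (Get-ItemProperty -Path $UsbStorService -Name 'Start' -ErrorAction SilentlyContinue).Start
    $deny  = Get-ItemProperty -Path $RemovableDiskPolicy -ErrorAction SilentlyContinue
    $auto  = (Get-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $usbDisks = Get-WmiObject -Class Win32_DiskDrive | Where-Object { $_.InterfaceType -eq 'USB' }

    [pscustomobject]@{
        UsbStorDisabled     = ($start -eq 4)
        RemovableDiskDenied = ($null -ne $deny -and $deny.Deny_Read -eq 1 -and $deny.Deny_Write -eq 1 -and $deny.Deny_Execute -eq 1)
        AutoRunDisabled     = ($auto -eq 0xFF)
        AttachedUsbDisks    = @($usbDisks | ForEach-Object { $_.Model })
    }
}

# Usage, from an elevated prompt:
#   Set-RemovableStorageBlock
#   Test-RemovableStorageBlock | Format-List
```

Two caveats a practitioner would want. First, the article says the worm launched itself automatically from a stick through a previously unknown Windows flaw; that flaw did not depend on AutoRun, so disabling AutoRun on its own would not have stopped it. Blocking the storage driver and denying access through policy are the controls that matter, and in a fleet they belong in Group Policy (Computer Configuration, Administrative Templates, System, Removable Storage Access), which writes the same keys. Second, the article also notes that Stuxnet spread across local networks via shared folders and print spoolers, so a memory-stick ban is one layer of several, not a substitute for patching the Windows hosts that run the control software.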

So what was the target? Microsoft said in August that Stuxnet had infected more than 45,000 computers. Symantec, a computer-security firm, found that 60% of the infected machines were in Iran, 18% in Indonesia and 8% in India. That could be a coincidence. But if Stuxnet was aimed at Iran, one possible target is the Bushehr nuclear reactor. This week Iranian officials confirmed that Stuxnet had infected computers at Bushehr, but said that no damage to major systems had been done. Bushehr has been dogged by problems for years and its opening was recently delayed once again. Given that history, the latest hitch may not have been Stuxnet’s work.

A more plausible target is Iran’s uranium-enrichment plant at Natanz. Inspections by the International Atomic Energy Agency, the UN’s watchdog, have found that about half Iran’s centrifuges are idle and those that work are yielding little. Some say a fall in the number of working centrifuges at Natanz in early 2009 is evidence of a successful Stuxnet attack.

Last year Scott Borg of the United States Cyber-Consequences Unit, a think-tank, said that Israel might prefer to mount a cyber-attack rather than a military strike on Iran’s nuclear facilities. That could involve disrupting sensitive equipment such as centrifuges, he said, using malware introduced via infected memory sticks.

His observation now looks astonishingly prescient. “Since the autumn of 2002, I have regularly predicted that this sort of cyber-attack tool would eventually be developed,” he says. Israel certainly has the ability to create Stuxnet, he adds, and there is little downside to such an attack, because it would be virtually impossible to prove who did it. So a tool like Stuxnet is “Israel’s obvious weapon of choice”. Some have even noted keywords in Stuxnet’s code drawn from the Bible’s Book of Esther—in which the Jews fight back to foil a plot to exterminate them.

Did Stuxnet Worm Its Way Into Iran’s Nuke Computers?

September 30, 2010

Did Stuxnet Worm Its Way Into Iran’s Nuke Computers? | TakePart – Inspiration to Action.

Someone in this building has learned the hard way not to surf porn sites at work. (Photo: Raheb Homavandi/Reuters)

If widespread speculation is true, a single computer virus may have accomplished what a bevy of international sanctions have failed to do.

Thwart Iran’s nuclear ambitions.

The worm, called Stuxnet, is a sophisticated malware program that attacks the central nervous system of computers at high-value industrial sites like Iran’s Bushehr nuclear power plant, where initial operations have mysteriously been pushed back two to three months.

The sophisticated virus is so large, so encrypted, and so complex, that dumbfounded experts assume it could only have been developed by an extremely wealthy private group or a well-resourced nation state—a fact that’s led some to believe the bug was created specifically to take out Iran’s nuclear program.

Whichever cloak-and-dagger party is responsible, it’s clear they tossed a massive amount of time, money, and know-how at designing the virus.

By reverse-engineering the worm’s colossal code, experts realized that the guided cyber missile is designed to attack a single, specific target.

“Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world,” Dr. Ralph Langner told The Christian Science Monitor. “This is not about espionage, as some have said. This is a 100 percent sabotage attack.”

Although no one can say for sure how or when Bushehr got bugged, the act itself is technically brainless; releasing the crafty worm is as simple as inserting a Stuxnet-infected flash drive into a PC connected to the plant’s computer network, a task that could be carried out by a single covert operative, or an unsuspecting computer contractor.

After that, without mouse clicks, keyboard strokes, or any human interaction, Stuxnet is free to infiltrate the site’s cyber mind and control its industrial processes.

“What we’re seeing with Stuxnet is the first view of something new that doesn’t need outside guidance by a human—but can still take control of your infrastructure,” says Michael Assante, former chief of industrial control systems cyber security research at the U.S. Department of Energy’s Idaho National Laboratory.

“This is the first direct example of weaponized software, highly customized and designed to find a particular target.”

The worm’s malware DNA was designed specifically to attack systems programmed by German-owned Siemens, Europe’s largest engineering conglomerate.

So who done it?

Connecting fuzzy dots may be more sport than science, but the two primary suspects behind Stuxnet—the U.S. and Israel—both have outward axes to grind with Iran, and both share cozy intel relationships with Germany, the historical home of Siemens.

In May, Germany voted alongside the five permanent members of the United Nations Security Council to level severe sanctions against Iran and its nuclear program.

Although Iranian officials deny that Stuxnet is behind Bushehr’s cold, the virus has reportedly been found on the plant’s computers.

If Bushehr’s systems do turn out to be fully infected by the spyware on steroids, the prognosis may be terminal.

“After the original code is no longer executed, we can expect that something will blow up soon,” Langner wrote in his analysis. “Something big.”

In a Computer Worm, a Possible Biblical Clue – NYTimes.com

September 30, 2010

Deep inside the computer worm that some specialists suspect is aimed at slowing Iran’s race for a nuclear weapon lies what could be a fleeting reference to the Book of Esther, the Old Testament tale in which the Jews pre-empt a Persian plot to destroy them.

That use of the word “Myrtus” — which can be read as an allusion to Esther — to name a file inside the code is one of several murky clues that have emerged as computer experts try to trace the origin and purpose of the rogue Stuxnet program, which seeks out a specific kind of command module for industrial equipment.

Not surprisingly, the Israelis are not saying whether Stuxnet has any connection to the secretive cyberwar unit it has built inside Israel’s intelligence service. Nor is the Obama administration, which while talking about cyberdefenses has also rapidly ramped up a broad covert program, inherited from the Bush administration, to undermine Iran’s nuclear program. In interviews in several countries, experts in both cyberwar and nuclear enrichment technology say the Stuxnet mystery may never be solved.

There are many competing explanations for myrtus, which could simply signify myrtle, a plant important to many cultures in the region. But some security experts see the reference as a signature allusion to Esther, a clear warning in a mounting technological and psychological battle as Israel and its allies try to breach Tehran’s most heavily guarded project. Others doubt the Israelis were involved and say the word could have been inserted as deliberate misinformation, to implicate Israel.

“The Iranians are already paranoid about the fact that some of their scientists have defected and several of their secret nuclear sites have been revealed,” one former intelligence official who still works on Iran issues said recently. “Whatever the origin and purpose of Stuxnet, it ramps up the psychological pressure.”

So a calling card in the code could be part of a mind game, or sloppiness or whimsy from the coders.

The malicious code has appeared in many countries, notably China, India, Indonesia and Iran. But there are tantalizing hints that Iran’s nuclear program was the primary target. Officials in both the United States and Israel have made no secret of the fact that undermining the computer systems that control Iran’s huge enrichment plant at Natanz is a high priority. (The Iranians know it, too: They have never let international inspectors into the control room of the plant, the inspectors report, presumably to keep secret what kind of equipment they are using.)

The fact that Stuxnet appears designed to attack a certain type of Siemens industrial control computer, used widely to manage oil pipelines, electrical power grids and many kinds of nuclear plants, may be telling. Just last year officials in Dubai seized a large shipment of those controllers — known as the Simatic S-7 — after Western intelligence agencies warned that the shipment was bound for Iran and would likely be used in its nuclear program.

“What we were told by many sources,” said Olli Heinonen, who retired last month as the head of inspections at the International Atomic Energy Agency in Vienna, “was that the Iranian nuclear program was acquiring this kind of equipment.”

Also, starting in the summer of 2009, the Iranians began having tremendous difficulty running their centrifuges, the tall, silvery machines that spin at supersonic speed to enrich uranium — and which can explode spectacularly if they become unstable. In New York last week, Iran’s president, Mahmoud Ahmadinejad, shrugged off suggestions that the country was having trouble keeping its enrichment plants going.

Yet something — perhaps the worm or some other form of sabotage, bad parts or a dearth of skilled technicians — is indeed slowing Iran’s advance.

The reports on Iran show a fairly steady drop in the number of centrifuges used to enrich uranium at the main Natanz plant. After reaching a peak of 4,920 machines in May 2009, the numbers declined to 3,772 centrifuges this past August, the most recent reporting period. That is a decline of 23 percent. (At the same time, production of low-enriched uranium has remained fairly constant, indicating the Iranians have learned how to make better use of fewer working machines.)

Computer experts say the first versions of the worm appeared as early as 2009 and that the sophisticated version contained an internal time stamp from January of this year.

These events add up to a mass of suspicions, not proof. Moreover, the difficulty experts have had in figuring out the origin of Stuxnet points to both the appeal and the danger of computer attacks in a new age of cyberwar.

For intelligence agencies they are an almost irresistible weapon, free of fingerprints. Israel has poured huge resources into Unit 8200, its secretive cyberwar operation, and the United States has built its capacity inside the National Security Agency and inside the military, which just opened a Cyber Command.

But the near impossibility of figuring out where they came from makes deterrence a huge problem — and explains why many have warned against the use of cyberweapons. No country, President Obama was warned even before he took office, is more vulnerable to cyberattack than the United States.

For now, it is hard to determine if the worm has infected centrifuge controllers at Natanz. While the S-7 industrial controller is used widely in Iran, and many other countries, even Siemens says it does not know where it is being used. Alexander Machowetz, a spokesman in Germany for Siemens, said the company did no business with Iran’s nuclear program. “It could be that there is equipment,” he said in a telephone interview. “But we never delivered it to Natanz.”

But Siemens industrial controllers are unregulated commodities that are sold and resold all over the world — the controllers intercepted in Dubai traveled through China, according to officials familiar with the seizure.

Ralph Langner, a German computer security consultant who was the first independent expert to assert that the malware had been “weaponized” and designed to attack the Iranian centrifuge array, argues that the Stuxnet worm could have been brought into the Iranian nuclear complex by Russian contractors.

“It would be an absolute no-brainer to leave an infected USB stick near one of these guys,” he said, “and there would be more than a 50 percent chance of having him pick it up and infect his computer.”

There are many reasons to suspect Israel’s involvement in Stuxnet. Intelligence is the single largest section of its military and the unit devoted to signal, electronic and computer network intelligence, known as Unit 8200, is the largest group within intelligence.

Yossi Melman, who covers intelligence for the newspaper Haaretz and is at work on a book about Israeli intelligence over the past decade, said in a telephone interview that he suspected that Israel was involved.

He noted that Meir Dagan, head of Mossad, had his term extended last year partly because he was said to be involved in important projects. He added that in the past year Israeli estimates of when Iran will have a nuclear weapon had been extended to 2014.

“They seem to know something, that they have more time than originally thought,” he said.

Then there is the allusion to myrtus — which may be telling, or may be a red herring.

Several of the teams of computer security researchers who have been dissecting the software found a text string that suggests that the attackers named their project Myrtus. The guava fruit is part of the Myrtus family, and one of the code modules is identified as Guava.

It was Mr. Langner who first noted that Myrtus is an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively.

“If you read the Bible you can make a guess,” said Mr. Langner, in a telephone interview from Germany on Wednesday.

Carol Newsom, an Old Testament scholar at Emory University, confirmed the linguistic connection between the plant family and the Old Testament figure, noting that Queen Esther’s original name in Hebrew was Hadassah, which is similar to the Hebrew word for myrtle. Perhaps, she said, “someone was making a learned cross-linguistic wordplay.”

But other Israeli experts said they doubted Israel’s involvement. Shai Blitzblau, the technical director and head of the computer warfare laboratory at Maglan, an Israeli company specializing in information security, said he was “convinced that Israel had nothing to do with Stuxnet.”

“We did a complete simulation of it and we sliced the code to its deepest level,” he said. “We have studied its protocols and functionality. Our two main suspects for this are high-level industrial espionage against Siemens and a kind of academic experiment.”

Mr. Blitzblau noted that the worm hit India, Indonesia and Russia before it hit Iran, though the worm has been found disproportionately in Iranian computers. He also noted that the Stuxnet worm has no code that reports back the results of the infection it creates. Presumably, a good intelligence agency would like to trace its work.

Ethan Bronner contributed reporting from Israel, and William J. Broad from New York.