Friday, October 1, 2010

Stuxnet: Military-grade SCADA weapon

Stuxnet was uncovered over the summer and, as details have been forthcoming, it is a compelling piece of work. Stuxnet is a self-propagating worm designed to target a particular SCADA facility utilizing Siemens WinCC/Step7 software, and it targets the associated PLCs with a particular, as-yet-unknown payload. The majority of the compromises were in Iran, but other countries, such as Germany, Russia and the US, have been infected as well. Quotes from those conducting analysis, such as "Hack of the century", "nation-state weapons-grade attack software" and "will be the most analyzed piece of malware ever", are not isolated opinions. From an article titled "Is Stuxnet the 'best' malware ever?":
"It's amazing, really, the resources that went into this worm," said Liam O Murchu, manager of operations with Symantec's security response team.
"I'd call it groundbreaking," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. By comparison, other notable attacks, like the one dubbed "Aurora" that hacked Google's network, and those of dozens of other major companies, were child's play.
To summarize some of the reasons that it has engendered such praise:
Any one of those capabilities with sufficient penetration would be enough to garner interest. But combining all of them is a generation or two ahead of anything ever seen in the wild before. The code is of interest from a purely technical achievement perspective, but it also has significant implications for nations and other stakeholders in potential cyberwarfare.

Recently, multiple different parties conducting analysis (or reviewing the public analysis) have concluded that the attack was likely against an Iranian nuclear facility, either the Bushehr nuclear power plant or the Uranium enrichment facilities in Natanz and likely originated in Israel. I'll attempt to summarize the arguments below:
  • Almost 60% of the infections are in Iran according to Symantec (who took over the C2 server)
  • The SCADA/PLC payload doesn't get activated unless the particular network fingerprint is found. None of the systems infected with Stuxnet have reported that this fingerprint matched (of course, they might hide or cover it up if they were the target). Given the investment, it appears likely that a particular high value network was targeted.
  • Guesswork from multiple parties wondering what high value systems might be targeted in Iran quickly jumped to nuclear facilities. Arguments for Bushehr (here, here, and a screenshot of their HMI showing their Siemens WinCC license here) and Natanz are available and have been picked up across technical web sites, the blogosphere and increasingly even the mainstream media. Of course, depending on how unique the target fingerprinting is (and given that at least four variants have been confirmed), it's possible the answer is both of them.
  • Israel was connected due to their obvious interest in delaying/destroying/disrupting the Iranian nuclear program, their cyberwarfare capabilities (also articles here and here) and cyber security expertise, and a clue in the code. Specifically, the word "myrtus" (meaning "myrtle") is the name of the root directory for the exploit code. That was picked up by Kaspersky, but they didn't grasp the meaning. However, the guys at DigitalBond noticed that in Hebrew this was the original name of the Biblical character Esther, who saved the Jewish people from extinction at the hands of a hostile (Persian) nation. NYT picked up on this recently as well. It could always be a false lead, but a rather advanced one if so. Update: At VB2010 Liam O Murchu presented a more detailed analysis which included the "already infected" registry key that Stuxnet uses to prevent multiple infections. The marker was 19790509. Wikipedia points out that that was the date that Habib (Habibollah) Elghanian, an Israeli businessman, was killed by the new Islamic Iranian regime for "corruption", "contacts with Israel and Zionism", "friendship with the enemies of God", "warring with God and his emissaries", and "economic imperialism". He was the first Jew and one of the first civilians killed by the new government.
It appears that the world is seeing a major salvo in real nation-on-nation cyber warfare activity (as opposed to all of the intelligence/espionage activities that have gone on in the past, which are not acts of war). Numerous, subtle signs point towards an Israeli-originated attack against Iranian nuclear facilities. But it is certainly possible these indications were placed there on purpose, in the hope that people would discover them and point towards Israel. Either way, if anyone does know what the target was AND can validate where the attack originated, it is highly unlikely that it will ever be published, for various geopolitical reasons. In the meantime, it provides plenty of fodder for armchair analysts and conspiracy theorists to speculate regarding the true intent and origin of Stuxnet.

One final note: Stuxnet is probably NOT the first acknowledged/published nation-on-nation cyber attack. Rumors have been around for quite a while regarding the US providing a "trojan horse" to the Russians, resulting in a Siberian pipeline explosion, but it sounds like that has moved into the acknowledged realm now.

December 7th, 2010 Update: At this point the rest of the post has been essentially validated by public research and acknowledgments. It is no longer speculation that Stuxnet was designed to affect a particular high frequency drive designed in Iran and deployed in Iran for their nuclear program, and that it had at least moderate success. It also appears clear that well organized individuals remain motivated to attack the Iranian nuclear program via more traditional means. I'll probably update this one last time in 3-4 months with any of the more interesting fallout implications. The specific new evidence/events:
  • Symantec, with some help from a Dutch company, completed the analysis of the PLC payload and published the results on November 12th. It found that the payload was targeted at very specific high frequency drive controllers manufactured in Finland and Iran. These devices have limited applications (centrifuges being one of them), which is why they are on the list of export controlled devices. The Finnish company denies exporting them. The payload is, as was assumed, designed to render the targeted devices unreliable and cause them to malfunction in a way that would degrade/destroy the targeted drive and the manufacturing process.
  • Iran's leader Mahmoud Ahmadinejad confirmed on November 29th that Iran's centrifuges were indeed hit and negatively impacted by Stuxnet. The IAEA confirmed that enrichment activities were shut down (at least temporarily).
  • Also on November 29th, the top Iranian expert on Stuxnet (and one of their most senior nuclear researchers) was assassinated. A second researcher was targeted that same day, but the attack did not kill him or his wife and only caused injuries. Iran has set up a special security service to attempt to mitigate such physical attacks in the future.