Friday, September 24, 2010

Stuxnet, the software worm that attacks installations, made in Israel to target Iran?

Several media reported lately about a new kind of software malware,  which is able to spy on and reprogram industrial systems. According to some it may have specifically been devised to target nuclear installations in Iran. It was written to attack SCADA systems which are used to control and monitor industrial processes. The worm, called Stuxnet, seems to be extremely complex and sophisticated, which suggests that it could only have been written by a 'nation state', according to some experts.

Stuxnet was first detected in June by a security firm based in Belarus, but may have been circulating since 2009. Unlike most viruses, the worm targets systems that are traditionally not connected to the internet for security reasons. Instead it infects Windows machines via USB keys - commonly used to move files around - infected with malware.It is believed to be the first-known worm designed to target real-world infrastructure such as power stations, water plants and industrial units.
Once it has infected a machine on a firm's internal network, it seeks out a specific configuration of industrial control software made by Siemens. Once hijacked, the code can reprogram so-called PLC (programmable logic control) software to give attached industrial machinery new instructions. "[PLCs] turn on and off motors, monitor temperature, turn on coolers if a gauge goes over a certain temperature," said Liam O'Murchu of security firm Symantec. who has been tracking the worm for som time.
'Those have never been attacked before that we have seen.'
An industrial control security researcher in Germany who has analyzed the Stuxnet computer worm is speculating that it may have been created to sabotage nuclear installations in Iran, since many of the reported attacks took place in this country.

The high number of infections in Iran and the fact that the opening of the Bushehr nuclear plant there has been delayed led Ralph Langner to theorize that the plant was a target. Langner gave a talk on the subject at the Applied Control Solutions' Industrial Control Cyber Security conference today and published details of his code analysis on his Web site last week.

"With the forensics we now have, it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge," he wrote. "The attack combines an awful lot of skills--just think about the multiple zero-day vulnerabilities, the stolen certificates, etc. This was assembled by a highly qualified team of experts, involving some with specific control system expertise. This is not some hacker sitting in the basement of his parents' house. To me, it seems that the resources needed to stage this attack point to a nation state."
Langner does not say he has evidence to support his speculation as to the target, nor does he say exactly what the code is designed to do on the target's system.
The presentation shocked attendees of the cybersecurity conference, Joe Weiss, the organizer of the event, told CNET. As a result, "there are a whole slew of recommendations coming out of this to address control system cybersecurity that had not been addressed before," he said.
"The implications of Stuxnet are very large, a lot larger than some thought at first," Michael Assante, former security chief for the North American Electric Reliability Corp., told The Christian Science Monitor. (IDG News Service also covered the news.) "Stuxnet is a directed attack. It's the type of threat we've been worried about for a long time. It means we have to move more quickly with our defenses--much more quickly."
Richard Silverstein speculates that the worm may have originated in the laboratories of  a special Israeli unit:

''By all accounts. the worm is so advanced, performs so many functions, and operates in such a complex fashion that it can only have been produced by the intelligence agency of a sovereign nation.  We can imagine which nations would have the capacity to mount such an operation and the motivation to sabotage Iran’s nuclear program.  The CIA and Mossad (or IDF military intelligence) spring to mind.  My money is either on Israel and a shared operation mounted in some way by both countries.
IDF military intelligence has such a capability, Unit 8200, which analyzes intercepted communications and performs all manner of cyber-warfare tasks.  A recent profile of the group described its operations in some detail though didn’t deal with the question of whether 8200 may’ve been involved in this attack.  Forbes published this warm and fuzzy profile as well making 8200 out to be a real cool version of Silicon Valley. Silverstein's line of thought is easy to follow. Which country is more than any other interested in incapacitating Iran's nuclear capability?
 Photo's: on top the Iranian nuclear plant in Bushehr, down the uranium erichment facility in Natanz.

No comments: