Motley Moose – Archive

Since 2008 – Progress Through Politics

The Fifth Domain of Warfare

If you haven’t heard about the Stuxnet worm by now you probably soon will.  The analysis of this recently identified ‘weaponised’ worm is the opening chapter of a fascinating John le Carré novel for the 21st century with political, diplomatic and practical implications for all concerned.



A little background:


One of the most sophisticated pieces of malware ever detected was probably targeting “high value” infrastructure in Iran, experts have told the BBC.

Stuxnet’s complexity suggests it could only have been written by a “nation state”, some researchers have claimed.  It is believed to be the first-known worm designed to target real-world infrastructure such as power stations, water plants and industrial units.

It was first detected in June and has been intensely studied ever since.

Jonathan Fildes – Stuxnet worm ‘targeted high-value Iranian assets’ BBC 23 Sep 10

Unfortunately there is no specific forensic evidence that Iran was the target, although it seems the epicentre of infection.  And clearly this is not the work of some hacker ‘sitting in the basement of his parents house:’


Since reverse engineering chunks of Stuxnet’s massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.

Bruce Schneier – The Stuxnet Worm Schneier on Security 22 Sep 10

Holy Thumbdrive, Caped Crusader!

It’s tempting to go into details, the four, count ’em four, zero-day vulnerabilities which were discovered in every Windows operating system released since 2000 and exploited, the two digital certificates heisted from reputable hardware and software manufacturers and used to conceal the worm.  Impressive stuff.  One zero-day vulnerability would insure a hacker’s reputation for life.  However the more interesting aspects of this ‘military grade’ malware concern its actual source and target:


The Stuxnet worm is a “groundbreaking” piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.

“It’s amazing, really, the resources that went into this worm,” said Liam O Murchu, manager of operations with Symantec’s security response team.

“I’d call it groundbreaking,” said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. In comparison, other notable attacks, like the one dubbed Aurora that hacked Google’s network and those of dozens of other major companies, were child’s play.

Gregg Keizer – Is Stuxnet the ‘best’ malware ever? Computerworld 16 Sep 10

OK, a state actor, but whom?  And given the distribution of this infection, who was the likely target?  Perhaps that provides a clue, the only problem being there are fourteen-thousand to choose from:



We’ve been analyzing W32.Stuxnet, which is a threat that uses a legitimate digital certificate from a major third party and takes advantage of a previously unknown bug in Windows; ultimately, it searches for SCADA systems and design documents. The findings of our analysis are being documented in a series of blog articles.

Stuxnet contacts two remote servers for command and control, and until last week those domains were pointing to a server hosted in Malaysia. Once we identified those domains, we redirected traffic away from the C&C servers thereby preventing them from controlling the infected machines and retrieving stolen information.

Within the past 72 hours we’ve seen close to 14,000 unique IP addresses infected with W32.Stuxnet attempt to contact the C&C server. Here is a breakdown per country of the approximately 14,000 IP addresses obtained during the past 72 hours.

Vikram Thakur – W32.Stuxnet – Network Information Symantec 22 Jul 10

Oops.  Pretty broad brush for a ‘precision, military-grade cyber missile’ but never mind, it really doesn’t do anything specifically nasty until it finds the right host.  Whatever the target, however, if it was a competent cyberwarfare source one can only assume that it was applied long before it lit up the Web.  Conventional wisdom tends to think its intended target was the Bushehr reactor in Iran, on some pretty thin causality:


It is hard to ignore the fact that the highest number of infections seems to be in Iran. Can we think of any reasonable target that would match the scenario? Yes, we can. Look at the Iranian nuclear program. Strange — they are presently having some technical difficulties down there in Bushehr.

Ralph Langer – Stuxnet is a directed attack — ‘hack of the century’ Langer2Business 13 Sep 10

Hmmm…  That was enough to set off the BBC on the subject.  But timing is everything.  And the Russians seem capable of keeping Bushehr off the grid with good ol’ fashioned ‘five-year plan’ mismanagement as long as they want.  And yet, the possibilities are tantalising:

…there is another theory that fits the available date much better: Stuxnet may have been targeted at the centrifuges at the uranium enrichment plant in Natanz. The chain of published indications supporting the theory starts with Stuxnet itself. According to people working on the Stuxnet analysis, it was meant to stop spreading in January 2009. Given the multi-stage nature of Stuxnet, the attacker must have assumed that it has reached its target by then, ready to strike.

On July 17, 2009 WikiLeaks posted a cryptic notice:


Two weeks ago, a source associated with Iran’s nuclear program confidentially told WikiLeaks of a serious, recent, nuclear accident at Natanz. Natanz is the primary location of Iran’s nuclear enrichment program. WikiLeaks had reason to believe the source was credible however contact with this source was lost. WikiLeaks would not normally mention such an incident without additional confirmation, however according to Iranian media and the BBC, today the head of Iran’s Atomic Energy Organization, Gholam Reza Aghazadeh, has resigned under mysterious circumstances. According to these reports, the resignation was tendered around 20 days ago.

A cross-check with the official Iran Students News Agency archives confirmed the resignation of the head of Iran’s Atomic Energy Organization.

According to official IAEA data, the number of actually operating centrifuges in Natanz shrank around the time of the accident Wikileaks wrote about was reduced substantially .

Von Frank Rieger – Stuxnet: Targeting the Iranian enrichment centrifuges in Natanz? 23 Sep 10

Wow.  Big line-up of potential suspects for that target but the US and Israel would have to be favourites.  One assumes Siemens isn’t too impressed in any case, nor India or the Indonesians either.  But it makes a certain amount of sense.  Symantec reckons the ‘military grade’ version of Stuxnet didn’t appear until January of this year but they are just looking at the timestamps of digital certificates which may have come from other sources.  Hard to say, but make no mistake, we have entered unbidden into the Fifth Domain of Warfare.


103 comments

  1. Rashaverak

    Cyberwar Chief Calls for Secure Computer Network

    By THOM SHANKER

    Published: September 23, 2010

    FORT MEADE, Md. – The new commander of the military’s cyberwarfare operations is advocating the creation of a separate, secure computer network to protect civilian government agencies and critical industries like the nation’s power grid against attacks mounted over the Internet.

    The officer, Gen. Keith B. Alexander, suggested that such a heavily restricted network would allow the government to impose greater protections for the nation’s vital, official on-line operations. General Alexander labeled the new network “a secure zone, a protected zone.” Others have nicknamed it “dot-secure.”  [….]

    http://www.nytimes.com/2010/09

  2. Didn’t know any of this, and as a thriller writer, it’s made to measure for storylines. Cheers. Weapons Grade Worm is such a cool premise.

    I hope Blasky responds to this, and gives us his Infosec insight. If he does, I want to ask him about TEMPEST monitoring. I’m using it as a plot device in a thriller about a bank takeover and a dodgy High Frequency Trading Hedge Fund.

    I love it when people talk tech…

  3. jsfox

    most of this went way over my ludite head. Then again when I saw this –

    . . . the four, count ’em four, zero-day vulnerabilities which were discovered in every Windows operating system released since 2000

    I kissed my MAC! 😉

  4. Rashaverak

    http://www.washingtonpost.com/

    Iran’s nuclear agency trying to stop computer worm

    The Associated Press

    Saturday, September 25, 2010; 4:46 AM

    TEHRAN, Iran — Iranian media reports say the country’s nuclear agency is trying to combat a complex computer worm that has affected industrial sites in Iran and is capable of taking over power plants. [….]

  5. Shaun Appleby

    Here’s a former counter-terrorism official in the Bush administration pointing a finger at Israel and reminding us how ‘high the bar’ is for the US to provoke an offensive cyberwarfare attack.  Towards the end of the clip there is some interesting if subtle body language when the interviewer recaps by saying ‘You say that Israel did it…’  Maybe I’m reading too much into this but he went wide-eyed for a moment as she said that then smiled knowingly before gently walking back his remark.  Whatever…  It is interesting stuff.

  6. Shaun Appleby

    On the Israel angle:


    The perception that it has both developed capabilities and shown its willingness to engage in cyberwarfare, will serve Israel as a strategic asset even if it never admits to having launched Stuxnet.

    Paul Woodward – Stuxnet: The Trinity Test Of Cyberwarfare Eurasia Review 26 Sep 10

    Consensus of speculation is starting to crystalise around Israel as the source of Stuxnet.  We’ll see.

  7. Shaun Appleby

    A preliminary report that Stuxnet has been identified at the Bushehr nuclear reactor facility which has not yet been commissioned:


    TEHRAN, Iran – A complex computer worm capable of seizing control of industrial plants has affected the personal computers of staff working at Iran’s first nuclear power station weeks before the facility is to go online, the official news agency reported Sunday.

    The project manager at the Bushehr nuclear plant, Mahmoud Jafari, said a team is trying to remove the malware from several affected computers, though it “has not caused any damage to major systems of the plant,” the IRNA news agency reported.

    It was the first sign that the malicious computer code, dubbed Stuxnet, which has spread to many industries in Iran, has also affected equipment linked to the country’s nuclear program, which is at the core of the dispute between Tehran and Western powers like the United States.

    Nassar Kirimi – Worm hits computers of staff at Iran nuclear plant AP 26 Sep 10

    It’s interesting that Iran has now gone public with details regarding the Bushehr site.  By all accounts Bushehr was already well behind it’s projected start-up milestones.

  8. Shaun Appleby

    A search for industrial accidents in Iran produces a couple of interesting results in the recent past, not to mention the spectacular explosion and fire at the South Pars facility in August 2009:


    Four people have reportedly been killed following an explosion at a petrochemical factory on Iran’s southern Kharg Island.

    High pressure in the central boiler of the factory is believed to have triggered the blast on Iran’s largest oil terminal, IRNA reported on Sunday, citing administrative officials at the adjacent coastal Bushehr province.

    Four killed in Iran plant blast Press TV 25 July 10

    That certainly seems a process control related incident consistent with the apparent modus operandi of the Stuxnet worm.


    A massive explosion killed five workers Wednesday at a giant energy complex in Southern Iran, the second such incident in less than two weeks.

    The Iranian oil ministry’s website Shana said the workers had been killed after an accident during a maintenance operation, and that the fire was now under control. The semi-official Mehr news agency said the explosion was due to a ruptured gas pipe.

    The explosion took place in the southern port city of Assaluyeh, at the Pardis Petrochemical Co. of which President Mahmoud Ahmadinejad inaugurated the second phase last month. Shana said production at the second phase was continuing.

    Benoit Faucon – Explosion Kills 5 At Iranian Petrochemical Plant Energy Tribune 4 Aug 2010

    And this in the context of other accidents in Iranian energy infrastructure:


    In the past few weeks Iran’s gas infrastructure, which is central to the country’s energy requirements, has been hit by a series of unexplained explosions.

    The series of mysterious explosions began at the end of July when the state-owned Tehran Times reported that a pipeline carrying gas from Iran to Turkey had exploded near the eastern Turkish town of Dogubayazit. Iranian officials blamed the blast on Kurdish rebels.

    This was followed earlier this month by reports in the Iranian press of an explosion in a gas pipeline on the outskirts of Tabriz. A few days later there was a more serious incident on August 4 when five people were killed when another gas pipeline exploded on the outskirts of  the Pardis petrochemical plant. The explosion took place just a week after Iranian President Mahmoud Ahmadinejad had made an official visit to the complex.  Finally, on August 10, a pipeline exploded in the city of Masjed Sleiman.

    Con Coughlin – Who’s blowing up Iran’s gas pipelines? Telegraph 18 Aug 10

    It’s certainly plausible that these are accidents in the context of rapid expansion, limited resources and poor maintenance but still it seems worth noting the sudden spike in these incidents and the timing given that ‘Stuxnet was discovered in July 2010, when a Belarus-based security company discovered the worm on computers belonging to an Iranian client,’ presumably at the client’s request.  Just sayin’.  In all the speculation about the intended target or targets of this infection, even the assumption that it is indeed in Iran, it’s probably worth noting things which have actually gone bang.

  9. fogiv

    The next day, a trio of security researchers offered another clue at a conference in Vancouver, describing how Stuxnet includes references to the 1979 execution of the leader of Iran’s Jewish community at the time. Specifically, the researchers from Symantec — Nicolas Falliere, Liam O Murchu and Eric Chen — showed that the code includes a marker with the numbers “19790509” which, if prompted, stops the code from infecting a targeted computer.

    According to their report:

    The value appears to be a date of May 9, 1979. While on May 9, 1979 a variety of historical events occured, according to Wikipedia “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day.”

    Elghanian, a prominent businessman, was the first Jew to be targeted in a purge after the country’s Islamic revolution, reported Time magazine at the time. He was sentenced to death after being charged with “corruption”, “contacts with Israel and Zionism”, “friendship with the enemies of God”, “warring with God and his emissaries”, and “economic imperialism.”

    The researchers warned not to draw too many conclusions — noting that “Attackers would have the natural desire to implicate another party.”

    http://www.huffingtonpost.com/

Comments are closed.