Stuxnet – very interesting read / insight

    • #5838
      hayabusa
      Participant

      Thought this was an interesting read, this morning:

      http://www.foxnews.com/scitech/2010/11/26/secret-agent-crippled-irans-nuclear-ambitions/

      Interesting that it targeted Iran’s nuclear program, the way it did.

    • #36660
      SephStorm
      Participant

      I read that article as well. I find it interesting, if this is a cyber weapon, it seems its deployment was not well planned, the widespread infections were bound to get noticed, and now the analysis of it points back to us. At a time when we are trying to make the rules of cyber warfare, it seems that we seem to be making our own rules. However, based on recently available information, it would appear the world would support us in such an endeavor… which helps me sleep at night.

    • #36661
      sil
      Participant

      I was on a team of 26 professionals from Academia, Government, Private Industry etc., who performed an analysis on Stuxnet (http://www.alienvault.com/docs/CSFI_Stuxnet_Report_V1.pdf also see http://www.isssource.com/stuxnet-mitigation-defense-in-depth-needed/ for suggestions) and we concluded slightly different from the “spin” brought forth by the “big boys” (Symantec, Faux News, etc).

      Personally, because I’ve seen, studied, analyzed the source code, I’m still of the opinion that it IS NOT what the happy go lucky media is portraying it out to be. In fact, I want to state that I believe it is something cobbled together for potential blackmailing.

      The theory/notion that a nation state would “shut down” nuclear reactors in the methods described by the boogeyman-like Hollywood version put out by Symantec (http://www.symantec.com/connect/blogs/stuxnet-breakthrough) is not only insane, but stupidly far-fetched. Symantec states: “Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz” yet no other researcher on the planet can corroborate these findings. If you take a moment to look at their Hollywood production, one of a few things is going to occur: 1) You’re a CxO and you’re immediately going to contact them for protection. “OMG Only Symantec can stop this!” Or… You will take a logical approach to the ludicrousness involved with this event…

      1) Government colludes to create a “cyberweapon” to “burst” a nuclear plant (a)
      2) ZOMFG 5 0days!
      3) Someone deploys it on a USB
      4) Someone infiltrates a secure location IN IRAN (nuclear facility)
      5) After infiltrating said area, they SPECIFICALLY load up malware on their systems (b)
      6) Game over – they’re discovered (c)

      a) Causing a nuclear accident is insane because of the fallout. It would hit everyone eventually for hundreds of thousands of years.

      b) What are the odds

      c) Wasted money in the sense they could have had a better foot in the door bribing their way in or blackmailing someone at the opportune time

      I got tired of Stuxnet about 1 1/2 months ago. Ever since people started skewing facts and fiction.

    • #36662
      hayabusa
      Participant

      Yeah, the more you think about it all, it’s kind of odd that it was spun to be such a specifically targeted attack.  Without having seen facts to the contrary, it would be easy for CxO’s, as sil put it, to fall in line, and go in wholeheartedly with Symantec, etc.

      One thing about the article that I found interesting, was that in a sense, it falls in line, at least a bit, with your take, sil – in that causing a nuclear accident would definitely be a bad thing, all around.  However, they speculate / state that it was designed to hinder the production processes and ruin the uranium.  IF that was truly the case, though, the planning and organization that would’ve had to go into the whole thing, IMHO (and I think we agree,) would’ve obscured things to the point that this current line of observation and analysis wouldn’t be happening.  It only stands to reason that someone put it there to intentionally draw attention, perhaps, as sil noted, for blackmail purposes, or other, later.  Even if the plant of Stuxnet came well after the fact, and the Iranians were wanting to point fingers to justify their delays, etc.

      If someone truly wanted to hit those systems, there are many more ways it could’ve been done than simply strategically planting Stuxnet, and hoping it’d find its way in.  The time, alone, to infection could’ve been long enough, that by the time it made its way in, it’d be too late to have the desired effect.  I also find it interesting that they’re talking of said systems to be Windows 7.  To me, it’s very hard to believe that a government funded, nuclear facility, in Iran, would be running Windows 7 on a critical system, due to too many reasons to list, here…  Also, with the amount of secrecy surrounding the program, I’d have to seriously question the whole piece of a USB key bringing the code in.

      All just seems too good to be true, all parts considered.

    • #36663
      alucian
      Participant

      Nice story. It would have been a nice hacker movie 🙂

      My opinion is that if someone would have been smart enough to produce a virus to act like this, it wouldn’t have been caught. Also, the fact that the worm replied back from under the ground is a childish affirmation at least.

      The press keeps this story to produce fear, and companies like Symantec in order to sell their s.itty products.

    • #36664
      SephStorm
      Participant

      I wouldn’t be so sure.

      Sil, I haven’t heard from the other side, can you give us the down and dirty on the real Stuxnet?

      I still think it is definitely possible this was designed as a weapon, based on the info I have (from the media).

      There appears to be no risk of nuc. fallout, as we know Iran does not have a nuke currently, so if I wanted to disrupt the process, it would work (It supposedly has).

      There is evidence that various countries were nervous about Iran’s programs, now they can relax for a moment.

      Here is what I find interesting, despite the so called “cyberweapon”, no one is off to war, no one is REALLY pointing fingers. In addition, despite the so called danger, I am not aware of any changes in any government INFOCON levels during this time…

      As for blackmailing, this is a strange theory. I have never heard of a country being blackmailed. And according to the CSFI opinion, the point of the worm was destabilization. This makes sense when you consider that when the first variant was found, the creators changed the worm, rather than simply activating its malicious processes, almost as if they needed more time to achieve an objective.

    • #36665
      sil
      Participant

      Stuxnet is what it is. It’s an exploit aimed at Windows based systems which automatically runs when inserted into a machine. Nothing more than a “USB Switchblade.” It made everyone go “gaga” because of the use of “0days” and many didn’t and STILL don’t understand that this isn’t very uncommon.

      Scenario:

      1) I create an application capable of autorunning and bypassing Antivirus, IPS, etc.
      (Social Engineering Toolkit can provide me with this capability)
      2) a few weeks go on and I upload and add what I want to make my application more covert, more effective
      3) Few more weeks pass and I add and modify more capabilities undetected
      4) OMG my application is discovered

      Because of 1 – 3, there is no way for someone to conclusively make a statement that I created Application X with N amount of 0days. The fact is, I could have loaded up a browser cocktail, infected a network, came back as time progressed and uploaded whatever I want. Because researchers came in at number 4, they concluded: “OMG so many 0days” when the reality is:

      a) It’s command and control – no one is sure how it was initially developed. It could have started out as a client side that was modified later on.
      b) the so called “0-days” weren’t even 0days. They were talked about on “many-a-full-disclosure” list for some time.

      There is a difference between a “never seen before” attack vector and a security release that states “no known exploits.” Sure there are no KNOWN exploits, but there is a visible problem that the security community knows about. For example, my moronic mushroomcloud attack. Completely toasts VMWare thanks to Trend Micro. The code has not been made public – this does not mean it isn’t exploitable.

      When you state “there appears to be no risk of a nuclear fallout” it all depends on whom you ask. Were you to believe Symantec’s rendition of Stuxnet, a nuclear facility will keep running and running regardless of the safety mechanisms. This could and most likely WOULD lead to catastrophe. If you think spilled Uranium – whether enriched or not – is not serious, I suggest you read more about it (Uranium). Just because they don’t have “weapons grade” Uranium doesn’t minimize the threat from a fallout.

      Now, when you read what was delivered via the CSFI report, you read what has been sanitized, scrubbed and made into a structured report. There was and is a lot I can’t talk about and there is a vast “raise of the eyebrows” a-la “wait a minute” that went/and is going on. Destabilization is one way to put it although ATTRIBUTION is key here… :

      “The alleged ransom note posted on the PMP site claimed that the hacker had backed up and encrypted more than 8 million patient records and 35 million prescriptions and then deleted the original data.” (http://www.computerworld.com/s/article/9132625/_Hacker_threatens_to_expose_health_data_demands_10M)

      Would you say this incident “destabilized” this company? Who can we attribute it to? In the case of Stuxnet we have to look at what is involved in something of a “nation-state” program like this. Millions of dollars on what? A silver bullet that won’t fire? It would be a tremendous loss of money period.

      Research into something like this from “the pros” would have NOT used some of the payloads used in Stuxnet. For example, the attackers targeted the MS08-067 vulnerability yet many “hackers” know that this is an unstable target. It’s likely to blue-screen. Would YOU as a director of some nation state program say: “Alright, so we’ve invested N amount of money to infiltrate this network covertly, what do you say we use this exploit that is known to bluescreen systems eh?”

      Aside from that, there is other information that actually points to a few individuals capable of carrying something like this out. None have ties to “Israel” or some other government, yet they do/did have ties to RBN companies – and that’s all I will/can say. This is fact – although because of NDA I cannot repost nor comment more on that statement. So we have a few distinct views alongside backchannel talks about “whodunnit.” At the end of the day… Unless someone is arrested and comes clean, it’s all speculatory

    • #36666
      n1p
      Participant

      @sil wrote:

      I was on a team of 26 professionals from Academia, Government, Private Industry etc., who performed an analysis on Stuxnet (http://www.alienvault.com/docs/CSFI_Stuxnet_Report_V1.pdf also see http://www.isssource.com/stuxnet-mitigation-defense-in-depth-needed/ for suggestions)

      Where is the in-depth analysis in these reports or is it provided?

    • #36667
      hayabusa
      Participant

      I think sil’s last post pretty much sums it up.  Those who DO know, specifically, what’s in the code (post analysis) are under NDA, so in the end, sil and the others on that team aren’t going to disclose any more than they have (nor should they.)  Thanks, sil, for giving a bit more on the subject to the thread.  I posted the original MOSTLY to get the community take, on EH, on the story.  I pretty much agree with you, at least, as to the finger pointing and over-blowing of the whole thing.  Not having seen code, myself, I won’t speculate or go beyond that, except to say that, as always, I love your breakdown on things…

      “Scenario:

      1) I create an application capable of autorunning and bypassing Antivirus, IPS, etc.
      (Social Engineering Toolkit can provide me with this capability)
      2) a few weeks go on and I upload and add what I want to make my application more covert, more effective
      3) Few more weeks pass and I add and modify more capabilities undetected
      4) OMG my application is discovered”

      LOL!  ;D  You’ve pretty much summed it up there, and this is exactly why, if someone was truly using this to target Iran’s program, specifically, we’d both agree that it wouldn’t even be THAT obvious!

      For the others on the thread, read sil’s comments closely, and you’ll realize his points are very valid.

    • #36668
      sil
      Participant

      @hayabusa – there is a lot involved but what I see coming from mainstream is Hollywood and hype alongside politr̶ick̶s. Unless someone came forward and accepted responsibility, it is all speculation. We can track back who “might” have done it based on a lot of parameters. So much so that there would be enough circumstantial evidence to warrant arrest, but that in itself could be reckless. Far too many false flags can be thrown into the equation:

      http://infiltrated.net/framingryan.html 10 years old
      http://infiltrated.net/framingpackets.html 10 years old
      http://infiltrated.net/framingpgp.html 10 years old

    • #36669
      hayabusa
      Participant

      @sil wrote:

      Far too many false flags can be thrown into the equation:

      http://infiltrated.net/framingryan.html 10 years old
      http://infiltrated.net/framingpackets.html 10 years old
      http://infiltrated.net/framingpgp.html 10 years old

      I’d read those long ago, but it’s amazing how, as time passes, you pretty much forget about things.  Again, based on your synopsis, as someone at least more than ‘basically’ in the know, I’m more than confident that folks are glorifying this whole scenario.  And once you get some of the info from folks who truly ARE in the know, and not media, things sure become much clearer, when there are facts and at least a little explanation behind them.

      Edit – and I hadn’t realized those were yours!!!

    • #36670
      sil
      Participant

      @hayabusa wrote:

      Edit – and I hadn’t realized those were yours!!!

      Didn’t my horrible grammar give it away

    • #36671
      hayabusa
      Participant

      @sil wrote:

      @hayabusa wrote:

      Edit – and I hadn’t realized those were yours!!!

      Didn’t my horrible grammar give it away

      Nah, but then again…

    • #36672
      BillV
      Participant

      In addition to the report that was put out, we have a 15-minute video of Stuxnet on the CSFI website. You can get to it from the main page.

      http://www.csfi.us

    • #36673
      caissyd
      Participant

      Hummm, this is more and more interesting.

      Like alucian mentioned higher, this could be a good movie!

      Sil, you are truly above everyone else on this site and it is very interesting reading your posts. Like hayabusa often says, you always bring very good arguments to back your points.

      And for me, if I were to invade my enemy’s nuclear facilities, I would stay hidden as long as possible, just gathering information! Remember, during WW2, when the British cracked Enigma, they let some of their troops be attacked without warning so the enemy would know they broke their code!! So “IF” Israel were to get into Iran’s facilities, they would much rather know how much enriched uranium they have, where it is located, etc…

      Anyway, these were my thoughts on that.

    • #36674
      sil
      Participant

      Nah I’m not above anyone in fact, I learn just as much as everyone else does. I’ve been into intelligence as a hobby for about 15 years beginning with cypherpunks, cryptome, politechbot, globalsecurity, Orlin Grabbe (RIP) etc. and I ran my own “cryptome” like site for a while (*edited and fixed this link http://web.archive.org/web/*/http://politrix.org). Prior to that, I had a crypto only site for a while (http://web.archive.org/web/*/http://venona.antioffline.com) so I read a lot into military/government strategies. I guess I have a little more experience with a lot more things than other people, but doesn’t mean I’m smarter… Just more experienced.

      There is a heavy shift into politics where this is concerned (Stuxnet) which is like a wetdream to many computer security companies and one has to remember, security is a multibillion dollar industry. The cost associated in marketing to “shut someone up” is akin to paying Forrester or Gartner to do research.

      Let’s take a quick look at the cost benefit of something like this….

      Company X is a billion dollar security company. They develop products to “protect” the infrastructure. They have the capability to spend at MINIMUM 500,000.00 in marketing, write-ups, analyses, etc. which is peanuts. Creative accounting will allow them to write this off.

      In their “preps” and “analyses” of Stuxnet and similar threats (which they will googly-eyed now defend against for the right price), they market/saturate the public with “the world is coming to an end” writings. Total cost, let’s be obnoxious and say they spend $5,000,000.00 in marketing, analysis, personnel, etc. What do you think the return would be if ONE large company forked out cash for their products?

      Certain industries (AV, SSL Cert Cartels, etc.) have the FUD game down to a science. It doesn’t make sense to post real world information because 1) no one wants to hear it. Besides it sounds more “Jason Bourne” and thrilling to spew fiction 2) Sex sells, well so does “rogue governments” … How many contracts do you think sprouted up after Titan Rain and Advanced Persistent Threat?

      What’s amusing is that for all the “security” these products tout, they’re extremely horrible at getting it down to a science so they tend to shift things. Where Intrusion Detection became Intrusion Prevention to now Intrusion TOLERANCE (sorry I don’t want to tolerate intrusions). If one takes a moment away from the “hype” and looks at things on a most basic level, seriously ask yourself, if you were that rogue agency in government, would you waste your black budget dollars on a big “what if..” kind of exploit Stuxnet IS (not was).

      Sure Stux was targeted and focused, but it wasn’t anything uber-grandiose that made me want to “stop the press.” I have friends on AIM which at the flick of an IM could whip up better more covert things before going to bed.

      (FYI I edited my comment to add the politrix link if anyone is wondering)

    • #36675
      Joshsevo
      Participant

      From what I have read about it said that it would make the centrifuges spin “out of control”.  Now I may not have any experience in hacking or CEH for that.  But what I do have is experience with Nuc reactors and generally how they work.  Not only that but seeing as my wife was only a few hundred miles away from the Chernobyl accident in 1987 I have first hand witness to what it was like after a fallout.

      I am pretty sure that “fallout” may be the wrong terminology here.  Maybe a spill but not fallout.  Fallout refers to nuc waste, leftovers, clouds/dust and particles after an explosion of either a nuc bomb or an accident where radioactive material gets dispersed into the air.

      But a centrifuge just spins the material to a higher degree of purity.  I think it’s like 99% pure to make a nuc bomb where as a reactor does not need as pure. 

      On top of this if a meltdown did happen due to Stuxnet, depending on how large the facility is would depend on how far it would go.  Referring back to my wife and her homeland being Poland and her being about 900 miles away from their fumbling Russian neighbors to the east of them, it only got about that far.  Maybe a little further but most of that was media hype or “Hollywood media” as you guys call it.  She remembers them canceling school, church, businesses were closed because of fear of the fallout, as well as they should have been.  But it reaching us is more than likely not going to happen.

      Another thing to consider is if a meltdown did start to happen that it would take more than a virus to make this happen.  There are too many protocols, too many people involved, too many safety nets.  I asked this question while on board my nuclear powered aircraft carrier while also standing next to one of two reactors on the ship.  The guy replied that if someone tried to sabotage the reactor that he couldn’t do it.  There are at least 25 people from different depts that are watching the reactors at all times 24/7/365. It would be a concerted effort of those 25 to do it and not all of them would have the same ideology to commit an act like this and kill 6000+ of us on the ship.

      So you need to consider that yes there are some scientists in Iran that don’t believe in their own country producing reactors and material for energy and then they also know what the intent of the country’s actions really are, (as do we all).

      But then there are some people that are so disillusioned with their country’s leaders that they would do anything they said and believe anything they were told.  Strange, I swear I read this about another country’s citizens believing their beloved leader …..oh ya Germany…..Hitler.

Copyright ©2021 Caendra, Inc.