Stuxnet Increasingly Sounding Like A Movie Plot

from the made-for-hollywood dept

Like many people, I've been following the story of the Stuxnet worm with great interest. As you probably know, this worm was apparently designed to infect Iranian nuclear operations to create problems, and it has supposedly set back those operations quite a bit. The NY Times came out with a fascinating investigative report about the background of Stuxnet over the weekend, and it's worth a read. What I found most entertaining was the rather Hollywood-trickery angle by which Stuxnet did its dirty work:
The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.
That latter part is, indeed, right out of a movie. I guess sometimes truth does mimic fiction. That said, I'm still trying to figure out how or why Iran allowed any sort of outside code or computers into their nuclear operations.
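The record-and-replay trick in the quoted passage has a practical consequence for whoever is watching the console: the numbers on the screen are no longer a measurement. The following is an added example, not code from this post, from the NY Times report, or from Stuxnet itself. It simulates a telemetry feed for one drive (the nominal 1000 Hz value, the noise level, and the function names are assumptions made for the demo), applies the attacker's replay from a chosen tick onward, and runs a cheap operator-side check that flags any window of readings that has already been seen bit-for-bit, something live sensor data with real noise should never produce.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
	"math/rand"
)

// Reading is one telemetry sample the operator console receives from the
// drive of a centrifuge. The unit and nominal value are assumptions for the
// demo; only the shape of the data matters here.
type Reading struct {
	Tick int
	Hz   float64
}

// liveFeed builds a constructed "live" feed: a nominal value plus Gaussian
// sensor noise from a seeded generator, so every run is repeatable.
func liveFeed(n int, seed int64) []Reading {
	r := rand.New(rand.NewSource(seed))
	feed := make([]Reading, n)
	for i := range feed {
		feed[i] = Reading{Tick: i, Hz: 1000.0 + r.NormFloat64()*0.5}
	}
	return feed
}

// replayFeed models the trick in the quoted report: from tick start on, the
// attacker stops forwarding real samples and instead loops a recording of
// recLen samples taken earlier at recFrom. The operator keeps seeing
// plausible numbers no matter what the drive is actually doing.
func replayFeed(live []Reading, recFrom, recLen, start int) []Reading {
	out := make([]Reading, len(live))
	copy(out, live)
	for i := start; i < len(live); i++ {
		src := recFrom + (i-start)%recLen
		out[i] = Reading{Tick: i, Hz: live[src].Hz}
	}
	return out
}

// fingerprint hashes the values (not the tick numbers) of a window.
func fingerprint(w []Reading) [32]byte {
	h := sha256.New()
	var buf [8]byte
	for _, r := range w {
		binary.LittleEndian.PutUint64(buf[:], math.Float64bits(r.Hz))
		h.Write(buf[:])
	}
	var fp [32]byte
	copy(fp[:], h.Sum(nil))
	return fp
}

// detectReplay slides a window of win samples over the feed and returns the
// first tick whose window is identical to one already seen. Noisy live
// measurements essentially never repeat a whole window; a replayed recording
// repeats by construction, so the first looped window matches either the
// original recording or an earlier pass of the loop.
func detectReplay(feed []Reading, win int) (tick int, found bool) {
	seen := make(map[[32]byte]struct{}, len(feed))
	for i := 0; i+win <= len(feed); i++ {
		fp := fingerprint(feed[i : i+win])
		if _, dup := seen[fp]; dup {
			return feed[i].Tick, true
		}
		seen[fp] = struct{}{}
	}
	return -1, false
}

func main() {
	live := liveFeed(600, 1)
	if t, ok := detectReplay(live, 8); ok {
		fmt.Println("false positive on live feed at tick", t)
	} else {
		fmt.Println("live feed: no repeated windows")
	}
	tampered := replayFeed(live, 100, 50, 300)
	if t, ok := detectReplay(tampered, 8); ok {
		fmt.Println("replay detected at tick", t)
	}
}
```

On the seeded feed the live data produces no repeated window, and the replayed feed is flagged at tick 300, the first sample the attacker substitutes, because its window matches the recording made from tick 100. The check is deliberately simple and is only a first line: an attacker who adds fresh noise to each replayed sample defeats it, so in practice it belongs beside a comparison against an independent measurement path (a second sensor, or a physical consistency test between speed, motor current and vibration) rather than on its own.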


Reader Comments

  1. Anonymous Coward, Jan 18th, 2011 @ 4:22pm

    Studios should sue the responsible governments and individuals for copyright infringement for creating a derivative work.

  2. Anonymous Coward, Jan 18th, 2011 @ 4:30pm

    How Outside Code Gets In

    Allow me to hazard an answer to that question:

    Software (and configuration) updates are usually delivered to the system (which IS isolated from the Internet) via USB key. But, the systems used to prepare those updates ARE connected to the internet, if only so they can receive emails from the vendor or from the programmers working 10 miles down the road from the plant.

    The NSA may be able to go so far as to have a complete air-gap between 'net connected systems and isolated systems, with absolutely nothing even like a USB key ever crossing between them. But most systems aren't like that, even if nuclear.

  3. Lawrence D'Oliveiro, Jan 18th, 2011 @ 4:56pm

    Of Course, The Old “Play Back Recorded Footage To Fool The Security Monitors” Trick

    This was used, probably more than once, in the old “Mission Impossible” TV series. Can anyone find any earlier instances?

  4. aldestrawk (profile), Jan 18th, 2011 @ 4:57pm

    missing questions

    Iran was using equipment from Siemens to control their centrifuges. The Siemens PLCs (Programmable Logic Controllers) are, obviously, programmable devices. I can't see Iran duplicating the software needed to do the programming. It is really quite a lot of code. That, in itself, would have slowed down their effort to process uranium by perhaps years. So they have Windows computers that contain this Siemens PLC programming software (Step 7). Once the Stuxnet malware was introduced to some Windows computer in their plant it looked to infect a particular server and then to infect a computer that had this Step 7 software.
    What I found strangely missing from the New York Times article was that one aspect of the poisoned PLC code was to intermittently change the speed of the centrifuges in a way that wouldn't destroy them but kept the uranium from being successfully enriched. Such a problem would be hard to be aware of, much less debug.
    Another aspect of the story that I haven't seen explained is how the writers of Stuxnet got hold of the code signing keys for Windows drivers from two separate companies: Realtek Semiconductor and JMicron Technology. The private keys for certificates are not something that should be accessible on the companies' website. In my mind, it doesn't even have to be on a computer connected to the internet. Was there collusion from these companies with the US?
    A really good summary of Stuxnet can be found here (warning, it is technical):
    http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

  5. Anonymous Coward, Jan 18th, 2011 @ 5:15pm

    Mossad's training lets them throw USB sticks with unerring accuracy.

    They don't need to get inside a building to load software onto a computer.

  6. cc (profile), Jan 18th, 2011 @ 5:34pm

    Had this been a movie, they would have been using Macs. Can't have a movie without the obligatory Apple product placement!

  7. velox (profile), Jan 18th, 2011 @ 5:35pm

    Fascinating story, but ...

    What makes me skeptical about this story is -- If it really worked as advertised, why would you allow anyone to know what was done? Software glitches can be very difficult to trace. Wouldn't you want to keep it that way?
    There is no reason to think that pulling this off one time has permanently shut down the Iranians' program. If the perpetrators just kept their mouths shut then perhaps some variation on this could have been used again after Iran got back up and running. Now Iran is forewarned.
    So... did it really happen as we have been told, or is this just well-designed rumor intended to help sell the idea that there is an ongoing cyberwar?

  8. Trails (profile), Jan 18th, 2011 @ 5:40pm

    Not the virus technique, just the explanation

    The idea of a virus covering up its damage is not new. It's also not especially Hollywood, though it's seen in a fair few movies, yes. The only thing distinctly Hollywood is the explanation from the press.

  9. ChurchHatesTucker (profile), Jan 18th, 2011 @ 5:45pm

    Re:

    They would have been using Macs to infect the centrifuge computers. You don't spend money to be shown as the bad guys.

  10. Deimos280 (profile), Jan 18th, 2011 @ 5:50pm

    haha

    "I'm still trying to figure out how or why Iran allowed any sort of outside code or computers into their nuclear operations." -does anyone else get the mental image of an Iranian Homer Simpson asleep at the controls? :'D

  11. mrtraver (profile), Jan 18th, 2011 @ 6:16pm

    Maybe...

    They were using Macs and thought they didn't need antivirus software.

  12. Eugene (profile), Jan 18th, 2011 @ 6:21pm

    Re: Of Course, The Old “Play Back Recorded Footage To Fool The Security Monitors” Trick

    I feel like there may have been an even older heist movie that used this technique. Although I guess there'd be a hard line delineating when the first instance could have occurred, since it wouldn't have happened before the invention of video security.

  13. Eugene (profile), Jan 18th, 2011 @ 6:23pm

    Re: missing questions

    Was there collusion from these companies with the US?
    In fact, I believe there was an earlier story that suggested there was.

  14. Larry, Jan 18th, 2011 @ 7:41pm

    What's really interesting is...

    that there is a fairly well-documented case of "cyber warfare" that is in all likelihood a case of nations causing damage to another nation's infrastructure, and no tie-in article.

    If the Iranians (or anyone else) were ever to damage another nation's infrastructure...

    To be continued I hope.

  15. Anonymous Coward, Jan 18th, 2011 @ 8:26pm

    Things spinning out of control and "operators" fed information according to which everything is normal. That must be the most common worm in human history.

  16. aldestrawk (profile), Jan 18th, 2011 @ 8:49pm

    ha ha ha

    It is felt that the real target site was the Natanz fuel enrichment facility rather than the Bushehr nuclear power plant where the Iranian Homer works. Getting malware onto the target PLCs was a multi-step effort which required multiple vulnerabilities. One of them happened to be use of a default password, actually recommended by Siemens to stay at its default value because it was thought that not being connected directly to the internet meant it was safe to do. This should be easily fixed. What is not easy and is still something of a mystery to me is the availability of code signing keys to enable a rootkit to be loaded onto a Windows machine. There is also speculation that there may have been a contractor, maybe from Siemens, who helped with the initial infection. Ultimately, it did not require bumbling by doughnut-eating buffoons sleeping at every desk. Remember that even Google was victimized by a hacking attack.

  17. Christopher (profile), Jan 19th, 2011 @ 2:46am

    This does seem weird.... any nuclear facility in the United States, as far as I know, is OFF the internet grid or behind TONS of firewalls.

  18. Darryl, Jan 19th, 2011 @ 4:46am

    Sure, what is the IP of Iran's nuclear facility again?

    send Iran’s nuclear centrifuges spinning wildly out of control

    Sure you can LOL, you just have to find an Iranian centrifuge on the internet, with its very own IP address.

    good luck with that!

  19. Darryl, Jan 19th, 2011 @ 4:55am

    Re: How Outside Code Gets In

    But most systems aren't like that, even if nuclear.

    Most systems ARE just like that. Do you think the financial transaction computers at a bank are in any way connected to the internet, or connected to, say, the home mortgage network?

    They are not. Do you think your local electricity company has its accounting system tied to its SCADA control systems? No, of course not, nor are they connected to the internet.

    And updates are not done as you explain, with a USB stick with something you use on the internet.

    Our local water company uses PCs and servers for its accounting and billing etc. It is not connected to the internet.

    And they have a totally separate, and not connected to their accounting system, VMS mainframes for their SCADA system, that is ALSO NOT connected to the internet.

    Generally any 'updates' you do are updates on software that you yourself have written, that you can assure contains no viruses.

  20. Darryl, Jan 19th, 2011 @ 4:58am

    Re: missing questions

    Siemens PLCs are also 'programmed' by replacement of an EPROM that has to be specifically burnt first, specific to your application.

    So the only way to introduce a 'virus' on them is if you have physical access to the equipment, and you have an EPROM burner, and the correct software.

  21. Darryl, Jan 19th, 2011 @ 5:02am

    Good point !!

    To reprogram one of these devices (the PLCs) that control the equipment, you require PHYSICAL access to the equipment, as the software is in fact FIRMWARE.

    You have to reprogram an EEPROM and physically plug it into the machine.

    You cannot remotely program these devices, nor can you override the safeties.

    Therefore, if the equipment was functioning out of spec, it would override with a safe shutdown.

    The safeties are not a part of the control system, but are a separate hard-wired fail-safe system.

    For example, an overtemperature or overspeed shutoff on a motor.

    And just good engineering will stop that.

    But to introduce a virus into a SCADA PLC you need physical access to that PLC.

  22. Michael, Jan 19th, 2011 @ 5:09am

    Re: Re: How Outside Code Gets In

    "do you think the financial transaction computers at a bank are in any way connected to the internet"

    Yes. I have worked on two financial systems for MAJOR US banks and I can tell you both had internet-connected components that they viewed as potential threats but necessary for communications.

  23. Anonymous Coward, Jan 19th, 2011 @ 5:26am

    Re: Re: How Outside Code Gets In

    Classic Darryl: a rambling rant on something he clearly knows nothing about.

  24. Anonymous Coward, Jan 19th, 2011 @ 5:28am

    Re: Re: missing questions

    wrong again, from the report

    Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.

    Hides modified code on PLCs, essentially a rootkit for PLCs.

  25. Anonymous Coward, Jan 19th, 2011 @ 5:40am

    Re: Fascinating story, but ...

    Everyone did keep their mouth shut and the program seems to have worked for just over a year. The Iranians knew something was wrong, they just didn't know what. A third party contractor assisting them with the centrifuges found the problem and eventually discovered it was caused by a virus.

    Also, the damage isn't over yet. Current estimates are that it will take over a year to completely remove the program from the facility. In addition to that, two professors working at the facility were recently killed in car bombings and there is speculation that they were the two people leading the effort to remove the worm, although there has been no confirmation of this.

    It is possible that Stuxnet was really designed only to buy time, either for political action or to give developers time to develop a more sophisticated and more damaging virus. Some have speculated that Stuxnet was probably a test of the nuclear plant's defenses and data gathered by the worm will be used in some other operation.

  26. Anonymous Coward, Jan 19th, 2011 @ 5:46am

    Re: Good point !!

    LEARN TO READ!

    You have posted like 5 times in this thread and none of it is correct. You don't need "physical access" to a PLC to reprogram it.

    EEPROM: Electrically Erasable Programmable Read-Only Memory

    See, it says right in the GOD DAMN name that you can erase it ELECTRICALLY!!!

  27. Chronno S. Trigger (profile), Jan 19th, 2011 @ 6:06am

    Re: Re: Of Course, The Old “Play Back Recorded Footage To Fool The Security Monitors” Trick

    I seem to remember a story from medieval days about a city that was going to be invaded. They evacuated the city, but left dummies there to make it look like everything was normal. This set a trap for the invading army.

    Not so hard of a line.

  28. Anonymous Coward, Jan 19th, 2011 @ 7:45am

    Re: Re: How Outside Code Gets In

    > do you think the financial transaction computers at a bank are in any way connected to the internet

    Yes, they are. Ever heard of online banking? The financial transaction computers at the bank have to be connected to the online banking computers, which in turn have to be connected to the Internet. It would not work otherwise.

    I am sure this is true for my bank, and for every other big bank in this country.

  29. Anonymous Coward, Jan 19th, 2011 @ 9:31am

    CIA Involvement

    I listened to an NPR radio story about how the CIA knew that the Pakistani scientists were developing technology and trying to sell it to Iran and Libya. Instead of arresting the scientist, they decided to make it easier for him to get some materials like centrifuges and vacuums but first went to the manufacturers to sabotage the devices so that they would not work properly. Then they sold the items on the black market and it got into the hands of the Iranians. When the Iranians tried the devices, they didn't work properly and caused some damage, but the Iranians were able to figure out the flaws and fixed them. So they had fully functional nuclear equipment that they would not have had if it were not for the CIA. Then, Stuxnet came and it was designed to destroy those centrifuges and vacuums. Link to the book on NPR:

    http://www.npr.org/2011/01/04/132629443/the-fallout-of-the-cias-race-to-get-khan

  30. Beowulf888, Jan 19th, 2011 @ 10:25am

    Slightly more subtle

    The program probably wasn't causing the centrifuges to spin "out of control" as in *faster* but rather out of control in that they would spin too *slowly* for periods of time to properly separate the Uranium isotopes. Over many months they were unable to get properly purified isotopes from their centrifuges. Brilliant!

  31. Anonymous Coward, Jan 19th, 2011 @ 11:38am

    Re: What's really interesting is...

    You mean the CIA's software sabotage of the Siberian Gas Pipeline?

    http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage

  32. None, Jan 19th, 2011 @ 12:23pm

    @aldestrawk

    JMicron and Realtek have buildings in the same office park in Japan -- the keys might have been acquired via physical access

    http://www.computersecurityarticles.info/antivirus/another-signed-stuxnet-binary/

  33. aldestrawk (profile), Jan 19th, 2011 @ 2:39pm

    Re: stolen keys

    I was aware of that and I must say that fact seems more than just a coincidence. Still, if you're a thief how do you break into a business and find which machine some private digital keys are stored on and gain access to that machine without being an insider? How do you do this for two separate companies? Do they share any personnel (i.e. security guards)?

  34. aldestrawk (profile), Jan 19th, 2011 @ 2:56pm

    Re: stolen keys

    I just realized you said Japan. Actually they are both in Hsinchu Science Park in Hsinchu, Taiwan. Same difference really. Your note got me thinking more about this and I realize there is another connection. Verisign issued both certificates, and revoked them when this was discovered. I also wonder if Microsoft has access to those private keys being that they were used to sign drivers running under Microsoft Windows. Microsoft doesn't have to know them for the PKI to work.
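Comments 4 and 34 above raise two points that are easy to confuse: how stolen private keys could be used at all, and why the verifier (Microsoft, or the Windows driver loader) never needs those keys while the issuing CA can still revoke the certificates. The following is an added example, not code from this page, from Symantec, or from any of the companies named. It builds a toy code-signing PKI: the CA and vendor names, the serial numbers and the two "driver images" are constructed, and P-256 ECDSA is used for brevity without implying anything about the key type of the real certificates. A vendor signs its driver; a thief who has only the vendor's private key signs a rootkit that verifies just as well; the CA revokes the certificate and the same signature is then rejected; and an attacker without the stolen key, using a look-alike certificate from a CA of their own, is rejected because it does not chain to the trusted root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert generates a fresh P-256 key (chosen for brevity; it implies nothing
// about the real certificates) and a certificate for it: a self-signed CA when
// parent is nil, else a code-signing leaf issued by parent from the public key alone.
func makeCert(name string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	signer := parentKey
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// sign is the vendor-side step: ECDSA over SHA-256 of the driver image.
// Anyone holding key can do it, which is exactly why a stolen key matters.
func sign(key *ecdsa.PrivateKey, image []byte) []byte {
	d := sha256.Sum256(image)
	sig, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	must(err)
	return sig
}

// verify is the loader-side step. It holds the CA's public certificate and a
// revocation list (a map standing in for a CRL or OCSP lookup), never a private key.
func verify(ca, leaf *x509.Certificate, revoked map[string]bool, image, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err != nil {
		return err
	}
	if revoked[leaf.SerialNumber.String()] {
		return errors.New("signing certificate revoked")
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(image)
	if !ok || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// runScenario returns, per case, whether the loader accepted the image.
func runScenario() map[string]bool {
	ca, caKey := makeCert("Example Code Signing CA", 1, nil, nil)
	vendorCert, vendorKey := makeCert("Example Semiconductor Co.", 2, ca, caKey)
	driver := []byte("constructed: benign driver image")
	rootkit := []byte("constructed: rootkit driver image")
	revoked := map[string]bool{}
	out := map[string]bool{}
	// The vendor's own driver under its own key: accepted.
	out["vendor"] = verify(ca, vendorCert, revoked, driver, sign(vendorKey, driver)) == nil
	// The thief walked off with vendorKey (vendorCert is public anyway): also accepted.
	rsig := sign(vendorKey, rootkit)
	out["stolen-key"] = verify(ca, vendorCert, revoked, rootkit, rsig) == nil
	// The CA learns of the abuse and revokes the certificate by serial number.
	revoked[vendorCert.SerialNumber.String()] = true
	out["after-revocation"] = verify(ca, vendorCert, revoked, rootkit, rsig) == nil
	// Without the stolen key, a look-alike cert from the attacker's own CA does not chain to the trusted root.
	fakeCA, fakeCAKey := makeCert("Example Code Signing CA", 1, nil, nil)
	fakeCert, fakeKey := makeCert("Example Semiconductor Co.", 2, fakeCA, fakeCAKey)
	out["self-issued"] = verify(ca, fakeCert, map[string]bool{}, rootkit, sign(fakeKey, rootkit)) == nil
	return out
}
```

The two results worth dwelling on are "stolen-key" (accepted) and "after-revocation" (rejected): a signature made with a stolen key is mathematically indistinguishable from a legitimate one, so the only defences are keeping the key off reachable machines in the first place (an HSM or an offline signing host, as comment 4 suggests) and having a revocation path the verifier actually consults. The map used for revocation here stands in for that path; in practice the check is only as good as the loader's willingness to fetch and honour a CRL or OCSP response.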

  35. Darryl, Jan 19th, 2011 @ 5:41pm

    Re: Re: Good point !!

    MORON, go buy yourself a clue.

    Or prove you do not need physical access to the PLC to reprogram the EPROM.

    The PLCs do not have 'EPROM burners' inside them, you have to unplug the EPROM from the circuit board, plug it into a programmer and you then have to burn the new data onto it.

    It's very clear you do not have a clue.

    If I DO read the name of EPROM, it's an "erasable, programmable, READ ONLY MEMORY".

    yes, it is erasable and programmable, but NOT IN SITU.

    and any idiot who knows anything about electronics, and PLCs and SCADA systems, will be totally aware of how stupid you are sounding..

    Perhaps, you need to

    LEARN TO LEARN!

  36. Darryl, Jan 19th, 2011 @ 6:04pm

    Re: Re: Re: missing questions

    how do you know they use Siemens PLCs?

    Maybe it is why the Middle East uses an Australian company for its SCADA systems, RTUs and PLCs etc.

    Look up SERCK.

    They have their head office in Newcastle, Australia, but they do a HUGE amount of work in the Middle East.

    Do you honestly think they would be stupid enough to buy PLCs and RTUs, and employ US engineers to work for them?

    No way, very very few people these days TRUST US engineering; if there is an alternative, they will take it.

    http://www.serck-controls.com/global.html#

  37. KD, Jan 19th, 2011 @ 7:48pm

    Re: Re: Re: Re: missing questions

    How do we know they use Siemens controllers?

    Maybe because all of the articles about this say they use Siemens controllers. You are the only one I have seen claiming otherwise. Of course, that doesn't *prove* you are wrong, but I know which side of that bet I'd take.

  38. nasch (profile), Jan 19th, 2011 @ 8:18pm

    Re: Re: stolen keys

    Perhaps something similar to the way Stuxnet itself worked. A worm on a USB key, delivered to the premises in any number of ways. Once inside, it could silently spread, seek the keys, send them out, and cover its tracks.

  39. LeBazz (profile), Jan 20th, 2011 @ 7:50am

    Re: Re: Re: Of Course, The Old “Play Back Recorded Footage To Fool The Security Monitors” Trick

    I remember it too.. It was in Russia... Anyone else can chime in ??

  40. Anonymous Coward, Jan 21st, 2011 @ 5:58am

    Re: Re: Re: Re: missing questions

    First, you retard, Siemens isn't "US engineering", the PLCs come from their German headquarters. (amazingly their headquarters is located in Germany because they are a German company, http://en.wikipedia.org/wiki/Siemens)

    Second, the Iranians have published reports that they are using Siemens PLCs.

    Third, your insanely stupid rants are getting tiring. I'm not sure if English is your 4th language or if you are really just ignorant (of, like, everything) but you ought to spend maybe 5 minutes reading about things before spouting your OPINION about how those things are.

  41. Anonymous Coward, Jan 21st, 2011 @ 6:01am

    Re: Re: Re: Good point !!

    any idiot who knows anything about electronics, and PLCs and SCADA systems

    Well clearly that idiot isn't you. I work with PLCs you dumb ass.

    OK, I'm done pointing out how stupid you are, the entire world has published news stories about this issue and not one of them agrees with your insane rambling.

    Also, kindly die in a fire.

  42. Androgynous Cowherd, Jan 23rd, 2011 @ 9:41am

    Link in article does not work.

    The link to the "fascinating investigative report" in the blog post does not work. The address is wrong. Rather than the address of anything reasonably describable as a "fascinating investigative report" it seems to be the address of a login form.

    This is incorrect.

    Please post a link that actually goes directly to the "fascinating investigative report" ASAP. (When clicked, in any browser on any Internet-connected computer, it should display the actual, complete text of the "fascinating investigative report" without any additional steps being required beyond the one link click.)

  43. nasch (profile), Jan 23rd, 2011 @ 3:04pm

    Re: Link in article does not work.

    There is no such link, because the article is behind a paywall.

  44. Eugene (profile), Jan 25th, 2011 @ 1:58pm

    Re: Re: Re: Of Course, The Old “Play Back Recorded Footage To Fool The Security Monitors” Trick

    I was thinking specifically of tricks to fool enemy cameras, but it's true that historically we've come up with all sorts of clever ways to fool the enemy's eye.

