Stuxnet Increasingly Sounding Like A Movie Plot

from the made-for-hollywood dept

Like many people, I’ve been following the story of the Stuxnet worm with great interest. As you probably know, this worm was apparently designed to infect Iranian nuclear operations to create problems — and supposedly setting back their nuclear operations quite a bit. The NY Times came out with a fascinating investigative report about the background of Stuxnet over the weekend, and it’s worth a read. What I found most entertaining was the rather Hollywood-trickery angle by which Stuxnet did its dirty work:

The worm itself now appears to have included two major components. One was designed to send Iran?s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

That latter part is, indeed, right out of a movie. I guess sometimes truth does mimic fiction. That said, I’m still trying to figure out how or why Iran allowed any sort of outside code or computers into their nuclear operations.

Filed Under: ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Stuxnet Increasingly Sounding Like A Movie Plot”

Subscribe: RSS Leave a comment
44 Comments
Anonymous Coward says:

How Outside Code Gets In

Allow me to hazard an answer to that question:

Software (and configuration) updates are usually delivered to the system (which IS isolated from the Internet) via USB key. But, the systems used to prepare those updates ARE connected to the internet, if only so they can receive emails from the vendor or from the programmers working 10 miles down the road from the plant.

The NSA may be able to go so far as to have a complete air-gap between ‘net connected systems and isolated systems, with absolutely nothing even like a USB key ever crossing between them. But most systems aren’t like that, even if nuclear.

Darryl says:

Re: How Outside Code Gets In

But most systems aren’t like that, even if nuclear.

Most systems ARE just like that, do you think the financial transaction computers at a bank are in any way connected to the internet, or connected to say the home mortgage network ?

they are not, do you think you local electricity company has it accounting system tied to its SCADA control systems ? No ofcourse not, nor are they connected to the internet.

and updates are not done as you explain, with a USB stick with something you use on the internet.

Our local water company uses PC’s and servers for it’s accounting and billing etc, it is not connected to the internet.

And they have a totally seperate, and not connected to their accounting system, VMS mainframes for their SCADA system, that is ALSO NOT connected to the internet.

Generally any ‘updates’ you do are updates on software that you yourself have written, that you can assure contains no viruses.

Anonymous Coward says:

Re: Re: How Outside Code Gets In

> do you think the financial transaction computers at a bank are in any way connected to the internet

Yes, they are. Ever heard of online banking? The financial transaction computers at the bank have to be connected to the online banking computers, which in turn have to be connected to the Internet. It would not work otherwise.

I am sure this is true for my bank, and for every other big bank in this country.

Eugene (profile) says:

Re: Of Course, The Old ?Play Back Recorded Footage To Fool The Security Monitors? Trick

I feel like there may have been an even older heist movie that used this technique. Although I guess there’d be a hard line delineating when the first instance could have occurred, since it wouldn’t have happened before the invention of video security.

Chronno S. Trigger (profile) says:

Re: Re: Of Course, The Old ?Play Back Recorded Footage To Fool The Security Monitors? Trick

I seem to remember a story from medieval days about a city that was going to be invaded. They evacuated the city, but left dummies there to make it look like everything was normal. This set a trap for the invading army.

Not so hard of a line.

aldestrawk says:

missing questions

Iran was using equipment from Siemens to control their centrifuges. The Siemens PLC’s (Programmable Logic Controllers) are, obviously, programmable devices. I can’t see Iran duplicating the software needed to do the programming. It is really quite a lot of code. That, in itself, would have slowed down their effort to process uranium by perhaps years. So they have Windows computers that contain this Siemens PLC programming software (Step 7). Once the Stuxnet malware was introduced to some Windows computer in their plant it looked to infect a particular server and then to infect a computer that had this Step 7 software.
What I found strangely missing from the New York Times article was that one aspect of the poisoned PLC code was to intermittently changed the speed of the centrifuges in a way that wouldn’t destroy it but kept the uranium from being successfully enriched. Such a problem would be hard to be aware of much less debug.
Another aspect of the story that I haven’t seen explained is how the writers of Stuxnet got a hold of the code signing keys for Windows drivers from two separate companies; Realtek Semiconductor and JMicron Technology. The private keys for certificates is not something that should be accessible on the companies’ website. In my mind, it doesn’t even have to be on a computer connected to the internet. Was there collusion from these companies with the US?
A really good summary of Stuxnet can be found here (warning, it is technical)
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

Darryl says:

Re: missing questions

Seimens PLC’s are also ‘programmed’ by replacement of an EPROM that has to be specifically burnt first, specific to your application.

So the only way to introdue a ‘virus’ on them is if you have physical access to the equipment, and you have a EPROM burner, and the correct software.

Darryl says:

Re: Re: Re: missing questions

how do you know they use Siemens PLC’s,

Maybey it is why the middle east use an Australian company for its SCADA systems, RTU and PLC’s etc.

Look up SERCK.

They have their head office in Newcastle Australia, but they do a HUGE amount of work in the Middle East.

Do you honestly think they would be stupid enough to buy PLC’s and RTU’s, and employ US engineers to work for them ?

No way, very very few people these days, TRUST US engineering, if there is an alternative, they will take it.

http://www.serck-controls.com/global.html#

velox says:

Fascinating story, but ...

What makes me skeptical about this story is — If it really worked as advertised, why would you allow anyone to know what was done? Software glitches can be very difficult to trace. Wouldn’t you want to keep it that way?
There is no reason to think that pulling this off one time has permanently shut down the Iranian’s program. If the perpetrators just kept their mouths shut then perhaps some variation on this could have been used again after Iran got back up and running. Now Iran is forewarned.
So… did it really happen as we have been told, or is this just well-designed rumor intended to help sell the idea that there is an ongoing cyberwar?

Anonymous Coward says:

Re: Fascinating story, but ...

Everyone did keep their mouth shut and the program seems to have worked for just over a year. The Iranians knew something was wrong, they just didn’t know what. A third party contractor assisting them with the centrifuges found the problem and eventually discovered it was caused by a virus.

Also, the damage isn’t over yet. Current estimates are that it will take over a year to completely remove the program from the facility. In addition to that, two professors working at the facility were recently killed in car bombings and there is speculation that they were the two people leading the effort to remove the worm, although there has been no confirmation of this.

It is possible that Stuxnet was really designed only to buy time, either for political action or to give developers time to develop a more sophisticated and more damaging virus. Some have speculated that Stuxnet was probably a test of the nuclear plants defenses and data gathered by the worm will be used in some other operation.

Larry says:

What's really interesting is...

that there is a fairly well documented case of “cyber warfare” that is in all likelihood a case of nations causing damage to another nations infrastructure and no tie in article.

If the Iranians (or anyone else) were ever to damage another nations infrastructure…

To be continued I hope.

aldestrawk says:

ha ha ha

It is felt that the real target site was the Natanz fuel enrichment facility rather than the Bushehr nuclear power plant where the Iranian Homer works. Getting malware onto the target PLC’s was a multi-step effort which required multiple vulnerabilities. One of them happened to be use of a default password, actually recommended by Siemens to stay its’ default value because it was thought that not being connected directly to the internet meant it was safe to do. This should be easily fixed. What is not easy and is still something of a mystery to me is the availability of code signing keys to enable a root kit to be loaded onto a Windows machine. There is also speculation that there may have been a contractor, maybe from Siemens, who helped with the initial infection. Ultimately, it did not require bumbling by doughnut eating buffoons sleeping at every desk. Remember, that even Google was victimized by a hacking attack

Darryl says:

Good point !!

To reprogram one of these devices (the PLC’s) that control the equipment, you require PHYSICAL access to the equipment, as the software is in fact FIRMWARE.

You have to reprogram a EEPROM and physically plug it into the machine.

You cannot remotely program these devices, nor can you override the safeties.

Therefore, if the equipment was functioning out of spec, it would override with a safe shutdown.

The safeties are not a part of the control system, but are a seperate hard wired fail safe system.

For example and overtemperature or overspeed shutoff on a motor.

And just good engineering, will stop that.

But to introduce a virus into a SCADA PLC you need physical access to that PLC.

Anonymous Coward says:

Re: Good point !!

LEARN TO READ!

You have posted like 5 times in this thread and none of it is correct. You don’t need “physical access” to a PLC to reprogram it.

EEPROM: Electrically Erasable Programmable Read-Only Memory

See, it says right in the GOD DAMN name that you can erase it ELECTRICALLY!!!

Darryl says:

Re: Re: Good point !!

MORON, go buy yourself a clue.

Or prove you do not need physical access to the PLC to reprogramm the EPROM.

The plc’s do not have ‘eprom burners’ inside them, you have to unplug the eprom from the circuit board, plug it into a programmer and you then have to burn the new data onto it.

Its very clear you do not have a clue,

If I DO real the name of EPROM, its and “erasable, programmable, READ ONLY MEMORY.

yes, it is erasable and programmable, but NOT INSITU.

and any idiot who know’s anything about electronics, and PLC’s and SCADA systems, will be totally aware of how stupid you are sounding..

Perhaps, you need to

LEARN TO LEARN!

Anonymous Coward says:

CIA Involvment

I listened to a NPR radio story about how the CIA knew that the Pakistani scientists were developing technology and trying to sell it to Iran and Libya. Instead of arresting the scientist, they decided to make it easier for him to get some materials like centrifuges and vacuums but first went to the manufacturers to sabotage the devices so that they would not work properly. Then they sold the items on the black market and it got into the hands of the Iranians. When the Iranians tried the devices, they didn’t work properly and caused some damage, but the Iranians were able to figure out the flaws and fixed them. So they had fully functional nuclear equipment that they would not have had if it were not for the CIA. Then, Stuxnet came and it was designed to destroy those centrifuges and vacuums. Link to the book on NPR

http://www.npr.org/2011/01/04/132629443/the-fallout-of-the-cias-race-to-get-khan

aldestrawk says:

Re: stolen keys

I was aware of that and I must say that fact seems more than just a coincidence. Still, if you’re a thief how do you break into a business and find what machine some private digital keys are stored and gain access to that machine without being an insider? How do you do this for two separate companies? Do they share any personnel (i.e. security guards)?

aldestrawk says:

Re: stolen keys

I just realized you said Japan. Actually they are both in Hsinchu Scince Park in Hsinchu, Taiwan. Same difference really. Your note got me thinking more about this and I realize there is another connection. Verisign issued both certificates, and revoked them when this was discovered. I also wonder if Microsoft has access to those private keys being that they were used to sign drivers running under Microsoft Windows. Microsoft doesn’t have to know them for the PKI to work

Anonymous Coward says:

missing questions

First, you retard, Siemens isn’t “US engineering”, the PLCs come from their German headquarters. (amazingly their headquarters is located in Germany because they are a German company, http://en.wikipedia.org/wiki/Siemens)

Second, the Iranian’s have published reports that they are using Siemens PLCs.

Third, your insanely stupid rants are getting tiring. I’m not sure if English is your 4th language or if you are really just ignorant (of, like, everything) but you ought to spend maybe 5 minutes reading about things before spouting your OPINION about how those things are.

Anonymous Coward says:

Good point !!

any idiot who know’s anything about electronics, and PLC’s and SCADA systems

Well clearly that idiot isn’t you. I work with PLCs you dumb ass.

OK, I’m done pointing out how stupid you are, the entire world has published new stories about this issue and not one of them agrees with your insane rambling.

Also, kindly die in a fire.

Androgynous Cowherd says:

Link in article does not work.

The link to the “fascinating investigative report” in the blog post does not work. The address is wrong. Rather than the address of anything reasonably describable as a “fascinating investigative report” it seems to be the address of a login form.

This is incorrect.

Please post a link that actually goes directly to the “fascinating investigative report” ASAP. (When clicked, in any browser on any Internet-connected computer, it should display the actual, complete text of the “fascinating investigative report” without any additional steps being required beyond the one link click.)

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...