Case Study: How To Have Fun Connecting With Fans Like A Superstar DJ

Stuxnet Increasingly Sounding Like A Movie Plot

from the made-for-hollywood dept

Tue, Jan 18th 2011 4:01pm — Mike Masnick

Like many people, I've been following the story of the Stuxnet worm with great interest. As you probably know, this worm was apparently designed to infect Iranian nuclear operations to create problems -- and supposedly setting back their nuclear operations quite a bit. The NY Times came out with a fascinating investigative report about the background of Stuxnet over the weekend, and it's worth a read. What I found most entertaining was the rather Hollywood-trickery angle by which Stuxnet did its dirty work:

The worm itself now appears to have included two major components. One was designed to send Iran�s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

That latter part is, indeed, right out of a movie. I guess sometimes truth does mimic fiction. That said, I'm still trying to figure out how or why Iran allowed any sort of outside code or computers into their nuclear operations.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: iran, stuxnet

44 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 18 Jan 2011 @ 4:22pm

Studios should sue the responsible governments and individuals for copyright infringement for creating a derivative work.
[ link to this | view in thread ]
Anonymous Coward, 18 Jan 2011 @ 4:30pm

How Outside Code Gets In
Allow me to hazard an answer to that question:

Software (and configuration) updates are usually delivered to the system (which IS isolated from the Internet) via USB key. But, the systems used to prepare those updates ARE connected to the internet, if only so they can receive emails from the vendor or from the programmers working 10 miles down the road from the plant.

The NSA may be able to go so far as to have a complete air-gap between 'net connected systems and isolated systems, with absolutely nothing even like a USB key ever crossing between them. But most systems aren't like that, even if nuclear.
[ link to this | view in thread ]
Lawrence D'Oliveiro, 18 Jan 2011 @ 4:56pm

Of Course, The Old �Play Back Recorded Footage To Fool The Security Monitors� Trick
This was used, probably more than once, in the old �Mission Impossible� TV series. Can anyone find any earlier instances?
[ link to this | view in thread ]
aldestrawk (profile), 18 Jan 2011 @ 4:57pm

missing questions
Iran was using equipment from Siemens to control their centrifuges. The Siemens PLC's (Programmable Logic Controllers) are, obviously, programmable devices. I can't see Iran duplicating the software needed to do the programming. It is really quite a lot of code. That, in itself, would have slowed down their effort to process uranium by perhaps years. So they have Windows computers that contain this Siemens PLC programming software (Step 7). Once the Stuxnet malware was introduced to some Windows computer in their plant it looked to infect a particular server and then to infect a computer that had this Step 7 software.
What I found strangely missing from the New York Times article was that one aspect of the poisoned PLC code was to intermittently changed the speed of the centrifuges in a way that wouldn't destroy it but kept the uranium from being successfully enriched. Such a problem would be hard to be aware of much less debug.
Another aspect of the story that I haven't seen explained is how the writers of Stuxnet got a hold of the code signing keys for Windows drivers from two separate companies; Realtek Semiconductor and JMicron Technology. The private keys for certificates is not something that should be accessible on the companies' website. In my mind, it doesn't even have to be on a computer connected to the internet. Was there collusion from these companies with the US?
A really good summary of Stuxnet can be found here (warning, it is technical)
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32 _stuxnet_dossier.pdf
[ link to this | view in thread ]
Anonymous Coward, 18 Jan 2011 @ 5:15pm

Mossad's training lets them throw USB sticks with unerring accuracy.

They don't need to get inside a building to load software onto a computer.
[ link to this | view in thread ]
cc (profile), 18 Jan 2011 @ 5:34pm

Had this been a movie, they would have been using Macs. Can't have a movie without the obligatory Apple product placement!
[ link to this | view in thread ]
velox (profile), 18 Jan 2011 @ 5:35pm

Fascinating story, but ...
What makes me skeptical about this story is -- If it really worked as advertised, why would you allow anyone to know what was done? Software glitches can be very difficult to trace. Wouldn't you want to keep it that way?
There is no reason to think that pulling this off one time has permanently shut down the Iranian's program. If the perpetrators just kept their mouths shut then perhaps some variation on this could have been used again after Iran got back up and running. Now Iran is forewarned.
So... did it really happen as we have been told, or is this just well-designed rumor intended to help sell the idea that there is an ongoing cyberwar?
[ link to this | view in thread ]
Trails (profile), 18 Jan 2011 @ 5:40pm

Not the virus technique, just the explanation
The idea of a virus covering up it's damage is not new. It's also not especially hollywood though it's seen in a fair few movies yes. The only thing distinctly hollywood is the explanation from the press.
[ link to this | view in thread ]
ChurchHatesTucker (profile), 18 Jan 2011 @ 5:45pm

Re:
They would have been using Macs to infect the centrifuge computers. You don't spend money to be shown as the bad guys.
[ link to this | view in thread ]
Deimos280 (profile), 18 Jan 2011 @ 5:50pm

haha
"I'm still trying to figure out how or why Iran allowed any sort of outside code or computers into their nuclear operations." -does anyone else get the mental image of an iranian Homer Simpson asleep at the controls? :'D
[ link to this | view in thread ]
mrtraver (profile), 18 Jan 2011 @ 6:16pm

Maybe...
They were using Macs and thought they didn't need antivirus software.
[ link to this | view in thread ]
Eugene (profile), 18 Jan 2011 @ 6:21pm

Re: Of Course, The Old �Play Back Recorded Footage To Fool The Security Monitors� Trick
I feel like there may have been an even older heist movie that used this technique. Although I guess there'd be a hard line delineating when the first instance could have occurred, since it wouldn't have happened before the invention of video security.
[ link to this | view in thread ]
Eugene (profile), 18 Jan 2011 @ 6:23pm

Re: missing questions
Was there collusion from these companies with the US?
In fact, I believe there was an earlier story that suggested there was.
[ link to this | view in thread ]
Larry, 18 Jan 2011 @ 7:41pm

What's really interesting is...
that there is a fairly well documented case of "cyber warfare" that is in all likelihood a case of nations causing damage to another nations infrastructure and no tie in article.

If the Iranians (or anyone else) were ever to damage another nations infrastructure...

To be continued I hope.
[ link to this | view in thread ]
Anonymous Coward, 18 Jan 2011 @ 8:26pm

Things spinning out of control and "operators" fed information according to which everything is normal. That must be the most common worm in human history.
[ link to this | view in thread ]
aldestrawk (profile), 18 Jan 2011 @ 8:49pm

ha ha ha
It is felt that the real target site was the Natanz fuel enrichment facility rather than the Bushehr nuclear power plant where the Iranian Homer works. Getting malware onto the target PLC's was a multi-step effort which required multiple vulnerabilities. One of them happened to be use of a default password, actually recommended by Siemens to stay its' default value because it was thought that not being connected directly to the internet meant it was safe to do. This should be easily fixed. What is not easy and is still something of a mystery to me is the availability of code signing keys to enable a root kit to be loaded onto a Windows machine. There is also speculation that there may have been a contractor, maybe from Siemens, who helped with the initial infection. Ultimately, it did not require bumbling by doughnut eating buffoons sleeping at every desk. Remember, that even Google was victimized by a hacking attack
[ link to this | view in thread ]
Christopher (profile), 19 Jan 2011 @ 2:46am

This does seem weird.... any nuclear facility in the United States, as far as I know, is OFF the internet grid or behind TONS of firewalls.
[ link to this | view in thread ]
Darryl, 19 Jan 2011 @ 4:46am

Sure, what is the IP of Iran's nuclear facility again ?
send Iran�s nuclear centrifuges spinning wildly out of control

Sure you can LOL, you just have to find an Iranian centrifuge on the intnet, with its very own IP address.

good luck with that !
[ link to this | view in thread ]
Darryl, 19 Jan 2011 @ 4:55am

Re: How Outside Code Gets In
But most systems aren't like that, even if nuclear.

Most systems ARE just like that, do you think the financial transaction computers at a bank are in any way connected to the internet, or connected to say the home mortgage network ?

they are not, do you think you local electricity company has it accounting system tied to its SCADA control systems ? No ofcourse not, nor are they connected to the internet.

and updates are not done as you explain, with a USB stick with something you use on the internet.

Our local water company uses PC's and servers for it's accounting and billing etc, it is not connected to the internet.

And they have a totally seperate, and not connected to their accounting system, VMS mainframes for their SCADA system, that is ALSO NOT connected to the internet.

Generally any 'updates' you do are updates on software that you yourself have written, that you can assure contains no viruses.
[ link to this | view in thread ]
Darryl, 19 Jan 2011 @ 4:58am

Re: missing questions
Seimens PLC's are also 'programmed' by replacement of an EPROM that has to be specifically burnt first, specific to your application.

So the only way to introdue a 'virus' on them is if you have physical access to the equipment, and you have a EPROM burner, and the correct software.
[ link to this | view in thread ]
Darryl, 19 Jan 2011 @ 5:02am

Good point !!
To reprogram one of these devices (the PLC's) that control the equipment, you require PHYSICAL access to the equipment, as the software is in fact FIRMWARE.

You have to reprogram a EEPROM and physically plug it into the machine.

You cannot remotely program these devices, nor can you override the safeties.

Therefore, if the equipment was functioning out of spec, it would override with a safe shutdown.

The safeties are not a part of the control system, but are a seperate hard wired fail safe system.

For example and overtemperature or overspeed shutoff on a motor.

And just good engineering, will stop that.

But to introduce a virus into a SCADA PLC you need physical access to that PLC.
[ link to this | view in thread ]
Michael, 19 Jan 2011 @ 5:09am

Re: Re: How Outside Code Gets In
"do you think the financial transaction computers at a bank are in any way connected to the internet"

Yes. I have worked on two financial systems for MAJOR US banks and I can tell you both had internet-connected components that they viewed as potential threats but necessary for communications.
[ link to this | view in thread ]
Anonymous Coward, 19 Jan 2011 @ 5:26am

Re: Re: How Outside Code Gets In
Classic Darryl: a rambling rant on a something he clearly knows nothing about.
[ link to this | view in thread ]
Anonymous Coward, 19 Jan 2011 @ 5:28am

Re: Re: missing questions
wrong again, from the report

Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.

Hides modified code on PLCs, essentially a rootkit for PLCs.
[ link to this | view in thread ]
Anonymous Coward, 19 Jan 2011 @ 5:40am

Re: Fascinating story, but ...
Everyone did keep their mouth shut and the program seems to have worked for just over a year. The Iranians knew something was wrong, they just didn't know what. A third party contractor assisting them with the centrifuges found the problem and eventually discovered it was caused by a virus.

Also, the damage isn't over yet. Current estimates are that it will take over a year to completely remove the program from the facility. In addition to that, two professors working at the facility were recently killed in car bombings and there is speculation that they were the two people leading the effort to remove the worm, although there has been no confirmation of this.

It is possible that Stuxnet was really designed only to buy time, either for political action or to give developers time to develop a more sophisticated and more damaging virus. Some have speculated that Stuxnet was probably a test of the nuclear plants defenses and data gathered by the worm will be used in some other operation.
[ link to this | view in thread ]
Anonymous Coward, 19 Jan 2011 @ 5:46am

Re: Good point !!
LEARN TO READ!

You have posted like 5 times in this thread and none of it is correct. You don't need "physical access" to a PLC to reprogram it.

EEPROM: Electrically Erasable Programmable Read-Only Memory

See, it says right in the GOD DAMN name that you can erase it ELECTRICALLY!!!
[ link to this | view in thread ]
Chronno S. Trigger (profile), 19 Jan 2011 @ 6:06am

Re: Re: Of Course, The Old �Play Back Recorded Footage To Fool The Security Monitors� Trick
I seem to remember a story from medieval days about a city that was going to be invaded. They evacuated the city, but left dummies there to make it look like everything was normal. This set a trap for the invading army.

Not so hard of a line.
[ link to this | view in thread ]
Anonymous Coward, 19 Jan 2011 @ 7:45am

Re: Re: How Outside Code Gets In
> do you think the financial transaction computers at a bank are in any way connected to the internet

Yes, they are. Ever heard of online banking? The financial transaction computers at the bank have to be connected to the online banking computers, which in turn have to be connected to the Internet. It would not work otherwise.

I am sure this is true for my bank, and for every other big bank in this country.
[ link to this | view in thread ]
Anonymous Coward, 19 Jan 2011 @ 9:31am

CIA Involvment
I listened to a NPR radio story about how the CIA knew that the Pakistani scientists were developing technology and trying to sell it to Iran and Libya. Instead of arresting the scientist, they decided to make it easier for him to get some materials like centrifuges and vacuums but first went to the manufacturers to sabotage the devices so that they would not work properly. Then they sold the items on the black market and it got into the hands of the Iranians. When the Iranians tried the devices, they didn't work properly and caused some damage, but the Iranians were able to figure out the flaws and fixed them. So they had fully functional nuclear equipment that they would not have had if it were not for the CIA. Then, Stuxnet came and it was designed to destroy those centrifuges and vacuums. Link to the book on NPR

http://www.npr.org/2011/01/04/132629443/the-fallout-of-the-cias-race-to-get-khan
[ link to this | view in thread ]
Beowulf888, 19 Jan 2011 @ 10:25am

Slightly more subtle
The program probably wasn't causing the centrifuges to spin "out of control" as in *faster* but rather out of control in at they would spin too *slowly* for periods of time to properly separate the Uranium isotopes. Over many months they were unable to get properly purified isotopes from their centrifuges. Brilliant!
[ link to this | view in thread ]
Anonymous Coward, 19 Jan 2011 @ 11:38am

Re: What's really interesting is...
You mean the CIA's software sabotage of the Siberian Gas Pipeline?

http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage
[ link to this | view in thread ]
None, 19 Jan 2011 @ 12:23pm

@aldestrawk

JMicron and Realtek have buildings in the same office park in Japan -- the keys might have been acquired via physical access

http://www.computersecurityarticles.info/antivirus/another-signed-stuxnet-binary/
[ link to this | view in thread ]
aldestrawk (profile), 19 Jan 2011 @ 2:39pm

Re: stolen keys
I was aware of that and I must say that fact seems more than just a coincidence. Still, if you're a thief how do you break into a business and find what machine some private digital keys are stored and gain access to that machine without being an insider? How do you do this for two separate companies? Do they share any personnel (i.e. security guards)?
[ link to this | view in thread ]
aldestrawk (profile), 19 Jan 2011 @ 2:56pm

Re: stolen keys
I just realized you said Japan. Actually they are both in Hsinchu Scince Park in Hsinchu, Taiwan. Same difference really. Your note got me thinking more about this and I realize there is another connection. Verisign issued both certificates, and revoked them when this was discovered. I also wonder if Microsoft has access to those private keys being that they were used to sign drivers running under Microsoft Windows. Microsoft doesn't have to know them for the PKI to work
[ link to this | view in thread ]
Darryl, 19 Jan 2011 @ 5:41pm

Re: Re: Good point !!
MORON, go buy yourself a clue.

Or prove you do not need physical access to the PLC to reprogramm the EPROM.

The plc's do not have 'eprom burners' inside them, you have to unplug the eprom from the circuit board, plug it into a programmer and you then have to burn the new data onto it.

Its very clear you do not have a clue,

If I DO real the name of EPROM, its and "erasable, programmable, READ ONLY MEMORY.

yes, it is erasable and programmable, but NOT INSITU.

and any idiot who know's anything about electronics, and PLC's and SCADA systems, will be totally aware of how stupid you are sounding..

Perhaps, you need to

LEARN TO LEARN!
[ link to this | view in thread ]
Darryl, 19 Jan 2011 @ 6:04pm

Re: Re: Re: missing questions
how do you know they use Siemens PLC's,

Maybey it is why the middle east use an Australian company for its SCADA systems, RTU and PLC's etc.

Look up SERCK.

They have their head office in Newcastle Australia, but they do a HUGE amount of work in the Middle East.

Do you honestly think they would be stupid enough to buy PLC's and RTU's, and employ US engineers to work for them ?

No way, very very few people these days, TRUST US engineering, if there is an alternative, they will take it.

http://www.serck-controls.com/global.html#
[ link to this | view in thread ]
KD, 19 Jan 2011 @ 7:48pm

Re: Re: Re: Re: missing questions
How do we know they use Siemens controllers?

Maybe because all of the articles about this say they use Siemens controllers. You are the only one I have seen claiming otherwise. Of course, that doesn't *prove* you are wrong, but I know which side of that bet I'd take.
[ link to this | view in thread ]
nasch (profile), 19 Jan 2011 @ 8:18pm

Re: Re: stolen keys
Perhaps something similar to the way Stuxnet itself worked. A worm on a USB key, delivered to the premises in any number of ways. Once inside, it could silently spread, seek the keys, send them out, and cover its tracks.
[ link to this | view in thread ]
LeBazz (profile), 20 Jan 2011 @ 7:50am

Re: Re: Re: Of Course, The Old �Play Back Recorded Footage To Fool The Security Monitors� Trick
I remember it too.. It was in Russia... Anyone else can chime in ??
[ link to this | view in thread ]
Anonymous Coward, 21 Jan 2011 @ 5:58am

Re: Re: Re: Re: missing questions
First, you retard, Siemens isn't "US engineering", the PLCs come from their German headquarters. (amazingly their headquarters is located in Germany because they are a German company, http://en.wikipedia.org/wiki/Siemens)

Second, the Iranian's have published reports that they are using Siemens PLCs.

Third, your insanely stupid rants are getting tiring. I'm not sure if English is your 4th language or if you are really just ignorant (of, like, everything) but you ought to spend maybe 5 minutes reading about things before spouting your OPINION about how those things are.
[ link to this | view in thread ]
Anonymous Coward, 21 Jan 2011 @ 6:01am

Re: Re: Re: Good point !!
any idiot who know's anything about electronics, and PLC's and SCADA systems

Well clearly that idiot isn't you. I work with PLCs you dumb ass.

OK, I'm done pointing out how stupid you are, the entire world has published new stories about this issue and not one of them agrees with your insane rambling.

Also, kindly die in a fire.
[ link to this | view in thread ]
Androgynous Cowherd, 23 Jan 2011 @ 9:41am

Link in article does not work.
The link to the "fascinating investigative report" in the blog post does not work. The address is wrong. Rather than the address of anything reasonably describable as a "fascinating investigative report" it seems to be the address of a login form.

This is incorrect.

Please post a link that actually goes directly to the "fascinating investigative report" ASAP. (When clicked, in any browser on any Internet-connected computer, it should display the actual, complete text of the "fascinating investigative report" without any additional steps being required beyond the one link click.)
[ link to this | view in thread ]
nasch (profile), 23 Jan 2011 @ 3:04pm

Re: Link in article does not work.
There is no such link, because the article is behind a paywall.
[ link to this | view in thread ]
Eugene (profile), 25 Jan 2011 @ 1:58pm

Re: Re: Re: Of Course, The Old �Play Back Recorded Footage To Fool The Security Monitors� Trick
I was thinking specifically of tricks to fool enemy cameras, but it's true that historically we've come up with all sorts of clever ways to fool the enemy's eye.
[ link to this | view in thread ]