NYTimes Reveals Details Of How US Created Stuxnet... And How A Programming Error Led To Its Escape
from the when's-the-movie-coming-out dept
With a lot of new attention being paid to the Flame malware that was datamining computers around the Middle East, there have been plenty of comparisons to Stuxnet, the famous bit of malware that was targeted at mucking up Iran's nuclear power program. So it's very interesting timing to see the NY Times reveal many of the details behind Stuxnet, including confirming that it was a program driven by the US, with a lot of help from the Israelis. Many, many, many people suspected that already, but it certainly appears that the NYTimes has numerous detailed sources that support this claim.

Perhaps even more interesting, however, is the fact that Stuxnet (which apparently originally infected Iranian nuclear plants via workers using USB keys when they shouldn't) was never supposed to get out into the wild. It was supposed to just sit in the computers at the power plant, confusing the hell out of the Iranians. But, obviously, that didn't happen. Having that info get out into the wild probably killed off the effort much earlier than expected, since it basically explained to the Iranians what was happening.
It's also noteworthy that a source in the article claims that Stuxnet was the first example of using a computer attack to destroy physical items (it made centrifuges work irregularly in ways that could cause them to break). Some have therefore used Stuxnet as "proof" of the cybersecurity threats out there and the misnamed "cyberwar." I'm not sure that's true. Stuxnet still appears to be a rather unique case in terms of a very, very specific target that had some significant vulnerabilities. We hear lots of worries about cybersecurity impacting physical infrastructure -- and I'm sure that those who wish to do harm would love to bring down power grids and airplanes through some form of a cyber attack. But I'm not convinced that the success of Stuxnet is so easily replicable in other such areas. And I don't see how that automatically justifies effectively tossing out all privacy protections.
Filed Under: cybersecurity, cyberwar, iran, israel, middle east, stuxnet
Reader Comments
Act of War
http://www.zerohedge.com/news/obama-ordered-code-stux
This is "the first presidentially-mandated and condoned act of cyberwarfare, one circumventing the War Powers Act of course."
"It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country's infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives"
"No country's infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before it becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran."
Re:
This is really absurd, if any other country did this they would be labeled state sponsor of terrorism - why not the US? The citizens of the US have to get serious and get rid of the oligarchy that captured their government before this ends very badly for them and the world as a whole ...
Re: Re:
Re: Re: Re:
I remember an analogy an apt friend once made. 2 brothers are given a bar of chocolate. The big brother ate his share of the chocolate whole, while the little one ate his a bit of a time, for whatever reason. Now the big brother, eager for more chocolate, preaches to the little one that eating chocolate is very bad for your health while coercing him to give up his share for "safe keeping".
This blog preaches innovation as a way to handle disruption in the digital age, but only in the narrow sense of the internet. Why can't it also apply in international relations? IMHO it's time for the old "gatekeepers" to go in that area as well.
Re: Re: Re: Re:
Re: Re: Re:
You repeated the below claim 3 times.
Iran was really, really close to producing enough Enriched Uranium 235
Are you just hoping that if you repeat a claim without attribution it will become truth?
Re: Re: You are forgetting some things
Re: Re: Something to remember
Re: Re: Re: Something to remember
Acting out of fear is never the correct course of action. It is the US government's continual and deliberate interference in the affairs of other nations that is a substantial reason for the world's dislike of this country. Had we adopted and practiced an earthly version of the Prime Directive, this would not be the case. And without built-up resentment, other nations would have had less cause to want to do the US harm.
Acts of sabotage are never right, no matter the supposed reason. They are, by their very nature, acts born of fear rather than logic. Rather than attempt to push its agenda upon all other nations as it currently is, the US ought to instead adopt the Prime Directive, recall all military personnel from abroad, and work in peace to ensure a better world for its people.
Dictators rise and fall, it is the way of human nature, and many who are there now are only in the position due to US influence and serve as puppet rulers. If our government truly believes in self-determination, then it needs to withdraw all forces from abroad and let other nations govern themselves without any US influence whatsoever.
It is an unfortunate reality that the worst villains often see themselves as heroes, and that the US in large part suffers from such a mistaken view of things. And it is this government's myopia and hypocrisy which condemns this country in the sight of other nations. Violence and the threat of it should be the last resort, not the first. And tactics such as sabotage should be avoided entirely, unless you wish the US to become a nation of Romulans. Personally, I would prefer the Federation instead.
Re: Re: Re: Something to remember
okay, i have as much proof of that as "wally" does of his assertions... *but*, my speculation fits the facts, while "wally's" does not...
usa = sponsor/originator of state terrorism
therefore, we should drone ourselves out of existence ? ? ?
seems to follow...
art guerrilla
aka ann archy
eof
Generalizing cyberattacks
Physical Security == Ownership
Well, there goes the article's credibility
What about the Siberian pipeline explosion almost three decades ago that's been attributed to a trojan?
Cyber Terrorism
Now here we are again with our pants around our ankles, and the entire world knows now that the United States IS the cyber terrorist. Our government AGAIN goes and attacks another sovereign country, unprovoked.
The rest of the world is right - we're a big playground bully, and nothing more. Our education rots, our healthcare lies in ruins... and we have nothing better to do than code computer viruses and unleash them on people who have nor want anything to do with us, like a pimply-faced kid in his mom's basement.
Well, it's back to telling people I'm Canadian whenever I travel.
Ironically, the phrase "cyber terrorism" is on that government watch list now, isn't it? Great, now I'm a "person of interest" for talking about it. FML. >_
Re:
Re: Re:
In other words, I'm sure AB does realize that.
Re: Re:
Even if it was originally only copied onto just that one single flash drive, who in their right mind would actually believe that flash drive would only ever be plugged into the one computer that was supposed to be infected? Of course it would be plugged into other systems, it's a PORTABLE DRIVE! It's DESIGNED to be used FOR TRANSFERRING FILES!
Anyone who has ever worked around viruses even a little bit knows just how unpredictable they are. There is no such thing as a secure virus. I would expect that anyone capable of grasping the concept of a virus would realize that.
Then again what they claim in a press report isn't necessarily the same as the truth...
One line in that article is SCARY
The implication that almost nothing is safe that has USB ports has not escaped my notice.
Sounds like the FBI applauding that they stop terrorism to the plots they set up in the first place.
Everyone must be taking advice from the same tinfoil-hat loon in the bowels of the Government.
Re:
Disclaimer: well designed does not mean it should have been done.
While it wasn't an attack per se (it was a bug) the destruction done by the Therac 25 is particularly notable because (a) it resulted in the loss of human life and (b) it's become a classic case study -- so much so that I think anyone trying to understand the possibilities of physical attacks initiated by software should make sure the reports/articles about it are part of their background reading.
I'm not disappointed in Israel
I would hate to have to vote for Ron Paul to achieve saner U.S. foreign policy, but I cannot think of one major candidate in the last twenty years who hasn't crapped on the U.S. Constitution in their haste to embrace Israel's thuggish world view.
Yes, many Jews died in WWII death camps, but how many Muslims have to die from IDF attacks before Israel calls it even?
Re: I'm not disappointed in Israel
I'm not playing the religion card here, and I view them as fellow humans. It's my observation, from what little I know about history, that the Israelis' intent is not malevolent, but only to ensure their own safety. However, nearly a thousand years of abuse around the world (WW2 is just an example of a systematic effort) have pushed them over the edge about what is required to ensure safety.
I really hope for peaceful resolution of the problem.
nice job
Re: nice job
Federal fucktards:
"We need vast security, to protect us from strategic level cyberweapons aimed at destroying infrastructure"
joe public: why do you need such a thing?
FF: "well, because we went ahead and released a strategic level cyber weapon against irans infrastructure, which according to OUR OWN definitions (which we didn't release until a year later) is a full out act of war."
" So you see, we know for a fact that there are factions out there looking to do serious damage to america in cyberspace, because they want revenge for what we did to them."
Joe public: wait....so you're saying you already unilaterally declared (covert) cyber war on Iran, released a theater level strategic cyberweapon against their infrastructure, and got caught at it. All without congressional approval, knowledge or oversight one assumes.
Now America desperately needs cyber defense capabilities, to defend against weapons that america so far is the only one using?
1 question, why isn't everyone involved up on charges?
outrage
Re: outrage
/sarc
The article specifically states "None would allow their names to be used because the effort remains highly classified, and parts of it continue to this day. "
While there is no doubt in my mind that a government is capable of programming a virus to do something - that's not being debated here - it does seem strange to me that someone can just pop up a "the US did it!" piece with no real references or citation trail and... yeah, I still would like to see more proof than this.
While it's not exactly news that the Anti-America crowd will just put their blinders on and use this unreferenced, uncited NYT article as an excuse to exclaim "AWWW, you see? I knew it was them all along!", all he really did here was point out functionality of Stuxnet that was already publicly available knowledge. In a truly logical sense the only thing that I see this article really revealing is a boost in sales with his end-of-article book plug.
There's certainly a possibility that the US is responsible, but given the "credible" sources that the NYT writer cited (i.e. none), it's also equally as likely that they're not. While I agree that they are certainly the most likely suspects, I would still severely caution a bit of pragmatism until solid proof arises that isn't just a glorified book plug, despite Ars' writers almost literally parading around exclaiming "CONFIRM! THE US R TERORIST!"
Re:
I don't have a LOT of trust in journalism these days, but protecting anonymous sources is part of the job.
They couldn't use the names in print, but it's highly likely that *someone* at the NYT did their homework on whether the unnamed sources are credible.
If they don't do their homework, the paper is liable for libel. Historically, if a trusted newspaper puts something in print, they DO have the evidence to back it up.
See: Woodward & Bernstein, Washington Post
Re: Re:
It doesn't mean they automatically are, either. And that's my point.
I don't have a LOT of trust in journalism these days, but protecting anonymous sources is part of the job.
I'm not debating that. However, when your entire article is nothing but anonymous sources and a post-article book plug from the author, it warrants a little bit of caution before (to use one example just from the Techdirt comments) going directly into WWII death camp and IDF comparisons.
They couldn't use the names in print, but it's highly likely that *someone* at the NYT did their homework on whether the unnamed sources are credible.
If they don't do their homework, the paper is liable for libel. Historically, if a trusted newspaper puts something in print, they DO have the evidence to back it up.
Yes, however potential penalties are not specifically a guarantee to be a deterrent (e.g. what RIAA/MPAA-related concept does this blog cover primarily?). It didn't stop the Killian documents debacle from happening, for example.
More NYT-specifically, didn't they also falsely report that Gabrielle Giffords had died, at one point? (the melodrama about how it is oh-so-tough to be a timely reporter in that linked piece aside). That being just one example about how the media can get away with posting false news as long as they backpedal before anyone calls/sues them on it.
All I'm saying is, for something that could potentially be big(albeit wholly unsurprising) news, a modicum of composure is not entirely uncalled for.
Re: Re: Re:
Link that should have been posted in regard to the Giffords paragraph.
http://www.nytimes.com/2011/01/16/opinion/16pubed.html
Libel
Re:
And... "Anti-US" or "Anti-Us current regime"? Not D/R power, but all current power brokers, who, obvious to many, are doing a terrible job for the citizens of this country and the world.
Most probably find the idea of America great, just not the reality that is America today. Empire! And if you don't like the direct criticism, what the fuck do you like about the country?
Physical Damages
Second, they have nothing to do with the computer you are currently using to read this comment.
PLCs (Programmable Logic Controllers) are incredibly low-level computers, which are programmed to follow logical circuitry directly. They literally tell a motor to turn on at speed X for Y time.
Because they are used to directly control physical systems, programmers have to be careful if they are to not cause damage. A single logical error can cause the machine to be in a state it is not supposed to enter, and these states are avoided precisely because they are the states wherein a device is damaged.
PLCs have programs loaded onto them from another device. They are not what most think of as a computer. They do not have USB ports. They are not capable of being directly hooked up to the internet. Stuxnet was never on any of the PLCs, they can't support something that complex. It infected the device used to program them and made it serve up a defective program.
I have programmed a PLC before. They are used in almost all assembly lines. They don't have to damage the machines. They could be programmed to make defective products.
There is very little risk of this happening.
Why you shouldn't worry:
Stuxnet being made by the US is about the only reasonable explanation. They have access to a whole bunch of behind the scenes stuff of the people who make PLCs and the security used to protect the programming of them.
If Iran had used their own tech, there would have been no way to hit them.
Which brings me to the true purpose of CISPA:
CISPA is not about your data. CISPA is not about defense. CISPA is about making it easier to make more of these weapons.
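The comment above describes the mechanism in two sentences: a PLC runs whatever program the engineering workstation downloads to it, and one logical error in that program can drive a motor into a state the machine was never meant to enter. The following toy model, an added example that is not part of the Techdirt post or any commenter's text and does not model any real Siemens product or file format, shows the two checks a defender would want around that chain: verifying the program against a known-good hash before the controller accepts it, and an interlock, independent of the loaded program, that rejects any setpoint or ramp rate outside the machine's rated envelope. All names, the envelope numbers and the three sample programs are constructed for the example.

```python
"""Toy PLC program-integrity check plus an envelope interlock (constructed example)."""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Envelope:
    """Rated limits of the driven machine. Constructed values, not real ratings."""
    max_rpm: int
    max_ramp_rpm_per_s: float


@dataclass(frozen=True)
class Step:
    target_rpm: int   # setpoint the program asks for
    ramp_s: int       # seconds the program allows to reach it
    hold_s: int       # seconds to hold it (carried for realism, not checked here)


@dataclass
class Interlock:
    """Envelope check that runs regardless of which program was downloaded."""
    env: Envelope
    rpm: int = 0
    tripped: bool = False
    alarms: list = field(default_factory=list)

    def _trip(self, reason):
        self.tripped = True
        self.alarms.append(reason)
        self.rpm = 0  # safe state: de-energise the drive

    def command(self, step):
        """Apply one program step; returns False and trips if it leaves the envelope."""
        if self.tripped:
            return False
        if not 0 <= step.target_rpm <= self.env.max_rpm:
            self._trip(f"setpoint {step.target_rpm} rpm outside 0..{self.env.max_rpm}")
            return False
        rate = abs(step.target_rpm - self.rpm) / max(step.ramp_s, 1)
        if rate > self.env.max_ramp_rpm_per_s:
            self._trip(f"ramp {rate:.0f} rpm/s exceeds {self.env.max_ramp_rpm_per_s} rpm/s")
            return False
        self.rpm = step.target_rpm
        return True


def parse_program(text):
    """Parse the constructed 'target_rpm,ramp_s,hold_s' line format; '#' starts a comment."""
    steps = []
    for line in text.decode().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        target, ramp, hold = (int(x) for x in line.split(","))
        steps.append(Step(target, ramp, hold))
    return steps


def verify_program(program_bytes, expected_sha256):
    """Reject a download whose hash does not match the commissioned program."""
    return hashlib.sha256(program_bytes).hexdigest() == expected_sha256


def run_program(steps, env):
    """Feed every step through the interlock; stop at the first trip."""
    ilk = Interlock(env)
    for step in steps:
        if not ilk.command(step):
            break
    return ilk


ENVELOPE = Envelope(max_rpm=1200, max_ramp_rpm_per_s=50)

GOOD_PROGRAM = b"""# target_rpm,ramp_s,hold_s (constructed program)
500,10,60
1000,10,600
"""
# In practice this digest would be recorded at commissioning and kept off the
# workstation that performs downloads; computing it here just seeds the example.
KNOWN_GOOD_SHA256 = hashlib.sha256(GOOD_PROGRAM).hexdigest()

# Two constructed bad programs: one asks for more than the rated speed, the
# other stays in range but cycles far faster than the drive is rated for.
OVERSPEED_PROGRAM = b"""500,10,60
1400,10,600
"""
FAST_CYCLE_PROGRAM = b"""1000,20,60
200,2,5
1000,2,5
"""


def main():
    for name, prog in (("good", GOOD_PROGRAM), ("overspeed", OVERSPEED_PROGRAM),
                       ("fast-cycle", FAST_CYCLE_PROGRAM)):
        ok = verify_program(prog, KNOWN_GOOD_SHA256)
        ilk = run_program(parse_program(prog), ENVELOPE)
        print(f"{name:10} hash-ok={ok!s:5} tripped={ilk.tripped!s:5} rpm={ilk.rpm} {ilk.alarms}")


if __name__ == "__main__":
    main()
```

The hash check only helps if the reference digest lives somewhere the compromised workstation cannot rewrite, which is why the interlock is the layer that matters when the program's origin cannot be trusted: it trips the overspeed program on its setpoint and the fast-cycle program on its ramp rate, even though the latter never asks for a speed above the rated maximum.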
Re:
WEAPONS GRADE ENRICHED URANIUM
Before anyone points out "Oh, well they were using Uranium for power plants", try to think of how a Uranium based Nuclear Power Plant operates. They need to be near a source of FRESH water to work otherwise the Sodium typically found in ocean salt water would absorb the vast amount of radiation being pumped into the water and cause a melt down in the cooling units. Furthermore, the Nuclear Power Plants that were built in Iran were nowhere near a viable source of water......they were producing ENRICHED URANIUM AND IF THEY HAD GOTTEN TO A CERTAIN AMOUNT....they would have used it.
"Stuxnet being made by the US is about the only reasonable explanation. They have access to a whole bunch of behind the scenes stuff of the people who make PLCs and the security used to protect the programming of them."
In other words, infect the logic boards (and disrupt them safely) that the PLC's use to follow precision calculations to make Enriched Uranium. That is quite understandable.
"CISPA is not about your data. CISPA is not about defense. CISPA is about making it easier to make more of the these weapons."
CISPA may be designed to make it easier to do what the US has done, but its wording was so ambiguous and broad that it left the door open for people to actually violate our civil liberties here in the US.
Re: WEAPONS GRADE ENRICHED URANIUM
Hard to forget what may very well be what is in someone's overactive imagination.
And, does anyone have 'maps' of Stuxnet infections? I keep seeing a claim that Stuxnet was 'in Japan' and even as far as claiming it had infected the Fukushima plant - but all I get is claims like the one above...unattributed claims.
Re: WEAPONS GRADE ENRICHED URANIUM
Re: Re: WEAPONS GRADE ENRICHED URANIUM
Re: Re: Re: WEAPONS GRADE ENRICHED URANIUM
Re: WEAPONS GRADE ENRICHED URANIUM
Please grow up soon.
Re: Iran
Iran is an immature theocracy now, just like Israel. Iran, however, has centuries of history in their corner that indicates they will not attack their neighbors (Iraq attacked Iran with Reagan's blessings, remember?)
Iran needs to be watched, but the Iranian people will slowly bring sanity back to that nation despite it having some crackpot leaders.
I'm much more concerned about Israel, a nation that keeps moving right, and whose political parties are becoming increasingly hostile to African workers, gays and pretty much everyone who isn't Jewish.
You can call it a tie, but Iran doesn't influence the USA. Israel does.
I'm keeping my eye on Israel if you don't mind.
Re:
Where's the sympathy for Iran? They're not following international law either.
But the ends here do not justify the means. The US has created Stuxnet using quite a few electronic assets at its disposal that it only had thanks to the Government's efforts to get its hooks into every modern company and industry that operates in the US. Stuxnet took advantage of several zero-days and a signed certificate from a trusted certificate source that it may not have had otherwise.
You can talk all you want from one side of your mouth about how Iran deserved it and this is to protect freedom. But you can't talk from the other side about how America needs the trust of these technology companies and requires special backdoors and privileges regarding the information these companies protect while it is pulling stuff like this.
You need to stop being ignorant, read a book, do something to stop being so naive.
The systems and companies that Stuxnet targeted, particularly Microsoft Windows and Siemens computer infrastructure may not have had the same vulnerabilities that it had if the CIA/FBI wasn't pushing for their own private backdoors into the majority of closed-sourced industry applications.
It goes back to being a problem of government agencies putting their nose places where they shouldn't. Which is a good way to summarize the Stuxnet ordeal as a whole.
I can see the headlines now: "YES SO WE HACKED THE COMPUTERS OF A SOVEREIGN NATION BUT WE NEED TO BE ON TOP OF THE CYBER GAME SO WE CAN STAY AHEAD OF ANONYMOUS, WHO BTW WROTE STUXNET ORIGINALLY"
Stuxnet in us!?!
This is not a conspiracy theory stuff. This info just came out after the Boston bomber's wife refused to tell everything to the US authorities.
Microsoft responsibility
I searched a lot to find the video I had watched several years ago, which contained much more knowledge about the role of Microsoft Research in the responsibility for postponing patches for the Stuxnet vulnerabilities, but I couldn't find it. If someone has any idea please contact me at http://remotegun.com