Originally Posted by contracycle
All I'm pointing out is that this kind of thing has ramifications that go well beyond the purely military, state-vs-state, framework.
Indeed. Given our reliance on programmed systems, the idea of someone messing with infrastructure ought to be very, very scary indeed.
Here's a bit more info on this stuff:
The Dawn of the Super Cyber Weapon
(Chris Wood filling in for David Galland)
Dear Reader,
About a month ago, in this missive we talked about a new war that is being waged across the globe – a war that’s not fought with guns on the ground but with computer code in cyberspace. Well, thanks to a newly discovered, hyper-sophisticated piece of malware known as the Stuxnet worm, this war just got a whole lot more intense and a whole lot more scary. Although the study of Stuxnet is ongoing, more and more cyber-security experts throughout the world are coming to the conclusion that the worm represents something entirely new: “a cyber weapon created to cross from the digital realm to the physical world – to destroy something.”
When Stuxnet was discovered in June, cyber-security experts could tell immediately that the worm must have been created by an extremely well-funded and probably government-backed group due to its sophistication and complexity. It was also immediately apparent that this was the first malware known to seek out and infiltrate industrial control systems of real-world targets like factories and power plants. What wasn’t known at the time was who created it and what the motive was behind it. Was Stuxnet intended to steal proprietary industrial data, or something more sinister?
By August the answer became apparent. Not only could Stuxnet infiltrate industrial control systems and steal data, it was able to take control of the systems it had infected and reprogram them to sabotage operations without being detected by the monitoring systems.
Here’s a slightly technical explanation of what Stuxnet does from Symantec (published on August 6, 2010):
As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.
Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.
… By writing code to the PLC, Stuxnet can potentially control or alter how the system operates.
As September rolled around, what was known about the Stuxnet worm can be summed up by the following quote:
“It is not speculation that this is the first directed cyber-weapon,” or one aimed at a specific real-world process, said Joe Weiss, a U.S. expert who has testified to Congress on technological security threats to the electric grid and other physical operations. “The only speculation is what it is being used against, and by whom.”
But now, after months of study, the purpose of the Stuxnet worm may be coming to light.
German security researcher Ralph Langner has developed a well-supported and rather shocking theory – the Stuxnet worm is targeted at a single location, which it seeks to sabotage or destroy. At a closed-door conference last week in Maryland, Langner said Stuxnet might be targeting not a sector but perhaps only one plant, and he speculated that it could be a controversial nuclear facility in Iran.
Langner stumbled onto the idea that the Stuxnet worm could be a weapon targeted at a single facility by noticing that the worm lies dormant in most of the systems it infects. After more research, he concluded that the worm is basically “fingerprinting” the systems it infiltrates and looking for very specific traits, remaining dormant if it doesn’t find them. All of this suggests Stuxnet is indeed a specifically targeted weapon.
Furthermore, based on the forensic analysis being conducted, Langner assumed that this targeted attack had already taken place and was successful; i.e., that the Stuxnet worm had already fulfilled its singular purpose. So, he said, “let’s check where something blew up recently.”
Here’s Langner’s theory in his own words:
It is hard to ignore the fact that the highest number of infections seems to be in Iran. Can we think of any reasonable target that would match the scenario? Yes, we can. Look at the Iranian nuclear program. Strange -- they are presently having some technical difficulties down there in Bushehr. There also seem to be indications that the people in Bushehr don't seem to be overly concerned about cyber security. When I saw this screenshot last year (http://www.upi.com/News_Photos/Featu...n-Iran/1581/2/), I thought, these guys seem to be begging to be attacked. If the picture is authentic, which I have no means of verifying, it suggests that approximately one and a half years before scheduled going operational of a nuke plant they're playing around with software that is not properly licensed and configured. I have never seen anything like that even in the smallest cookie plant. The pure fact that the relevant authorities did not seem to make efforts to get this off the web suggests to me that they don't understand (and therefore don't worry about) the deeper message that this tells.
Now you may ask, what about the many other infections in India, Indonesia, Pakistan etc. Strange for such a directed attack. Then, on the other hand, probably not. Check who commissions the Bushehr plant. It's a Russian integrator that also has business in some of the countries where we see high infection rates. What we also see is that this company, too, doesn't seem to be overly concerned about IT security. As I am writing this, they're having a compromised web site (http://www.atomstroyexport.com/index-e.htm) that tries to download stuff from a malware site that had been shut down more than two years ago (www.bubamubaches.info). So we're talking about a company in nukes that seems to be running a compromised web presence for over two years? Strange.
I could give some other hints that have a smell for me, but I think other researchers may be able to do a much better job on checking the validity of all this completely non-technical stuff. The one last bit of information that makes some sense for me is the clue that the attackers left in the code, as the fellows from Symantec pointed out -- use your own imagination because you will think I'm completely nuts when I tell you my idea.
Welcome to cyberwar.
So while Langner is admittedly reticent about his theory, it is a possibility. And if that’s the case, security experts speculate that the worm originated in the U.S. or Israel. But we might not know for some time.
Regardless of specific theories, Stuxnet represents a new breed of threat to all nations’ industrial infrastructure – a guided cyber-missile capable of the same level of destruction as a conventional physical warhead.
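As an added illustration (not code from the newsletter, Symantec or Langner), the Python below models the defensive consequence of the Symantec description quoted above: a block listing obtained through the programming software on a possibly infected workstation cannot be trusted, so block hashes read out of band from the PLC are compared against a commissioning baseline. Block names, contents and the simulated rootkit behaviour are constructed for the example.

```python
import hashlib

# Constructed sample PLC program: block name -> block code (placeholder bytes, not real PLC bytecode).
CLEAN_PLC = {
    "OB1": b"main cycle: read sensors; run FC1; write outputs",
    "FC1": b"FC1: scale analog input 4..20mA",
    "DB1": b"DB1: setpoints",
}

# Constructed post-infection state: OB1 patched to call an injected block, and the block added.
INFECTED_PLC = dict(CLEAN_PLC)
INFECTED_PLC["OB1"] = b"main cycle: read sensors; run FC1; call FC_X; write outputs"
INFECTED_PLC["FC_X"] = b"FC_X: injected logic"


def block_hash(code: bytes) -> str:
    return hashlib.sha256(code).hexdigest()


def baseline(plc: dict) -> dict:
    """Hashes taken from a known-good PLC at commissioning, stored away from the workstation."""
    return {name: block_hash(code) for name, code in plc.items()}


def workstation_listing(actual: dict, hidden: set, shadow: dict) -> dict:
    """Simulates what rootkited programming software shows the engineer: injected blocks
    are filtered out, and patched blocks are shown with their original (shadow) content."""
    return {name: shadow.get(name, code) for name, code in actual.items() if name not in hidden}


def audit(base: dict, listing: dict, direct: dict) -> list:
    """Cross-check the workstation listing and the baseline against `direct`, an out-of-band
    read of the running PLC (the only view not mediated by the possibly compromised host)."""
    findings = []
    for name, code in direct.items():
        h = block_hash(code)
        if name not in listing:
            findings.append((name, "present on PLC but not in workstation listing"))
        elif block_hash(listing[name]) != h:
            findings.append((name, "workstation shows different content than PLC"))
        if name not in base:
            findings.append((name, "not in commissioning baseline"))
        elif base[name] != h:
            findings.append((name, "modified since baseline"))
    for name in base:
        if name not in direct:
            findings.append((name, "in baseline but missing from PLC"))
    return sorted(findings)


def run_demo() -> list:
    base = baseline(CLEAN_PLC)
    listing = workstation_listing(INFECTED_PLC, hidden={"FC_X"}, shadow={"OB1": CLEAN_PLC["OB1"]})
    return audit(base, listing, INFECTED_PLC)
```

The listing alone looks identical to the clean program; only the independent read plus the stored baseline exposes both the hidden block and the patched cycle block.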