When first discovered in 2010, the Stuxnet computer worm posed a baffling puzzle. Beyond its sophistication loomed a more troubling mystery: its purpose. Ralph Langner and team helped crack the code that revealed this digital warhead’s final target. In a fascinating look inside cyber-forensics, he explains how — and makes a bold (and, it turns out, correct) guess at its shocking origins.
Ralph Langner’s Stuxnet Deep Dive is the definitive technical presentation on the PLC attack portion of Stuxnet. He did a good job of showing very technical details in a readable and logical presentation that you can follow in the video if you know something about programming and PLCs.
The main purpose of Ralph’s talk was to convince the audience with “100% certainty” that Stuxnet was designed specifically to attack the Natanz facility. He does this at least four different ways, and I have to agree there is no doubt.
Ralph Langner is a German control system security consultant. He has received worldwide recognition for his analysis of the Stuxnet malware.
- Stuxnet worm hits Iranian centrifuges – from mid-2009 to late 2010
- Iran complains facilities hit by Stars malware – April 2011
- Duqu trojan hits Iran’s computer systems – November 2011
- Flame virus targets computers in PCs across the Middle East, including Iran and Israel – June 2012
- Iran says Stuxnet worm returns – December 2012
25 December 2012 15:19 GMT
A power plant and other industries in southern Iran have been targeted by the Stuxnet computer worm, an Iranian civil defence official says.
But the cyber attack has been successfully rebuffed and prevented from spreading, Iranian media report.
Iran’s nuclear enrichment efforts were hit hard in 2010 by the Stuxnet worm, which was also blamed for problems at industrial plants and factories.
Tehran accused Israel and the US of planting the malware.
Provincial civil defence chief Ali Akbar Akhavan said Iranian industry was constantly being targeted by “enemy cyber attacks” and companies in Hormozgan province had recently been infiltrated, the semi-official Isna news agency reported.
“The Bandar Abbas electricity supply company has come under cyber attack,” he told a news conference. “But we were able to prevent its expansion owing to our timely measures and the co-operation of skilled hackers.”
The Bandar Abbas plant, on Iran’s southern coast in the Strait of Hormuz, is said to supply power to neighbouring provinces as well as Hormozgan.
Iran has regularly claimed success in defeating computer viruses, such as Stuxnet and Flame, which have affected its industries.
In April, a malware attack on Iran’s oil ministry and national oil company forced the government to disconnect key oil facilities, including the Kharg Island oil terminal that handles most of Tehran’s exports.
Late last year, Iran said some of its computer systems were infected by the Duqu spyware which was believed to have been designed to steal data to help launch further cyber attacks.
The attacks have affected its energy exports as well as its controversial uranium enrichment programme, which Western countries suspect is aimed at constructing nuclear weapons. Tehran insists it is solely for peaceful purposes.
The U.S. government has continued its covert cyberwar against Iran with a new computer virus called “Flame”, which is designed to sabotage that nation’s computers.
According to an announcement by anti-virus company Symantec Corp, reported in the Washington Post, a component of “Flame” allows operators to delete files from computers, and Israel and the U.S. government have co-operated in creating the virus.
The Flame computer virus is not only capable of espionage but it can also sabotage computer systems and likely was used to attack Iran in April, according to Symantec Corp.
Iran had previously blamed Flame for causing data loss on computers in the country’s main oil export terminal and Oil Ministry. But prior to Symantec’s discovery, cyber experts had only unearthed evidence that proved the mysterious virus was capable of espionage.
Symantec researcher Vikram Thakur said that the company has now identified a component of Flame that allows operators to delete files from computers.
“These guys have the capability to delete everything on the computer,” Thakur said. “This is not something that is theoretical. It is absolutely there.”
Iran complained about the threat of cyber attacks again on Thursday, saying it had detected plans by the United States, Israel and Britain to launch a “massive” strike after the breakdown of talks over Tehran’s nuclear activities.
Thakur’s comments came after, on Thursday, Iran’s intelligence minister accused the United States, Israel, and Britain of planning to launch a cyber attack against Iran following the latest round of nuclear talks in Moscow.
Speaking to the Iranian state run television network Press TV, Iranian Intelligence Minister Heidar Moslehi said: “Based on obtained information, the U.S. and the Zionist regime along with the MI6 planned an operation to launch a massive cyber attack against Iran’s facilities following the meeting between Iran and the P5+1 in Moscow.”
According to Moslehi, the alleged attempt to strike Iran’s nuclear facilities failed because of Iranian countermeasures, adding: “They still seek to carry out the plan, but we have taken necessary measures.”
The top Iranian official’s comments came after Moscow hosted the latest round of P5+1 nuclear talks earlier this week, which ended in apparent breakdown.
According to the Washington Post, the virus was developed in a joint effort involving the National Security Agency, the CIA and Israel’s military.
The emerging details about Flame provide new clues to what is thought to be the first sustained campaign of cyber-sabotage against an adversary of the United States.
Flame came to light last month after Iran detected a series of cyberattacks on its oil industry. The disruption was directed by Israel in a unilateral operation that apparently caught its American partners off guard, according to several U.S. and Western officials who spoke on the condition of anonymity.
There has been speculation that Washington had a role in developing Flame, but the collaboration on the virus between the United States and Israel has not been previously confirmed.
Commercial security researchers reported last week that Flame contained some of the same code as Stuxnet. Experts described the overlap as DNA-like evidence that the two sets of malware were parallel projects run by the same entity.
The virus is among the most sophisticated and subversive pieces of malware to be exposed to date. Experts said the program was designed to replicate across even highly secure networks, then control everyday computer functions to send secrets back to its creators. The code could activate computer microphones and cameras, log keyboard strokes, take screen shots, extract geolocation data from images, and send and receive commands and data through Bluetooth wireless technology.
Flame was designed to do all this while masquerading as a routine Microsoft software update; it evaded detection for several years by using a sophisticated program to crack an encryption algorithm.
“This is not something that most security researchers have the skills or resources to do,” said Tom Parker, chief technology officer for FusionX, a security firm that specializes in simulating state-sponsored cyberattacks. “You’d expect that of only the most advanced cryptomathematicians, such as those working at NSA.”
Flame was developed at least five years ago as part of a classified effort code-named Olympic Games, according to officials familiar with U.S. cyber-operations and experts who have scrutinized its code. The U.S.-Israeli collaboration was intended to slow Iran’s nuclear program, reduce the pressure for a conventional military attack and extend the timetable for diplomacy and sanctions.
The cyber attacks augmented conventional sabotage efforts by both countries, including inserting flawed centrifuge parts and other components into Iran’s nuclear supply chain.
The best-known cyberweapon let loose on Iran was Stuxnet, a name coined by researchers in the antivirus industry who discovered it two years ago.
It infected a specific type of industrial controller at Iran’s uranium-enrichment plant in Natanz, causing almost 1,000 centrifuges to spin out of control. The damage occurred gradually, over months, and Iranian officials initially thought it was the result of incompetence.
The scale of the espionage and sabotage effort “is proportionate to the problem that’s trying to be resolved,” the former intelligence official said, referring to the Iranian nuclear program. Although Stuxnet and Flame infections can be countered, “it doesn’t mean that other tools aren’t in play or performing effectively,” he said.
To develop these tools, the United States relies on two of its elite spy agencies. The NSA, known mainly for its electronic eavesdropping and code-breaking capabilities, has extensive expertise in developing malicious code that can be aimed at U.S. adversaries, including Iran. The CIA lacks the NSA’s sophistication in building malware but is deeply involved in the cyber-campaign.
Despite their collaboration on developing the malicious code, the United States and Israel have not always coordinated their attacks. Israel’s April assaults on Iran’s Oil Ministry and oil-export facilities caused only minor disruptions. The episode led Iran to investigate and ultimately discover Flame.
Some U.S. intelligence officials were dismayed that Israel’s unilateral incursion led to the discovery of the virus, prompting countermeasures.
The disruptions led Iran to ask a Russian security firm and a Hungarian cyber-lab for help, according to U.S. and international officials familiar with the incident.
Last week, researchers with Kaspersky Lab, the Russian security firm, reported their conclusion that Flame — a name they came up with — was created by the same group or groups that built Stuxnet.
“We are now 100 percent sure that the Stuxnet and Flame groups worked together,” said Roel Schouwenberg, a Boston-based senior researcher with Kaspersky Lab.
The firm also determined that the Flame malware predates Stuxnet. “It looks like the Flame platform was used as a kickstarter of sorts to get the Stuxnet project going,” Schouwenberg said.