Saturday, September 25, 2010

Israel has Attacked Iran?

There is a lot of bad blood between Israel and Iran. Iran's President has publicly stated on many occasions that he sees Israel as a Zionist state with no right to exist. With Iran busy building nuclear bombs and upgrading its existing missiles to deliver the bombs to Israel, it looks like Israel has taken the first discreet step in a war against Iran:



There is a bit more information about the Stuxnet worm on the Wikipedia site.

Update 2010sep26: Here is a bit from a NY Times article:
Given the sophistication of the worm and its aim at specific industrial systems, many experts believe it is most probably the work of a state, rather than independent hackers. The worm is able to attack computers that are disconnected from the Internet, usually to protect them; in those cases an infected USB drive is plugged into a computer. The worm can then spread itself within a computer network, and possibly to other networks.

The semiofficial Mehr news agency in Iran on Saturday quoted Reza Taghipour, a top official of the Ministry of Communications and Information Technology, as saying that “the effect and damage of this spy worm in government systems is not serious” and that it had been “more or less” halted.

But another Iranian official, Mahmud Liai of the Ministry of Industry and Mines, was quoted as saying that 30,000 computers had been affected, and that the worm was “part of the electronic warfare against Iran.”

...

But the Iranians have reason to suspect they are high on the target list: in the past, they have found evidence of sabotage of imported equipment, notably power supplies to run the centrifuges that are used to enrich uranium at Natanz. The New York Times reported in 2009 that President George W. Bush had authorized new efforts, including some that were experimental, to undermine electrical systems, computer systems and other networks that serve Iran’s nuclear program, according to current and former American officials.

The program is among the most secret in the United States government, and it has been accelerated since President Obama took office, according to some American officials. Iran’s enrichment program has run into considerable technical difficulties in the past year, but it is not clear whether that is because of the effects of sanctions against the country, poor design for its centrifuges, which it obtained from Pakistan, or sabotage.

“It is easy to look at what we know about Stuxnet and jump to the conclusion that it is of American origin and Iran is the target, but there is no proof of that,” said James Lewis, a senior fellow at the Center for Strategic and International Studies in Washington and one of the country’s leading experts on cyberwar intelligence. “We may not know the real answer for some time.”

Based on what he knows of Stuxnet, Mr. Lewis said, the United States is “one of four or five places that could have done it — the Israelis, the British and the Americans are the prime suspects, then the French and Germans, and you can’t rule out the Russians and the Chinese.”
Here is one tech specialist's opinion about this computer worm:
Many aspects of Stuxnet are so completely different from malware as we know it that it's only natural that so many hard-working experts at some point in the analysis ended in frustration. The best way to approach Stuxnet is not to think of it as a piece of malware like Sasser or Zotob, but to think of it as part of an operation -- operation myrtus. Operation myrtus can be broken down into three major stages: Preparation, infiltration, and execution.

Stage 1, preparation:
- Assemble team, consisting of multiple units (intel, covert ops, exploit writers, process engineers, control system engineers, product specialists, military liaison)
- Assemble development & test lab, including process model
- Do intel on target specifics, including identification of key people for initial infiltration
- Steal digital certificates

Stage 2, infiltration:
- Initial infiltration using USB sticks, perhaps using contractor's compromised web presence
- Weapon spreads locally via USB stick sharing, shared folders, printer spoolers
- Contact to command & control servers for updates, and for evidence of compromise
- Update local peers by using embedded peer-to-peer networking
- Shut down CC servers

Stage 3, execution:
- Check controller configuration
- Identify individual target controllers
- Load rogue ladder logic
- Hide rogue ladder logic from control system engineers
- Check PROCESS condition
- Activate attack sequence

What this shows is that the 0day exploits were only of temporary use during the infiltration stage. Quite a luxury for such sophisticated exploits! After the weapon was in place, the main attack is executed on the controllers. At that point, where the rogue ladder logic is executed, it's all solid, reliable engineering -- attack engineering.
Update 2010dec25: Here is some interesting info about this attack from Tom Ricks' The Best Defense blog:
By Jay Holcomb
Best Defense infowar columnist

I believe this event should be looked at from a much wider view … the Stuxnet worm (threat vector) certainly should be considered a "game changer" … the folks who are conducting the forensics analysis have been somewhat successful in gaining high level public/government attention to this issue.

While most folks seem to unofficially agree this worm likely targeted Iranian facilities -- if we look wider -- this "attack" … or perhaps a better classification "sabotage" … contains so many complex cyber elements combined into one package that it is absolutely fascinating. I do not believe it is hyperbole to say the Stuxnet worm is "revolutionary" in terms of what we should be expecting to see in future high quality cyber threat vectors.

For example, a few of the well publicized items used by the Stuxnet worm include:

- At least four zero-day vulnerabilities were used. Remember, these were classified as "zero-days" once we found out about them back in June/July -- which means the folks that discovered the vulnerabilities could have been using them/testing them for 12-24 months(?) before we even knew they existed. Discovering a single previously unknown vulnerability and using it successfully against a target is impressive!

- Used "legitimate certificates stolen from two certificate authorities" to digitally sign Stuxnet code to be installed on target machines -- this was needed to prevent Microsoft Windows from alerting the computer user that a suspicious file is trying to install on the computer. This is huge! Imagine if someone was able to steal a genuine SSL/TLS certificate for YOUR online bank from VeriSign or Entrust and set up a web site that was an exact clone of YOUR online bank. If you accessed the cloned web site -- your web browser would NOT alert you to any problems with the fake web site because the site uses a valid certificate -- the entire Internet online commerce model is based on this "trust" of Certificate Authorities.
  Sound unrealistic … how about this … anyone else remember 10 years ago when VeriSign issued two Microsoft certificates to someone posing as a Microsoft employee? Imagine what they could have done with those certificates … perhaps create their own "special" Microsoft Windows patch … how many folks would download and install? We often trust major companies and our systems will trust the process if the source file is using a "trusted" Certificate Authority (VeriSign for example) security certificate to sign the files! To further highlight this issue … to this day the only two "Untrusted Publishers" certificates installed in our Internet Explorer browsers are for Microsoft from VeriSign!

- Numerous propagation methods -- USB drives, network shares, other peer-to-peer methods, etc. Interesting to see the Conficker vulnerability (MS08-067) was one of the Stuxnet propagation options. Which type/version/patch level of Windows the worm is residing on determines which propagation method it will use. (Amazing)

- Command and Control options -- via Internet or peer-to-peer if Internet access is no longer available.

- Very specific configuration of the target environment is needed to activate the Stuxnet payload (manufacturer, specific product type, and unique product configuration are examples) … the intelligence and reconnaissance needed of the target must have been incredible.

- The goal does not seem to have been destruction -- rather interruption/delay. The payload modified the speed of very specific high speed motors and at seemingly random intervals. How many people knew weapons-grade uranium enrichment requires long periods of constant high speed motor action?

These examples do not include the many other specific SCADA asset features the worm is targeting to validate prior to payload release/action -- amazing!

With the complexity of this cyber "event" it should change how we view future potential threat vectors -- from both the government (at varying levels and organizations) and civilian perspective. The possibility of this type of complex/specifically targeted cyber threat has now been proven in the wild. It is only a matter of time before we identify a similar event has occurred or is occurring right now.

The potential targets are only limited by our imaginations. I would expect both Nation States and common Cyber Criminals have been analyzing the same materials we are and developing new ingenious complex threat vectors into critical infrastructure, defense assets (government and civilian), financial environments, technology resources, and numerous other industries depending on the target niche market.

The goal would not have to be "global domination" or "nation destruction" -- in fact, I would propose the most dangerous outcome of this event will be the smaller -- highly sophisticated/complex -- threats that are successful but stay under the radar. They launch, are successful, and either destroy themselves or are jettisoned as expendable. (From both Nation States and common Cyber Criminals)

One interesting "pie in the sky" future item -- will Cyber Criminals be able to pull together a team of experts similar to the Stuxnet team (Cyber Mercenaries … a field that we can assume is growing quickly!) to create the civilian Stuxnet equivalent -- perhaps for historic financial gain or nearly any other historic event. Sounds like a Hollywood movie doesn't it … I assume everyone has seen "Live Free or Die Hard"…

Finally, here are some additional background resources and great reading if interested:

http://www.wired.com/threatlevel/2010/11/stuxnet-clues/
http://www.wired.com/threatlevel/2010/09/stuxnet/
http://www.symantec.com/business/theme.jsp?themeid=stuxnet
http://www.tofinosecurity.com/blog/stuxnet-mitigation-matrix

Jay Holcomb is an assistant professor in the cyber/information assurance department of the National Defense University.
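The column's point about stolen code-signing certificates, as an added example that is not from the post or its author: a simplified model of a publisher trust decision in which a stolen but validly issued certificate passes the chain check, so only an explicit distrust entry (the "Untrusted Publishers" store the column mentions) or a revocation by the issuer stops it. Cryptographic verification of the signatures is assumed to have already succeeded; the certificate names, keys and thumbprints are constructed placeholders, not real Stuxnet or VeriSign values.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Simplified certificate record (constructed; not a real X.509 parser)."""
    subject: str
    issuer: str
    public_key: bytes  # constructed stand-in for the encoded key

    @property
    def thumbprint(self) -> str:
        # Windows certificate stores identify entries by the SHA-1 thumbprint of
        # the encoded certificate; here we hash the fields this model carries.
        data = f"{self.subject}|{self.issuer}|".encode() + self.public_key
        return hashlib.sha1(data).hexdigest()


def chain_to_trusted_root(chain, trusted_roots):
    """chain is leaf-first; each issuer must be the next certificate's subject."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].thumbprint in trusted_roots


def publisher_decision(chain, trusted_roots, untrusted_publishers, revoked):
    """Return (allowed, reason). Distrust and revocation are consulted before the
    chain check, because a stolen certificate still chains to a trusted root."""
    for cert in chain:
        if cert.thumbprint in untrusted_publishers:
            return False, f"explicitly distrusted: {cert.subject}"
        if cert.thumbprint in revoked:
            return False, f"revoked by issuer: {cert.subject}"
    if not chain_to_trusted_root(chain, trusted_roots):
        return False, "chain does not end at a trusted root"
    return True, "valid chain to trusted root"


# Constructed sample data: a CA root and a vendor certificate it issued.
ROOT = Cert("Example CA Root", "Example CA Root", b"root-key")
VENDOR = Cert("Example Hardware Vendor", "Example CA Root", b"vendor-key")
TRUSTED_ROOTS = {ROOT.thumbprint}


def demo():
    """Before the theft is known the signed file is accepted; afterwards the
    chain still passes, and only a distrust entry or a revocation blocks it."""
    chain = [VENDOR, ROOT]
    before = publisher_decision(chain, TRUSTED_ROOTS, set(), set())
    distrusted = publisher_decision(chain, TRUSTED_ROOTS, {VENDOR.thumbprint}, set())
    revoked = publisher_decision(chain, TRUSTED_ROOTS, set(), {VENDOR.thumbprint})
    return before, distrusted, revoked
```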

2 comments:

Unknown said...

It sounds like an amazing program that took a lot of work and money. Iran should have used another OS (Mac?), and they would not have this problem. I am amazed at the idea that nations can be attacked and even crippled by a computer program or virus.

RYviewpoint said...

Thomas: The only really secure systems are ones disconnected from the Internet and run by non-commercial operating systems. The US military tries to run all its computers on a completely separate "proprietary" network. It runs its nuclear system on an even more constricted and secure system. But ultimately, everything can be attacked. In this case they slipped the worm via Siemens hardware delivered to Iran.

Even if Iran disconnected from the Internet (which I would bet its military and nuclear computers are), you can slip this stuff in if, like Iran, you take shipments from abroad. And even if you don't take shipments from abroad, every country is constantly probing. Israel probably has several nuclear scientists in Iran already signed up to slip destructive software inside the system.

At the place where I worked, the stuff done for the US military was done "inside the vault", i.e. you were not allowed to bring anything inside and you couldn't take anything outside and the door was specially monitored & secure. But ultimately people can't check everything, so you can slip a memory card in or out if you are willing to run the risk (death in the case of Iran, for you and your extended family). But there are many scientists in Iran, especially ones with backgrounds where relatives were in the Tudeh party and were liquidated by Khomeini's fanatics. Or the scientists have relatives that belong to minority religions like the Bahai or the Zoroastrians which have been suppressed and persecuted by the dominant Shias. The Mossad can recruit among these groups to find somebody willing to take the risk of slipping something in to destroy Iran's most precious military industrial centres. Israel is fairly well placed to do this because up until 1948 there was a large Jewish community in Iran and a significant remnant remained even up to the Islamic revolution.

It is an ugly world out there. Lots of vicious people. Even Canada has some morally corrupt and vicious people deep inside the government/military that I wouldn't trust farther than I can spit. These are people who would kill their own mother if they thought it would bring them money or advance their fanatical ideas.

You may not be aware that the Citizen Lab at the University of Toronto broke the story about China's military attacking computers around the world. Read the details of GhostNet.