UMBC ebiquity
cyberdefense

Is Stuxnet a cyber weapon aimed at an Iranian nuclear site?

September 23rd, 2010, by Tim Finin, posted in cybersecurity, Security

There have been reports over the past weeks about Stuxnet, a new malware system that experts say is designed to seek out and damage certain kinds kind of industrial sites. Some argue that it has already hit and damaged its target.

The Christian Science Monitor published a good overview earlier this week.

“Cyber security experts say they have identified the world’s first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.

The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose have grown. Some top cyber security experts now say Stuxnet’s arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.

At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran’s Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat.”

The computer security company Symantec has been tracking it for a while and reported back in August that Stuxnet differs from typical Windows oriented in that it is designed to infect the Programmable Logic Controllers used in industrial control systems.

“As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.

Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.”

Symantec’s analysis of where Stuxnet has been found supports the theory that it was intended for targets in Iran, as the following map illustrates.

Security expert Frank Rieger writes that Stuxnet is exceptionally well designed and written and starts out on infected USB sticks.

“stuxnet is a so far not seen publicly class of nation-state weapons-grade attack software. It is using four different zero-day exploits, two stolen certificates to get proper insertion into the operating system and a really clever multi-stage propagation mechanism, starting with infected USB-sticks, ending with code insertion into Siemens S7 SPS industrial control systems. One of the Zero-Days is a USB-stick exploit named LNK that works seamlessly to infect the computer the stick is put into, regardless of the Windows operating system version – from the fossil Windows 2000 to the most modern and supposedly secure Windows 7.”

Rieger further argues that evidence suggests that Stuxnet is targeted not at Iran’s Bushehr reactor but at the uranium enrichment plant in Natanz and has already achieved success. To support the last conclusion, he sites a note on Wikileaks about a “a serious, recent, nuclear accident at Natanz” in July 2010.

Are Russian users particiating in cyberattacks on Georgia?

August 13th, 2008, by Tim Finin, posted in GENERAL, Social media

Updated below.

In a post about the recent cyberattack of Georgian computers from Russian sites, the shadowserver site asks, “Is it possible the same thing that happened to Estonia is happening to Georgia? To put it quite simply, the answer is yes.” They offer the following as evidence.

“Lots of ICMP traffic and Russian hosts sounds a lot more like users firing off the ‘ping’ command and a lot less like some evil government controlled botnet. It did not take us long to find out what is going on. Much like in the attacks against Estonia, several Russian blogs, forums, and websites are spreading a Microsoft Windows batch script that is designed to attack Georgian websites. Basically people are taking matters into their own hands and asking others to join in by continually sending ICMP traffic via the ‘ping’ command to several Georgian websites, of which the vast majority are government.

The following text is a redacted version of the script being posted:

We have removed the actual commands and parameters of the script to avoid being a distribution point for it. However, you can see the raw list of targets that are being spread across the websites. This script has been posted on several websites and is even being hosted as “war.rar” which contains “war.bat” within it on one site. It would appear that these cyber attacks have certainly moved into the hands of the average computer using citizen.”

Their conclusion is that ordinary users are now participating in the continuing attacks on Georgian websites.

Update I (8/13): Ars Technica has a post, , that quotes experts who questions the idea that the Russian government was ever involved with the DDOS attacks.

“According to Gadi Evron, former Chief information security officer (CISO) for the Israeli government’s ISP, there’s compelling historical evidence to suggest that the Russian military is not involved. He confirms that Georgian websites are under botnet attack, and that yes, these attacks are affecting that country’s infrastructure, but then notes that every politically tense moment over the past ten years has been followed by a spate of online attacks. It was only after Estonia made its well-publicized (and ultimately inaccurate) accusations against Russia that such attacks began to be referred to as cyberwarfare instead of politically motivated hackers.”

Update II (8/14): A Google Blog Search query returns two results for the comment in the script posted by shadowserver. A search against Google’s main index turns up a few more that look like they are intended to share it with people who will use it. And, finally, a search over Google Groups returns no results. It looks like there are only about ten instances on open sites indexed by Google. I was not able to find anything using Technorati. it may be that there are online sites that Google is not indexing that are being used. If the script was widely distributed, it may have been done using mailing lists that are not indexed by google, either because they are marked as private or run by another company, like Yahoo.

Cyberwar between Russia and Georgia preceeded shooting

August 12th, 2008, by Tim Finin, posted in GENERAL

In an article in Wednesday’s New York Times, Before the Gunfire, Cyberattacks, John Markoff describes how the Russia-Georgia conflict broke out on the Internet weeks before the troops engaged.

“Weeks before bombs started falling on Georgia, a security researcher in suburban Massachusetts was watching an attack against the country in cyberspace. Jose Nazario of Arbor Networks in Lexington noticed a stream of data directed at Georgian government sites containing the message: “win+love+in+Rusia.”

Other Internet experts in the United States said the attacks against Georgia’s Internet infrastructure began as early as July 20, with coordinated barrages of millions of requests — known as distributed denial of service, or D.D.O.S., attacks — that overloaded and effectively shut down Georgian servers.

Researchers at Shadowserver, a volunteer group that tracks malicious network activity, reported that the Web site of the Georgian president, Mikheil Saakashvili, had been rendered inoperable for 24 hours by multiple D.D.O.S. attacks. They said the command and control server that directed the attack was based in the United States and had come online several weeks before it began the assault.

As it turns out, the July attack may have been a dress rehearsal for an all-out cyberwar once the shooting started between Georgia and Russia. According to Internet technical experts, it was the first time a known cyberattack had coincided with a shooting war.

But it will likely not be the last, said Bill Woodcock, the research director of the Packet Clearing House, a nonprofit organization that tracks Internet traffic. He said cyberattacks are so inexpensive and easy to mount, with few fingerprints, they will almost certainly remain a feature of modern warfare. “It costs about 4 cents per machine,” Mr. Woodcock said. “You could fund an entire cyberwarfare campaign for the cost of replacing a tank tread, so you would be foolish not to.”

There’s lots more of interest to read in the article.