Tuesday, September 28, 2010

The Worm that Ate Bushehr

If the experts are right, Israel has already fired the first shot in a conflict with Iran.

The opening salvo came in the form of a cyber attack against Iranian industrial and nuclear sites, using the Stuxnet worm, described as "the most sophisticated malware ever." As Gregg Keizer of Computerworld reports:

Iranian officials said that Stuxnet had infected at least 30,000 of the country's Windows PCs, including some of the machines at the Bushehr nuclear reactor in southwestern Iran.

The worm, which has been dubbed the world's most sophisticated malware ever, targets Windows PCs that oversee industrial-control systems, called "SCADA" systems, that in turn manage and monitor machinery in power plants, factories, pipelines and military installations.

Previously, researchers had spotted several propagation methods in Stuxnet that ranged from spreading via infected USB flash drives to migrating between machines using multiple unpatched Windows bugs.

Liam O Murchu, manager of operations on Symantec's security response team and one of a handful of researchers who have been analyzing Stuxnet since its public appearance in July, said today he'd found another way that the worm spreads. According to O Murchu, Stuxnet also injects a malicious DLL into every Step 7 project on a compromised PC, ensuring that the worm spreads to other, unaffected PCs whenever an infected Step 7 file is opened.

Step 7 is the Siemens software used to program and configure the German company's industrial control system hardware. When Stuxnet detects Step 7 software, it tries to hijack the program and pass control to outsiders.

While the origin of the worm has not been confirmed, Israel has been pegged as a likely suspect. Israeli defense forces and intelligence services have robust cyber-warfare capabilities, and Stuxnet could prove an excellent tool for crippling key Iranian facilities, including the nuclear power plant at Bushehr, which was recently fueled with Russian assistance.

And, it wouldn't be the first time Israel has used a computer network attack against one of its foes. Just after midnight local time on 6 September 2007, IAF jets destroyed a suspected nuclear facility deep inside Syria. Air defense assets never responded to the Israeli raid, raising suspicions that Syrian radar and missile sites were disabled prior to the air strike with a cyber attack.

While that scenario seems likely, details of the attack still remain sketchy. European sources reported last year that Israeli operatives inserted "kill software" into the Syrian system, and activated it prior to the air raid. Other experts believe the IAF used something similar to the Suter network attack program, originally developed for the U.S. Air Force. The latest versions of Suter allow operators to "see" the same picture as enemy radar operators, take control of those networks and even invade links serving time-critical targets such as SAM batteries and ballistic missile sites.

On a personal note, I had a chance to see early versions of Suter before my retirement. The technology was impressive (even back then), and it has advanced steadily over the past decade. Open-source information indicates that Suter is now used with various electronic combat platforms, including the RC-135, EC-130H (Compass Call) and the F-16CJ. In a 2007 article on the Israeli air strike against Syria, Aviation Week's David Fulgham described how the program works:

The technology allows users to invade communications networks, see what enemy sensors see and even take over as systems administrator so sensors can be manipulated into positions so that approaching aircraft can’t be seen, they say. The process involves locating enemy emitters with great precision and then directing data streams into them that can include false targets and misleading messages algorithms that allow a number of activities including control.

Stuxnet represents another element of the cyber-battle, leveraging existing industrial computer networks to wreak havoc at key facilities. Ironically enough, the Iranians didn't exactly help their cause, if some media outlets are correct. Some accounts suggest that Tehran was using unlicensed copies of Windows 7 to run computers at Bushehr and other complexes, allowing the attackers to take advantage of unpatched security flaws in the software.

The worm that invaded Bushehr (and other sites with SCADA software) is but one of thousands of cyber attacks that occur every day. But Stuxnet takes the game to another level, judging by the sophistication of the malware. Symantec, the computer security giant, says the worm may have been created by a private group, rather than a government entity. But the firm stopped short of saying which group may be responsible for Stuxnet.

It's also worth remembering that defense contractors are responsible for development of cyber attack and defensive systems used by the west. Suter, for example, is a creation of BAE Systems, under the aegis of Big Safari, the Air Force's "rapid procurement" organization that handles upgrades to the RC-135 and EC-130 programs, and a variety of cyber initiatives. Given the resources of Big Safari (and similar programs in other countries), it isn't hard to create state-of-the-art malware, and unleash it on unprepared foes.

But it's not quite time for the architects of Stuxnet to take a victory lap. In the cyber world, what goes around comes around. Versions of this program will be making the rounds for years. It's a safe bet that Iran is working on its own version of the bug, and will attempt to use it to target western systems. The west should (seemingly) have an advantage in this particular battle, but a major infection is always as close as an unauthorized flash drive, or a network lacking the latest security patches.

ADDENDUM: We should also note that 2010 marks the 20th anniversary of one of the first military cyber-attacks. The target was Iraq, and the strike came from the U.S. Prior to the start of Operation Desert Storm, American computer specialists, working with special operations forces, inserted a virus into Saddam's air defense network by tapping into a fiber optic line.

The virus was the creation of a combined team representing the National Security Agency and the Air Intelligence Agency. A former colleague of mine supervised one of the bug's primary creators, an airman who joined the service after his computer firm went belly up. My colleague recalled that the airman had a uniform "that looked like he slept in it," and he had as much military bearing as a ball of twine.

But the two-striper was a self-taught computer genius, particularly adept at invading networks. In fact, his "hobby" was penetrating NSA, then calling his counterparts at the agency to tell them how he did it. When his superiors outlined the Iraqi project, his first response was "How bad do you want me to f--- it up? I can take it down forever, if you want."

In case you're wondering, the airman finished his enlistment and went to work at Fort Meade. At the agency, no one was really worried about what he wore to work, or the shine on his shoes.

fboness said...

I wonder how that "war without boundaries" thing looks to Iran now.

Ed Rasimus said...

The Syrian blackout still remains largely undiscussed in the mainstream. The targeting of this malware certainly indicates some creative thinking by somebody! Sand in the bearings of industry taken to a new level of sophistication.

Destroying Angel said...

One of Clarke's assertions is that we need to stop playing defense and go on the offense. One of my own flights of fancy (okay, I'm a novelist with the beginnings of an idea) is that pursuant to US Constitution Article 1 Section 8 the Congress authorize bonded cyber privateers and make security really profitable (see www.TheMorganDoctrine.com). The idea is still rough, so don't throw out the baby with the bath water, but privateers substantially financed and won the Revolutionary War.