Ralph Langner has posted even more technical data on Stuxnet, breaking down the technical info so it can be more easily understood. For example, “if the return from FC1874 is ‘DEADF007’, original code is skipped”. He also theorizes the target is the Iranian Bushehr nuclear plant.
It is difficult or impossible to know the exact target process of Stuxnet without having access to the attacked process. Here are some facts and conjecture that support the theory that the target was the Iranian Bushehr Nuclear Plant.
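As an added illustration of the check Langner describes (this is not code from the original post or from Langner's analysis), here is a small Python scanner over a constructed STL-style block listing that flags a prologue which calls FC1874, compares the result with DEADF007 and ends the block early so the original code is skipped. The listing, its mnemonics and the block layout are assumptions made for the sample, not a real Stuxnet dump.

```python
# Constructed STL-style listing (assumption, not real Stuxnet code): an
# injected prologue calls FC1874, compares the result with DEADF007 and,
# on a match, ends the block (BEC) so the original logic below never runs.
HIJACKED_BLOCK = """\
      UC    FC  1874          // injected: call the dropped function
      L     DW#16#DEADF007    // injected: magic value
      ==D                     // injected: compare with the call result
      BEC                     // injected: skip everything below on match
      L     MW   10           // original block code starts here
      T     MW   12
"""

# Constructed clean block for comparison.
CLEAN_BLOCK = """\
      L     MW   10
      T     MW   12
      BE
"""

MAGIC = "DEADF007"
INJECTED_FC = "1874"

def parse_stl(text):
    """Return (opcode, operand) tuples, dropping comments and blank lines."""
    instrs = []
    for line in text.splitlines():
        code = line.split("//", 1)[0].strip()
        if not code:
            continue
        parts = code.split(None, 1)
        operand = parts[1].replace(" ", "") if len(parts) > 1 else ""
        instrs.append((parts[0].upper(), operand))
    return instrs

def find_hijack_prologue(text, window=6):
    """Look at the first `window` instructions of a block for the pattern
    call FC1874 -> load DEADF007 -> compare -> conditional block end.
    Returns the index of the BEC that skips the original code, or None."""
    saw_call = saw_magic = saw_cmp = False
    for i, (op, arg) in enumerate(parse_stl(text)[:window]):
        if op in ("CALL", "UC", "CC") and arg == "FC" + INJECTED_FC:
            saw_call = True
        elif saw_call and op == "L" and arg.upper().endswith(MAGIC):
            saw_magic = True
        elif saw_magic and op == "==D":
            saw_cmp = True
        elif saw_cmp and op == "BEC":
            return i
    return None
```

Running the scanner over an export of every block on a controller, rather than one block, is the realistic use: the hijacked sample returns index 3, the clean one None.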
Consider the following:
- The largest number of infected systems, almost 60%, were in Iran (data from Symantec). What control system in Iran are many organizations with sophisticated cyber warfare capabilities interested in stopping from going into production? The Bushehr Nuclear Plant.
- The Bushehr plant has been delayed from its scheduled August commissioning due to “severe hot weather”. Temperatures have been at their historical averages.
- The Bushehr plant was originally being built by a division of Siemens. Siemens withdrew from the project in 1979. I do not know if Siemens PLCs are used in the plant; if they are not using the S7 or similar technology it would negate the whole theory. Confirmation anyone?
- So how or why did Stuxnet spread beyond the target? One way would be for the attack to have been initiated from the vendor finishing the plant, the Russian firm Atomstroyexport. If you have seen a plant or any other control system being commissioned you know that making it work is priority 1, 2, 3, … not cyber security and scanning USB sticks.
Atomstroyexport also happens to have a current project in India where 8% of the infections occurred. Their site does not show a project in Indonesia where 18% of the infections took place.
- Israel is one of the countries with an interest in stopping Bushehr, and known for their cyber security skills, including offensive skills. Here is one of many articles talking about this, and coincidentally it even discusses an attack on the Iranian nuclear systems via a USB key. Scott Borg may have been prescient.
- I’m surprised at how often project names for secret projects have some relation to the project. This is really for you conspiracy theorists, but read the Book of Esther in the bible where Esther informs the King of a plot against the Jews. The King then allows the Jews to defend themselves, kill their enemies, … Esther was born as Hadassah, which means Myrtle. According to Symantec, “While we don’t know who the attackers are yet, they did leave a clue. The project string b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb appears in one of their drivers.” Myrtus is Myrtle. Yes this is a stretch, and of course even if this naming meant something it could be a feint to draw suspicion away from the actual attacker.
- The Microsoft 0days, stolen certificates, knowledge of Siemens S7 and of the process being attacked indicate a highly motivated and highly skilled attacker. The attacker also did not want to affect other processes, as if they expected this could or would spread beyond their target. They only wanted to affect one facility, perhaps one power plant, not multiple nuclear plants or anyone with an S7 PLC.
As a side note, this was probably not an insider attack at the process site. There would have been no reason to develop this elaborate delivery mechanism if inside access was available.
As I mentioned in the beginning, this is just a theory. Definitely check out the additional technical details provided by Langner Communication.
Hans, this is going to buy you a beer in DC next week, should you be there.
What a truly interesting case this malware is. In my opinion Stuxnet is a progenitor for other malware, which no longer targets the computer to harass users, steal something off the hard drive or DDoS the living daylights out of a website to blackmail the owner. No, next in line as precious targets is hardware /connected/ to the infected machine.
While reading up on the injected Step7 code on Langner’s site it occurred to me that if this thing targets the right kind of factory, then huge batches of production could be affected invisibly for days or weeks or even months until somebody notices. One could envision huge financial damages or bankruptcy, affecting the stock price of this company if it is publicly traded.
Case in point and to expand on http://www.symantec.com/connect/blogs/hackers-behind-stuxnet, shorting one or more company stocks when news about faulty product batches is about to break can incur millions and millions of dollars in profits in just a few days easily.
Looking forward to more news in the Stuxnet thriller. ;)
[...] across the different countries is highly interesting and leaves room for speculation.[5][6] The payload observed so far is worrying; the infected computer is, according to [...]
The plant is (or at least it was in 2009) running WinCC.
http://www.upi.com/News_Photos/Features/Nuclear_Power_Plant_in_Iran/1581/2/
[...] Peterson believes that Bushehr was possibly the target. "If I had to guess what it was, yes that’s a logical target," he said. "But that’s just speculation." [...]
Hello everybody,
I don’t think that 024=Bushehr means the power plant. If you look at the other project keys, all are companies which work with cement (Holcim, Dyckerhoff, Heidelberger Zement, Vigier, Caima). In Bushehr there is also a Sarooj Bushehr Cement. It would merge better with the others.
http://www.google.com/search?q=Sarooj+Bushehr+Cement&ie=utf-8&oe=utf-8
best regards
The German journalist (and well known member of the CCC) Frank Rieger has published an interesting and very well investigated article in the German newspaper Frankfurter Allgemeine Zeitung (FAZ). His theory is that the Stuxnet target is not the control systems at the Bushehr power plant but the enrichment centrifuges at Natanz, Iran.
He has some interesting facts that support the theory, e.g. that the payload seems to target many identical PLCs in parallel, an environment which you wouldn’t expect at a power plant, but which might be found at a centrifuge farm.
Here is an English summary on his blog:
http://frank.geekheim.de/?p=1189
The original article in the FAZ can be found here (German only):
http://www.faz.net/s/RubCEB3712D41B64C3094E31BDC1446D18E/Doc~E8A0D43832567452FBDEE07AF579E893C~ATpl~Ecommon~Scontent.html
Another data point,
JMicron and Realtek (the owners of the stolen certificates) are both based in Hsinchu, Taiwan.
Interestingly the Taiwanese and Israeli governments have a joint technology research grant program. It is run out of an office in Hsinchu, Taiwan.
The link to their call for funding requests is here (unfortunately it is in a Word Document)
http://www.matimop.org.il/images/Files/229/Taiwan%20Israel%20CFP%20-%20Cloud%20computing%20and%20Green%20energy-r%20revised%20dates.doc
The whole idea of Stuxnet is a message to Iran: please stop your nuclear operation or you may blow yourselves up.
The Bushehr plant itself doesn’t present a threat to Israel. It cannot produce weapon grade U or Pu in reasonable quantities. Most likely it was used just as a staging area to infect Natanz and/or other unknown locations. Another point is that there is little chance that Bushehr, which was delayed for decades, would use the same automation as the relatively new Natanz.
This attack is an ultimate failure since neither project was significantly affected, while valuable cybertechnology was given away.