Ralph Langner has posted even more technical data on Stuxnet, breaking down the technical info so it can be more easily understood. For example, “if the return from FC1874 is ‘DEADF007’, original code is skipped”. He also theorizes the target is the Iranian Bushehr nuclear plant.
It is difficult or impossible to know the exact target process of Stuxnet without having access to the attacked process. Here are some facts and conjecture that support the theory that the target was the Iranian Bushehr Nuclear Plant.
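The FC1874 / DEADF007 detail quoted above is the kind of indicator an asset owner can look for in their own PLC programs. The following is an added example, not code from the original post or from Langner Communications: a small Python scanner that walks an exported Step 7 STL source listing block by block and flags any block that calls an FC number of interest or contains the magic constant. The STL listing is constructed and simplified for illustration (it is not real Stuxnet code), and the block names and helper functions are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed, simplified STL listing (not from the page, not real malware code).
# It mimics the shape described in the post: an organization block whose original
# body is preceded by a call to an injected FC and skipped when that FC returns
# DEADF007 (BEC = conditional block end in STL).
SAMPLE_LISTING = """\
ORGANIZATION_BLOCK OB 1
BEGIN
      CALL  FC  1874
      L     DW#16#DEADF007
      ==D
      BEC
      // original OB1 user code follows
      CALL  FC  100
END_ORGANIZATION_BLOCK
FUNCTION FC 100 : VOID
BEGIN
      L     MW  10
      T     MW  12
END_FUNCTION
"""

# Constructed listing with nothing suspicious, used to show the clean case.
CLEAN_LISTING = """\
ORGANIZATION_BLOCK OB 1
BEGIN
      CALL  FC  100
END_ORGANIZATION_BLOCK
"""

MAGIC_CONSTANT = "DEADF007"   # from the page (Langner's description)
HOOK_FC_NUMBER = "1874"       # from the page (Langner's description)

_BLOCK_START = re.compile(
    r"^\s*(ORGANIZATION_BLOCK|FUNCTION_BLOCK|FUNCTION|DATA_BLOCK)\s+(\w+)\s*(\d+)"
)


def split_blocks(listing: str) -> Dict[str, str]:
    """Split an STL source export into {block name: body text}, dropping comments."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in listing.splitlines():
        line = raw.split("//", 1)[0]          # strip trailing STL comments
        m = _BLOCK_START.match(line)
        if m:
            current = f"{m.group(2)} {m.group(3)}"
            blocks[current] = []
        elif line.strip().startswith("END_"):
            current = None
        elif current is not None:
            blocks[current].append(line)
    return {name: "\n".join(body) for name, body in blocks.items()}


def find_hook_indicators(listing: str) -> List[Dict[str, object]]:
    """Return one record per block that references the magic constant or calls
    the hooked FC. This is a heuristic: either value could appear legitimately
    in an unrelated program, so every hit should be compared against the
    engineering workstation's project backup before drawing conclusions."""
    hook_call = re.compile(rf"\bCALL\s+FC\s*{HOOK_FC_NUMBER}\b", re.IGNORECASE)
    findings = []
    for name, body in split_blocks(listing).items():
        has_magic = MAGIC_CONSTANT in body.upper()
        calls_hook = hook_call.search(body) is not None
        if has_magic or calls_hook:
            findings.append({
                "block": name,
                "magic_constant": has_magic,
                "calls_hook_fc": calls_hook,
            })
    return findings


if __name__ == "__main__":
    for hit in find_hook_indicators(SAMPLE_LISTING):
        print(hit)
    print("clean listing hits:", find_hook_indicators(CLEAN_LISTING))
```

Run against the constructed sample it reports `OB 1` with both indicators set and nothing for the clean listing. In practice you would point `find_hook_indicators` at source exported from the offline project on the engineering station and at source uploaded from the running PLC, and treat any difference between the two as the real finding.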
Consider the following:
- The largest number of infected systems, almost 60%, were in Iran, according to data from Symantec. What control system in Iran are many organizations with sophisticated cyber warfare capabilities interested in stopping from going into production? The Bushehr Nuclear Plant.
- The Bushehr plant has been delayed from its scheduled August commissioning due to “severe hot weather”. Temperatures have been at their historical averages.
- The Bushehr plant was originally being built by a division of Siemens. Siemens withdrew from the project in 1979. I do not know if Siemens PLCs are used in the plant; if they are not using the S7 or similar technology it would negate the whole theory. Confirmation, anyone?
- So how or why did Stuxnet spread beyond the target? One way would be for the attack to have been initiated from the vendor finishing the plant, the Russian firm Atomstroyexport. If you have seen a plant or any other control system being commissioned, you know that making it work is priority 1, 2, 3, … not cyber security and scanning USB sticks.
Atomstroyexport also happens to have a current project in India where 8% of the infections occurred. Their site does not show a project in Indonesia where 18% of the infections took place.
- Israel is one of the countries with an interest in stopping Bushehr, and is known for its cyber security skills, including offensive skills. Here is one of many articles talking about this, and coincidentally it even discusses an attack on the Iranian nuclear systems via a USB key. Scott Borg may have been prescient.
- I’m surprised at how often project names for secret projects have some relation to the project. This is really for you conspiracy theorists, but read the Book of Esther in the Bible, where Esther informs the King of a plot against the Jews. The King then allows the Jews to defend themselves, kill their enemies, … Esther was born as Hadassah, which means Myrtle. According to Symantec, “While we don’t know who the attackers are yet, they did leave a clue. The project string b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb appears in one of their drivers.” Myrtus is Myrtle. Yes, this is a stretch, and of course even if this naming meant something it could be a feint to draw suspicion away from the actual attacker.
- The Microsoft 0days, stolen certificates, and knowledge of Siemens S7 and of the process being attacked indicate a highly motivated and highly skilled attacker. The attacker also did not want to affect other processes, as if they expected this could or would spread beyond their target. They only wanted to affect one facility, perhaps one power plant, not multiple nuclear plants or anyone with an S7 PLC.
As a side note – this was probably not an insider attack at the process site. There would have been no reason to develop this elaborate delivery mechanism if inside access was available.
As I mentioned in the beginning, this is just a theory. Definitely check out the additional technical details provided by Langner Communications.