Digital Bond

For Secure & Robust ICS


Langner’s Stuxnet Deep Dive S4 Video

January 31, 2012 by Dale G Peterson 12 Comments

Ralph Langner’s Stuxnet Deep Dive is the definitive technical presentation on the PLC attack portion of Stuxnet. He did a good job of presenting very technical details in a readable and logical way that you can follow in the video if you know something about programming and PLCs.

The main purpose of Ralph’s talk was to convince the audience with “100% certainty” that Stuxnet was designed specifically to attack the Natanz facility. He does this at least four different ways, and I have to agree there is no doubt.

This video represents exactly what we are trying to accomplish at S4. Ralph is speaking in front of a very experienced and knowledgeable ICS security audience, and he doesn’t waste any time on Stuxnet 101. Instead, he dives right into the S7 code and walks the audience through, line by line, some of the most interesting FCs. This level of detail has never been seen before. It likely would bore or be lost on most audiences, but the S4 crowd was spellbound.

Video: http://vimeo.com/35806770

It’s a high-quality video, so expand it to full screen to see the code.

The video shows the level of effort Langner’s team put into analyzing Stuxnet, as their comments are throughout the S7 Stuxnet code. Many in the audience remarked that it was probably much better documented than the Stuxnet authors’ version.

I’m tempted to try to excerpt the most interesting points of the presentation, but if you want to know about Stuxnet’s PLC code you should just watch it.

Can’t resist; I found

  • the encryption routine in the wrapper with a hard-coded key
  • the mysterious DB 8061
  • all of the Natanz numerology
  • the strike condition
  • FC 6065 manipulating outputs, FC 6079 replaying recorded data
  • design flaws, not vulnerabilities: “this is how the pros do it”
  • zero chance of Stuxnet working without a test facility

and much more fascinating even after a second viewing.

Filed Under: S4, Siemens, Stuxnet Tagged With: PLC Hacking, Ralph Langner, S4, Stuxnet

Comments

  1. Sihoko says

    February 2, 2012 at 07:05

    Thx for posting the video. Very interesting and convincing, so now the target is more or less confirmed… But from a forensic aspect it would be nice to confirm who is behind the attack.

  2. Frank Ch. Eigler says

    February 23, 2012 at 16:45

    The 100% certainty seems to assume that coincidence of certain numbers is unique to Natanz. Is there some evidence that other UF6 enrichment installations use strictly different parameters?

  3. Mike Mischke says

    February 23, 2012 at 22:09

    The following countries are known to operate enrichment facilities: Argentina, Brazil, China, France, Germany, India, Iran, Japan, the Netherlands, North Korea, Pakistan, Russia, the United Kingdom, and the United States.

    There are only two real enemies on that list. That narrows it down a bit.

  4. Richard Steven Hack says

    February 23, 2012 at 23:03

    When one considers the number of countries infected by Stuxnet, and where the concentration of infection was, and then consider who really has the technical capability to both produce such a weapon AND has a problem with one or more of the countries infected, you are reduced to two countries: the US and Israel.

    Clive Robinson over at Bruce Schneier’s blog thinks North Korea was the ultimate target, with Iran as the backdoor due to contact between the two countries. I doubt that because even with that sort of contact between the two countries, introducing Stuxnet into North Korea would be an order of magnitude more difficult than introducing it to Iran. I don’t recall any reports of infection in North Korea precisely because of that isolation.

    And Israel doesn’t care about North Korea.

    So the fact that the Stuxnet data structures match almost exactly to the cascades in Natanz pretty much seals the deal.

    You would have to find similar layouts of cascades in other countries that were infected by Stuxnet AND be able to point to an enemy of those countries who would have the technical ability to produce Stuxnet to make a case for any other target.

    Pakistan vs India? Doubtful. China vs India? Possibly. More likely than the US and Israel vs Iran? Doubtful. A global attack on all enriching nations – or even all Muslim nations with nuclear facilities? Possible but doubtful.

    I think the case is made that either or both Israel and the US targeted this toward Natanz – possibly as a trial run against other enriching countries, but certainly against Iran.

  5. Jim K says

    February 24, 2012 at 18:52

    One alternative I have heard of:

    If you wanted to dry run a SCADA attack against western industry, who better to attack than Iran, when all fingers will immediately point elsewhere?

    Wheels within wheels…

  6. Mykola says

    February 27, 2012 at 19:49

    I agree with Mr. Eigler: I think there is not enough evidence that the main aim was Natanz. I am not an expert in nuclear engineering, but very often the same purpose leads to about the same (optimal) design. It means that many enrichment facilities around the world may share about the same configuration. This view, in particular, may explain the extraordinary complexity of the attacking condition: the authors wanted to deal with more than one plant in the same code. If this is the case then instead of an act of war we have here an attempt to sabotage the global uranium supply. And that leads to a very different game.

    I repeat: this could be the case iff the numerology revealed in the video is not unique to Natanz. I would love to hear from experts on the topic.

  7. Jimstonefreelance says

    February 28, 2012 at 18:32

    It’s pretty obvious, with ALL of the pressure release valves at Fukushima sticking shut via a powered command even with operators trying to vent, and the fact that Israel published the fact that a team from Dimona had a full time data link into the Fukushima reactor rooms all the way through the disaster, that something is fishy there.

    Fukushima needed no power to remain safe, the real emergency backup systems are powered by reactor steam, and will activate unless a direct command from the controller tells them not to.

    Why did they not activate?

    Think about that.

  8. Michael says

    March 2, 2012 at 16:03

    Hello Jimstone,

    I wonder if nuclear research centers are into intelligence gathering, planning, and executing also.

    Michael

  9. oslodi says

    March 7, 2012 at 12:25

    stuxnet digits pry into illoculars that undeniably echo into a cyber zone of Iraq. Nuclear spindle controller are Siemens PLC at 164 centrifuges with group enrichment. Possible use with open source available are nuclear waste processors of China, warhead launchers of India, Pakistan or N. Korea and so on. Not interesting but down right scary.

  10. Khalid says

    November 21, 2012 at 14:01

    The video is no longer available at the provided link as of 21st Nov. 2012:

    http://vimeo.com/35806770

    Could you please upload it again? Or, point to an alternate location where it is available?

  11. Dale Peterson says

    November 21, 2012 at 14:42

    Sorry about that. Something changed in the site / vimeo / wordpress. We will fix it.

    In the meantime you can see all the S4 2012 videos at Digital Bond’s S4 2012 Video Channel, http://vimeopro.com/user10193115/s4-2012

