Monday, January 17, 2011
 
New Info on Stuxnet
Posted by Mikko @ 12:13 GMT


Stuxnet continues to make headlines. The New York Times published a long story on the latest findings, including these:

President George Bush started an experimental cyber attack program against Iran as early as 2008.

The NY Times claims that Stuxnet was developed jointly by the USA and Israel. They offer no direct proof, though.

Israel has built a replica of the Iranian Natanz enrichment facility at its Negev Nuclear Research Center in Dimona. It was used to test-drive Stuxnet before it was deployed.


Embassy cables leaked by WikiLeaks seem to prove that Iran's nuclear program was indeed using Siemens PLC gear.


The NY Times claims that Idaho National Laboratory at Idaho Falls used its security testing of the Siemens PLC systems to find vulnerabilities to be used in the Stuxnet attack. Apparently Siemens thought this testing was done in order to secure industrial systems. In any case, it is easy to confirm that Siemens and INL did joint security testing in 2008; see this slide:

[Image: Stuxnet INL slide. Image copyright Idaho National Laboratory & Siemens]

The goal of the attack was to modify the operation of high-frequency power drives made by Vacon and Fararo Paya. These drives were controlling the centrifuges that were enriching uranium.


Stuxnet specifically targets a grid of 984 converters.

Curiously, when international inspectors visited the Natanz enrichment facility in late 2009, they found that the Iranians had taken out of service a total of exactly 984 machines.


While Stuxnet is making malicious modifications to the system, it uses a man-in-the-middle attack to fool the operators into thinking everything is normal.

Iranian President Mahmoud Ahmadinejad confirmed in November 2010 that a cyber attack had indeed caused problems with their centrifuges.


Another leaked embassy cable would indicate that there would be other, unknown enrichment plants in addition to Natanz. Attacking such unknown targets with cyber sabotage makes much more sense than, say, trying to bomb them. A worm will find even the facilities that you do not know about.


There is a real fear that we will eventually see modified copies of Stuxnet.

While modifying Stuxnet is obviously not easy, it is easier than creating the same functionality from scratch.

Finding a copy of Stuxnet is not hard at all, as you can see from this forum posting we found:

[Image: forum posting, "Finding Stuxnet"]

For further background info, see our Stuxnet Q&A and Ralph Langner's thorough article on Stuxnet for Control Global magazine.

Or watch our new Stuxnet video, which we just published.






