Stuxnet: A Chronology (Ongoing)

October 2, 2010

The NY Times now backtracks, claiming that Israeli cyber warfare experts are “too smart” to leave a clue behind. Thus, by inference, it must be a country that wants to implicate Israel, which, by inference, is Iran (surprise). Too clever by half, these folks. Another reason I believe Israel or an Israeli-backed team is behind Stuxnet is the fact that Wikileaks apparently had a reference to a possible nuclear “accident” in Iran in July 2009. That is around the time when some researchers argue Stuxnet infections first began.

October 2, 2010

Jeffrey Carr backs off from the allegation that Israel is the culprit, claiming that Ralph Langner was the sole source of the allegation and was irresponsible in posting it on his blog as though it were the opinion of the intelligence community. Carr quotes an earlier piece of his, along with these words:

“Last week I wrote about how the Israel-Iran conspiracy theory around the Stuxnet worm was built entirely on one security engineer’s personal conjecture (Ralph Langner) with absolutely no weighing of alternative possibilities for attribution, nor any objective assessment of the evidence.”

However, if you click on the earlier piece he cites, he wrote nothing of the sort in it. Nowhere in that piece did Carr claim that Langner was the sole source of the allegation; he quotes the NY Times as noting several people who’d reached the same conclusion. Also, there is no hint in the piece that he considered Langner’s allegation speculative or poorly founded. He cited it instead as a likely possibility. This is clear back-pedaling, probably provoked by the fear that the story might lead to a crackdown on Iranian dissidents and foreigners. Well, of course it will. But that’s not the fault of journalists reporting on the story. Or of Ralph Langner, who clearly states on his blog that he is “speculating” (see previous link).

The fault lies with the unknown cybercriminal/s who came up with Stuxnet.

[See “Stuxnet Speculation Fuels Crackdown By Iranian Intelligence,” Jeffrey Carr, The Firewall, Forbes, October 2, 2010]

*October 1, 2010

[See “Clues Emerge About Genesis Of Stuxnet Worm,” CS Monitor, October 1, 2010]

*October 1, 2010

[“Israel: Smart Enough To Create Stuxnet; Stupid Enough To Use It” War In Context, Oct. 1, 2010]

*October 1, 2010

Cryptome is arguing that Israel would never have done anything so sloppy as what’s alleged. Could it be that some group is deliberately playing off one side against the other, that is, playing divide-and-conquer? Or is this more “plausible deniability”?

On looking back, I notice that one of the first people to launch the “Israel did it” allegation is one Richard Falkenrath, who works for the Chertoff Group (my emphasis).

That makes me wonder.

Here’s Cryptome:

“Really? Personally I’d be surprised if a crack team of Israeli software engineers were so sloppy that they relied on outdated rootkit technology (e.g. hooking the Nt*() calls used by Kernel32.LoadLibrary() and using UPX to pack code). Most of the Israeli developers I’ve met are pretty sharp. Just ask Erez Metula.

http://www.blackhat.com/presentations/bh-usa-09/METULA/BHUSA09-Metula-ManagedCodeRootkits-PAPER.pdf

“It may be that the “myrtus” string from the recovered Stuxnet file path

“b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb” stands for “My-RTUs”

as in Remote Terminal Unit. See the following white paper from Motorola, it examines RTUs and PICs in SCADA systems. Who knows? The guava-myrtus connection may actually hold water.

http://www.motorola.com/web/Business/Products/SCADA%20Products/_Documents/Static%20Files/SCADA_Sys_Wht_Ppr-2a_New.pdf

As you can see, the media’s propaganda machine is alive and well.”

I am completely out of my depth in the technical part of this. But not in the propaganda part.

As an instance of the way group conflicts can be set off, think of how during the financial crisis there were an inordinate number of Indians being trotted out to do the explaining, and taking the brunt of the public’s anger, although last I looked, despite a respectable number of Indian billionaires, the head honchos of the major banks (with one exception) and the biggest and most important speculators, managers, and international officials were not Indian, to phrase it as politely as possible.

Setting race and nation each against the other is of course the modus operandi of the power elite, and both Kashmir and Israel have played that divisive role in the past, and continue to do so.

*October 1, 2010

A link to an Examiner piece is coming up right at the top of a Google search of Stuxnet and Israel. With all due respect to the author, who probably thinks he/she is on the side of the angels and simply preempting an outburst of anti-Semitism by this effort, the piece is quite misleading, and, apparently, deliberately so, as an examination of the other links listed here, from a variety of sources in the West (see the NY Times piece), will prove.

For instance, the Examiner piece doesn’t cite the reports from many western security companies and research teams (see links below) that have extensively researched the issue, nor does it acknowledge that it was these sites that first advanced the claim that Israel/Israeli hackers were likely responsible. Instead, it cites a Times of India piece that republishes the claims.

The attempt, apparently, is to mislead the public into thinking that the allegation of Israeli involvement is one mainly advanced by untrustworthy foreigners with axes to grind (note the description “Iran’s friend, India”).

“Another of Iran’s friends, India, is pushing the notion that Israel did it. According to an http://timesofindia.indiatimes.com on Friday, “A Biblical reference has been detected in the code of the computer virus that points to Israel as the origin of the cyber attack.” It’s further explained that the word “myrtus” is in the code, and that this is a “reference to the myrtle tree”

In point of fact, it was western security companies and western researchers who came to that conclusion. Moreover, the targets of the worm fit very well with Anglo-Zionist imperial objectives – covering as they do the largest Muslim populations in Asia.

[See “German Firm Employee May Have Created Stuxnet; Israel Blames.” Examiner.com, October 1, 2010]

*September 30, 2010

Quote:

“Buried in Stuxnet’s code is a marker with the digits “19790509” that the researchers believe is a “do-not infect” indicator. If the marker equals that value, Stuxnet stops in its tracks, and does not infect the targeted PC. The researchers — Nicolas Falliere, Liam O Murchu and Eric Chen — speculated that the marker represents a date: May 9, 1979. “While on May 9, 1979, a variety of historical events occurred, according to Wikipedia, Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community,” the researchers wrote. Elghanian, a prominent Jewish-Iranian businessman, was charged with spying for Israel by the then-new revolutionary government of Iran, and executed May 9, 1979.”

Quote:

“Last weekend, Iranian officials confirmed that tens of thousands of PCs in their country had been infected by Stuxnet, including some used at a nuclear power plant in southwestern Iran that’s planned to go online next month. The Symantec researchers also revealed a host of other Stuxnet details in their paper, including a “kill date” of June 24, 2012, after which the worm will refuse to execute.”

[See “Stuxnet Code Hints At Possible Israeli Origin, Researchers Say,” by Gregg Keizer, Symantec, Sept. 30, 2010]

*September 30, 2010

Symantec puts out a dossier of information on Stuxnet that includes the following: attack scenario and timeline, infection statistics, malware architecture, description of all the exported routines, injection techniques and anti-AV, the RPC component, propagation methods, command and control feature, and the PLC infector.

Eric Chien summarizes findings about the worm:

“Only more recently did the general public realize Stuxnet’s ultimate goal was to sabotage an industrial control system.

Analyzing Stuxnet has been one of the most challenging issues we have worked on. The code is sophisticated, incredibly large, required numerous experts in different fields, and mostly bug-free, which is rare for your average piece of malware. Stuxnet is clearly not average. We estimate the core team was five to ten people and they developed Stuxnet over six months. The development was in all likelihood highly organized and thus this estimate doesn’t include the quality assurance and management resources needed to organize the development as well as a probable host of other resources required, such as people to setup test systems to mirror the target environment and maintain the command and control server.”

[See W32.Stuxnet Dossier, Eric Chien, Sept. 30, 2010]

*September 25, 2010

Quote:

“The director of the Information Technology Council of the Industries and Mines Ministry has announced that the IP addresses of 30,000 industrial computer systems infected by this malware have been detected, the Mehr News Agency reported on Saturday. “An electronic war has been launched against Iran,” Mahmoud Liaii added. “This computer worm is designed to transfer data about production lines from our industrial plants to (locations) outside of the country,” he said.”

[See “Iran Successfully Battling Cyber Attack,” Mehr News, Sept. 25, 2010]

*September 24, 2010

A piece in the Guardian suggests that a government agency is most likely behind the worm but warns against leaping to conclusions. It notes that many hackers/criminals might have become sophisticated enough to create a worm of this type. The piece notes that attacks against Iran have increased and that the identification of the worm was originally made by a Belarus security firm for an Iranian client and that Iran had been experiencing problems with their nuclear facility at Bushehr for months. It notes that the worm uses a stolen cryptographic key from the Taiwanese semiconductor manufacturer Realtek.

[See “Stuxnet Worm Is The Work Of A National Government Agency,” Josh Halliday, Guardian, Sept. 24, 2010]

“Stuxnet: The Trinity Test Of Cyberwarfare,” War In Context, Sept. 23, 2010

*September 16, 2010

Symantec researchers say that Stuxnet had to be created by a state, because it was the most devious and sophisticated malware they’d come across.

Quote:

“I don’t think it was a private group,” said O Murchu. “They weren’t just after information, so a competitor is out. They wanted to reprogram the PLCs and operate the machinery in a way unintended by the real operators. That points to something more than industrial espionage.”

The necessary resources, and the money to finance the attack, puts it out the realm of a private hacking team, O Murchu said.

“This threat was specifically targeting Iran,” he continued. “It’s unique in that it was able to control machinery in the real world.”

“All the different circumstances, from the multiple zero-days to stolen certificates to its distribution, the most plausible scenario is a nation-state-backed group,” said Schouwenberg, who acknowledged that some people might think he was wearing a tin foil hat when he says such things. But the fact that Iran was the No. 1 target is telling.”

[See “Is Stuxnet the Best Malware Ever?” Gregg Keizer, Symantec Security Response, Sept. 16, 2010]

*September 13, 2010

German computer security researcher Ralph Langner speculates that Stuxnet is part of cyberwar:

Ralph’s theory — completely speculative from here

“It is hard to ignore the fact that the highest number of infections seems to be in Iran. Can we think of any reasonable target that would match the scenario? Yes, we can. Look at the Iranian nuclear program. Strange — they are presently having some technical difficulties down there in Bushehr. There also seem to be indications that the people in Bushehr don’t seem to be overly concerned about cyber security. When I saw this screenshot last year (http://www.upi.com/News_Photos/Features/The-Nuclear-Issue-in-Iran/1581/2/) I thought, these guys seem to be begging to be attacked. If the picture is authentic, which I have no means of verifying, it suggests that approximately one and a half year before scheduled going operational of a nuke plant they’re playing around with software that is not properly licensed and configured. I have never seen anything like that even in the smallest cookie plant. The pure fact that the relevant authorities did not seem to make efforts to get this off the web suggests to me that they don’t understand (and therefore don’t worry about) the deeper message that this tells.

Now you may ask, what about the many other infections in India, Indonesia, Pakistan etc. Strange for such a directed attack. Then, on the other hand, probably not. Check who commissions the Bushehr plant. It’s a Russian integrator that also has business in some of the countries where we see high infection rates. What we also see is that this company too doesn’t seem to be overly concerned about IT security. As I am writing this, they’re having a compromised web site (http://www.atomstroyexport.com/index-e.htm) that tries to download stuff from a malware site that had been shut down more than two years ago (www.bubamubaches.info). So we’re talking about a company in nukes that seems to be running a compromised web presence for over two years? Strange.
I could give some other hints that have a smell for me but I think other researchers may be able to do a much better job on checking the validity of all this completely non-technical stuff. The one last bit of information that makes some sense for me is the clue that the attackers left in the code, as the fellows from Symantec pointed out — use your own imagination because you will think I’m completely nuts when I tell you my idea.

Welcome to cyberwar.”

[See “Stuxnet is a directed attack: hack of the century,” Ralph Langner]

*September 8, 2010

German computer security expert Ralph Langner writes to a friend:

Historical document: Ralph informs Joe Weiss what Stuxnet is. Note the date of the email.

*July 22, 2010

Symantec analyzed W32.Stuxnet as a worm that uses a hitherto unknown Windows bug to attack and then searches the target for SCADA systems and design documents. SCADA is a network used to control utilities, transportation and other critical infrastructure. The worm then contacted Command & Control servers that control the infected machines and retrieved the stolen information. The servers were located in Malaysia, and Symantec redirected traffic away from them to prevent the take-over of the information.

Within a 72-hour period Symantec identified close to 14,000 IP addresses infected with W32.Stuxnet trying to contact the C&C server. 58.85% came from Iran, with the rest coming from Indonesia (18.22%) and India (8.31%), and with Azerbaijan, the US, and Pakistan making up the other affected countries, at under 2% each (this information is also provided at the Microsoft website).

[See Symantec Security Response, W32.Stuxnet – Network Information, Vikram Thakur, July 22, 2010]
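The country breakdown above comes from counting distinct infected IP addresses that beaconed to the redirected (sinkholed) C&C hosts inside a 72-hour window. The script below is an added example of that tally, not Symantec’s own code or data: the log format, the IP addresses, the country codes and the timestamps are all constructed, and the real sinkhole would additionally have needed a GeoIP lookup, which is assumed here to have already been done.

```python
"""Count distinct infected hosts contacting a sinkhole, per country, over a
fixed window. Added illustration; the log format and every value below are
constructed, not taken from Symantec's sinkhole."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sinkhole log: "<ISO timestamp> <source ip> <country> <contacted host>".
# The same source IP beaconing several times must count as one infected host.
SAMPLE_LOG = """\
2010-07-19T08:00:00 203.0.113.10 IR cnc.example
2010-07-19T08:00:05 203.0.113.10 IR cnc.example
2010-07-19T09:12:00 203.0.113.11 IR cnc.example
2010-07-19T10:00:00 198.51.100.7 ID cnc.example
2010-07-20T11:30:00 198.51.100.7 ID cnc.example
2010-07-20T12:00:00 192.0.2.44 IN cnc.example
2010-07-21T07:59:59 192.0.2.45 IR cnc.example
2010-07-23T00:00:00 192.0.2.46 US cnc.example
"""

# Start of the (constructed) 72-hour observation window.
WINDOW_START = datetime(2010, 7, 19, 8, 0, 0)


def parse_line(line):
    """Split one log line into (timestamp, ip, country, host)."""
    ts, ip, country, host = line.split()
    return datetime.fromisoformat(ts), ip, country, host


def tally_by_country(log_text, window_start, window_hours=72):
    """Return (distinct_ips, {country: percent}) for contacts in the window.

    IPs are deduplicated so the figures reflect infected machines rather than
    raw connection attempts; a line outside the window is ignored."""
    window_end = window_start + timedelta(hours=window_hours)
    country_of = {}  # ip -> country, first sighting wins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, country, _host = parse_line(line)
        if window_start <= ts < window_end:
            country_of.setdefault(ip, country)
    total = len(country_of)
    if total == 0:
        return 0, {}
    counts = Counter(country_of.values())
    percent = {c: round(100.0 * n / total, 2) for c, n in counts.items()}
    return total, percent


def example_tally():
    """Run the tally over the constructed log and window."""
    return tally_by_country(SAMPLE_LOG, WINDOW_START)


if __name__ == "__main__":
    total, percent = example_tally()
    print(f"{total} distinct hosts contacted the sinkhole")
    for country, share in sorted(percent.items(), key=lambda kv: -kv[1]):
        print(f"  {country}: {share}%")
```

With the constructed log, the host seen on 23 July falls outside the window and the two repeat beacons collapse to one host each, leaving five distinct hosts: three in IR and one each in ID and IN. Deduplicating on source IP is the step that turns beacon noise into an infection count; real sinkhole data would also need NAT and dynamic-address effects taken into account, which this example does not model.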

*July 21, 2010

Quote:

“The zero-day vulnerability, rootkit, main binaries, stolen digital certificates, and in-depth knowledge of SCADA software are all high-quality attack assets. The combination of these factors makes this threat extremely rare, if not completely novel.

Quote:

“The complexity and quality of the attack assets lead some to believe only a state would have the resources to conduct such an attack. However, the usage of the second digital certificate is a bit odd. One could make the case that once the first attack succeeded, a state would take cover and not waste the second digital certificate. Instead, by signing a very similar binary, security companies were immediately able to detect the second stolen certificate, making it useless in further compromises…”

Quote:

“… Hackers bound by a common cause may target another country, organization, or company that they feel are their enemies. Such hacking groups often have the patience and expertise to gather such attack assets. Further, their goals of continued attack may lead them to continue to refine their attack as they are thwarted or discovered, such as resigning their driver files with a newly stolen digital certificate, modifying their binaries to avoid security product detection, and moving their command-and-control hosts as they are decommissioned…”

Quote:

“… This scenario [terrorism] is like something out of a movie and, while for most attacks we’d immediately dismiss this as a possibility, given the amount and quality of the attack assets, terrorism even seems within the realms of possibility in this case.”

[See “The Hackers Behind Stuxnet” by Patrick Fitzgerald, Symantec Security Response, July 21, 2010]

*July 17, 2010

Researchers find that Stuxnet targets industrial control systems of the kind that control manufacturing and utility companies. It targets Siemens management software called Simatic WinCC, which runs on the Windows operating system.

The systems that run the Siemens software, called SCADA (supervisory control and data acquisition) systems, aren’t usually connected to the Internet, but the virus spreads when an infected USB stick is inserted. If it detects the Siemens software, the virus logs in using a default password.

[See “New Virus Targets Industrial Secrets,” Robert McMillan, Computer World, July 17, 2010]

*July 16, 2010

Symantec starts a blog series on the Stuxnet infection that continues through the summer and into September.

[See also Microsoft Security Advisory, July 16, 2010 and Krebs on Security, July 16, 2010]

*July 7, 2010

Stuxnet could well have caused the glitch in the solar panels of India’s Insat-4B satellite on July 7, 2010. That led to the shutting down of 12 out of 24 of the transponders and 70% of the customers dependent on Direct to Home (DTH), including those using Doordarshan (Indian TV), Sun TV and Tata’s VSNL. The customers were redirected to point to the Chinese satellite ASIASAT-5, owned and operated by Asia Satellite Telecommunications Co., Ltd (AsiaSat), whose two main shareholders are General Electric (GE) and China International Trust and Investment Co. (CITIC), a state-owned company.

[See “Did The Stuxnet Worm Kill India’s INSAT-4B Satellite?” by Jeffrey Carr, The Firewall, Forbes.com, Sept. 29, 2010]

*June 16, 2010

Symantec Security Response Team begins its investigation into the Stuxnet worm. The first sample dates from June 2010, but the team believes the worm dates back a year, or maybe even earlier.

*June 2010

The malware is first identified by a Belarus security company, Virusblokada, for its Iranian client.

[See Symantec Security Response, webpage, Sept 30, 2010]

*January 2010

Stuxnet infection begins, according to Symantec.

*July 2009

Stuxnet infection begins, according to Kaspersky.
