The Glade 4.0
https://gladerebooted.net/

Cyber Warfare
https://gladerebooted.net/viewtopic.php?f=8&t=4498
Page 1 of 3

Author:  Midgen [ Mon Oct 25, 2010 6:54 pm ]
Post subject:  Cyber Warfare

Interesting article about Stuxnet..

This is a blog post I found on someone's LinkedIn profile. I'm not presenting it as an authoritative source, but as a discussion point on the potential for cyber warfare. It probably doesn't need to be in Hellfire, but I figured I'd play it safe.

Posted without commentary

http://warintel.blogspot.com/2010/10/st ... 20-30.html

Gerald The Internet Anthropologist wrote:
Stuxnet 2.0

We were going to write about the next generation of Stuxnet.
But realized the Iranian Reactor Stuxnet is the 2.0 version.

This paradigm was developed from paradigm Intel, BSU's
and OSINT.

US to Iran CHECKMATE:

From our post of 10/17/2009 03:27:00 PM
http://warintel.blogspot.com/2009/10/ir ... -fail.html

The trade publication Nucleonics Week, let me summarize an article that appeared in its Oct. 8 issue. It reported that Iran's supply of low-enriched uranium -- the potential feedstock for nuclear bombs -- appears to have certain "impurities" that "could cause centrifuges to fail" if the Iranians try to boost it to weapons grade.

The impurities, certain metallic fluoride compounds, "would interfere with centrifuge enrichment" at Iran's facility at Natanz.

From one of our sources inside the beltway.

"Their uranium is highly contaminated with molybdenum hexafluoride (MoF6)."

If they try and use it in the centrifuges it destroys them. Iran took it all out and dumped it, they have no idea how it happened.

Our hypothesis is Stuxnet 1.0 did the deed.

And the current version of Stuxnet is 2.0, and was meant to be discovered.

Version 1.0 is much stealthier, and as of yet still undiscovered.

Version 2.0 exposure alone will stop Iran from trying to produce nukes.

2.0 is built for persistence. Iran still can't get rid of it; if it exists on any of the PCs or control machines it will reinfect everything, unless you kill every instance of it all at once.

1.0 is much stealthier and has to date still avoided exposure. And it is hiding throughout Iran's infrastructure, and if Iran is successful in killing 2.0 then the invisible one will reinfect with 2.0 all over again. Iran's nuclear bomb program is doomed.

And if Iran knows 2.0 is looking they will not try and restart a bomb program. They might try and rebuild the reactors and centrifuges but run the risk of an infection they can't seem to kill.

Our report from the Russians indicated Stuxnet successfully hit 1368 of 5000 centrifuges at the uranium enrichment plant at Natanz, as well as disrupted launch date of nuclear plant at Bushehr.

At this point Iran cannot even start an enrichment program to make a nuke. Every time they do the product destroys the centrifuges.

And they don't know why or how.

Their head scientist, the head of the Atomic Energy Organization of Iran, Gholam Reza Aghazadeh, resigned without explanation. The Regime viewed him as a failure.


This is the second time Iran has tried to enrich product approaching nuclear bomb grade and is the second time their centrifuges have been destroyed trying.

Check Mate, Iran is helpless before the cyber techno-threat.

Stuxnet has crippled the Iranian Nuclear program for the foreseeable future.

As the sanctions cripple the economy. Next move "Green Party", regime change. It's up to you now.

Author:  Diamondeye [ Mon Oct 25, 2010 7:26 pm ]
Post subject:  Re: Cyber Warfare

Why would the Iranians have their centrifuge control systems on systems attached to the internet?

Author:  Stathol [ Mon Oct 25, 2010 8:11 pm ]
Post subject: 

They wouldn't have to. Stuxnet spreads by infected USB drives.

I work for an engineering company that, among other things, designs SCADA systems, so I've been keeping an eye on the Stuxnet saga. I don't know if Iran's uranium enrichment was the target or not, but I'll say this -- Stuxnet is goddamn creepy. And the more I learn about it, the more difficult it is to believe that it could have been created by anything other than a state-sponsored agency of some kind. Hell, no one has even managed to break all of its encryption yet (and it was discovered over a year ago), so we still don't know precisely what it does or who it's targeting. However, what is clear from the parts that have been decrypted is that it does have a specific target it looks for on a continual basis (every 5 seconds, I believe), and then...does something. We don't know -- that's one of the parts that still hasn't been decrypted.

What's more, Stuxnet was first discovered in the wild in mid-2010. However, once the world knew what to look for, existing infected systems revealed versions dating back as far as mid-2009. The damn thing survived for 12 months straight without being detected by anyone. In and of itself, that's an amazing feat of malware engineering. But when we also consider that many of its targets were very sensitive government systems ... yeah. But the creepiness doesn't end there. When those early versions were finally analyzed, one of the driver components had a compile-time stamp of Jan 1, 2009. This rather strongly suggests that there are even earlier versions of Stuxnet somewhere out there. And yet, so far no one has managed to discover them. I'm not sure I can adequately emphasize how bizarre it is that a family of malware could undergo such intense scrutiny, and yet still have strains remain hidden in the wild for nearly 2 years.

And that's really only scratching the surface of the bizarre, highly sophisticated, and improbable features that Stuxnet has. I don't know if Iran is the target or not, but it seems unlikely to me that this could have been a private endeavor.

Author:  Slythe [ Mon Oct 25, 2010 8:20 pm ]
Post subject:  Re: Cyber Warfare

Diamondeye wrote:
Why would the Iranians have their centrifuge control systems on systems attached to the internet?


If that's actually the case, then the answer of course is because most people are idiots. No 'mission critical' computer system within any society should be connected to the internet.

Author:  Diamondeye [ Mon Oct 25, 2010 8:21 pm ]
Post subject:  Re:

Stathol wrote:
They wouldn't have to. Stuxnet spreads by infected USB drives.


Ok, that would work, but once you cleaned it off once, couldn't you just shut off all your USB ports and be fairly certain that it wouldn't get back on if you specifically authorized each device?

That's what the Army did after problems with infected USB drives.

Author:  Slythe [ Mon Oct 25, 2010 8:24 pm ]
Post subject:  Re:

Stathol wrote:
...clip...


So what's your opinion? If you believe this is state-sponsored, which 'state' produced this? US? Israel? China? Russia?

Author:  Stathol [ Mon Oct 25, 2010 9:53 pm ]
Post subject:  Re: Re:

Diamondeye wrote:
Ok, that would work, but once you cleaned it off once, couldn't you just shut off all your USB ports and be fairly certain that it wouldn't get back on if you specifically authorized each device?

That's what the Army did after problems with infected USB drives.

Unfortunately, it's not quite that simple. I should have said that initial infection is spread by infected USB keys. Once a system is infected, it will seek to infect other machines over LAN, in particular looking for a machine on the local network with internet access. Once it finds one, it can update (and if necessary, re-infect) the local network via either C&C servers (they all went offline after Stuxnet was discovered) or, failing that, from its own peer-to-peer protocol.

But part of the problem, here, is dealing with "once you cleaned it off". Because Stuxnet functions as a rootkit, and still has significant portions of un-analyzed code, and is known to have multiple "dropper" components, you can't really be sure that a host, once infected, is ever really "clean" again. And then multiply that by all of the computers and PLCs the infected machine is potentially connected to, and all of the computers and PLCs those are connected to ...

Given the sophistication exhibited by Stuxnet thus far, I wouldn't even count on being able to get rid of it by a "naive" OS reload. Pretty much the only sure solution is to nuke it from orbit, and by that, I mean actually zeroing the hard drive of every computer and PLC on the network, and rebuilding completely from scratch. Problem is, you can't just (easily) do that when the whole purpose of your network is to control critical infrastructure and/or potentially very dangerous nuclear systems.

And, of course, if Stuxnet really is the result of state-sponsored cyber-warfare, then you can never really be sure that you don't have someone sabotaging the system from the inside.

Slythe wrote:
So what's your opinion? If you believe this is state-sponsored, which 'state' produced this? US? Israel? China? Russia?

I can't say that I really have one. That depends heavily on who its target is. Stuxnet pulls certain information out of Siemens WinCC/PCS 7 databases, builds a fingerprint from it, compares it to a target fingerprint, and then takes some as of yet unknown action if they match -- presumably something Very Bad(TM). But the fingerprinting system is basically a hash of some kind; you can't "reverse" the target from the fingerprint.

This points back to my speculation above that whoever Stuxnet is targeting has every reason to suspect a man on the inside. The only way to build the target fingerprint in the first place would be to have very specific field data from the target SCADA system -- data that shouldn't be accessible from off-site in any reasonably secure facility. To me this is one of the aspects that really points to state-sponsored activity. If the target is military or national, getting a man on the inside would be very difficult for Joe Q. Hacker. If the target is private industry or just some municipal system, then it could be the work of a disgruntled employee, etc., but that theory is hard to swallow based on the sheer complexity of Stuxnet.

So without knowing the target, it's really hard to say. Initial infection analysis seemed to indicate that the epicenter was Iran. If we speculate that this was, in fact, the target, then the most likely culprits are Israel or the U.S. I'd say that the former is probably more likely than the latter, and that "both" is somewhere in between. I'm not buying any of the supposed "Israel connections" in the code itself, but that doesn't change their position in the list of suspects, frankly.

On the other hand, there are now lots of infections in China. I tend to not think China is the target because these appear to be late infections, but there are a few counter-arguments to suggest China as a target:

1) Stuxnet's drivers are digitally signed with stolen certificates belonging to JMicron and Realtek; both are Taiwanese chip manufacturers. Neither has been able to determine how the certificates were stolen. One of the more interesting theories notes that both companies have offices in Hsinchu Science Park, and suggests that the inability to find any electronic intrusion to explain the theft could imply physical espionage. It's interesting, but I'm not sure that's anything but a red herring. If you pick any two Taiwanese chip manufacturers, I'm sure you'll find a similar connection somewhere. It's a small world. And the lack of evidence for an electronic theft could simply indicate that the culprit was very good. Given the skill with which the rest of Stuxnet was executed, that's a very real possibility.

2) One of the original C&C servers was located in Malaysia (the other was in Denmark, though). It's a pretty weak connection given how easily even amateur hackers can acquire or subvert a server in pretty much any country in the world, but we don't have much else to go on.

As an aside, what's interesting to me about 1) and 2) is not what they might say about the potential target, but simply the fact that both trails have yielded absolutely nothing. Regardless of how the certificates were stolen, it's impressive that someone could pull it off not once, but twice, without leaving any evidence behind. As to the C&C servers, the lack of fingerprints there is a bit less impressive than the certificate theft, but it's still worth noting. Following the C&C trail has busted a number of "expert" crackers out there, including (most notoriously) the NetSky guy. Again, to me this points to a level of expertise that's a little hard to attribute to conventional cracker groups -- even very good ones.

Final thought: whoever owns the target system almost certainly knows they were the target. Supposing that it were Iran, what would they do with that information? I really don't know. Normally, I'd say that they're not the type to shy away from an opportunity to point the finger at Israel or the U.S., but I'm not sure what they could hope to accomplish by doing so. Whoever the target is, if the speculation is correct that Stuxnet is being targeted via inside information, then I'm guessing it would be in their best interest not to acknowledge their awareness.

Author:  shuyung [ Mon Oct 25, 2010 11:40 pm ]
Post subject: 

Stathol, since you seem to have an interest, you may want to consider participating in the SCADAsec mailing list http://news.infracritical.com/mailman/listinfo/scadasec

Author:  Elmarnieh [ Tue Oct 26, 2010 8:40 am ]
Post subject: 

Disconnect all inter-connectivity. Take out the data mediums at the hardware level - replace them one at a time. Once all are replaced re-enable interconnectivity.

Long, slow, expensive but certain.

Author:  Aizle [ Tue Oct 26, 2010 9:24 am ]
Post subject:  Re:

Elmarnieh wrote:
Disconnect all inter-connectivity. Take out the data mediums at the hardware level - replace them one at a time. Once all are replaced re-enable interconnectivity.

Long, slow, expensive but certain.


Not necessarily. As soon as you replace one data medium, it will likely be infected by the remaining data mediums.

Author:  Taskiss [ Tue Oct 26, 2010 9:44 am ]
Post subject: 

Lots of times industrial equipment is required to be networked together just to manage the operations. A standalone CNC mill ... would just stand there. You have to get the work files from the CAD design workstation there somehow, you're certainly not going to program it where it stands. The workstation needs management too... a single station can be managed, but when you multiply the infrastructure by thousands it's more problematic. Slip in an infected USB drive, or a workstation ethernet card with infected firmware, or even a networked printer... pwned.

I have no idea how these centrifuges or other infected systems actually work, but I'd not be surprised if there were similarities.

Author:  Elmarnieh [ Tue Oct 26, 2010 9:46 am ]
Post subject:  Re: Re:

Aizle wrote:
Elmarnieh wrote:
Disconnect all inter-connectivity. Take out the data mediums at the hardware level - replace them one at a time. Once all are replaced re-enable interconnectivity.

Long, slow, expensive but certain.


Not necessarily. As soon as you replace one data medium, it will likely be infected by the remaining data mediums.



By what remaining data mediums? We've disconnected it from everything else and are replacing the data hardware itself. Unless the virus can live in unpowered copper wire itself, it's gone.

Author:  Stathol [ Tue Oct 26, 2010 10:34 am ]
Post subject:  Re:

Taskiss wrote:
*words*

Yeah, pretty much this. If you found that you had an infection within a large-scale industrial system like an oil refinery...ugh. Doing a complete shutdown, reload, and restart of every computer and PLC in the entire system could take weeks, if not longer. The cost would easily be in the millions, and if anything was missed, it could all have been in vain.
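The isolate-wipe-reconnect procedure Elmarnieh describes only works if every host is covered and the order is respected, which is the "if anything was missed, it could all have been in vain" point above. The following is an added example, not code from the thread or from any SCADA vendor: it audits a constructed cleanup log (hypothetical host names and timestamps) against an asset inventory and flags any host that was never rebuilt, was rebuilt before the segment was isolated, or was rebuilt after it was reconnected.

```python
from datetime import datetime

# Constructed inventory of every computer and PLC on the isolated segment
# (hypothetical host names, not from the thread).
INVENTORY = ["eng-ws-01", "eng-ws-02", "hmi-01",
             "plc-line-a", "plc-line-b", "print-srv"]

# Constructed cleanup log: (timestamp, event, subject). "segment" events
# record when the network was cut off and when it was reconnected.
CLEANUP_LOG = [
    ("2010-10-26T08:00", "isolate",   "segment"),
    ("2010-10-25T17:30", "rebuild",   "hmi-01"),      # wiped before isolation
    ("2010-10-26T09:10", "rebuild",   "eng-ws-01"),
    ("2010-10-26T11:45", "rebuild",   "plc-line-a"),
    ("2010-10-26T12:05", "reconnect", "segment"),
    ("2010-10-26T13:20", "rebuild",   "eng-ws-02"),   # wiped after reconnect
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


def audit_cleanup(inventory, log):
    """Return {host: reason} for every host that leaves a re-infection path.

    A host counts as clean only if its latest wipe happened after the segment
    was isolated and before it was reconnected; every inventoried host must
    have such a wipe, and every wiped host must be in the inventory.
    """
    isolated = min((_ts(t) for t, ev, _ in log if ev == "isolate"), default=None)
    reconnected = min((_ts(t) for t, ev, _ in log if ev == "reconnect"), default=None)

    latest_rebuild = {}
    for t, ev, host in log:
        if ev == "rebuild":
            latest_rebuild[host] = max(_ts(t), latest_rebuild.get(host, _ts(t)))

    findings = {}
    for host in inventory:
        when = latest_rebuild.get(host)
        if when is None:
            findings[host] = "never rebuilt"
        elif isolated is None or when < isolated:
            findings[host] = "rebuilt before isolation; may have been re-infected"
        elif reconnected is not None and when > reconnected:
            findings[host] = "rebuilt after reconnection; exposed to unclean hosts"
    for host in latest_rebuild:
        if host not in inventory:
            findings[host] = "not in inventory; asset list is incomplete"
    return findings


def cleanup_is_complete(inventory, log):
    """True only when no host is missing, early, late or unknown."""
    return not audit_cleanup(inventory, log)


if __name__ == "__main__":
    for host, reason in sorted(audit_cleanup(INVENTORY, CLEANUP_LOG).items()):
        print(f"{host:12s} {reason}")
    print("complete:", cleanup_is_complete(INVENTORY, CLEANUP_LOG))
```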

Author:  Hannibal [ Tue Oct 26, 2010 1:57 pm ]
Post subject: 

They don't make viruses for the abacus. Just sayin'

Author:  Kaffis Mark V [ Tue Oct 26, 2010 2:01 pm ]
Post subject:  Re:

Hannibal wrote:
They don't make viruses for the abacus. Just sayin'

Sure they do. Ebola.

Author:  Corolinth [ Tue Oct 26, 2010 2:18 pm ]
Post subject: 

When you get right down to it, they do. How do you think a computer works?

Author:  Hannibal [ Tue Oct 26, 2010 2:19 pm ]
Post subject: 

So you're saying Ebola was engineered in order to get rid of the abacus? You best be citin sources or Imma call ya out on it foo.

Author:  Kaffis Mark V [ Tue Oct 26, 2010 4:49 pm ]
Post subject:  Re:

Hannibal wrote:
So you're saying Ebola was engineered in order to get rid of the abacus? You best be citin sources or Imma call ya out on it foo.

No, but it spreads via the abacus vector, and destroys the abacus' CPU.

Author:  Hannibal [ Tue Oct 26, 2010 5:22 pm ]
Post subject:  Re: Re:

Kaffis Mark V wrote:
Hannibal wrote:
So you're saying Ebola was engineered in order to get rid of the abacus? You best be citin sources or Imma call ya out on it foo.

No, but it spreads via the abacus vector, and destroys the abacus' CPU.


Easily prevented by not licking your abacus. Or washing your hands after letting someone else use your abacus.

Author:  Corolinth [ Tue Oct 26, 2010 5:29 pm ]
Post subject: 

Not with the soaps typically available in societies that still rely on the abacus as the primary means of computation.

Author:  Hannibal [ Tue Oct 26, 2010 5:44 pm ]
Post subject: 

Ok, don't touch your mucous membranes after touching your abacus. Of course maybe Ebola is just bleach in the gene pool.

Author:  Diamondeye [ Tue Oct 26, 2010 9:16 pm ]
Post subject:  Re:

Corolinth wrote:
Not with the soaps typically available in societies that still rely on the abacus as the primary means of computation.


If they use abacuses for computation they probably don't have TV either so I doubt they would have soaps at all.

Author:  Ladas [ Wed Oct 27, 2010 7:26 am ]
Post subject: 

How does molybdenum hexafluoride destroy the centrifuges?

Author:  Diamondeye [ Wed Oct 27, 2010 7:49 am ]
Post subject:  Re: Cyber Warfare

I'm going to guess that the centrifuges (which are highly precise pieces of equipment) are calibrated around a specific mass-volume ratio and around specific sizes of molecules for the substances to be centrifuged. When they get the wrong substances being centrifuged, it tears up that highly precise machinery.

Author:  Taskiss [ Wed Oct 27, 2010 8:16 am ]
Post subject: 

http://lewis.armscontrolwonk.com/archiv ... o-the-bomb

Quote:
Richard Stone in this week’s Science Magazine further documents the problems that Iran is having purifying hex at its Uranium Conversion Facility (UCF) near Esfahan:

Creating purified UF6, which can be fed as a gas into centrifuges for isotope separation, would be a much bigger one. According to an official at the U.S. State Department, Iran has struggled to convert UF4 into UF6, a dangerous process involving highly toxic and corrosive fluorine gas. The official also claims that Iranian UF4 is tainted with large amounts of molybdenum and other heavy metals. These oxyfluoride impurities in UF6 “might condense” and thereby “risk blockages” of valves and piping, an IAEA specialist told Science.
