Wired reports: A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.
The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.
Dubbed “Flame” by Kaspersky, the malicious code dwarfs Stuxnet in size – the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals — marking it as yet another tool in the growing arsenal of cyberweaponry.
The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.
“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, in a statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country.”
Early analysis of Flame by the Lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a backdoor to infected systems to allow the attackers to tweak the toolkit and add new functionality.
The malware, which is 20 megabytes when all of its modules are installed, contains multiple libraries, SQLite3 databases, various levels of encryption — some strong, some weak — and 20 plug-ins that can be swapped in and out to provide various functionality for the attackers. It even contains some code that is written in the LUA programming language — an uncommon choice for malware.
Kaspersky Lab is calling it “one of the most complex threats ever discovered.”
“It’s pretty fantastic and incredible in complexity,” said Alexander Gostev, chief security expert at Kaspersky Lab.
Flame appears to have been operating in the wild as early as March 2010, though it remained undetected by antivirus companies. [Continue reading…]
Symantec adds: Based on the number of compromised computers, the primary targets of this threat are located in the Palestinian West Bank, Hungary, Iran, and Lebanon. However, we have additional reports in Austria, Russia, Hong Kong, and the United Arab Emirates. These additional reports may represent a targeted computer that was temporarily taken to another region–for example, a laptop. Interestingly, in addition to particular organizations being targeted, many of the compromised computers appear to be personal computers being used from home Internet connections.
Evgeny Morozov writes: Should we worry about cyberwarfare? Judging by excessively dramatic headlines in the media, very much so. Cyberwarfare, the argument goes, might make wars easier to start and thus more likely.
Why so? First, cyberwarfare is asymmetric; being cheap and destructive, it may nudge weaker states to conflicts with stronger states — the kinds of conflicts that would have been avoided in the past. Second, since cyberattacks are notoriously difficult to trace, actors may not fear swift retaliation and behave more aggressively than usual. Third, as it’s hard to defend against cyberattacks, most rational states would prefer to attack first. Finally, since cyberweapons are surrounded by secrecy and uncertainty, arms control agreements are hard to implement. More cyberwarfare, in other words, means more wars.
Not so fast, cautions a new and extremely provocative article by Princeton doctoral candidate Adam Liff in the Journal of Strategic Studies. According to Liff, to assume that cyberwarfare has an inherent logic — a teleology — that would always result in more conflict is short-sighted. Furthermore, it fails to consider the subtleties of both military strategy and power relations. Instead of basing our cyber policy on outlandish scenarios from second-rate films, we have to remember that those who would deploy cyberweapons have real agendas and real interests—and would have to pay real costs if something goes awry.
Given today’s geopolitical situation, Liff sees no reason for the doom-and-gloom fearmongering of leading ambassadors of the cyber-industrial complex, most notoriously Richard Clarke and his best-selling 2010 book Cyberwar. Liff even spells out several scenarios where cyberwarfare would actually decrease armed conflict. That’s right: The advent of cyberweapons may eventually promote world peace. Hippies of the world unite — and learn how to mount cyberattacks! [Continue reading…]
Andy Greenberg writes: At a Google-run competition in Vancouver last month, the search giant’s famously secure Chrome Web browser fell to hackers twice. Both of the new methods used a rigged website to bypass Chrome’s security protections and completely hijack a target computer. But while those two hacks defeated the company’s defenses, it was only a third one that actually managed to get under Google’s skin.
A team of hackers from French security firm Vupen were playing by different rules. They declined to enter Google’s contest and instead dismantled Chrome’s security to win an HP-sponsored hackathon at the same conference. And while Google paid a $60,000 award to each of the two hackers who won its event on the condition that they tell Google every detail of their attacks and help the company fix the vulnerabilities they had used, Vupen’s chief executive and lead hacker, Chaouki Bekrar, says his company never had any intention of telling Google its secret techniques—certainly not for $60,000 in chump change.
“We wouldn’t share this with Google for even $1 million,” says Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
Those customers, after all, don’t aim to fix Google’s security bugs or those of any other commercial software vendor. They’re government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets.
In that shady but legal market for security vulnerabilities, a zero-day exploit that might earn a hacker $2,000 or $3,000 from a software firm could earn 10 or even 100 times that sum from the spies and cops who aim to use it in secret. Bekrar won’t detail Vupen’s exact pricing, but analysts at Frost & Sullivan, which named Vupen the 2011 Entrepreneurial Company of the Year in vulnerability research, say that Vupen’s clients pay around $100,000 annually for a subscription plan, which gives them the privilege of shopping for Vupen’s techniques. Those intrusion methods include attacks on software such as Microsoft Word, Adobe Reader, Google’s Android, Apple’s iOS operating systems and many more—Vupen bragged at HP’s hacking competition that it had exploits ready for every major browser. And sources familiar with the company’s business say that a single technique from its catalog often costs far more than its six-figure subscription fee.
Tom Gjelten reports on efforts to defend the US from a Stuxnet-type attack — keeping mind that many experts believe that the Stuxnet worm, the first cyberweapon of its kind ever seen, was created by the US government.
The prospect of a cyberattack on U.S. infrastructure assets has prompted the Department of Homeland Security to arrange a new training program for the people who are supposed to protect the electric grid, manufacturing plants, refineries, water treatment centers and other critical facilities.
The top concern is the industrial control systems (ICS) that oversee the operation of key equipment at those facilities, from the valves to the breaker switches.
By hacking into the computer networks behind the industrial control systems, an adversary could reprogram an ICS so that it commands the equipment to operate at unsafe speeds or the valves to open when they should remain closed. This is roughly the way Stuxnet was able to damage the centrifuges in Iran.
Participants in the training program, based at the Idaho National Laboratory in Idaho Falls, are taken step by step through a simulated cyber-intrusion, so they can experience firsthand how a Stuxnet-like attack on their facilities might unfold.
During an Idaho National Laboratory exercise that was staged for visiting reporters in late September, instructor Mark Fabro installs his “red” team on the second floor of the training center, with the mission of penetrating the computer network of an unsuspecting industrial company, set up on the floor below.
The trainees on the “blue” team downstairs sit in a mock control room, monitoring their computer screens for any sign of trouble.
At first, everything appears normal. The attackers have managed to take control of the computer network without the defenders even realizing it. But gradually, problems develop in the control room.
“It’s running really slow,” says one operator. “My network is down.”
Sitting at their monitors upstairs, the attacking team is preparing to direct the computer system to issue commands to the industrial equipment.
“Take this one out,” says Fabro, pointing to a configuration that identifies the power supply to the control room. “Trip it. It should be dark very soon.”
Within 30 seconds, the mock control room downstairs is dark.
“This is not good,” says Jeff Hahn, a cybersecurity trainer who this day is playing the role of the CEO of the industrial company under attack. The blue team is under his direction.
“Our screens are black and the lights are out. We’re flying blind,” Hahn says.
During the exercise, the critical industrial facility under attack is a pumping station, such as might be found in a chemical plant or water treatment center. As the operators sit helpless at their terminals, the pumps suddenly start running, commanded by some unseen hand. Before long, water is gushing into a catch basin.
“There’s nothing we can do,” one of the operators tells the CEO. “We can only sit here and watch it happen.”
If this mock facility were an actual chemical plant, hazardous liquids could be spilling. If it were an electric utility, the turbines could be spinning out of control.
If it were a refinery, the tanks could be bursting or pipelines could be blowing up, all because the cyberattackers have been able to take over the computer network that controls the key operations.
The cyberattack scenario is all the more worrisome, because it is not clear that such attacks can be effectively stopped.
“Some of these [systems] can’t be protected,” says Weiss, the industrial control systems security expert. “We’re going to have to figure out how to recover from events that we simply can’t protect these systems from.”
Lying there in the junk-mail folder, in the spammy mess of mortgage offers and erectile-dysfunction drug ads, an e-mail from an associate with a subject line that looked legitimate caught the man’s eye. The subject line said “2011 Recruitment Plan.” It was late winter of 2011. The man clicked on the message, downloaded the attached Excel spreadsheet file, and unwittingly set in motion a chain of events allowing hackers to raid the computer networks of his employer, RSA. RSA is the security division of the high-tech company EMC. Its products protect computer networks at the White House, the Central Intelligence Agency, the National Security Agency, the Pentagon, the Department of Homeland Security, most top defense contractors, and a majority of Fortune 500 corporations.
The parent company disclosed the breach on March 17 in a filing with the Securities and Exchange Commission. The hack gravely undermined the reputation of RSA’s popular SecurID security service. As spring gave way to summer, bloggers and computer-security experts found evidence that the attack on RSA had come from China. They also linked the RSA attack to the penetration of computer networks at some of RSA’s most powerful defense-contractor clients—among them, Lockheed Martin, Northrop Grumman, and L-3 Communications. Few details of these episodes have been made public.
The RSA and defense-contractor hacks are among the latest battles in a decade-long spy war. Hackers from many countries have been exfiltrating—that is, stealing—intellectual property from American corporations and the U.S. government on a massive scale, and Chinese hackers are among the main culprits. Because virtual attacks can be routed through computer servers anywhere in the world, it is almost impossible to attribute any hack with total certainty. Dozens of nations have highly developed industrial cyber-espionage programs, including American allies such as France and Israel. And because the People’s Republic of China is such a massive entity, it is impossible to know how much Chinese hacking is done on explicit orders from the government. In some cases, the evidence suggests that government and military groups are executing the attacks themselves. In others, Chinese authorities are merely turning a blind eye to illegal activities that are good for China’s economy and bad for America’s. Last year Google became the first major company to blow the whistle on Chinese hacking when it admitted to a penetration known as Operation Aurora, which also hit Intel, Morgan Stanley, and several dozen other corporations. (The attack was given that name because the word “aurora” appears in the malware that victims downloaded.) Earlier this year, details concerning the most sweeping intrusion since Operation Aurora were discovered by the cyber-security firm McAfee. Dubbed “Operation Shady rat,” the attacks (of which more later) are being reported here for the first time. Most companies have preferred not to talk about or even acknowledge violations of their computer systems, for fear of panicking shareholders and exposing themselves to lawsuits—or for fear of offending the Chinese and jeopardizing their share of that country’s exploding markets. The U.S. government, for its part, has been fecklessly circumspect in calling out the Chinese.
The hacker group Anonymous has declared a cyberwar against the City of Orlando, disabling Web sites for the city’s leading redevelopment organization, the local Fraternal Order of Police and the mayor’s re-election campaign.
Anonymous, a large yet loosely formed group of hackers that claimed responsibility for crashing the Web sites of MasterCard and the Church of Scientology, began attacking the Orlando-based Web sites earlier this week.
The group described its attacks as punishment for the city’s recent practice of arresting members of Orlando Food Not Bombs, an antipoverty group that provides vegan and vegetarian meals twice a week to homeless people in one of the city’s largest parks.
“Anonymous believes that people have the right to organize, that people have the right to give to the less fortunate and that people have the right to commit acts of kindness and compassion,” the group’s members said in a news release and video posted on YouTube on Thursday. “However, it appears the police and your lawmakers of Orlando do not.”
The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.
The Pentagon’s first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country’s military.
In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” said a military official.
Recent attacks on the Pentagon’s own systems—as well as the sabotaging of Iran’s nuclear program via the Stuxnet computer worm—have given new urgency to U.S. efforts to develop a more formalized approach to cyber attacks. A key moment occurred in 2008, when at least one U.S. military computer system was penetrated. This weekend Lockheed Martin, a major military contractor, acknowledged that it had been the victim of an infiltration, while playing down its impact.
This cyber attack didn’t go after people playing war games on their PlayStations. It targeted a company that helps the U.S. military do the real thing.
Lockheed Martin says it was the recent target of a “significant and tenacious” hack, although the defense contractor and the Department of Homeland Security insist the attack was thwarted before any critical data was stolen. The effort highlighted the fact that some hackers, including many working for foreign governments, set their sights on information far more devastating than credit card numbers.
Information security experts say a rash of cyber attacks this year — including a massive security breach at Sony Corp. last month that affected millions of PlayStation users — has emboldened hackers and made them more willing to pursue sensitive information.
“2011 has really lit up the boards in terms of data breaches,” said Josh Shaul, chief technology officer at Application Security, a New York-based company that is one of the largest database security software makers. “The list of targets just grows and grows.”
Iran told atomic inspectors this week that it had run into a serious problem at a newly completed nuclear reactor that was supposed to start feeding electricity into the national grid this month, raising questions about whether the trouble was sabotage, a startup problem, or possibly the beginning of the project’s end.
In a report on Friday, the International Atomic Energy Agency said Iran told inspectors on Wednesday that it was planning to unload nuclear fuel from its Bushehr reactor — the sign of a major upset. For years, Tehran has hailed the reactor as a showcase of its peaceful nuclear intentions and its imminent startup as a sign of quickening progress.
But nuclear experts said the giant reactor, Iran’s first nuclear power plant, now threatens to become a major embarrassment, as engineers remove 163 fuel rods from its core.
Iran gave no reason for the unexpected fuel unloading, but it has previously admitted that the Stuxnet computer worm infected the Bushehr reactor. On Friday, computer experts debated whether Stuxnet was responsible for the surprising development.
Russia, which provided the fuel to Iran, said earlier this month that the worm’s infection of the reactor should be investigated, arguing that it might trigger a nuclear disaster. Other experts said those fears were overblown, but noted that the full workings of the Stuxnet worm remained unclear.
In interviews Friday, nuclear experts said the trouble behind the fuel unloading could range from minor safety issues and operational ineptitude to serious problems that would bring the reactor’s brief operational life to a premature end.
Following Saturday’s New York Times report that the Stuxnet malware targeting Iran’s nuclear program was a joint US-Israeli operation, the Daily Telegraph reports that Russian nuclear scientists are concerned that the Bushehr nuclear plant could suffer catastrophic damage.
Fuel rods were inserted in the new reactor at the end of November and the plant is due to start producing electricity in the coming weeks. Ralph Langner, whose German team first identified Iran’s nuclear program as Stuxnet’s target, says the plant’s steam turbine is vulnerable to attack and in November wrote: “If you blow a 1000 Megawatt turbine, you will very likely be able to see the impact by satellite imagery.”
Russian scientists working at the plant have become so concerned by Iran’s apparent disregard for nuclear safety issues that they have lobbied the Kremlin directly to postpone activation until at least the end of the year, so that a proper assessment can be made of the damage caused to its computer operations by Stuxnet.
The Iranian government is bitterly opposed to any further delay, which it would regard as another blow to national pride on a project that is more than a decade behind schedule. While Western intelligence officials believe Iran’s nuclear programme is aimed at producing nuclear weapons, Iran insists the project’s goals are peaceful.
The Russian scientists’ report to the Kremlin, a copy of which has been seen by The Daily Telegraph, concludes that, despite “performing simple, basic tests” on the Bushehr reactor, the Russian team “cannot guarantee safe activation of the reactor”.
It also accuses the Iranian management team, which is under intense political pressure to stick to the deadline, of “not exhibiting the professional and moral responsibility” that is normally required. They accuse the Iranians of having “disregard for human life” and warn that Russia could find itself blamed for “another Chernobyl” if it allows Bushehr to go ahead.
While it’s natural that the Russians would be concerned about being blamed, in such a scenario it’s a bit difficult to see how US interests would be served if vital shipping lanes and America’s Gulf allies were also put in jeopardy.
An American expert in nuclear intelligence told the New York Times “that Israel worked in collaboration with the United States in targeting Iran, but that Washington was eager for ‘plausible deniability'” — plausible deniability that the US no longer has.
Does this raise the possibility that the US might need to discreetly intervene to prevent an Israeli-made disaster?
On the eve of the release of a new IAEA report on Iran, officials linked to the UN nuclear oversight agency have added to speculation on the possible impact that the Stuxnet malware may have had on Iran’s nuclear program — including the possibility that it could lead to the meltdown of the reactor in the Bushehr nuclear power plant.
Iran’s nuclear program has suffered a recent setback, with major technical problems forcing the temporary shutdown of thousands of centrifuges enriching uranium, diplomats told The Associated Press on Monday.
The diplomats said they had no specifics on the nature of the problem that in recent months led Iranian experts to briefly power down the machines they use for enrichment — a nuclear technology that has both civilian and military uses.
But suspicions focused on the Stuxnet worm, the computer virus thought to be aimed at Iran’s nuclear program, which experts last week identified as being calibrated to destroy centrifuges by sending them spinning out of control.
[…]
Tehran has taken hundreds of centrifuges off line over the past 18 months, prompting speculation of technical problems.
A U.N official close to the IAEA said a complete stop in Iran’s centrifuge operation would be unprecedented to his knowledge but declined to discuss specifics.
[…]
Separately, another official from an IAEA member country suggested the worm could cause further damage to Iran’s nuclear program.
The official also asked for anonymity because his information was privileged. He cited a Western intelligence report suggesting that Stuxnet had infected the control system of Iran’s Bushehr reactor and would be activated once the Russian-built reactor goes on line in a few months.
Stuxnet would interfere with control of “basic parameters” such as temperature and pressure control and neutron flow, that could result in the meltdown of the reactor, raising the specter of a possible explosion, he said.
Reporting on the latest findings on the design of the Stuxnet malware which targeted Iran’s nuclear program, the New York Times says that Ralph Langner — a German software engineer who has been one of the leading investigators — has identified two forms of attack directed at different targets.
In a statement Friday on his Web site, he described two different attack modules that are designed to run on different industrial controllers made by Siemens, the German industrial equipment maker. “It appears that warhead one and warhead two were deployed in combination as an all-out cyberstrike against the Iranian nuclear program,” he wrote.
In testimony before the Senate on Wednesday, federal and private industry officials said that the Iranian nuclear program was a probable target, but they stopped short of saying they had confirming evidence. Mr. Langner said, however, that he had found enough evidence within the programs to pinpoint the intended targets. He described his research process as being akin to being at a crime scene and examining a weapon but lacking a body.
The second code module — aimed at the [Bushehr] nuclear power plant — was written with remarkable sophistication, he said. The worm moves from personal computers to Siemens computers that control industrial processes. It then inserts fake data, fooling the computers into thinking that the system is running normally while the sabotage of the frequency converters is taking place. “It is obvious that several years of preparation went into the design of this attack,” he wrote.
The paternity of the worm is still in dispute, but in recent weeks officials from Israel have broken into wide smiles when asked whether Israel was behind the attack, or knew who was.
Langner says: “Stuxnet is like the arrival of an F-35 fighter jet on a World War I battlefield.”
Why would Israel target a civilian nuclear facility that is generally understood to pose no proliferation threat?
In line with its practice of paying selective attention to international opinion, Israel’s public position has been that Iran should not be “rewarded” for its defiance of the international community by being allowed to operate Bushehr. Moreover, there could also be a political motive for trying to prevent Bushehr from operating successfully, that being, to undermine the credibility of the nuclear program in the eyes of the otherwise widely supportive Iranian public.
Langner says that a cyber attack targeting a nuclear reactor is virtually impossible but that Bushehr’s steam turbine (located outside the containment facility) could be hit and that “Stuxnet can destroy the turbine as effectively as an air strike.”
Like everyone else, the Israelis understand that the most critical part of the infrastructure in Iran’s nuclear program is not made of steel or concrete — it is the expertise of Iran’s nuclear scientists and engineers. (For that reason, Israel’s covert war against Iran apparently includes a “decapitation” program aimed at eliminating the top figures in Iran’s nuclear operations.)
Since many of the skills required to run a civilian nuclear power program are presumably transferable to a military program, sabotage on any of Iran’s nuclear facilities will have the net effect of becoming a drain on the human resources available to advance the program as a whole.
The fact is, after decades of nuclear development, Iran still has precious little to show for its efforts. Keep in mind, the construction of Bushehr began 35 years ago and Iran’s nuclear program was launched in the 1950s!
The latest evidence revealed by two independent groups of researchers studying the code in the Stuxnet malware — the world’s first identified cyber weapon — indicates the Iran’s uranium enrichment facility at Natanz was almost certainly the target for attack. Not only was it aimed at programmable logic controllers that regulate motor speeds in a limited number of applications, mainly in uranium enrichment. Stuxnet would also alter operating speeds in such a way that centrifuges would unpredictably malfunction — the intent clearly being that the sabotage would be both effective yet also go unrecognized as sabotage.
Once Stuxnet has locked its sights on the target, it alternately brings the centrifuge process to either a grinding slowdown or an explosive surge – by sabotaging the centrifuge refining process. It tells the commandeered PLC to force the frequency converter drive to do something it’s not ever supposed to do: Switch back and forth from high speed to low speed at intervals punctuated by long period of normal operation. It also occasionally pushes the centrifuge to far exceed its maximum speed.
“Stuxnet changes the output frequencies and thus the speed of the motors for short intervals over periods of months,” Symantec researcher Eric Chien reported Nov. 12 on his blog. “Interfering with the speed of the motors sabotages the normal operation of the industrial control process.”
Normal operating frequency of the special drive is supposed to be between 807 and 1210 Hz – the higher the hertz, the higher the speed. One hertz means that a cycle is repeated once per second.
Stuxnet “sabotages the system by slowing down or speeding up the motor to different rates at different times,” including sending it up to 1410 Hz, well beyond its intended maximum speed. Such wide swings would probably destroy the centrifuge – or at least wreck its ability to produce refined uranium fuel, others researchers say.
“One reasonable goal for the attack could be to destroy the centrifuge rotor by vibration, which causes the centrifuge to explode” as well as simply degrading the output subtly over time, Ralph Langner, the German researcher who first revealed Stuxnet’s function as a weapon in mid-September, wrote on his blog last week.
All of the circumstantial evidence points in the same direction: Natanz.
The Natanz nuclear centrifuge fuel-refining plant may have been hit first by Stuxnet in mid-2009, said Frank Rieger, a German researcher with Berlin encryption firm GSMK. The International Atomic Energy Agency found a sudden drop in the number of working centrifuges at the Natanz site, he noted in an interview in September.
“It seems like the parts of Stuxnet dealing with PLCs have been designed to work on multiple nodes at once – which makes it fit well with a centrifuge plant like Natanz,” Mr. Rieger says. By contrast, Bushehr is a big central facility with many disparate PLCs performing many different functions. Stuxnet seems focused on replicating its intrusion across a lot of identical units in a single plant, he said.
That and Symantec’s new findings also dovetail nicely with Mr. Langner’s detailed findings in his ongoing dissection of Stuxnet. Parts of the code show Stuxnet causing problems for short periods, then resuming undisturbed operation, Symantec’s findings show. As a result, Langner writes, “the victim, having no clue of being under a cyber attack, will replace broken centrifuges by new ones – until ending in frustration. It’s like a Chinese water torture.”
A defense official quote in this report from the Washington Post says: “Al Qaeda is everywhere.”
That’s the same as saying that anyone who has a blog is “everywhere” — presence on the web is by its nature global. Still, it’s a dubious claim when coming out of the mouth of a US government official because it will inevitably be used to justify the extension of government powers in ways that vastly exceed the size or scope of the threat that they are designed to counter.
The Pentagon’s new Cyber Command is seeking authority to carry out computer network attacks around the globe to protect U.S. interests, drawing objections from administration lawyers uncertain about the legality of offensive operations.
Cyber Command’s chief, Gen. Keith B. Alexander, who also heads the National Security Agency, wants sufficient maneuvering room for his new command to mount what he has called “the full spectrum” of operations in cyberspace.
Offensive actions could include shutting down part of an opponent’s computer network to preempt a cyber-attack against a U.S. target or changing a line of code in an adversary’s computer to render malicious software harmless. They are operations that destroy, disrupt or degrade targeted computers or networks.
But current and former officials say that senior policymakers and administration lawyers want to limit the military’s offensive computer operations to war zones such as Afghanistan, in part because the CIA argues that covert operations outside the battle zone are its responsibility and the State Department is concerned about diplomatic backlash.
The administration debate is part of a larger effort to craft a coherent strategy to guide the government in defending the United States against attacks on computer and information systems that officials say could damage power grids, corrupt financial transactions or disable an Internet provider.
The effort is fraught because of the unpredictability of some cyber-operations. An action against a target in one country could unintentionally disrupt servers in another, as happened when a cyber-warfare unit under Alexander’s command disabled a jihadist Web site in 2008. Policymakers are also struggling to delineate Cyber Command’s role in defending critical domestic networks in a way that does not violate Americans’ privacy.
In an assessment of the dangers posed by cyber-warfare and while noting that the threats posed by cyber-warfare and cyber-espionage are repeatedly being conflated, Seymour Hersh points out that the interests of the National Security Agency and those of hackers coincide: both want communications networks that remain open to interception. But John Arquilla, who has taught since 1993 at the U.S. Naval Postgraduate School in Monterey, argues that privacy and security are complimentary. “We would all be far better off if virtually all civil, commercial, governmental, and military internet and web traffic were strongly encrypted,” he writes in his book, Worst Enemies.
At the same time, cyber-warfare fearmongers like Richard Clarke describe apocalyptic scenarios in which America could be crippled by China, though China’s motives for engaging in such an attack would be hard to fathom.
Within a quarter of an hour, 157 major metropolitan areas have been thrown into knots by a nationwide power blackout hitting during rush hour. Poison gas clouds are wafting toward Wilmington and Houston. Refineries are burning up oil supplies in several cities. Subways have crashed in New York, Oakland, Washington, and Los Angeles. . . . Aircraft are literally falling out of the sky as a result of midair collisions across the country. . . . Several thousand Americans have already died.
Hersh quotes James Lewis, a senior fellow at the Center for Strategic and International Studies, who points out that China is massively invested in the maintenance — not destruction — of America’s economic health: “Current Chinese officials have told me that we’re not going to attack Wall Street, because we basically own it” — a reference to China’s holdings of nearly a trillion dollars in American securities — “and a cyber-war attack would do as much economic harm to us as to you.”
[President Obama’s coordinator for cyber security] Howard Schmidt doesn’t like the term “cyber war.” “The key point is that cyber war benefits no one,” Schmidt told me in an interview at the Old Executive Office Building. “We need to focus on that fact. When people tell me that these guys or this government is going to take down the U.S. military with information warfare I say that, if you look at the history of conflicts, there’s always been the goal of intercepting the communications of combatants — whether it’s cutting down telephone poles or intercepting Morse-code signalling. We have people now who have found that warning about ‘cyber war’ has become an unlikely career path” — an obvious reference to McConnell and Clarke. “All of a sudden, they have become experts, and they get a lot of attention. ‘War’ is a big word, and the media is responsible for pushing this, too. Economic espionage on the Internet has been mischaracterized by people as cyber war.”
Schmidt served in Vietnam, worked as a police officer for several years on a SWAT team in Arizona, and then specialized in computer-related crimes at the F.B.I. and in the Air Force’s investigative division. In 1997, he joined Microsoft, where he became chief of security, leaving after the 9/11 attacks to serve in the Bush Administration as a special adviser for cyber security. When Obama hired him, he was working as the head of security for eBay. When I asked him about the ongoing military-civilian dispute, Schmidt said, “The middle way is not to give too much authority to one group or another and to make sure that we share information with each other.”
Schmidt continued, “We have to protect our infrastructure and our way of life, for sure. We do have vulnerabilities, and we do talk about worst-case scenarios” with the Pentagon and the Department of Homeland Security. “You don’t see a looming war and just wait for it to come.” But, at the same time, “we have to keep our shipping lanes open, to continue to do commerce, and to freely use the Internet.”
How should the power grid be protected? It does remain far too easy for a sophisticated hacker to break into American networks. In 2008, the computers of both the Obama and the McCain campaigns were hacked. Suspicion fell on Chinese hackers. People routinely open e-mails with infected attachments, allowing hackers to “enslave” their computers. Such machines, known as zombies, can be linked to create a “botnet,” which can flood and effectively shut down a major system. Hackers are also capable of penetrating a major server, like Gmail. Guesses about the cost of cyber crime vary widely, but one survey, cited by President Obama in a speech in May, 2009, put the price at more than eight billion dollars in 2007 and 2008 combined. Obama added, referring to corporate cyber espionage, “It’s been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to one trillion dollars.”
One solution is mandated encryption: the government would compel both corporations and individuals to install the most up-to-date protection tools. This option, in some form, has broad support in the technology community and among privacy advocates. In contrast, military and intelligence eavesdroppers have resisted nationwide encryption since 1976, when the Diffie-Hellman key exchange (an encryption tool co-developed by Whitfield Diffie) was invented, for the most obvious of reasons: it would hinder their ability to intercept signals. In this sense, the N.S.A.’s interests align with those of the hackers.
Ben D, a commenter at this site and Arms Control Wonk is skeptical about my assertion that Siemens SCADA software is being used at Iran’s Bushehr nuclear facility. I based that claim on a UPI photograph that led the German industrial security expert, Ralph Langner, to speculate that Bushehr was the intended target of the Stuxnet malware.
These are Ben’s qualms:
Concerning the UPI image of a control panel with a MS look window superimposed that says.. “WinCC Runtime License: Your software license has expired. Please obtain a valid license”, well it doesn’t prove a thing.
First of all, the WinCC window could so easily be a photo- shopped overlay on the image of a process control panel.
Secondly, the Control Panel image is typical of process control panels everywhere and even if the WinCC window was not photo-shopped, what has that got to do with Bushehr. There is nothing else in the image to provide any information whatsoever about the local environment to provide any context as to its locality or purpose.
Thirdly, UPI does not provide a source for anyone claiming that the UPI Photo by Mohammad Kheirkhah is actually Bushehr, they just provide a narrative to imply that it is.
Fourthly, Ralph Lagner is not claiming the UPI image is actually genuine or that it is of Bushehr, he merely prefaces his speculative theory with ” If the picture is authentic, which I have no means of verifying,….”.
Has the image been doctored? I’m not in a position to determine that, but the Hacker Factor Blog did some image analysis and concluded that it was not doctored. He has other reasons for questioning whether it was taken at Bushehr but found no evidence that it had been manipulated with Photoshop.
This image apparently confirms that the photograph is of a computer monitor and the continuity in the ripple pattern across the part of the screen where the WinCC message appears seems to confirm that this was not inserted from a different screen image. (This ripple pattern can be seen both in the blue image and the close-up image.)
So, assuming that the WinCC expired-licence message was actually appearing on that monitor screen, is there any evidence that the monitor and the control system it depicts is in Bushehr?
Frankly, I was willing to accept that UPI was not misrepresenting or incorrectly labeling its photos, but still, some additional analysis was both in order and turned out to be fruitful. There is indeed evidence that this image depicts a Bushehr control system.
The elements in the schematic have a uniform numbering system — UA04B001, UA04B002 etc.
Another UPI photograph appears to show the physical components depicted on the system control monitor. This vessel shown on the right is numbered UA06B002. That particular number doesn’t appear on the monitor image but it’s hard to believe that this is not part of the same system.
OK. But maybe the screen image and the image of an Iranian technician turning a valve were taken some place other than Bushehr.
Well, UPI’s photographer was one among a group of international journalists who were shown around Bushehr in February 2009. They included Jon Leyne, a reporter for the BBC, and a video in his report shows the same assembly of pale gray vessels that appear in the UPI photo. Indeed, an AFP image in the same report shows the same technician, from a different angle, doing his valve-turning performance for the assembled press.
With the evidence that I’ve laid out I will assert with even more confidence that the Bushehr nuclear plant uses Siemens WinCC SCADA software. I also see little reason to doubt that Iranian officials were telling the truth when they said that Stuxnet had been found on personal computers used by the facility’s operators. What I remain skeptical about is their claim that the malware did not penetrate the system. How confident the Iranians are on that question may become evident in the coming months when the plant begins or fails to begin generating electricity.
A USB memory stick carrying the Stuxnet malware is believed to have provided intruders with access to Iran’s nuclear program. The same technique was used in November 2008 to break into CENTCOM, providing a foreign government with unfiltered access to the Pentagon’s command of the wars in Iraq and Afghanistan. Did both attacks come from the same source?
Cyber warfare has quietly grown into a central pillar of Israel’s strategic planning, with a new military intelligence unit set up to incorporate high-tech hacking tactics, Israeli security sources said on Tuesday.
Israel’s pursuit of options for sabotaging the core computers of foes like Iran, along with mechanisms to protect its own sensitive systems, were unveiled last year by the military intelligence chief, Major-General Amos Yadlin.
The government of Prime Minister Benjamin Netanyahu has since set cyber warfare as a national priority, “up there with missile shields and preparing the homefront to withstand a future missile war”, a senior source said on condition of anonymity.
Back in 1997, when the US did not overtly support political assassinations, President Clinton intervened to save the life of Khalid Meshaal. The Hamas political bureau chief had been poisoned by Mossad operatives (carrying stolen Canadian passports) on the streets of Jordan’s capital, Amman.
Clinton wasn’t trying to help Hamas but knew that a peace treaty he had helped broker between Israel and Jordan would be in jeopardy if Prime Minister Netanyahu thought he could disregard the sovereignty of Jordan and carry out assassinations with impunity. Likewise, neither King Hussein nor the Canadian government believed that Israeli actions showing a flagrant disregard for the authority of their respective governments could go unanswered.
Netanyahu would probably have found Clinton’s pressure unpersuasive were it not for the fact that the Israeli operatives had already been arrested. In exchange for their release, the Israelis supplied the antidote that saved Meshaal’s life while also releasing the Hamas spiritual leader Sheikh Ahmed Yassin.
Then came 9/11.
Before long, Yassin had been assassinated, the US was using Israeli methods of torture in its campaign against an amorphous Islamic threat, Israel’s own war crimes were sanctioned by the US in the name of the war on terrorism, and the use of stolen foreign passports by Mossad agents committing murder on foreign soil provoked nothing more than a diplomatic slap on the wrists.
The willingness of this and the previous administration to allow Israel to disregard international law shows that even if the Israel lobby can no longer flourish like a night flower, its power is barely diminished. Even so, the appearance of the Stuxnet malware should be a wake-up call to every government around the world that refuses to place Israel’s national interests above its own.
In its conception, Stuxnet can be viewed very much like a targeted killing — but one designed to attack silently and leave no trace of its origin.
It’s creators understood that they had designed an exceedingly dangerous weapon and so they made sure its damage could be contained. But it seems not to have worked according to plan and so caution got tossed out of the window. Apparently, Israel did what it has done so many times before: pursued what it regarded as its own interests with an utter disregard for the international consequences.
The original infection method, which relied on infected USB drives, included a counter that limited the spread to just three PCs, said [Liam] O Murchu [operations manager with Symantec’s security response]. “It’s clear that the attackers did not want Stuxnet to spread very far,” he said. “They wanted it to remain close to the original infection point.”
O Murchu’s research also found a 21-day propagation window; in other words, the worm would migrate to other machines in a network only for three weeks before calling it quits.
Those anti-propagation measures notwithstanding, Stuxnet has spread widely. Why?
Kaspersky’s [Roel] Schouwenberg [a senior antivirus researcher] believes it’s because the initial attack, which relied on infected USB drives, failed to do what Stuxnet’s makers wanted.
“My guess is that the first variant didn’t achieve its target,” said Schouwenberg, referring to the worm’s 2009 version that lacked the more aggressive propagation mechanisms, including multiple Windows zero-day vulnerabilities. “So they went on to create a more sophisticated version to reach their target.”
That more complex edition, which O Murchu said was developed in March of this year, was the one that “got all the attention,” according to Schouwenberg. But the earlier edition had already been at work for months by then — and even longer before a little-known antivirus vendor from Belarus first found it in June. “The first version didn’t spread enough, and so Stuxnet’s creators took a gamble, and abandoned the idea of making it stealthy,” said Schouwenberg.
In Schouwenberg’s theory, Stuxnet’s developers realized their first attempt had failed to penetrate the intended target or targets, and rather than simply repeat the attack, decided to raise the ante.
“They spent a lot of time and money on Stuxnet,” Schouwenberg said. “They could try again [with the USB-only vector] and maybe fail again, or they could take the risk of it spreading by adding more functionality to the worm.”
O Murchu agreed that it was possible the worm’s creators had failed to infect, and thus gain control, of the industrial systems running at their objective(s), but said the code itself didn’t provide clear clues.
What is clear, O Murchu said in a news conference Friday morning, is that Stuxnet evolved over time, adding new ways to spread on networks in the hope of finding specific PLCs (programming logic control) hardware to hijack. “It’s possible that [the attackers] didn’t manage to get to all of their targets [with the earlier version],” O Murchu said. “The increased sophistication of Stuxnet in 2010 may indicate that they had not reached their target.”
With the proliferation of Stuxnet, Schouwenberg said that the country or countries that created the worm may have themselves been impacted by its spread. But that was likely a calculated risk the worm’s developers gladly took.
And that risk may have been quite small. “Perhaps they knew that their own critical infrastructure wouldn’t be affected by Stuxnet because it’s not using Siemens PLCs,” Schouwenberg said.
The danger now posed by Stuxnet is not simply through its direct proliferation but by virtue of the fact that it provides a blueprint that can be adapted by other parties who would otherwise lack the resources to create malware this sophisticated from scratch.
What might have been conceived as a tool to prevent the creation of a weapon of mass destruction could itself be turned into a WMD.
“Stuxnet opened Pandora’s box,” said Ralph Langner, a German researcher whose early analysis of the worm’s ability to target control systems raised public awareness of the threat. “We don’t need to be concerned about Stuxnet, but about the next-generation malware we will see after Stuxnet.”
Sean McGurk, director of the U.S. National Cybersecurity and Communications Integration Center at the Department of Homeland Security, said that the department posted its first report to industry recommending steps to mitigate the effects of Stuxnet on July 15. But “not even two days later,” he said, a hacker Web site posted the code so that others could use it to exploit the vulnerabilities in Microsoft.
“So we know that once the information is out in the wild, people are taking it and they’re modifying it,” he said.
In other words, what started as an Israeli cyber attack on nuclear installations in Iran could end up crashing the US powergrid or causing havoc anywhere else on the globe.
Even before Stuxnet loomed over the horizon, serious warnings were being issued about the United States’ vulnerability to a crippling cyber attack, yet thus far none of those raising the alarm have pointed to the ways in which Israel’s cyber warfare capabilities may now indirectly or directly threaten the United States and its interests.
– – –
Late last year, 60 Minutes reported on America’s vulnerability to a major cyber attack.
Ever since speculation began, suggesting that Israel is the source of the Stuxnet malware, there has been a buzz of excitement in the Zionist corner of the blogosphere. The DEBKAfile — trusted source for pro-Israel fantasists all over the world — declared that if it turns out that millions of Iranian industrial units have been hit, “this cyber weapon attack on Iran would be the greatest ever.”
Glee at such a prospect is not shared by observers who lack the Zionist pathological obsession with Iran.
Stephen Spoonamore, a veteran cybersecurity consultant interviewed by NPR said: “I can think of very few stupider blowback decisions” than to release code that controls most of the worlds’ hydroelectric dams or many of the world’s nuclear plants or many of the world’s electrical switching stations.
The Stuxnet computer worm has wreaked havoc in China, infecting millions of computers around the country, state media reported this week.
Stuxnet is feared by experts around the globe as it can break into computers that control machinery at the heart of industry, allowing an attacker to assume control of critical systems like pumps, motors, alarms and valves.
It could, technically, make factory boilers explode, destroy gas pipelines or even cause a nuclear plant to malfunction.
The virus targets control systems made by German industrial giant Siemens commonly used to manage water supplies, oil rigs, power plants and other industrial facilities.
“This malware is specially designed to sabotage plants and damage industrial systems, instead of stealing personal data,” an engineer surnamed Wang at antivirus service provider Rising International Software told the Global Times.
“Once Stuxnet successfully penetrates factory computers in China, those industries may collapse, which would damage China’s national security,” he added.
Another unnamed expert at Rising International said the attacks had so far infected more than six million individual accounts and nearly 1,000 corporate accounts around the country, the official Xinhua news agency reported.
Jeffrey Carr, author of “Inside Cyber Warfare,” describes what he believes is the first example of Stuxnet’s destructive power: the loss of India’s INSAT-4B communications satellite which shut down in July. The satellite’s control systems use Siemens S7-400 PLC and SIMATIC WinCC software, both of which are targeted by Stuxnet.
If speculation that Stuxnet was created by Israel has been driven by the circumstantial evidence that Israel’s nemesis Iran appears to have been the primary target, there is now some subtle but concrete evidence again pointing in Israel’s direction.
Buried in Stuxnet’s code is a marker with the digits “19790509” that the researchers believe is a “do-not infect” indicator. If the marker equals that value, Stuxnet stops in its tracks, and does not infect the targeted PC.
The researchers — Nicolas Falliere, Liam O Murchu and Eric Chen — speculated that the marker represents a date: May 9, 1979.
“While on May 9, 1979, a variety of historical events occurred, according to Wikipedia “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community,” the researchers wrote.
Elghanian, a prominent Jewish-Iranian businessman, was charged with spying for Israel by the then-new revolutionary government of Iran, and executed May 9, 1979.
Deep inside the computer worm that some specialists suspect is aimed at slowing Iran’s race for a nuclear weapon lies what could be a fleeting reference to the Book of Esther, the Old Testament tale in which the Jews pre-empt a Persian plot to destroy them.
That use of the word “Myrtus” — which can be read as an allusion to Esther — to name a file inside the code is one of several murky clues that have emerged as computer experts try to trace the origin and purpose of the rogue Stuxnet program, which seeks out a specific kind of command module for industrial equipment.
Not surprisingly, the Israelis are not saying whether Stuxnet has any connection to the secretive cyberwar unit it has built inside Israel’s intelligence service. Nor is the Obama administration, which while talking about cyberdefenses has also rapidly ramped up a broad covert program, inherited from the Bush administration, to undermine Iran’s nuclear program. In interviews in several countries, experts in both cyberwar and nuclear enrichment technology say the Stuxnet mystery may never be solved.
There are many competing explanations for myrtus, which could simply signify myrtle, a plant important to many cultures in the region. But some security experts see the reference as a signature allusion to Esther, a clear warning in a mounting technological and psychological battle as Israel and its allies try to breach Tehran’s most heavily guarded project. Others doubt the Israelis were involved and say the word could have been inserted as deliberate misinformation, to implicate Israel.
The same report cites Shai Blitzblau, the technical director and head of the computer warfare laboratory at Maglan, an Israeli company specializing in information security, who said he was “convinced that Israel had nothing to do with Stuxnet.”
“We did a complete simulation of it and we sliced the code to its deepest level,” he said. “We have studied its protocols and functionality. Our two main suspects for this are high-level industrial espionage against Siemens and a kind of academic experiment.”
Did Blitzblau present his findings at this week’s VB Conference in Vancouver where Stuxnet was the focus of attention? No — which is not surprising given his vacuous claim to have studied the code at its deepest level while other experts say it will take months to penetrate the thousands of lines of code contained in a 500kB piece of software.
As for why Israeli programmers would have inserted clues about about authorship deep inside the malware, the most obvious explanation would be the most prosaic: pride.
Even when the utmost secrecy is called for, there are those who cannot resist the temptation to leave their mark.
As for the significance of another finding — June 24, 2012 is the “kill date” after which the worm will refuse to execute — again, we can only speculate.
Is this the cut-off point for Israel’s campaign of cyber warfare against Iran after which will come the time for real war? Right in the run up to the 2012 US presidential election.
This website or its third-party tools use cookies, which are necessary to its functioning. By closing this banner, you agree to the use of cookies.Ok
