Cyberwar: Iran's nuclear plants targetted by Stuxnet worm

[SandsofTime]

Stuxnet worm hits Iran nuclear plant staff computers

A complex computer worm has infected the personal computers of staff at Iran's first nuclear power station, the official IRNA news agency reported.

However, the operating system at the Bushehr plant - due to go online in a few weeks - has not been harmed, project manager Mahmoud Jafari said.

The Stuxnet worm is capable of seizing control of industrial plants.

Some Western experts say its complexity suggests it could only have been created by a "nation state".
Continue reading the main story
“Start Quote

An electronic war has been launched against Iran”

End Quote Mahmoud Liayi Ministry of industries

It is the first sign that Stuxnet, which targets systems made by the German company Siemens, has reached equipment linked to Iran's nuclear programme.

The West fears Iran's ultimate goal is to build nuclear weapons. Iran says its programme is aimed solely at peaceful energy use.

Stuxnet is tailored to target weaknesses in Siemens systems used to manage water supplies, oil rigs, power plants and other utilities.
'Electronic war'

The fact that Stuxnet has now been detected on the personal computers of staff will have no impact on plans to make the Bushehr plant operational next month, Mr Jafari said.

A team is now trying to remove the malicious software, or malware, from several affected computers, he told IRNA.

It is believed to be the first-known worm designed to target major infrastructure facilities.

A working group of experts met last week to discuss ways of fighting the worm, which Mr Liayi said has now infected about 30,000 IP addresses in Iran.

BBC News - Stuxnet worm hits Iran nuclear plant staff computers

 

[SandsofTime]

US does not know source, purpose of Stuxnet worm: official

ARLINGTON, Virginia — The United States is analyzing the "Stuxnet" computer worm but does not know who is behind it or its purpose, a top US cybersecurity official said Friday.

"One of our hardest jobs is attribution and intent," Sean McGurk, director of the National Cybersecurity and Communications Integration Center (NCCIC), told reporters.

"We've conducted analysis on the software itself," McGurk said during a tour of the Department of Homeland Security facility outside Washington which is responsible for coordinating government cybersecurity operations.

"It's very difficult to say 'This is what it was targeted to do,'" he said of Stuxnet, which some computer security experts have said may be intended to sabotage a nuclear facility in Iran.

The worm has been found lurking on Siemens systems in India, Indonesia, Pakistan and elsewhere, but the heaviest infiltration appears to be in Iran, according to software security researchers.

McGurk said Stuxnet had been found not only in power facilities but water purification or chemical plants which use the particular Siemens system it targets.

"We haven't seen any impacts or effects of what it does," he said. "We know that it's not doing anything specifically malicious right now."

McGurk said he could not say who is behind the worm. "It would be premature to speculate at this time," he said.

"We're not looking for where it came from but trying to prevent the spread," he said, adding that Siemens is "reaching out to their customer base" to deal with the infection.

Stuxnet is able to recognize a specific facility's control network and then destroy it, according to German computer security researcher Ralph Langner, who has been analyzing Stuxnet since it was discovered in June.

Stuxnet was tailored for Siemens supervisory control and data acquisition (SCADA) systems commonly used to manage water supplies, oil rigs, power plants and other industrial facilities.

Langner suspected Stuxnet's target was the Bushehr nuclear facility in Iran. Unspecified problems have been blamed for a delay in getting the facility fully operational.

AFP: US does not know source, purpose of Stuxnet worm: official

 

[SandsofTime]

Was Stuxnet Built to Attack Iran's Nuclear Program?

By Robert McMillan, IDG News

A highly sophisticated computer worm that has spread through Iran, Indonesia and India was built to destroy operations at one target: possibly Iran's Bushehr nuclear reactor.
That's the emerging consensus of security experts who have examined the Stuxnet worm. In recent weeks, they've broken the cryptographic code behind the software and taken a look at how the worm operates in test environments. Researchers studying the worm all agree that Stuxnet was built by a very sophisticated and capable attacker -- possibly a nation state -- and it was designed to destroy something big.

Though it was first developed more than a year ago, Stuxnet was discovered in July 2010, when a Belarus-based security company discovered the worm on computers belonging to an Iranian client. Since then it has been the subject of ongoing study by security researchers who say they've never seen anything like it before. Now, after months of private speculation, some of the researchers who know Stuxnet best say that it may have been built to sabotage Iran's nukes.

Last week Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran's Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm's attack.

Experts had first thought that Stuxnet was written to steal industrial secrets -- factory formulas that could be used to build counterfeit products. But Langner found something quite different. The worm actually looks for very specific Siemens settings -- a kind of fingerprint that tells it that it has been installed on a very specific Programmable Logic Controller (PLC) device -- and then it injects its own code into that system.

Because of the complexity of the attack, the target "must be of extremely high value to the attacker," Langner wrote in his analysis.

Langner is set to present his findings at a closed-door security conference in Maryland this week, which will also feature a technical discussion from Siemens engineers. Langner said he wasn't yet ready to speak to a reporter at length ("the fact of the matter is this stuff is so bizarre that I have to make up my mind how to explain this to the public," he said via e-mail) but others who have examined his data say that it shows that whoever wrote Stuxnet clearly had a specific target in mind. "It's looking for specific things in specific places in these PLC devices. And that would really mean that it's designed to look for a specific plant," said Dale Peterson, CEO of Digital Bond.

This specific target may well have been Iran's Bushehr reactor, now under construction, Langner said in a blog posting. Bushehr reportedly experienced delays last year, several months after Stuxnet is thought to have been created, and according to screen shots of the plant posted by UPI, it uses the Windows-based Siemens PLC software targeted by Stuxnet.

Peterson believes that Bushehr was possibly the target. "If I had to guess what it was, yes that's a logical target," he said. "But that's just speculation."

Langner thinks that it's possible that Bushehr may have been infected through the Russian contractor that is now building the facility, JSC AtomStroyExport. Recently AtomStroyExport had its Web site hacked, and some of its Web pages are still blocked by security vendors because they are known to host malware. This is not an auspicious sign for a company contracted with handling nuclear secrets.

Tofino Security Chief Technology Officer Eric Byres is an industrial systems security expert who has tracked Stuxnet since it was discovered. Initially he thought it was designed for espionage, but after reading Langner's analysis, he's changed his mind. "I guessed wrong, I really did," he said. "After looking at the code that Ralph hauled out of this thing, he's right on."

One of the things that Langner discovered is that when Stuxnet finally identifies its target, it makes changes to a piece of Siemens code called Organizational Block 35. This Siemens component monitors critical factory operations -- things that need a response within 100 milliseconds. By messing with Operational Block 35, Stuxnet could easily cause a refinery's centrifuge to malfunction, but it could be used to hit other targets too, Byres said. "The only thing I can say is that it is something designed to go bang," he said.

Whoever created Stuxnet developed four previously unknown zero-day attacks and a peer-to-peer communications system, compromised digital certificates belonging to Realtek Semiconductor and JMicron Technology, and displayed extensive knowledge of industrial systems. This is not something that your run-of-the-mill hacker can pull off. Many security researchers think that it would take the resources of a nation state to accomplish.

Last year, rumors began surfacing that Israel might be contemplating a cyber attack on Iran's nuclear facilities.

Bushehr is a plausible target, but there could easily be other facilities -- refineries, chemical plants or factories that could also make valuable targets, said Scott Borg, CEO of the U.S. Cyber Consequences Unit, a security advisory group. "It's not obvious that it has to be the nuclear program," he said. "Iran has other control systems that could be targeted."

Iranian government representatives did not return messages seeking comment for this story, but sources within the country say that Iran has been hit hard by the worm. When it was first discovered, 60 percent of the infected Stuxnet computers were located in Iran, according to Symantec.

Now that the Stuxnet attack is public, the industrial control systems industry has come of age in an uncomfortable way. And clearly it will have more things to worry about

"The problem is not Stuxnet. Stuxnet is history," said Langner in an e-mail message. "The problem is the next generation of malware that will follow."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Was Stuxnet Built to Attack Iran's Nuclear Program? - PCWorld Business Center

 

[Markus]

Its hard to believe that US (and/or Israel) is not behind this. Stuxnet is doing exactly what the they want to do.

The very fact that Stuxnet is affecting only Siemens C/S (which are the ones also known to be employed at Iran's nuclear plant (as reports suggest), this is extremely planned work pointing to those ppl who are are against Iran's nuclear ambitions.

Its anybody's guess as to those ppl are.....

 

[SandsofTime]

Yup. All fingers are pointed in US Israeli directions. I hope they don't take things too far and set something on destruct mode and make it look like a nuclear accident by Iran.

 

[Markus]

Yup. All fingers are pointed in US Israeli directions. I hope they don't take things too far and set something on destruct mode and make it look like a nuclear accident by Iran.

On the contrary, I want Stuxnet to execute what it was created for. If Stuxnet succeeds in disabling Iran's nuclear plant (atleast some critical C/S components - SCADA, PLC and DCS), we can actually prevent a war, thousands of lives can be saved.

If req., Stuxnet may infuse malicious ladder programming code which may result in some industrial fireworks , again that is a better option, atleast then US or Israel will not have an excuse to go war with Iran.

 

[SpArK]

Stuxnet worm 'targeted high-value Iranian assets​

Some have speculated the intended target was Iran's nuclear power plant



One of the most sophisticated pieces of malware ever detected was probably targeting "high value" infrastructure in Iran, experts have told the BBC.

Stuxnet's complexity suggests it could only have been written by a "nation state", some researchers have claimed.

It is believed to be the first-known worm designed to target real-world infrastructure such as power stations, water plants and industrial units.

It was first detected in June and has been intensely studied ever since.

"The fact that we see so many more infections in Iran than anywhere else in the world makes us think this threat was targeted at Iran and that there was something in Iran that was of very, very high value to whomever wrote it," Liam O'Murchu of security firm Symantec, who has tracked the worm since it was first detected, told BBC News.




Some have speculated that it could have been aimed at disrupting Iran's delayed Bushehr nuclear power plant or the uranium enrichment plant at Natanz.

However, Mr O'Murchu and others, such as security expert Bruce Schneier, have said that there was currently not enough evidence to draw conclusions about what its intended target was or who had written it.

Initial research by Symantec showed that nearly 60% of all infections were in Iran. That figure still stands, said Mr O'Murchu, although India and Indonesia have also seen relatively high infection rates.

'Rare package'
Stuxnet was first detected in June by a security firm based in Belarus, but may have been circulating since 2009.

Unlike most viruses, the worm targets systems that are traditionally not connected to the internet for security reasons.

Instead it infects Windows machines via USB keys - commonly used to move files around - infected with malware.

Once it has infected a machine on a firm's internal network, it seeks out a specific configuration of industrial control software made by Siemens.

The worm searches out industrial systems made by Siemens



Once hijacked, the code can reprogram so-called PLC (programmable logic control) software to give attached industrial machinery new instructions.

"[PLCs] turn on and off motors, monitor temperature, turn on coolers if a gauge goes over a certain temperature," said Mr O'Murchu.

"Those have never been attacked before that we have seen."

If it does not find the specific configuration, the virus remains relatively benign.

However, the worm has also raised eyebrows because of the complexity of the code used and the fact that it bundled so many different techniques into one payload.

"There are a lot of new, unknown techniques being used that we have never seen before," he said These include tricks to hide itself on PLCs and USB sticks as well as up to six different methods that allowed it to spread.

In addition, it exploited several previously unknown and unpatched vulnerabilities in Windows, known as zero-day exploits.

"It is rare to see an attack using one zero-day exploit," Mikko Hypponen, chief research officer at security firm F-Secure, told BBC News. "Stuxnet used not one, not two, but four."

He said cybercriminals and "everyday hackers" valued zero-day exploits and would not "waste" them by bundling so many together.

Microsoft has so far patched two of the flaws.

'Nation state'

Mr O'Murchu agreed and said that his analysis suggested that whoever had created the worm had put a "huge effort" into it.

"It is a very big project, it is very well planned, it is very well funded," he said. "It has an incredible amount of code just to infect those machines."


His analysis is backed up by other research done by security firms and computer experts.

"With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge," said Ralph Langner, an industrial computer expert in an analysis he published on the web.

"This is not some hacker sitting in the basement of his parents' house. To me, it seems that the resources needed to stage this attack point to a nation state," he wrote.

Mr Langner, who declined to be interviewed by the BBC, has drawn a lot of attention for suggesting that Stuxnet could have been targeting the Bushehr nuclear plant.

In particular, he has highlighted a photograph reportedly taken inside the plant that suggests it used the targeted control systems, although they were "not properly licensed and configured".

Mr O'Murchu said no firm conclusions could be drawn.

However, he hopes that will change when he releases his analysis at a conference in Vancouver next week.

"We are not familiar with what configurations are used in different industries," he said.

Instead, he hopes that other experts will be able to pore over their research and pinpoint the exact configuration needed and where that is used.

'Limited success'
A spokesperson for Siemens, the maker of the targeted systems, said it would not comment on "speculations about the target of the virus".

He said that Iran's nuclear power plant had been built with help from a Russian contractor and that Siemens was not involved.

"Siemens was neither involved in the reconstruction of Bushehr or any nuclear plant construction in Iran, nor delivered any software or control system," he said. "Siemens left the country nearly 30 years ago."

Siemens said that it was only aware of 15 infections that had made their way on to control systems in factories, mostly in Germany. Symantec's geographical analysis of the worm's spread also looked at infected PCs.

"There have been no instances where production operations have been influenced or where a plant has failed," the Siemens spokesperson said. "The virus has been removed in all the cases known to us."

He also said that according to global security standards, Microsoft software "may not be used to operate critical processes in plants".

It is not the first time that malware has been found that affects critical infrastructure, although most incidents occur accidentally, said Mr O'Murchu, when a virus intended to infect another system accidentally wreaked havoc with real-world systems.

In 2009 the US government admitted that software had been found that could shut down the nation's power grid.

And Mr Hypponen said that he was aware of an attack - launched by infected USB sticks - against the military systems of a Nato country.

"Whether the attacker was successful, we don't know," he said.


BBC News - Stuxnet worm 'targeted high-value Iranian assets'

 

[Super Falcon]

well whatever is happeneing in the world no only this world USA and israel is behind each and everything for sure no doubt on it

 

[SpArK]

well whatever is happeneing in the world no only this world USA and israel is behind each and everything for sure no doubt on it

Thank u for not adding India in the list for the first time..

good going . Cheers.

 

[Super Falcon]

hahahahah yes why you indian always think that we blame all the time india but fact is fact india is a problematic country in asia for sure but im not fully against india im against indian policies not indian nation i respect indian nation who are peace lovers

 

[Pasban]

Computer attacks linked to wealthy group or nation

09/26/10
LOLITA C. BALDOR, Associated Press Writer
Email this story to a friend

WASHINGTON (AP) — A powerful computer code attacking industrial facilities around the world, but mainly in Iran, probably was created by experts working for a country or a well-funded private group, according to an analysis by a leading computer security company.

The malicious code, called Stuxnet, was designed to go after several "high-value targets," said Liam O Murchu, manager of security response operations at Symantec Corp. But both O Murchu and U.S. government experts say there's no proof it was developed to target nuclear plants in Iran, despite recent speculation from some researchers.

Creating the malicious code required a team of as many as five to 10 highly educated and well-funded hackers. Government experts and outside analysts say they haven't been able to determine who developed it or why.

The malware has infected as many as 45,000 computer systems around the world. Siemens AG, the company that designed the system targeted by the worm, said it has infected 15 of the industrial control plants it was apparently intended to infiltrate. It's not clear what sites were infected, but they could include water filtration, oil delivery, electrical and nuclear plants.

None of those infections has adversely affected the industrial systems, according to Siemens.

U.S. officials said last month that the Stuxnet was the first malicious computer code specifically created to take over systems that control the inner workings of industrial plants.

The Energy Department has warned that a successful attack against critical control systems "may result in catastrophic physical or property damage and loss."

Symantec's analysis of the code, O Murchu said, shows that nearly 60 percent of the computers infected with Stuxnet are in Iran. An additional 18 percent are in Indonesia. Less than 2 percent are in the U.S.

"This would not be easy for a normal group to put together," said O Murchu. He said "it was either a well-funded private entity" or it "was a government agency or state sponsored project" created by people familiar with industrial control systems.

A number of governments with sophisticated computer skills would have the ability to create such a code. They include China, Russia, Israel, Britain, Germany and the United States. But O Murchu said no clues have been found within the code to point to a country of origin.

Iran's nuclear agency has taken steps to combat the computer worm that has affected industrial sites in the country,ghout the country, including its first nuclear power station just weeks before it was set to go online. Experts from the Atomic Energy Organization of Iran met this past week to discuss how to remove the malware, according to the semiofficial ISNA news agency.

The computer worm, which can be carried or transmitted through portable thumb drives, also has affected the personal computers of staff working at the plant, according to IRNA, Iran's official news agency. The news agency said it has not caused any damage to the plants major systems.

German security researcher Ralph Langner, who has also analyzed the code, told a computer conference in Maryland this month that his theory is that Stuxnet was created to go after the nuclear program in Iran. He acknowledged, though, that the idea is "completely speculative."

O Murchu said there are a number of other possibilities for targets, including oil pipelines. He said Symantec soon will release details of its study in the hope that industrial companies or experts will recognize the specific system configuration being targeted by the code and know what type of plant uses it.

At the Homeland Security Department's National Cybersecurity & Communications Integration Center, a top U.S. cyberofficial on Friday displayed a portable flash drive containing the Stuxnet code and said officials have been studying it in the lab.

"I've let this run wild to see what it would do," said Sean McGurk, director of the cyberoperations center. "So far we haven't seen a lot of smoke coming out, so we know it's not doing anything specifically malicious right now."

Experts at the Energy Department's Idaho National Laboratory have been analyzing it.

McGurk said that "it's very difficult to know what the code was developed for. When you talk about specifically attributing it to a facility with a set purpose from a nation-state actor or criminal actor or 'hacktivist,' it's very difficult for us to say specifically, 'This is what it was targeted to do.'"

Experts in Germany discovered the worm, and German officials transmitted the malware to the U.S. through a secure network. The two computer servers controlling the malware were in Malaysia and Denmark, O Murchu said, but both were shut down after they were discovered by computer security experts earlier this summer.

In plain terms, the worm was able to burrow into some operating systems that included software designed by Siemens AG, by exploiting a vulnerability in several versions of Microsoft Windows.

Unlike a virus, which is created to attack computer code, a worm is designed to take over systems, such as those that open doors or turn physical processes on or off.

Alva Review/Courier

 

[Pasban]

On the contrary, I want Stuxnet to execute what it was created for. If Stuxnet succeeds in disabling Iran's nuclear plant (atleast some critical C/S components - SCADA, PLC and DCS), we can actually prevent a war, thousands of lives can be saved.

How exactly does disabling a civilian nuclear power plant prevent a war and save lives? The only situation where a risk to human life would be a consequence would be in the case of a melt down. I would deem an attack as such to only heighten tensions further.

 

[muse]

Even if the "usual suspects" were behind this attack, what we must prepare for is that in this war, it's mostly a war among equals and the most important elements are analysis and delivery.

 

[Cheetah786]

On the contrary, I want Stuxnet to execute what it was created for. If Stuxnet succeeds in disabling Iran's nuclear plant (atleast some critical C/S components - SCADA, PLC and DCS), we can actually prevent a war, thousands of lives can be saved.

If req., Stuxnet may infuse malicious ladder programming code which may result in some industrial fireworks , again that is a better option, atleast then US or Israel will not have an excuse to go war with Iran.

A highly sophisticated computer worm that has spread through Iran, Indonesia and India.

Markus will be ok with this destroying indian nuclear reactors critical C/S components - SCADA, PLC and DCS, we can actually prevent a war, thousands of lives can be saved or thats no acceptable.

 

[Markus]

How exactly does disabling a civilian nuclear power plant prevent a war and save lives? The only situation where a risk to human life would be a consequence would be in the case of a melt down. I would deem an attack as such to only heighten tensions further.

Please dont get me wrong. I am not advocating a scenario nor will I be happy if there is loss of life in Iran, but I fully support US/Israel in preventing Iran from going nuclear, for multiple reasons which I would not like to discuss here since this thread is meant for something else.

I have a degree in control and instrumentation engg. and have also been exposed to industrial environment involving control systems. Though I was in a chemical plant and not a nuclear plant but again, the control systems are meant to control a process, irrespective of the industry.

With whatever knowledge I gained thru my studies and the my exp. in handling the PLC and DCS (Siemens and Tata Honeywell), I feel that Stuxnet is a fantastic achievement, if it achieves what it is supposed to do.

I dont think the core meltdown is what Stuxnet may be seeking out. As several articles suggest, that faulty ladder programming may also be infused, this can keep crippling (or we can say "tripping") the critical systems or sub systems within a plant.

As you may be knowing, there are lot many other systems in addition to a nuclear reactor, causing damage or preventing other parts to function properly will keep on delaying or temporarily disabling the plant, thereby achieving the mission objectives slowly but steadily.

Obviously, your opinion does not match mine, but its not necessary it should!

---------- Post added at 10:35 PM ---------- Previous post was at 10:34 PM ----------

Markus will be ok with this destroying indian nuclear reactors critical C/S components - SCADA, PLC and DCS, we can actually prevent a war, thousands of lives can be saved or thats no acceptable.

I am not OK with a nuclear meltdown, dont put words in my mouth.
Everybody has their own opinion, understand that.

If Stuxnet is US/Israel sponsored and their motive is to prevent Iran from enabling a nuclear plant and if Stuxnet succeeds in doing that, the proposal to launch a military strike against Iran, then falls flat.