Reverse engineering how something like this was created is mind-boggling. The initial intelligence gathering on the target systems, developing the plan of attack, recruiting experts on the Siemens hardware and physicists to explain the things that could go wrong; development and QA must have been grueling, since the expense of failure is so great! Never mind the deployment and monitoring to see if it was effective! They probably recreated the entire environment to test different ways to cause havoc.
Stuxnet recorded various data points while the cascades and centrifuges operated normally, in order to replay this data to operators once the sabotage began. They must have had a working system to test this on?! The budget for something like this is probably in the tens of millions if not more. The HR requirement must have been pretty large too. Analysts to gather information, managers, programmers, QA, Siemens hardware experts, physicists, deployment, monitoring, etc, etc.
> The budget for something like this is probably in the tens of millions if not more.
Absolutely. This was a massive defense spending project by any measure. How many people do you think worked on it? Assuming the project was highly compartmentalized, I would estimate that there are at least SIX subteams currently working on the next Stuxnet.
- 0-day exploitation of PCs. How big is the team responsible for discovering / purchasing 0-day exploits?
- Hardware/firmware-level infection. This would require expert knowledge of the specific control systems.
- Networking / infrastructure. This requires an intimate knowledge of target network topology.
- Boots-on-the-ground payload delivery (nontechnical).
- Spear-phishing payload delivery. Perhaps the points of entry were several levels removed from the actual target facility (e.g., security guards' wives' laptops).
- Testing / QA.
All of this of course has to be backed up by world-class intelligence support, which I shan't address further. The technical feats of developing this alone are astounding and intriguing.
In the David Sanger article published in the Times attributing Stuxnet to the US/Israel, this bit really struck me:
"One day, toward the end of Mr. Bush’s term, the rubble of a centrifuge was spread out on the conference table in the Situation Room, proof of the potential power of a cyberweapon. The worm was declared ready to test against the real target: Iran’s underground enrichment plant."
And I don't mean to stray off Stuxnet here, but just really quickly: the chosen-prefix collision attack used to sign the Windows Update malware (FLAME), also suspected of being from the US, was a never-before-published variant.
The computing power alone was on the order of $200k, and makes you wonder what else the NSA or the national labs have up their sleeves.
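What a chosen-prefix collision actually buys an attacker, as an added example that is not from this thread and is not Flame's code or the real MD5 cryptanalysis: two certificate bodies the attacker picks freely, a pair of suffixes that make them hash alike, and then a single CA signature that validates both. The digest here is SHA-256 truncated to 24 bits so that a generic birthday search finds the collision instantly, which stands in for the structured, compute-heavy attack the real MD5 forgery needed; the CA signature is an HMAC stand-in for RSA; the certificate strings and the idea of parking the collision suffix in an extension field are assumptions for the demo.

```python
"""Toy chosen-prefix collision and what it buys against hash-then-sign.
Added example for this thread, not Flame's code or the real MD5 attack: the
digest is SHA-256 truncated to 24 bits so a generic birthday search finishes
instantly, and the CA "signature" is an HMAC stand-in (both assumptions)."""
import hashlib
import hmac
import os

HASH_BITS = 24  # deliberately tiny; the real attack needs MD5's internal structure


def weak_hash(msg):
    """Stand-in for MD5. Truncation, not SHA-256, is what makes it breakable."""
    return hashlib.sha256(msg).digest()[: HASH_BITS // 8]


def chosen_prefix_collision(prefix_a, prefix_b):
    """Return suffixes (sa, sb) with weak_hash(prefix_a+sa) == weak_hash(prefix_b+sb).
    Both prefixes are attacker-chosen and may differ arbitrarily; the collision
    lives in the appended bytes. Birthday search: ~2**(HASH_BITS/2) work."""
    table = {}
    counter = 0
    while True:
        sa = counter.to_bytes(4, "big")
        table[weak_hash(prefix_a + sa)] = sa
        sb = (counter ^ 0x5A5A5A5A).to_bytes(4, "big")   # independent suffix stream
        digest = weak_hash(prefix_b + sb)
        if digest in table:
            return table[digest], sb
        counter += 1


CA_KEY = os.urandom(32)  # stand-in for the CA private key (assumption: HMAC, not RSA)


def ca_sign(cert):
    """Hash-then-sign: the CA commits only to weak_hash(cert), never to cert."""
    return hmac.new(CA_KEY, weak_hash(cert), "sha256").digest()


def ca_verify(cert, sig):
    return hmac.compare_digest(ca_sign(cert), sig)


def forge_demo():
    """Request a harmless cert, get it signed, reuse the signature on a rogue twin.
    Returns (benign_verifies, rogue_verifies, certs_differ)."""
    benign = b"CN=example-web; usage=serverAuth; ext="       # constructed cert bodies
    rogue = b"CN=example-signer; usage=codeSigning; ext="
    sa, sb = chosen_prefix_collision(benign, rogue)
    benign_cert, rogue_cert = benign + sa, rogue + sb         # suffix hides in an extension
    sig = ca_sign(benign_cert)                                # CA only ever sees the benign one
    return ca_verify(benign_cert, sig), ca_verify(rogue_cert, sig), benign_cert != rogue_cert


if __name__ == "__main__":
    print(forge_demo())  # (True, True, True)
```

The point to hold onto is that the CA never sees the rogue certificate: it signs a digest, and the digest is all the signature binds. That is why a collision-prone hash has to be retired from signing outright, regardless of how careful the CA's issuance process is, and why the Flame cert was a signing-chain problem rather than a key-theft problem.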
> They must have had a working system to test this on?!
The speculation is that Stuxnet was tested on P-1 centrifuges that the US acquired when Libya dismantled its nuclear program, set up in Israel's nuclear arms facility in Dimona. [1]
[1] http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet...
We cannot begin to imagine the extent to which world military powers are currently developing and deploying cyberweapons.
Given the success of Stuxnet, it's nearly certain that such offensive cyberwarfare programs have gotten increased funding and support from the highest levels of command. From the article, Stuxnet 0.5 C&C servers first went online in 2005. 2005! George W. Bush ordered the deployment of Stuxnet!
I personally cannot wait to hear about what the cyberweapons of 2013 look like.
"The 2007 variant resolves that mystery by making it clear that the 417 attack code had at one time been fully complete and enabled before the attackers disabled it in later versions of the weapon."
The thing that struck me most was the use of the word "weapon"[1]. Jeff Moss warned in his 2011 BlackHat opening speech that blurring the line between cyberwarfare and actual warfare is inevitable. Wired's use of "weapon" here signifies that shift, and really reinforces the fact that each one of us who is writing software may play a part in cyber wars, even if inadvertently.
[1] It may have been an unintentional use of "weapon," as Stuxnet is referred to as a "cyberweapon" throughout the article, but the point that we are moving towards describing cyber warfare as actual warfare still stands.
* a pseudofile that resides in memory
* use standard file functions
* cannot be larger than 424 bytes when sent between computers
* can broadcast messages within a domain
Mailslots are an SMB-based IPC mechanism that dates back to Microsoft LAN Manager (LANMAN).
http://msdn.microsoft.com/en-us/library/windows/desktop/aa36...
I could see using mailslots as a mechanism to disguise traffic and potentially thwart NIDS. SMB broadcast traffic is considered "noise" by a lot of admins and might well be excluded from traffic monitoring to prevent "chatty" traffic from filling the logs. Using mailslots, as opposed to rolling a custom broadcast-based protocol, makes the traffic sink into the normal SMB noise floor.
drivingmenuts|13 years ago
Is this sort of functionality still present in Windows? If so, are they idiots or what?
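The wire shape behind the mailslot discussion above, as an added example that is not from this thread and is not Stuxnet's code: a remote mailslot write leaves the host as an SMB_COM_TRANSACTION inside a NetBIOS datagram on UDP/138, and the one field that separates it from ordinary browser chatter is the mailslot name in the TRANS name block. The script builds two such datagrams (constructed sample traffic, not a capture), parses them back out of the NetBIOS and SMB framing, and flags any mailslot name outside an allowlist of the usual browser/netlogon names. The allowlist, the host names and the beacon payload are assumptions for the demo.

```python
"""Parse SMB mailslot writes carried in NetBIOS datagrams (UDP/138) and flag
mailslot names outside the usual browser/netlogon chatter. Added example for
this thread, not Stuxnet's code; allowlist and sample packets are assumptions."""
import socket
import struct

SMB_COM_TRANSACTION = 0x25   # SMB command that carries a mailslot write
MAILSLOT_WRITE = 0x0001      # TRANS setup[0] opcode for a mailslot write
MAX_REMOTE_MAILSLOT = 424    # limit for mailslot messages sent between machines
# Names that legitimately show up in broadcast SMB noise (assumption: tune per site).
KNOWN_MAILSLOTS = {r"\MAILSLOT\BROWSE", r"\MAILSLOT\LANMAN",
                   r"\MAILSLOT\NET\NETLOGON", r"\MAILSLOT\NET\NTLOGON"}
TRANS_FMT = "<HHHHBBHIHHHHHBB"  # the 14 parameter words of SMB_COM_TRANSACTION

def encode_nb_name(name, suffix=0x00):
    """RFC 1002 first-level encoding: 15-char space-padded name plus a suffix
    byte, each nibble mapped onto 'A'..'P', framed as a 34-byte label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return b"\x20" + enc + b"\x00"

def decode_nb_name(label):
    """Inverse of encode_nb_name; returns (name, suffix)."""
    if len(label) != 34 or label[0] != 0x20 or label[33] != 0x00:
        raise ValueError("malformed NetBIOS name label")
    enc = label[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_mailslot_write(src, dst, mailslot, data, src_ip="192.0.2.10", dgm_id=1):
    """Build a DIRECT_GROUP NetBIOS datagram carrying SMB_COM_TRANSACTION /
    MailslotWrite, the shape a broadcast mailslot message has on the wire."""
    if len(data) > MAX_REMOTE_MAILSLOT:
        raise ValueError("remote mailslot messages are limited to 424 bytes")
    name_field = mailslot.encode("ascii") + b"\x00"
    smb_hdr = b"\xffSMB" + bytes([SMB_COM_TRANSACTION]) + b"\x00" * 27  # 32 bytes
    # Data follows WordCount(1), 14 parameter words, 3 setup words, ByteCount(2), Name.
    data_off = 32 + 1 + 28 + 6 + 2 + len(name_field)
    words = struct.pack(TRANS_FMT,
                        0, len(data), 0, 0, 0, 0,   # Total{Param,Data}Count, Max*, Reserved1
                        0, 0, 0, 0, data_off,       # Flags, Timeout, Reserved2, ParamCount/Offset
                        len(data), data_off, 3, 0)  # DataCount, DataOffset, SetupCount, Reserved3
    setup = struct.pack("<HHH", MAILSLOT_WRITE, 1, 2)  # opcode, priority, class
    byte_count = struct.pack("<H", len(name_field) + len(data))
    smb = smb_hdr + bytes([17]) + words + setup + byte_count + name_field + data
    src_label, dst_label = encode_nb_name(src), encode_nb_name(dst)
    nb_hdr = struct.pack("!BBH4sHHH", 0x11, 0x02, dgm_id, socket.inet_aton(src_ip),
                         138, len(src_label) + len(dst_label) + len(smb), 0)
    return nb_hdr + src_label + dst_label + smb

def parse_mailslot_write(pkt):
    """Decode one datagram; raises ValueError if it is not a mailslot write."""
    msg_type, _, _, _, _, dgm_length, _ = struct.unpack("!BBH4sHHH", pkt[:14])
    if msg_type not in (0x10, 0x11, 0x12):             # unique / group / broadcast
        raise ValueError("not a NetBIOS datagram")
    src_name, _ = decode_nb_name(pkt[14:48])
    dst_name, _ = decode_nb_name(pkt[48:82])
    smb = pkt[82:82 + dgm_length - 68]                 # dgm_length covers both labels + SMB
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_TRANSACTION:
        raise ValueError("not SMB_COM_TRANSACTION")
    word_count = smb[32]
    words = smb[33:33 + 2 * word_count]
    fields = struct.unpack(TRANS_FMT, words[:28])
    data_count, data_off, setup_count = fields[11], fields[12], fields[13]
    setup = struct.unpack("<%dH" % setup_count, words[28:28 + 2 * setup_count])
    if not setup or setup[0] != MAILSLOT_WRITE:
        raise ValueError("TRANS is not a mailslot write")
    name_start = 33 + 2 * word_count + 2               # skip ByteCount
    mailslot = smb[name_start:smb.index(b"\x00", name_start)].decode("latin-1")
    return {"source": src_name, "dest": dst_name, "mailslot": mailslot,
            "data": smb[data_off:data_off + data_count],
            "suspicious": mailslot.upper() not in KNOWN_MAILSLOTS}

def triage(packets):
    """Return (source, mailslot, data) for every write outside the allowlist."""
    flagged = []
    for pkt in packets:
        try:
            rec = parse_mailslot_write(pkt)
        except (ValueError, struct.error, IndexError):
            continue                                   # not a mailslot write; ignore
        if rec["suspicious"]:
            flagged.append((rec["source"], rec["mailslot"], rec["data"]))
    return flagged

# Constructed traffic: one browser host announcement and one made-up peer beacon.
SAMPLE_PACKETS = [
    build_mailslot_write("WORKSTATION1", "WORKGROUP", r"\MAILSLOT\BROWSE", b"\x01host announce"),
    build_mailslot_write("WORKSTATION1", "WORKGROUP", r"\mailslot\peer_sync", b"beacon-v1"),
]

if __name__ == "__main__":
    for src, name, data in triage(SAMPLE_PACKETS):
        print(f"{src}: unexpected mailslot {name!r} ({len(data)} bytes)")
```

The 424-byte check on the build side mirrors the limit in the list above. On the detection side the useful knob is the allowlist: broadcast mailslot traffic is noisy, but the set of mailslot names legitimately in use on a Windows network is small, so an unfamiliar name under \MAILSLOT\ is cheap to alert on even if the rest of the SMB chatter is dropped from the logs.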
On the third page of the article, there's a screenshot of the fake company website where the command and control servers resided, set up by the CIA/whoever back in 2006.
Today, if you search for the specific phrases used in the navigation bar, Google returns only 3 websites:
https://encrypted.google.com/search?hl=en&output=search&... The terms are: "media planning" philosophy "creative services" "search solutions" ecrm "ad serving"
Sadly, these sites just look spammy rather than fake sites set up by the CIA (and Alexa shows some SEO work has been done.... but that could be part of the facade).
Still, fishing for CIA C&C servers sounds like a fun game, they must be out there today. Anyone have any ideas how to find them?
Follow the malware. Dancho Danchev [1] used to be quite forthcoming with his analysis until he wasn't anymore. If you set up a malware aquarium [2] you can see the C&C servers these things use. Although not all malware reproduces in captivity.
[1] http://ddanchev.blogspot.com/2013/02/dissecting-nbcs-exploit...
[2] https://www.xkcd.com/350/
The most amazing thing about Stuxnet is that if Hollywood were to make a movie about it we would find it too unrealistic, even if it was less fantastic than the real facts.
We would find it unrealistic because Hollywood would get the details wrong. Encryption would be portrayed as wiggly squares on a screen. "Port scanning" would be confused with "hacking."
The example I gave to a politically minded friend: Imagine a political drama with dialog like this:
"We've found a bug in the parliamentary procedure! Call the senator!"
"Oh no! Quick, we've got to omnibus the filibuster before the cloture overflows and the whole bill crashes!"
I wonder if such weapons have already been directed against our advanced fighters, ships, and submarines.
I remember reading about the COTS (Commercial Off the Shelf) program in the late '90s and the use of Windows NT 4 on AEGIS vessels. Supposedly, there was a protocol for rebooting everything, every two weeks. Hopefully, nothing critical would be down the moment there was an attack. (To be fair, the NT4 kernel is rock solid, so long as you leave it unmolested, which Microsoft didn't.)
Well nothing works forever on a warship anyways, and the Navy is already very big on Preventative Maintenance (i.e. "fix it until it's broke"). So any plan assuming that a system will stay up for an entire deployment is negligent from the start; you might as well practice having to reboot the system from that perspective.
Am I missing something or had Stuxnet started development before any of the centrifuges were installed? Was there perhaps an even larger game afoot which led Iran to choose certain hardware in the first place?
I suppose development of the software could have started without knowing which PLCs it would target eventually, but that seems doubtful to me. Of course, the easiest explanation is that I'm missing something in the timeline.
I remember when the "NSA" variable name was found in Windows source code that accidentally leaked out. Some people claimed that the NSA had backdoors into Windows and nearly everybody sang happily: "Conspiracy theorists".
I'm not so sure that nowadays with all this Stuxnet insight people would be so hard-pressed to label these people conspiracy theorists.
Also, no more Windows source code has leaked out since, with all the comments and variable names in the clear, etc.
One has to wonder how "open" Windows actually is to the NSA and if all these 0-days so commonly found are really honest mistakes or not...
confluence|13 years ago
We could just as easily nuke, bomb or invade Iran - we would easily overwhelm them.
But sabotage is a hell of a lot easier, cheaper, faster and less risky, with no civilian deaths.
tbrock|13 years ago
http://www.youtube.com/watch?feature=player_detailpage&v...
Scramblejams|13 years ago
http://www.wired.com/threatlevel/2013/02/new-stuxnet-variant...