Front Office Football Central  

Old 11-27-2010, 08:40 AM   #1
Mizzou B-ball fan
General Manager
 
Join Date: Aug 2001
Location: Kansas City, MO
Details about worm that disabled Iran's nuclear program for over a year.......

Sorry if already posted. Thought this was pretty interesting stuff. How long until we have our first worm-triggered war?

FoxNews.com - Mystery Surrounds Cyber Missile That Crippled Iran's Nuclear Weapons Ambitions

Old 11-27-2010, 08:59 AM   #2
tucking fypo
H.S. Freshman Team
 
Join Date: Feb 2010
Location: Pistol City
Great find. Had heard about the worm but didn't know much about it. Fascinating read.
Old 11-27-2010, 09:28 AM   #3
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
The person that finally discovers it posts of its existence to a security bulletin site. That site (and mirrors apparently) are immediately hit with a denial of service for 24 hours as the handler for the worm cleans things up.

I wonder how much of a success it was really considered to be by whoever created it (Israel/US). Sounds like it was designed to run for at least several years undetected. Otherwise they could have just destroyed equipment rather than wearing them down.

Really cool stuff. Thanks for the link.
__________________

Old 11-27-2010, 09:54 AM   #4
SportsDino
College Prospect
 
Join Date: Oct 2001
The sooner it destroys the less effective it is. By being so subtle it probably cost them a year of time and a lot of materials and confused results. If it tried to crash things too abruptly they probably would have wiped their systems and contained it in shorter time (although it may have done more damage in dollars perhaps).

It seems a tricky area to be entering, just because it is a computer doesn't change the fact it is sabotage, and nations have been known to kill spies and rattle sabers over similar acts in the past during peace time. I'm nervous about agitating yet another insane war in the Middle East. If they do start a war against a potential nuclear power, I hope they do the opposite of recent trends and start off with good intel and a narrow powerful strike at the actual weapons instead of a useless 'shock and awe' broad occupation which turns everyone against us and gives them the time to funnel nukes to terrorists or fire them off in retaliation.
Old 11-27-2010, 10:01 AM   #5
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
Quote:
The sooner it destroys the less effective it is. By being so subtle it probably cost them a year of time and a lot of materials and confused results. If it tried to crash things too abruptly they probably would have wiped their systems and contained it in shorter time (although it may have done more damage in dollars perhaps).

I understand this. I'm curious as to what "shorter time" equates to and if it's still less than a year. I wonder what the actual duration they had set for a goal was.

Obviously it seems from a purely technical standpoint it was a home run. All the required intel required to even conceptualize this worm, then to write it up, set it free and watch it succeed? Must have been pure ecstasy for the people involved.
__________________

Old 11-27-2010, 10:30 AM   #6
SteveMax58
College Starter
 
Join Date: Dec 2006
Quote:
Originally Posted by SportsDino View Post
It seems a tricky area to be entering, just because it is a computer doesn't change the fact it is sabotage, and nations have been known to kill spies and rattle sabers over similar acts in the past during peace time. I'm nervous about agitating yet another insane war in the Middle East. If they do start a war against a potential nuclear power, I hope they do the opposite of recent trends and start off with good intel and a narrow powerful strike at the actual weapons instead of a useless 'shock and awe' broad occupation which turns everyone against us and gives them the time to funnel nukes to terrorists or fire them off in retaliation.

Iran does this already by supplying arms & aid to terrorist organizations (obviously Hezbollah tops that list). They are simply attempting to disable the nuclear component of such aid. While I don't think it was the intention to have the worm discovered quickly, I do think this puts the ball squarely into Iran's court to respond (if they so choose to respond) and demonstrate what type of "action" they will engage in beyond rhetoric. To be clear...not to "provoke" such action, but to ensure that Iran is the initiator of any military action. I think it is genius.

Based on that level of response, the US/Israel will be completely justified to retaliate in a similar manner and will have the domestic support needed to do so...as well as international support (where it counts anyway).

Just to hedge off the silliness...I'm not saying all out war should be provoked, encouraged, or should be entered into by choice...it simply gives the US/Israel the justification to counter attack with full force & without the same kid gloves used in Iraq. In other words...the US/Israel could not be an occupying force in Iran (for logistic & intl relations reasons)...but if Israel gets a few missiles lobbed into its cities now...bombing the crap out of the nuclear facilities in Iran will be much more justifiable, IMHO.
Old 11-27-2010, 01:05 PM   #7
Ryan S
Quarterback
 
Join Date: Oct 2000
Location: London, England
Quote:
Originally Posted by SportsDino View Post
I hope they do the opposite of recent trends and start off with good intel and a narrow powerful strike at the actual weapons instead of a useless 'shock and awe' broad occupation which turns everyone against us and gives them the time to funnel nukes to terrorists or fire them off in retaliation.

Any war with Iran would need to start with simultaneous strikes on all nuclear locations.
Old 11-27-2010, 02:47 PM   #8
SackAttack
Head Coach
 
Join Date: Oct 2000
Location: Green Bay, WI
The thing is, from what I was reading, this particular worm is able to change details and still make it look like everything is normal.

So depending on how long it was running, yes, it could have affected any number of things with their enrichment program in terms of how enriched the uranium actually is, etc. It won't halt the program but it could have the effect of setting them back not just the year of actual lost time, but time taken to get back to where they 'should' be.

The example I read was a worm like this one altering the Coke formula while still reporting that things are 'normal.' Industrial sabotage, if you will. Interesting stuff.
Old 11-27-2010, 04:07 PM   #9
AFShadow
n00b
 
Join Date: Oct 2010
Quote:
Originally Posted by SackAttack View Post
The thing is, from what I was reading, this particular worm is able to change details and still make it look like everything is normal.

So depending on how long it was running, yes, it could have affected any number of things with their enrichment program in terms of how enriched the uranium actually is, etc. It won't halt the program but it could have the effect of setting them back not just the year of actual lost time, but time taken to get back to where they 'should' be.

The example I read was a worm like this one altering the Coke formula while still reporting that things are 'normal.' Industrial sabotage, if you will. Interesting stuff.

We have been looking at a lot of these worms/malware etc that have been doing this or built to. The real worry is what if someone created one and breached say one of Gerber's automated manufacturing plants and had it alter the baby food with an added harmful ingredient or just alter the ingredients enough to make them harmful? Something like that could be difficult to contain until it was too late.
Old 11-27-2010, 07:05 PM   #10
Dutch
"Dutch"
 
Join Date: Oct 2000
Location: Tampa, FL
Quote:
Originally Posted by AFShadow View Post
We have been looking at a lot of these worms/malware etc that have been doing this or built to. The real worry is what if someone created one and breached say one of Gerber's automated manufacturing plants and had it alter the baby food with an added harmful ingredient or just alter the ingredients enough to make them harmful? Something like that could be difficult to contain until it was too late.

Welcome to Network Warfare.
Old 11-27-2010, 07:31 PM   #11
AFShadow
n00b
 
Join Date: Oct 2010
Quote:
Originally Posted by Dutch View Post
Welcome to Network Warfare.


Thanks. 20+ years Air Force intel and a three-letter agency, so not sure if it would be welcome, but thanks.
Old 11-28-2010, 09:29 AM   #12
CU Tiger
Grizzled Veteran
 
Join Date: Nov 2006
Location: Backwoods, SC
Quote:
Originally Posted by AFShadow View Post
The real worry is what if someone created one and breached say one of Gerber's automated manufacturing plants and had it alter the baby food with an added harmful ingredient or just alter the ingredients enough to make them harmful? Something like that could be difficult to contain until it was too late.

I've now seen this same or very similar proposition 3 times in the past week.
Sure you could easily change the mixing percentages along a compound line, but "adding" an otherwise non-present ingredient seems very skeptical to me. Unless the worm is going to convince purchasing to order some chemical not previously used. Given corporate America's nonchalant attitude to everything it would surprise me to see Susie in accounting say, "Weird I never used to order arsenic, but oh well, order away" but at some point this has to be installed in a production line etc.

Certainly a conceivable Tom Clancy novel with a select few guys on the inside carrying out the evil worm's orders, but a much less likely scenario, IMHO. Now if a simple reformulation could say increase IRON supplementation from .1% to a toxic 35% level, sure I see that as entirely plausible.
Old 11-28-2010, 12:57 PM   #13
Dutch
"Dutch"
 
Join Date: Oct 2000
Location: Tampa, FL
How about something more widespread? Our water supply runs through water treatment plants. The last stages of that treatment are to add chlorine and fluoride and then release the water back into general use. What if the computer that regulated the amount of chlorine and fluoride was duped into thinking it wasn't pumping enough chemicals into the water?

I sure hope we have good network security at those sites and god-forbid we use any sort of wireless connections.

We need to take a real hard look at that stuff because I can guarantee you that the Chinese, Russians, and plenty of other organized hacks are out there investigating American network vulnerabilities.
Old 11-28-2010, 02:00 PM   #14
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
It's less about simple network security now than policy and procedure. The servers targeted in Iran did not even have a link to the internet, it was supposedly completely isolated. Instead laptops were infected outside and spread when they walked into the facility and physically plugged in. Even if it was hooked up to the internet an attack like this would bypass all the perimeter security anyways, very hard to defend against unfettered access internally.

Employees, every one top to bottom, need to be prohibited from using any type of mobile device to connect to both the internal network and everywhere else. That's a tough mandate, only takes one ignorant person to break the rule.

That's from the IS level. But there was a lot of intelligence gathering needed in order to pull this off. They had to know the facility inside and out, processes, every exact piece of equipment with very in depth understanding at how they worked, etc. As much or possibly even more time and money needs to be spent on guarding that information as there is on network security. You can have the most advanced worm in the world, guaranteed to silently infect anything, but if you don't know what the target is or how to manipulate it for your goal it's worthless.
__________________


Last edited by jeff061 : 11-28-2010 at 02:03 PM.
Old 11-28-2010, 04:56 PM   #15
dawgfan
Grizzled Veteran
 
Join Date: Oct 2000
Location: Seattle
Pandora's Box = opened

This kind of shit scares the hell out of me. I would think (hope?) that national security organizations are on top of these kinds of threats enough to protect government infrastructure, but it only takes one idiot (as noted above) to break security.

Industrial sabotage seems much more probable. And while I agree that changing (for example) baby formula to include something clearly poisonous like arsenic isn't going to happen, you could certainly muck with the existing ingredients enough to overconcentrate certain items which could lead to (for example) kidney damage. That's fairly unlikely given procedures to test every batch of formula mix, but who's to say that the worm couldn't be written to also override batch testing results.

We're in a whole new world of warfare.
Old 11-28-2010, 05:02 PM   #16
DaddyTorgo
Hall Of Famer
 
Join Date: Oct 2002
Location: Massachusetts
If it was industrial sabotage wouldn't it be more likely just to make the stuff taste bad so you switched to a competitor's brand?

Anything else would take too long to be commercially effective.

Last edited by DaddyTorgo : 11-28-2010 at 05:03 PM.
Old 11-28-2010, 05:16 PM   #17
Buccaneer
Head Coach
 
Join Date: Oct 2000
Location: Colorado
Some of you guys make this sound like it's a new thing. Cyber sabotage has been going on for years, both industrial, governmental and international. The scope of this worm is certainly impressive and it underscores the need for us to maintain good IT and physical security practices. We have been working very seriously on NERC CIP for a few years and while we have 25,000-50,000 attacks daily from abroad (mostly from China), they are easily thwarted. But we need to keep the expertise and brains here and not elsewhere.
Old 11-28-2010, 05:28 PM   #18
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
What interests me is the merging of human intel and how successfully it was used to carry out such an in depth and customized attack. That's relatively new, at least new to the public.

Cyber sabotage in general usually is just based on DDOS attacks and maybe some type of automated script kiddie kit. I imagine the vast majority of those 25k-50k attacks are just random (not targeted) broadcast hits from zombies.
__________________

Old 11-28-2010, 05:34 PM   #19
Buccaneer
Head Coach
 
Join Date: Oct 2000
Location: Colorado
Quote:
Originally Posted by jeff061 View Post
What interests me is the merging of human intel and how successfully it was used to carry out such an in depth and customized attack. That's relatively new, at least new to the public.

Cyber sabotage in general usually is just based on DDOS attacks and maybe some type of automated script kiddie kit. I imagine the vast majority of those 25k-50k attacks are just random (not targeted) broadcast hits from zombies.

That's true but they are getting more sophisticated and any one of them could mask a true attack. We went through an expensive upgrade of our firewalls, not only to handle the volume but to be smarter about it.
Old 11-28-2010, 05:36 PM   #20
dawgfan
Grizzled Veteran
 
Join Date: Oct 2000
Location: Seattle
Quote:
Originally Posted by Buccaneer View Post
Some of you guys make this sound like it's a new thing. Cyber sabotage has been going on for years, both industrial, governmental and international. The scope of this worm is certainly impressive and it underscores the need for us to maintain good IT and physical security practices. We have been working very seriously on NERC CIP for a few years and while we have 25,000-50,000 attacks daily from abroad (mostly from China), they are easily thwarted. But we need to keep the expertise and brains here and not elsewhere.
Not new at all of course. It's just that more and more of our lives are governed by automated processes and computers are ever more connected, so the danger posed by cyber-attacks seems more acute.
Old 11-28-2010, 05:42 PM   #21
Dutch
"Dutch"
 
Join Date: Oct 2000
Location: Tampa, FL
Quote:
Originally Posted by jeff061 View Post
It's less about simple network security now than policy and procedure. The servers targeted in Iran did not even have a link to the internet, it was supposedly completely isolated. Instead laptops were infected outside and spread when they walked into the facility and physically plugged in. Even if it was hooked up to the internet an attack like this would bypass all the perimeter security anyways, very hard to defend against unfettered access internally.

I'd argue that restricting personal laptop/thumb drive access to a network IS simple network security that is supposed to be a part of any corporate or govt policy.

Last edited by Dutch : 11-28-2010 at 05:43 PM.
Old 12-04-2010, 12:24 PM   #22
sterlingice
Hall Of Famer
 
Join Date: Apr 2002
Location: Back in Houston!
Fascinating story. Good catch, MBBF.

SI
__________________
Houston Hippopotami, III.3: 20th Anniversary Thread - All former HT players are encouraged to check it out!

Janos: "Only America could produce an imbecile of your caliber!"
Freakazoid: "That's because we make lots of things better than other people!"


Old 01-15-2011, 08:58 PM   #23
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
More information on the design, development and origins of Stuxnet. I really still find this entire story tremendously interesting.

Stuxnet Worm Used Against Iran Was Tested in Israel - NYTimes.com

Shockingly they point to Israel and the US with help (perhaps unknowingly) from Britain and Germany. They say Israel actually had a lab setup with centrifuges they tested the malware on. Prior to the development of the worm Israel approached the US for permission and equipment for a military strike which they expected would set the program back by 3 years. It was denied and they went this route instead, which they now feel has set it back 3 years minimum.

I wonder how many times countries can get away with an action like this before it is considered an act of war? Or could Iran make that claim now, but it's just not in their best interests?
__________________


Last edited by jeff061 : 01-15-2011 at 08:59 PM.
Old 01-16-2011, 10:53 AM   #24
AFShadow
n00b
 
Join Date: Oct 2010
Quote:
Originally Posted by jeff061 View Post
More information on the design, development and origins of Stuxnet. I really still find this entire story tremendously interesting.

Stuxnet Worm Used Against Iran Was Tested in Israel - NYTimes.com

Shockingly they point to Israel and the US with help (perhaps unknowingly) from Britain and Germany. They say Israel actually had a lab setup with centrifuges they tested the malware on. Prior to the development of the worm Israel approached the US for permission and equipment for a military strike which they expected would set the program back by 3 years. It was denied and they went this route instead, which they now feel has set it back 3 years minimum.

I wonder how many times countries can get away with an action like this before it is considered an act of war? Or could Iran make that claim now, but it's just not in their best interests?


Thanks Jeff for link. I also find this very informative and helpful.
Old 01-16-2011, 02:53 PM   #25
gstelmack
Pro Starter
 
Join Date: Oct 2000
Location: Cary, NC
Quote:
Originally Posted by CU Tiger View Post
I've now seen this same or very similar proposition 3 times in the past week.
Sure you could easily change the mixing percentages along a compound line, but "adding" an otherwise non-present ingredient seems very skeptical to me. Unless the worm is going to convince purchasing to order some chemical not previously used. Given corporate America's nonchalant attitude to everything it would surprise me to see Susie in accounting say, "Weird I never used to order arsenic, but oh well, order away" but at some point this has to be installed in a production line etc.

Certainly a conceivable Tom Clancy novel with a select few guys on the inside carrying out the evil worm's orders, but a much less likely scenario, IMHO. Now if a simple reformulation could say increase IRON supplementation from .1% to a toxic 35% level, sure I see that as entirely plausible.

The problem with this approach in the U.S. is that we are SUPPOSED to have a safety system that tests and validates, it doesn't just trust that what ingredients go in are what comes out. Quality Control is supposed to be testing all this stuff regularly. Note that several of the food recalls have been detected before folks start getting sick.

I had a friend in college who worked for one of the large beverage companies testing the stuff as it came off the assembly line. Something like this MIGHT work (some stuff certainly still gets through), but is just as likely if not more so to be caught before the product ever left the factory.
__________________
-- Greg
-- Author of various FOF utilities