An opportunity to reflect on Stuxnet and cyberweapons

A new documentary titled Zero Days recently presented at the Berlin Film Festival provided further details on the intelligence operations that led to the Stuxnet attacks.

The documentary is directed by Alex Gibney, also known for other interesting documentaries, including the Oscar-winning “Taxi to the Dark Side” that reported the use of torture by American interrogators, and the notorious “We Steal Secrets: The Story of WikiLeaks.”

Stuxnet is a powerful malware considered by security experts the first malware cyberweapon used by a government against a foreign government.

The documentary sheds light on the effort spent by the US intelligence in creating a cyber arsenal for its war program. Stuxnet was just one of the products designed by the US Military; the documentary also reveals that hundreds of thousands of network implants and backdoors in Iran networks were managed by Western entities to penetrate Iranian infrastructure and destroy them.

Zero Days confirms that Stuxnet was developed under the Information warfare operation called “Olympic Games,” which is part of a wider program dubbed “Nitro Zeus” that involves hundreds of US cyber security experts.

The Olympic Games program was launched under the George Bush Junior’s administration, but according to the New York Time, the effort by the Obama’s administration in the information warfare was crucial for the birth of the cyber weapon that was designed to interfere with the Iranian nuclear enrichment program.

The US Government was not alone; the Israeli Government had a primary role in the Nitro Zeus program.

While US Cyber Command was involved in the Nitro Zeus operations, the NSA Tailored Access Operations (TAO) unit was trying to hack Iranians networks in the attempt to serve malicious code into the enemy systems.

The documentary confirms that the nation-state hackers behind Stuxnet spent a significant effort in the attempting to cover their operations, they also designed the threat by restricting its operation only against Iranian machines.

Nitro Zeus was a contingency plan of the US Government that would be carried out if diplomatic efforts to curb the Iranian nuclear development program failed.

The Nitro Zeus program was devised to hit Iranian critical infrastructure, including, communications systems, power grid and, of course, defenses in case of a conventional attack.

Figure 1 – Ahmadinejad visits the Natanz uranium enrichment plant in Iran

One of the most intriguing thesis supported in the documentary is the involvement of the British intelligence GCHQ. The film sustains that the GCHQ provided information for the development of the four zero-day exploits specifically designed to hit the control systems at the Natanz facility.

The experts at the NSA have hardly worked to cover the tracks after the infection became public, but the author of the report confirmed the existence of a more aggressive version of Stuxnet developed by the Israeli force that went out of control infecting thousands of computers across more than 115 countries.

It is not clear if the GCHQ was informed about the Nitro Zeus program.

The US government was preparing its military to face threats from the cyberspace and move cyber attacks against its enemies.

The American intelligence also developed a separate plan to hit systems at the Fordo nuclear enrichment site, inside an Islamic Revolutionary Guards Corps base, located in a mountain near the city of Qum.

Figure 2 – Fordo nuclear enrichment site (NY Times)

The intelligence experts have chosen the cyber weapon to hit the Fordo plant because it was very difficult to reach in a different way. The operation would benefit from the success obtained with the attack that destroyed centrifuges at Natanz.

The documentary “Zero Days” tries to describe the cyber operations launched by the Western alliance against the Iran in response to tension with the government of Teheran.

The producer Mr. Gibney and his collaborators interviewed current and former participants in the Iran program who revealed details of the effort to breach the Iran’s computer networks with “implants” that could be used to monitor the country’s activities and attack the infrastructure of the country.

The NY Time that interviewed many US officials that confirmed the operations against the Iran represents the most important operation conducted by the United States Cyber Command.

“This was an enormous, and enormously complex, program,” said one of the participants to the Operations of the US Government who requested anonymity to discuss a classified program. “Before it was developed, the U.S. had never assembled a combined cyber and kinetic attack plan on this scale.”

The cyber operations of the American military accelerated in 2012 and 2013 when the Iran moved more than 3,000 centrifuges in the Fordo’s plant.

The US Government under the Obama Administration planned the development of a new computer worm to compromise systems at Fordo, but it is still a mystery how American the hackers planned to infect systems at the underground nuclear facility.

According to a blog post published by Buzzfeed, there was also a second version of Stuxnet in the wild that was unilaterally released by the Israeli cyber army, this version was more aggressive and once discovered shocked the US intelligence.

The secrecy of the operation has been blown,” a US source told the filmmakers, according to BuzzFeed. “Our friends in Israel took a weapon that we jointly developed—in part to keep Israel from doing something crazy—and then used it on their own in a way that blew the cover the operation and could’ve led to war.”

Part of the intelligence communities does not trust the revelations of the Zero Days film, the popular cyber security expert Ralph Langner, told the Dark Reading publication that there’s no evidence that there was in the wild an Israeli version of Stuxnet more aggressive of the one developed in the joint effort with the US experts.

“Multiple deliberate design elements in the 2009 version of Stuxnet,” he said, “suggest that the developers had anything in mind but to stay under cover and widen the operation for another couple of years.”

“Code analysis does not show any evidence that the spreading that we have seen in the 2009 version of Stuxnet was unintentional,” he explained “I also do not see that the 2009 version of Stuxnet was developed hastily, thereby causing detection that prevented [widening] the whole operation to other targets like Fordow.”

The opinion of Liam O’Murchu, a security researcher at Symantec, who was involved in the early analysis of Stuxnet, is different. O’Murchu said to DarkReading that the theory of a more aggressive variant of the Stuxnet malware confirms the evidence collected by his team.

“We did see the threat get dramatically more aggressive, and the end of 2009 and the beginning of 2010, when they added the USB and zero-day.”

In February 2013, Symantec announced the discovery of an earlier variant of Stuxnet that demonstrated the attacks on the Natanz nuclear facility dated back as early as 2005 and targeted another piece of uranium-enrichment equipment.

“When we looked at this telemetry, it did strike us as strange that previous versions had been so quiet and [spread] in such a discreet manner. And then this version spread all over the world,” explained O’Murchu, who also confirmed to have shared the results of its investigation with the directors of the Zero Days film.

“When we found those [earlier] versions [of Stuxnet], they were less aggressive in the way they spread.”

Symantec researchers detected one of the first variants of Stuxnet having a version number embedded in its source code. The version was 0.5 and analyzing the date of website domain registration Stuxnet 0.5 may have been used as early as 2005.  Another interesting information on this version of Stuxnet is that it stopped infecting computers on July 4th, 2009, a few days before the version 1.001 was created.

Figure 3 – Stuxnet variant (Symantec – 2013)

Figure 4 – Stuxnet Timeline (Symantec 2013)

Symantec highlighted the differences of Stuxnet 0.5 with subsequent instances of the worm:

  • Later versions significantly increased their spreading capability and use of vulnerabilities
  • Replacement of Flamer platform code with Tilded platform code
  • Later versions adopted an alternative attack strategy from uranium enrichment valve disruption to centrifuge speed modification

The most important change between the two versions was the strategy of attack; earlier Stuxnet had the ability to shut critical gas valves potentially causing an explosion, later version replaced this capability with the one to alter the speed of centrifuges. However, Stuxnet significantly increased in time its spreading capabilities introducing exploits for various vulnerabilities.

A quick look to previous reports on Stuxnet

The journalist David Sanger’s book titled “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power” confirms that both the US and Israeli governments developed and deployed Stuxnet.

Stuxnet was designed with the intent of interfering with and destroying the control systems in the Iranian nuclear plant in Natanz that US intelligence assumed was being carried out by the design of President Ahmadinejad of developing a nuclear arsenal.

According to security experts, the United States began building replicas of Iran’s P-1 centrifuges, a project that the Iranian government purchased from Abdul Qadeer Khan, the Pakistani nuclear chief.

The US fortunately already owned a P-1s model because when Colonel Qaddafi gave up his nuclear weapons program in 2003, he turned over the centrifuges he had bought from the Pakistani nuclear ring. The US Government placed the centrifuges in storage at a weapons laboratory in Tennessee. The US experts developed malware that was able to shut down operations in the infected plant.

The US intelligence operated in a joint effort with the Israeli peers, the development of the Stuxnet worm is the result of an intensive collaboration of the NSA and the secret Israeli 8200 unit.

In 2011, The New York Times published a detailed article on an Israeli test on worm crucial to interfere and delay the nuclear program of Iran.

The Israeli experts have built a replica of the Natanz facility in their Negev Nuclear Research Center in Dimona; the same plant referred in 1986 by The Sunday Times as a strategic plant for the Israeli intelligence.

“The target of the attack was to modify the operation of high-frequency power drives made by Vacon and Fararo Paya. These drives were controlling the centrifuges that were enriching uranium.” wrote Mikko Hypponen.

Figure 5 – News about the Negev Nuclear Research Center in Dimona

The researchers tested Stuxnet in the plant before spreading it in the wild and compromise the real target. The NY Times reported an intense collaboration of researchers from the Idaho National Laboratory at Idaho Falls and experts from Siemens.

Inside the Idaho National Laboratory, the US experts conducted a series of tests on the Siemens PLC systems to discover security vulnerabilities and exploit them in the Stuxnet attack. Siemens only confirmed that its support was a routine effort to improve the resilience of its solutions against cyber attacks.

“Over the past two years, according to intelligence and military experts familiar with its operations, Dimona has taken on a new, equally secret role — as a critical testing ground in a joint American and Israeli effort to undermine Iran‘s efforts to make a bomb of its own,” reported The New York Times.

Figure 6 – Image Copyright Idaho National Laboratory and Siemens

“Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.”

The Stuxnet targeted a grid of 984 converters, the same industrial equipment that international inspectors found out of order when visited the Natanz enrichment facility in late 2009.

“The cyber attack against the Cascade Protection System infects Siemens S7-417 controllers with a matching configuration. The S7-417 is a top-of-the-line industrial controller for big automation tasks. In Natanz, it is used to control the valves and pressure sensors of up to six cascades (or 984 centrifuges) that share common feed, product, and tails stations” states Technical Analysis of What Stuxnet’s Creators Tried to Achieve, by the expert Ralph Langner.

The authors of the Stuxnet worm designed a number of features to evade detection; its source code was digitally signed, and the malware uses a man-in-the-middle attack to fool the operators into thinking everything is normal.

“But as Mr. Langner kept peeling back the layers, he found more — what he calls the “dual warhead.” One part of the program is designed to lie dormant for long periods, then speed up the machines so that the spinning rotors in the centrifuges wobble and then destroy themselves. Another part, called a “man in the middle” in the computer world, sends out those false sensor signals to make the system believe everything is running smoothly. That prevents a safety system from kicking in, which would shut down the plant before it could self-destruct.” wrote The New York Times.

According to a leaked embassy cable obtained by Wikileaks, there would other enrichment plants in Iran involved in the Iran Nuclear Program.  Attacking such unknown targets with cyber sabotage makes much more sense than, say, trying to bomb them. A worm will find even the facilities that you do not know about.

Ethical Hacking Training – Resources (InfoSec)

The use of a cyber weapon against these potential targets presents a number of advantages, from the difficult attribution to the secrecy of the operations.

President Obama decided to accelerate the operations to stop the Iranian plan of building a nuclear weapon. The New Your Times reported of a tense meeting held at the White House Situation Room, within days of the cyber offensive. The meeting was attended by President Obama, the Vice President Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta.

During the meeting was discussed the opportunity to stop the diffusion of the malware outside Iran.

“Should we shut this thing down?” President Obama asked.

The effectiveness of cyber operation that was damaging SCADA systems at the Iran’s nuclear plant in Natanz, a circumstance that led to the decision to continue with the attacks, despite the virus was spreading outside Iran. Considering the potential offensive threat this decision is really questionable, the virus could damage other critical infrastructures worldwide, including Western countries, with unpredictable consequences.

President Obama concluded the secret summit declaring that when it came to stopping Iran, the United States had no other choice.

In the following weeks, at least two new versions of the Stuxnet worm hit the Natanz nuclear plant and other facilities in Iran.

“Previous cyberattacks had effects limited to other computers,” Michael V. Hayden, the former chief of the CIA, said, declining to describe what he knew of these attacks when he was in office. “This is the first attack of a major nature in which a cyberattack was used to effect physical destruction,” rather than just slow another computer, or hack into it to steal data.

“Somebody crossed the Rubicon,” he said.

According to the information collected by the New York Times, Obama requested to be constantly updated on the evolution of the cyber attacks.

“From his first days in office, he was deep into every step in slowing the Iranian program — the diplomacy, the sanctions, every major decision,” a senior administration official said.

The problems began during the summer of 2010 when the diffusion of the malware gone out of control, starting to spread itself out of Natanz plant. It was not clear the reason for the unexpected spread:

“We think there was a modification done by the Israelis,” one of the briefers told the President, “and we don’t know if we were part of that activity.”

Mr. Biden reported to the President, “It’s got to be the Israelis. They went too far.”

Conclusions

Let’s close by enumerating the main revelations made by the Zero Days documentary:

  • The US government conducted hacking operations involving its personnel at the Remote Operations Center (ROC) in Fort Meade, Maryland, to compromise control systems in several Iran’s critical infrastructure. The attacks aimed to support a possible conventional military attack;
  • Israel spread a modified, and more aggressive, version of Stuxnet against Iranian nuclear facilities.
  • A number of official within the US Government expressed concern about the legality and ethics of some of cyber attacks against civilian as well as military infrastructure;
  • The British intelligence supported the spread of Stuxnet against Iranian facilities.

The documentary raised once again the discussion around the efficiency of cyber weapons and their use made by intelligence agencies worldwide.

How many nation-states’ malware are secretly operating in the wild?

It is impossible to provide an answer to the question, for sure the militarization of cyberspace is becoming a pillar of the cyber strategy of any government.

The governments of N. KoreaChina, Russia, and Iran are spending a significant effort in increasing their cyber capabilities, including the development of a new generation of lethal cyber weapons, for this reason, it is essential to protect critical infrastructure worldwide and define a legal framework for the use cyber weapon.

References

http://securityaffairs.co/wordpress/44564/intelligence/gchq-helped-us-developing-stuxnet.html

http://securityaffairs.co/wordpress/6048/intelligence/olyimpic-games-and-boomerang-effect-it-isnt-sport-but-cyber-war.html

http://securityaffairs.co/wordpress/43677/malware/new-revelations-stuxnet-attack.html

http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all&_r=0

http://www.nytimes.com/2016/02/17/world/middleeast/us-had-cyberattack-planned-if-iran-nuclear-negotiations-failed.html

http://www.darkreading.com/perimeter/stuxnet-part-of-widespread-cyber-intrusion-of-iranian-infrastructure-new-film-claims/d/d-id/1324334

http://securityaffairs.co/wordpress/12616/malware/stuxnet-was-dated-2005-symantec-discovered-earlier-version-05.html

http://securityaffairs.co/wordpress/6373/intelligence/flame-and-stuxnet-the-union-is-strength.html

http://www.buzzfeed.com/jamesball/us-hacked-into-irans-critical-civilian-infrastructure-for-ma#.mjproVWVov