Iran Double Agents Planted Stuxnet in Nuclear Facilities

As if the story of Stuxnet was not interesting enough already, a report last week from ISSSource puts a shadowy cloak-and-dagger spin on it. Reportedly, anonymous US officials claimed that Iran’s Stuxnet infection was a targeted attack carried out by Israeli-backed Iranian double agents:

“They said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility. “Iranian double agents” would have helped to target the most vulnerable spots in the system.”

According to the report the double agents connected the infected USB drives and once the associated icon was activated, the virus spread rapidly through the network infecting all of the systems, but only activating when it found the target devices.

Apparently the Iran double agents were part of a violent group called the Mujahedeen-e-Khalq (MEK):

“Former and senior U.S. officials believe nuclear spies belonged to the Mujahedeen-e-Khalq (MEK), which Israel uses to do targeted killings of Iranian nationals, they said. “The MEK is being used as the assassination arm of Israel’s Mossad intelligence service,” said Vince Cannistraro, former head of the CIA’s Counterterrorism. He said the MEK is in charge of executing “the motor attacks on Iranian targets chosen by Israel. They go to Israel for training, and Israel pays them.” Other former agency officials confirmed this.”

If this is true, then the same group could have also been responsible for the assassinations and bombings that targeted Iranian scientists and heads of the nuclear enrichment program. It would also explain why Iran began arresting what it claimed were “Nuclear Spies” after Stuxnet was discovered.

The ISSSource article is full of interesting quotes from current and former US officials and intelligence agents, and not just about Stuxnet. According to one official the US had infiltrated a lot of Soviet military equipment in the 1980’s:

“We put in bugs inside the Soviet computers to feed back satellite information that had been ‘leeched’ off hard drives, in the Soviet Defense Ministry and others,” said a former U.S. intelligence official.

The article also claims that prior to the start of Desert Storm the CIA and British GCHQ released a flood of viruses against Iraq’s command and control systems, but unfortunately the infected machines were destroyed by kinetic attacks before the malware could take full effect:

“Once in place, NSA and GCHQ believed the virus would spread like a virulent cancer through the Iraqi Command and Control system, infecting every computer system it came across. But before the virus had reached its target, the air war began. U.S. planes destroyed Saddam’s command and control network, including the buildings where the infected computer hardware had been so successfully inserted. As a result, one of the most successful intelligence operations of the war was buried beneath the rubble. “The intelligence people were very pissed — all that work for nothing,” said a former senior DoD official.”

If it is true, this is very interesting indeed. And it seems to follow the pattern that we have mentioned before on cyber war – that for this type of warfare to be successful, cyber attacks will be used alongside physical attacks.

Water Utilities Hacked, End of the World Imminent

By now you have probably heard about the water utilities that have reportedly been hacked. But is this the advanced, uber, world-ending SCADA cyber attack that we have all been warned of? You know, the one that ends life as we know it and sends us back to the stone age? No, hate to disappoint, but it is not.

Then, what is it?

“This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this. I’m sorry this ain’t a tale of advanced persistent threats and stuff, but frankly most compromises I’ve seen have been a result of gross stupidity, not incredible technical skill on the part of the attacker. Sorry to disappoint.”

So says hacker “Pr0f” in an e-mail interview with Threat Post. Pr0f allegedly hacked into a South Houston water plant after becoming frustrated with reports that surfaced after the Illinois water plant was attacked:

“My eyes were drawn, nary, pulled, to a particular quote:

‘In an email sent several hours after this article was first published, DHS spokesman Peter Boogaard wrote: “DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Illinois. At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”‘

This was stupid. You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely F***** the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done.”

So Pr0f said in a post on Pastebin that included pictures allegedly from the South Houston water plant (one is used as the graphic for this post, as posted on The Register).

In the Threat Post article, Pr0f claims to have used a “scanner that looks for the online fingerprints of SCADA systems.” Shodan, dubbed the “Google for Hackers,” comes to mind. Just surf to Shodan’s website and you are greeted with, “Expose Online Devices. Webcams. Routers. Power Plants. iPhones. Wind Turbines. Refrigerators. VoIP Phones.”

Power Plants? That is kind of unnerving. But anyone who has used Shodan knows that with the right keyword search many unsecured or lightly secured systems can be found. Pr0f claims that the South Houston site was protected by a three letter password!

This brings up numerous questions that must be asked and answered:

  • Why are public utility systems that are completely unprotected or only lightly protected found through simple online searches? Especially after years of warnings of possible hacker attacks?
  • Why haven’t Federal agencies used the same search engines to look for exposed utilities and locked them down? Does the Federal Government even have a “Red Team” to do this?
  • Why would utilities themselves (again, after several years of warnings) use a three-character or easily guessable password to secure systems available online? Aren’t there rules set for password length and complexity for public utilities?

The press seems to be making this out as the missing link of cyber attacks: the proof needed that an “End of the World” attack is not only possible, but imminent. But so far, the proof available seems to show that this is nothing of the sort.

The closest call that I have ever heard of had nothing to do with hackers. Working in the Oil & Gas sector for a while I heard a nuclear power plant executive engineer tell a harrowing story.

A while ago, an engineer was looking for a gas leak near a Nuclear Power plant control room. He was in an area that has ALL the wires running through it that enter into the control room. He caught the room on fire, but they were able to put it out in time before any wires or controls were damaged.

How did he do this? He was using his lighter as a light to find the gas leak!

Our infrastructure will be much safer if and when utility providers are held to secure their systems, are checked and tested for security regularly and all lighters are banned from vulnerable areas!

Duqu Update: Iran Nuke Sites Hit and a Possible Age of Duqu

Several new pieces of information about the Duqu infection, AKA “The Son of Stuxnet”, have been released recently.

We knew from the initial Symantec analysis that infections were discovered in six organizations in eight different countries, and that Symantec has been busy tracking down the servers used for Command & Control of the malware. First a server in Mumbai, India was identified, then earlier this month a server at one of Belgium’s largest web hosting providers was taken down.

But come on, what about Iran? We know that Stuxnet specifically targeted Iran’s nuclear ambitions. Duqu must have been targeting Iran also. Symantec does mention Iran as one of the countries initially affected, but nothing further.

Finally, on Sunday, Iran admitted that its nuclear sites had been hit and that it had only just started removing the malware:

Iranian officials admitted Sunday that they had uncovered evidence of the Duqu computer virus — labeled “Son of Stuxnet” by cyber experts — at the Islamic Republic’s nuclear sites, state-controlled IRNA news agency reported.

“We are in the initial phase of fighting the Duqu virus,” Gholamreza Jalali, was quoted as saying. “The final report which says which organizations the virus has spread to and what its impacts are has not been completed yet.”

Also, it looks like Duqu may have taken some time to create. A very interesting (and somewhat humorous) report on Duqu from Kaspersky Lab expert Aleks Gostev was posted last week. In the analysis, Aleks shows that the creators of Duqu appear to be fans of the TV show Dexter, and could have spent over four years developing the malware:

“The driver loaded by the exploit into the kernel of the system had a compilation date of August 31, 2007. The analogous driver found in the dropper from CrySyS was dated February 21, 2008. If this information is correct, then the authors of Duqu must have been working on this project for over four years!”
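The compilation date Gostev cites is the TimeDateStamp field of the driver’s PE/COFF header. As an added illustration (not part of the original post or of Kaspersky’s analysis), the following Python reads that field from a constructed, minimal PE skeleton and applies the sanity check the quote’s “if this information is correct” hints at: the stamp is written by the linker and can be set to anything, so it is a lead, not proof.

```python
import calendar
import struct
from datetime import datetime, timezone


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Layout: the DOS header starts with 'MZ'; the 32-bit field at offset 0x3C
    (e_lfanew) points at the 'PE\\0\\0' signature, which is followed by the
    20-byte COFF file header whose bytes 4..8 hold the build timestamp.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_is_plausible(built: datetime, discovered: datetime) -> bool:
    """Flag the obvious forgeries: a zero/epoch stamp or a build dated after
    the sample was found. A plausible stamp still proves nothing on its own,
    since the field is attacker-controlled and trivially edited."""
    return built.year > 1990 and built <= discovered


def make_sample(build: datetime) -> bytes:
    """Constructed PE skeleton for the demo (not a real driver): a DOS stub
    with e_lfanew = 0x80, the 'PE\\0\\0' signature, then a COFF header
    carrying the requested timestamp."""
    stamp = calendar.timegm(build.timetuple())
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x014C, 2, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


# Sample built with the date quoted in the Kaspersky analysis.
SAMPLE = make_sample(datetime(2007, 8, 31, tzinfo=timezone.utc))
# Sample with a zeroed stamp, a common sign of a stripped or forged field.
ZERO_STAMP_SAMPLE = make_sample(datetime(1970, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    built = pe_compile_time(SAMPLE)
    found = datetime(2011, 9, 1, tzinfo=timezone.utc)  # illustrative discovery date
    print(built.isoformat(), "plausible:", timestamp_is_plausible(built, found))
```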

As talk of physical strikes against Iran heats up again, one has to wonder what actual damage Duqu did to Iran (it seems to be just an information gatherer), and whether there is a Stuxnet III out there.

Should the US Apply Cold War Doctrines to Cyber War?

Cold war doctrines on how to respond to nuclear attack need to be applied to the 21st century threats of cyber attacks and espionage.

That was what Michael Chertoff, former US Homeland Security secretary, said this week at the RSA Security Conference in London, according to The Register.

Chertoff also mentioned that 100 countries now have the capabilities to perform cyber attacks and cyber espionage. Though cyberwar is a serious threat, should US cyber war doctrine be the same doctrine we used to defend ourselves against a nuclear attack?

Nuclear weapons could vaporize an entire area and leave it inhospitable for 20-30 years. While cyber attacks are often more espionage related, they could turn deadly if power, telecommunications or infrastructure is damaged in a large city. Civil security, medical and food supply could be the heaviest hit.

But one thing that really sticks out to me is the sheer number of nations that have cyber war capabilities. When you compare the 9 countries that have nuclear weapon capabilities to the 100 that have cyber attack capabilities, this is a whole new ball game. The attack could come from almost anywhere and strike anywhere at any time.

Cyberwar is very cheap compared to the technology, infrastructure and financial outlay it takes to build nukes. Also, if someone launched a nuke, it could almost certainly be tracked back to the country of origin fairly easily. Cyber attacks, on the other hand, are very stealthy and are sometimes bounced through several different countries before hitting their target.

What is scary too is that Chertoff mentioned an attack against air traffic control systems. Ira Winkler, former NSA agent and president of the Internet Security Advisors Group said that not only is such an attack possible, but security was never built into air traffic control systems to begin with.

This brings up another issue: the level of force used in responding to a cyber attack. If a third world country launches a cyber attack against the US and disables its air traffic control systems while planes are in the air, hundreds of planes and thousands of lives would be at risk. Would we respond by disabling their air traffic control system, when they may only have ten airplanes total in the whole country?

Many experts have said that the US will not take cyber security seriously unless there is a cyber 9/11. The US needs to sit down with the international community and hammer out realistic policy now on responding to cyber attacks. The longer we continue without black and white policies the greater the risk will become.