US Power Stations hit by Viruses, DoD seeks to Jump the Gap into Secure Networks

 US Power Plant

The Control Systems of two American Power Stations were infected by viruses according to a report by the US Department of Homeland Security (ICS-CERT). Both were infected by USB drive based viruses. Interestingly enough, this is the same way Stuxnet was allowed to infect Iran’s air gaped secure network.

The US military is also looking at other ways to gain access to secure networks by “Jumping the Gap”.

Iran’s nuclear enrichment facilities were protected against outside attack, so they thought, because they used a closed or air gaped network. There was no physical network connections between the secured computers and the outside world. But Stuxnet, the virus that successfully attacked and hindered Iranian nuclear ambitions infiltrated the “air gap” via USB flash drive.

As America pushes to secure their critical infrastructure and SCADA systems from outside attacks, these two unnamed power plants were both infected late last year from internal threats.

One of the viruses seemed to have been brought in via USB drive by a third party contractor, infecting the control system with a crimeware type virus that infected 10 networked computers.

But the second is more concerning. The virus somehow infected a maintenance workers USB drive and two critical workstations:

Investigators found sophisticated although unspecified malware on two engineering workstations associated with running critical applications. The subsequent cleanup operation was complicated by a lack of backups.”

Though both of these infections were via USB flash drives, which are banned in most secure facilities(?!?!?), the ability to infect closed secured systems via alternate methods is of great interest to the military.

Recently, reps from 60 tech companies attended a government planning day hosted by the Army’s Intelligence and Information Warfare Directorate (I2WD) to discuss new methods of cyber and electronic warfare.

Included in the discussion were high tech methods to infiltrate secure networks without being physically present via RF and electromagnetic distortions using ground based and aerial units:

“Imagine being able to roll a vehicle near a facility, sit for a short period while inserting a worm, and leave without having to buy off any employee or sneak anything past an attentive guard. Better yet, a stealthy unmanned aerial vehicle could be quietly flown far above a facility to insert code even in contested airspace.”

Electronic warfare and cyber are two of the top areas of concern to the modern war fighter. “We have to understand better the electromagnetic spectrum,” said Admiral Jon Greenert, Chief of Naval Operations, “Cyber, our radar and communication, everything. If you control the electromagnetic spectrum, you control the fight.”

Imagine the possibilities of infiltrating a secured wired network by sniffing and manipulating electromagnetic waves. Next to the military’s targetable EMP beam weapon, this has to be the most fascinating cyber warfare research currently being undertaken.

The Right to Keep and Bear Cyber Arms: The 2nd Amendment and CyberWar

There have been several articles floating around about “Cyber Militias”, and though I will probably regret it, I think it is time to talk about cyber weapons and the second amendment.

I’ve seen some interesting video lately, where two armed thugs enter a business and threaten everyone inside. An armed civilian defends himself and everyone inside by drawing his weapon and chasing the perps out of the business with some well aimed shots. But what if your business, that you worked very hard to build with blood, sweat and toil, is targeted by cyber criminals, what can you do?

Well, right now, all you can legally do is contact the authorities. Even if you knew how, you can not take matters into your own hands and counter-hack the attackers. With all the media hype over Stuxnet, cyber war and cyber weapons – should US citizens be legally allowed to own and use these deadly weapons in accordance with their 2nd Amendment rights?

Okay, I am poking fun with the “deadly” thing, as so far no one has been officially killed by a “cyber weapon”. But Joel Harding has some very interesting points in his latest post on cyber militias. If Switzerland stays true to course, and hands out government made cyber code to home guard soldiers, shouldn’t American civilians have access to such weapons also?

Honestly, as the amendment is written and as code is being quantified as a weapon, why shouldn’t Americans be allowed to actively defend themselves against online electronic risks as well as physical threats?

Of course, I can foresee that a single user Denial-of-Service weapon would probably be given out without much ado, but there will probably be a ban on large capacity distributed DoS weapons. And of course their will be a 10 day waiting period on Stuxnet based threats.

Wouldn’t want someone blowing up a couple nuclear power processing plants in Iran just because they had a bad day at the office…

Alright, alright… All kidding aside, should the 2nd amendment apply to cyber weapons – what do you think?

Stuxnet, Duqu and Flame made by same Team

Indepth research shows that Flame and Stuxnet, two serious pieces of malware released against the Iranians were made in co-operation with each other. A report from Kapersky Labs today pretty much solidifies what many security experts assumed, that both programs were made by the same group.

According to the report, “a module from the early 2009-version of Stuxnet, known as “Resource 207,” was actually a Flame plugin.” Some other interesting points from the report include:

  • Flame was created first, as Stuxnet includes one of Flames Modules
  • Flame and Stuxnet use the same USB infector mechanism
  • In 2010, Flame and Stuxnet joint development seems to have ended

The module that was shared between both programs is called “Resource 207”. According to Kapersky, the “module is an encrypted DLL file and it contains an executable file that’s the size of 351,768 bytes with the name “atmpsvcn.ocx”. This particular file, as it is now revealed by Kaspersky Lab’s investigation, has a lot in common with the code used in Flame.”

and,

The primary functionality of the Stuxnet “Resource 207” module was distributing the infection from one machine to another, using the removable USB drives and exploiting the vulnerability in Windows kernel to obtain escalation of privileges within the system. The code which is responsible for distribution of malware using USB drives is completely identical to the one used in Flame.

The code seemed to be shared at the program level, not the binary level. This actually makes a lot of sense. Two teams, one presumably American and one Israeli could have worked together with the overall attack plan, and co-created the code. Then they could have split up to create code to accomplish individual end goals. One being disabling the physical equipment and process, the other being remote access tool and data miner.

Cool stuff, makes you wonder what else Israel and the US is working on.

Officials confirm, Stuxnet was a US-Israel Creation

We have met the creator of Stuxnet, and the creator is us…

US, Israel and European officials confirm that Stuxnet was part of an ever increasing program of computer attacks against Iran to slow or stop it’s nuclear ambitions.

According to an article on the New York Times:

From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.

Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet.

Really no shocker here, most assumed that it was US and Israel backed. Now we know for sure. According to The Register, members of Israel’s ultra cool Unit 8200 and our cyber ninjas at the NSA worked together to create the cyberweapon Stuxnet.

The Times article hints that the cyber attacks were intended to slow down Iran’s progress on obtaining nuclear weapons and satiate Israel so they would not perform a physical strike, leading to an un-stabilized Middle East.

But what one has to ask, if they knew the attacks would only delay Iran from obtaining nukes, why do this at all? They seemed to be determined to obtain nuclear weapons. What would be gained by delaying them another year or so?

I am curious if this is why key members of Iran’s nuclear program are being and have been assassinated. Knowing that Stuxnet was only a temporary fix, someone (apparently Israel) is taking further steps to hamstring Iran’s nuclear ambitions.