The Stuxnet virus – on cyberwar and nuclear plants


2 Oct 2010

Iran’s Bushehr Nuclear Power Plant

When Iranians started building the Bushehr nuclear power plant in 1970 they asked the Germans for help. Things didn’t go too well so eventually they started building it through an agreement with the Russian government – however, the famous German company Siemens supplied most of the reactor control devices, including software.

A controversial topic, closed and reopened many times over time, the Bushehr nuclear reactors are still inoperative 30 years later.

This may be due, among other things, to a computer virus called Stuxnet.

A special virus

In July 2010, VirusBlokada, a company in Belarus, announced the discovery of a new computer virus which seemed to do some very interesting things. The announcement said mainly that this virus includes a rootkit component which is signed with a valid digital certificate from RealTek. This has several serious implications and is a major event in itself. Digital certificates are used almost everywhere today for authentication. Essentially, a driver signed by RealTek means it was written by RealTek, a reputable company, so it should be OK to install it; what’s more, when a digital signature is present, Windows automatically grants the bearer of the signature a higher level of trust. So how can a virus end up signed with a valid digital certificate from a major hardware company? Essentially, there are two possibilities: someone (or something) managed to steal the digital certificate, or that company knowingly sold it to the authors of the virus. Of course, when it comes to RealTek, the second option is very unlikely, so we are left with the first possibility. This became even more likely when a second version of the virus was discovered, this time using a digital certificate stolen from JMicron.
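One defensive check that follows from this point (an added example, not code from the original post): audit the Authenticode signature of every installed kernel driver and flag any whose signature is missing or broken, or whose signing certificate is on a local blocklist of known-compromised certificates. The thumbprints in `$RevokedThumbprints` are constructed placeholders; the real RealTek and JMicron certificate thumbprints are not given on this page.

```powershell
# Added example (not from the original post): audit installed kernel drivers and
# report any whose Authenticode signature is missing, broken, or made with a
# certificate on a local blocklist of known-stolen signing certificates.
# The thumbprints below are CONSTRUCTED placeholders, not real values.
$RevokedThumbprints = @(
    '0000000000000000000000000000000000000001',   # placeholder: stolen cert A
    '0000000000000000000000000000000000000002'    # placeholder: stolen cert B
)

function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)

    # Service paths may come back as \??\C:\... or \SystemRoot\...; normalise them.
    $file = $Path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $file)) {
        return [pscustomobject]@{ Path = $file; Verdict = 'MISSING'; Signer = $null }
    }

    $sig   = Get-AuthenticodeSignature -FilePath $file
    $thumb = $sig.SignerCertificate.Thumbprint

    # A *valid* signature made with a stolen certificate is exactly the case
    # described above: Windows trusts it, so only a blocklist (or the CA's
    # revocation) catches it. Check the blocklist before the status.
    if ($thumb -and ($RevokedThumbprints -contains $thumb)) {
        $verdict = 'REVOKED_SIGNER'
    } elseif ($sig.Status -ne 'Valid') {
        # Status is NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        $verdict = "BAD_SIGNATURE:$($sig.Status)"
    } else {
        $verdict = 'OK'
    }

    [pscustomobject]@{
        Path    = $file
        Verdict = $verdict
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Enumerate kernel drivers registered as services and check each binary.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object { Test-DriverSignature -Path $_.PathName } |
    Where-Object { $_.Verdict -ne 'OK' } |
    Format-Table -AutoSize
```

The blocklist covers the window before the CA revokes a stolen certificate; populate it with thumbprints published in vendor or CA advisories rather than the placeholders above.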

A 1,000,000$ virus

After that announcement, security companies worldwide started to examine the new virus, called Stuxnet. All sorts of findings started emerging. Besides having a driver signed by RealTek, which was used to hide the infection in the system, the virus was using a new method to spread: LNK files and a Windows vulnerability that allowed automatic execution of the program from a memory stick the moment the stick was browsed. For perspective, it should be mentioned that this type of vulnerability is sold for big money on the black market, reaching 250,000$. As time passed, things became increasingly worrisome. Besides the 0-day vulnerability related to LNK files, we discovered 2 more in the virus, which we immediately reported to Microsoft. At the same time, other researchers discovered another 0-day vulnerability, bringing the total to 4. To make it clearer for everyone, by now we are talking about $1 million invested in this virus, and that is only for the vulnerabilities exploited.

“Return on investment” – how much money can you make with a 1,000,000$ investment?

Things got even more complicated when it was discovered that the virus seemed to attack SCADA industrial control systems. SCADA stands for “supervisory control and data acquisition” and represents a class of systems used in industrial control, from water, electricity, traffic lights to nuclear power plants. As the analysis progressed, it was discovered that the virus didn’t attack just any SCADA system but, in particular, a software version created by Siemens and called SIMATIC WinCC.

It may seem a little strange that these discoveries happened over the course of two or three months, but it’s perfectly normal. Nowadays, the analysis of a complex virus such as Stuxnet can take months and even after 5-6 months there might still be some unanalyzed code fragments.

To understand how the interaction with SCADA works, you need software and tools worth 40-50,000$, an amount that you can easily add to the costs of developing the virus. Clearly, its authors had in-depth knowledge of the functioning of those systems and access to systems controlled by SIMATIC WinCC.

Going back to the virus’s interaction with SCADA systems, perhaps the most interesting discovery was that it wasn’t trying to steal information. Originally, it was believed that it was a virus that spies on industrial systems and steals their plans. The shock came when it was discovered that it didn’t steal plans, it sabotaged the functioning of a particular control system.

Explosive actions

Of course, we can ask ourselves, what can you do with a virus that cost over 1 million dollars and that can sabotage industrial systems?

The explanation can be shocking but it marks a unique moment in the history of computer viruses – the moment when we have the confirmation of cyberwar between states.

The vast majority of viruses that appear today are made to steal information that can later be sold. Stuxnet was not written to steal anything and it was very expensive, but it seemed to sabotage a specific industrial system.

What system could that be?

The victims

If we look at the list of countries that were infected (http://www.securelist.com/en/blog/325/Myrtus_and_Guava_the_epidemic_the_trends_the_numbers), we see that it’s a bit unusual. India is a popular candidate but Iran isn’t. Epidemics in Iran are very rare; what’s more, we must bear in mind that Stuxnet doesn’t spread on the internet; it spreads only in local networks. Essentially, that means that someone was very active in trying to spread it in Iran through methods that involved someone’s physical presence at the scene.

Although there is no direct evidence, the most likely targets in Iran for this virus are the nuclear reactors at Bushehr and the uranium enrichment plant at Natanz. Recently, both have had problems: “Delay hits Iran Bushehr plant” (http://english.aljazeera.net/news/middleeast/2010/09/2010929145616730389.html) and “Iran’s Natanz Nuclear Facility Suffers Growing Pains” (http://blog.heritage.org/2010/02/11/iran%E2%80%99s-natanz-nuclear-facility-suffers-growing-pains/).

Other interesting news:

Was there or wasn’t there…

Perhaps the biggest question that remains is whether the virus worked or not. According to the data we have, the first infections occurred last year in July, around the same time as the resignation of Iran’s nuclear chief. This year, in September, Russia announced that it would no longer sell Iran missiles to defend nuclear plants against airborne attacks. At the same time, problems are being announced both at Bushehr and at Natanz.

Within the Stuxnet virus there is a condition check that determines whether the virus is running on the right system, identified by a specific signature. If this signature is detected, the code routine returns the value “DEADF007” in hex, which can be read as “dead foot”. At the same time, the virus injects into the control processors code whose main role is to ignore potential alarm messages which could signal the overheating of a system or another critical condition. This is when “dead foot” happens…

The world after Stuxnet

What is clear in our case is that we are dealing with attackers that have substantial resources (millions of dollars) which they are willing to invest in a computer weapon of surgical precision. At first glance, the plans didn’t work very well: the reactors didn’t explode and now everyone knows about the attack. The attackers, upset at the failure, might have pushed, at a political level, the deal on the defense missiles in order to solve the problem in a conventional way. At http://en.wikipedia.org/wiki/Nuclear_program_of_Iran we can read something interesting:

“During the Iran-Iraq war, Iran’s Bushehr reactors were damaged by multiple Iraqi air strikes and work on the nuclear program came to a standstill. Iran notified the International Atomic Energy Agency of the blasts, and complained about international inaction and the use of French made missiles in the attack.[66][67]”

So, there have been other attempts in the past to block the construction of the reactor, but these attempts weren’t very elegant. At a later date, they may have found a more elegant alternative: a computer virus able to mess up the German control systems from Siemens and produce at least as much damage as a conventional attack. When this failed, everyone returned to the old methods.

Of course the story presented here is only a small piece of the puzzle – searching the internet, many other events that easily fall within the timeline can be found.

What is sure, however, is that Stuxnet marks the moment in history when the superpowers in our world seriously started the “cybernetic” cold war. What is next? Or who will be the next victim?

(English version by Teodora Popescu)

Original Romanian version: Virusul Stuxnet – despre cyberwar si centrale nucleare


Comments


Adrian Balcan

October 2nd, 2010 at 12:16 pm

Quite interesting how a virus can do harm beyond software, and if we consider that this was about a nuclear plant, we can imagine something very serious.


MVCaraiman

October 2nd, 2010 at 4:58 pm

Very interesting. Congratulations on the article!


Marius Corici

October 4th, 2010 at 2:18 pm

Nothing new under the sun (I mean cyberwar) 😉 and it seems all the more normal to me as long as it targets Iran


Catalin Rares Petru

April 19th, 2011 at 1:27 pm

Radu Georgescu
GECAD Group