Wednesday, November 17, 2010

  • Wednesday, November 17, 2010
  • Elder of Ziyon
Wired magazine reports:
New and important evidence found in the sophisticated “Stuxnet” malware targeting industrial control systems provides strong hints that the code was designed to sabotage nuclear plants, and that it employs a subtle sabotage strategy that involves briefly speeding up and slowing down physical machinery at a plant over a span of weeks.

“It indicates that [Stuxnet's creators] wanted to get on the system and not be discovered and stay there for a long time and change the process subtly, but not break it,” says Liam O Murchu, researcher with Symantec Security Response, which published the new information in an updated paper on Friday.

The Stuxnet worm was discovered in June in Iran, and has infected more than 100,000 computer systems worldwide. At first blush, it appeared to be a standard, if unusually sophisticated, Windows virus designed to steal data, but experts quickly determined it contained targeted code designed to attack Siemens Simatic WinCC SCADA systems. SCADA systems, short for “supervisory control and data acquisition,” are control systems that manage pipelines, nuclear plants and various utility and manufacturing equipment.

Researchers determined that Stuxnet was designed to intercept commands sent from the SCADA system to control a certain function at a facility, but until Symantec’s latest research, it was not known what function was being targeted for sabotage. Symantec still has not determined what specific facility or type of facility Stuxnet targeted, but the new information lends weight to speculation that Stuxnet was targeting the Bushehr or Natanz nuclear facilities in Iran as a means to sabotage Iran’s nascent nuclear program.

According to Symantec, Stuxnet targets specific frequency-converter drives — power supplies used to control the speed of a device, such as a motor. The malware intercepts commands sent to the drives from the Siemens SCADA software, and replaces them with malicious commands to control the speed of a device, varying it wildly, but intermittently.

The malware, however, doesn’t sabotage just any frequency converter. It inventories a plant’s network and only springs to life if the plant has at least 33 frequency converter drives made by Fararo Paya in Teheran, Iran, or by the Finland-based Vacon.

Even more specifically, Stuxnet targets only frequency drives from these two companies that are running at high speeds — between 807 Hz and 1210 Hz. Such high speeds are used only for select applications. Symantec is careful not to say definitively that Stuxnet was targeting a nuclear facility, but notes that “frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”

“There’s only a limited number of circumstances where you would want something to spin that quickly -– such as in uranium enrichment,” said O Murchu. “I imagine there are not too many countries outside of Iran that are using an Iranian device. I can’t imagine any facility in the U.S. using an Iranian device,” he added.

The malware appears to have begun infecting systems in January 2009. In July of that year, the secret-spilling site WikiLeaks posted an announcement saying that an anonymous source had disclosed that a “serious” nuclear incident had recently occurred at Natanz. Information published by the Federation of American Scientists in the United States indicates that something may indeed have occurred to Iran’s nuclear program. Statistics from 2009 show that the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 around the time the nuclear incident WikiLeaks mentioned would have occurred.

Researchers who have spent months reverse-engineering the Stuxnet code say its level of sophistication suggests that a well-resourced nation-state is behind the attack. It was initially speculated that Stuxnet could cause a real-world explosion at a plant, but Symantec’s latest report makes it appear that the code was designed for subtle sabotage. Additionally, the worm’s pinpoint targeting indicates the malware writers had a specific facility or facilities in mind for their attack, and have extensive knowledge of the system they were targeting.

Stuxnet is very specific about what it does once it finds its target facility. If the number of drives from the Iranian firm exceeds the number from the Finnish firm, Stuxnet unleashes one sequence of events. If the Finnish drives outnumber the Iranian ones, a different sequence is initiated.

Once Stuxnet determines it has infected the targeted system or systems, it begins intercepting commands to the frequency drives, altering their operation.

“Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz,” writes Symantec’s Eric Chien on the company’s blog. “Modification of the output frequency essentially sabotages the automation system from operating properly. Other parameter changes may also cause unexpected effects.”

“That’s another indicator that the amount of applications where this would be applicable are very limited,” O Murchu says. “You would need a process running continuously for more than a month for this code to be able to get the desired effect. Using nuclear enrichment as an example, the centrifuges need to spin at a precise speed for long periods of time in order to extract the pure uranium. If those centrifuges stop to spin at that high speed, then it can disrupt the process of isolating the heavier isotopes in those centrifuges … and the final grade of uranium you would get out would be a lower quality.”

O Murchu said that there is a long wait time between different stages of malicious processes initiated by the code — in some cases more than three weeks — indicating that the attackers were interested in sticking around undetected on the target system, rather than blowing something up in a manner that would attract notice.
Nice.

Let's hope that there are other specifically targeted Stuxnets out there that haven't been discovered yet.

EoZTV Podcast

Podcast URL

Subscribe in podnovaSubscribe with FeedlyAdd to netvibes
addtomyyahoo4Subscribe with SubToMe

search eoz

Loading...

Recent posts from other blogs

comments

Speaking

follow me

Follow by Email

Contact

elder -at- elderofziyon dot com

translate

E-Book

For $18 donation








Sample Text

EoZ's Most Popular Posts Ever

Hasbys!

Elder of Ziyon - حـكـيـم صـهـيـون

Elder of Ziyon - حـكـيـم صـهـيـون
This blog may be a labor of love for me, but it takes a lot of effort, time and money. For over 11 years and over 23,000 articles I have been providing accurate, original news that would have remained unnoticed. I've written hundreds of scoops and sometimes my reporting ends up making a real difference. I appreciate any donations you can give to keep this blog going.

Donate!

Monthly subscription:
Payment options

One time donation:

subscribe via email

Follow EoZ on Twitter!

Tweets

Compliments

The Jerusalem Report:"A seemingly indefatigable one-man operation, armed only with a computer, chutzpa and stamina."

Algemeiner: "Fiercely intelligent and erudite"

Omri: "Elder is one of the best established and most respected members of the jblogosphere..."
Atheist Jew:"Elder of Ziyon probably had the greatest impression on me..."
Soccer Dad: "He undertakes the important task of making sure that his readers learn from history."
AbbaGav: "A truly exceptional blog..."
Judeopundit: "[A] venerable blog-pioneer and beloved patriarchal figure...his blog is indispensable."
Oleh Musings: "The most comprehensive Zionist blog I have seen."
Carl in Jerusalem: "...probably the most under-recognized blog in the JBlogsphere as far as I am concerned."
Aussie Dave: "King of the auto-translation."
The Israel Situation:The Elder manages to write so many great, investigative posts that I am often looking to him for important news on the PalArab (his term for Palestinian Arab) side of things."
Tikun Olam: "Either you are carelessly ignorant or a willful liar and distorter of the truth. Either way, it makes you one mean SOB."
Mondoweiss commenter: "For virulent pro-Zionism (and plain straightforward lies of course) there is nothing much to beat it."
Didi Remez: "Leading wingnut"

Interesting Blogs

Categories

Abbas liar Academic fraud administrivia al-Qaeda algeria American Jews Amnesty analysis anti-semitism apartheid arab refugees Arafat archaeology art ASHREI B'tselem bahrain bbc BDS BDSFail Bedouin Beitunia beoz book review breaking the silence Cardozo Chanukah Christians conspiracy theories Cyprus Daphne Anson Davis report DCI-P double standards Egypt Elder gets results ElderToons Electronic Intifada EoZNews eoztv Erekat EU Euro-Mid Observer Fake Civilians 2014 Fatah featured fisking flotilla free gaza freedom of press palestinian style future martyr gaza Gaza Platform George Galloway gideon levy gilad shalit gisha Goldstone Report Good news Grapel Guardian gunness hamas Hamas war crimes hasbara Hasby 2014 Hasby 2016 Hebron helen thomas hezbollah history Hizballah Holocaust denial honor killing HRW Human Rights Humanitarian crisis humor Hypocrisy ICRC Ilan Pappe impossible peace incitement Indonesia international law intransigence iran Iraq Islamic Judeophobia Islamism Israel Loves America Israeli culture Israeli high-tech J Street jabalya jeremy bowen Jerusalem jewish fiction Jewish Voice for Peace jihad jimmy carter John Kerry jokes jonathan cook Jordan Juan Cole Judea-Samaria Kairos Karl Vick ken roth khalid amayreh Khaybar Lebanon leftists Linkdump lumish mahmoud zahar Malaysia max blumenthal McGraw-Hill media bias Methodist Miftah Mohammed Assaf Mondoweiss moonbats Morocco music Muslim Brotherhood Nakba Natural gas Nazi nftp NGO NIF norpac NYT Occupation offbeat Omar Barghouti oxfam PA corruption PalArab lies Palestine Papers pallywood pchr PCUSA Peter Beinart poll Poster Preoccupied Prisoners propaganda Proud to be Zionist purimshpiel Qaradawi Qassam calendar Rafah Ray Hanania real liberals reference Richard Falk rogel alpher roger cohen roger waters Saudi Arabia saudi vice self-death self-death palestinians sex crimes SFSU shechita sheikh tamimi Shujaiyeh SodaStream South Africa Speech stamps Syria Tarabin Temple Mount Terrorism This is Zionism Thomas Friedman Tunisia Turkey UCI UK UN unesco unhrc United Arab Emirates Unity unrwa UNRWA hate unrwa reports UNRWA-USA Vic Rosenthal Washington wikileaks work accident X-washing Yemen zahran zionist attack zoo Zvi

Blog Archive