.

Wednesday, July 25, 2012

Iran's nuclear facilities infected with rock music virus

Information security company F-Secure writes on its blog:
Over the weekend, I received a series of emails from Iran. They were sent by a scientist working at the Atomic Energy Organization of Iran (AEOI).

The scientist reached out to publish information about Iranian nuclear systems getting struck by yet another cyber attack.

He wrote:

I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom.

According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down. I only know very little about these cyber issues as I am scientist not a computer expert.

There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing 'Thunderstruck' by AC/DC.


I'm not sure what to think about this. We can't confirm any of the details. However, we can confirm that the researcher was sending and receiving emails from within the AEOI.
This is obviously the work of regular - but smart - hackers meaning to harass Iran. Metasploit is freely available and easily exploits known security vulnerabilities. While it is possible to write new exploits for Metasploit, using it is not indicative of a super-secret spy organization or nation/state behind it.

Not to mention that a nation state is not going to advertise that they hacked into a nuclear facility!

Most interesting from that email is the idea that Iranian nuclear facilities are accessible to the Internet via a VPN. And the VPN had access to the Siemens controllers. That is astonishingly poor security for a critical facility which should be completely cut off from the world. I assumed it was because Stuxnet was spread via USB drives, not the Internet, it was reported at the time.

So this is the work of mischievous hackers. But that doesn't stop "foreign policy experts" from saying stupid things implying this was a US operation:
This sort of thing isn't new. Music was central to 1989's Operation Just Cause, in which U.S. soldiers attempted to coerce Panamanian President Manuel Noriega from his refuge in the Vatican embassy by blaring loud music at the building. In documents acquired by the National Security Archives, U.S. SOUTHCOM admitted U.S. military DJs took requests, blaring a playlist that ranged from Paul Simon's 50 Ways to Leave Your Lover, Bruce Springsteen's Born to Run and, an apparent favorite, AC/DC's You Shook Me All Night Long.

More recently, U.S. Psychological Operations Company (PsyOps) admitted to the use of heavy metal in Iraq as a mechanism to break uncooperative prisoners' resistance. Similar use was reported by the International Committee of the Red Cross as part of the "cruel, humane and degrading" treatment of Guantanamo inmates. Though the use of heavy metal as a interrogation technique incited some record companies to warn that the United States may owe royalty fees, military officials were unrepentant. As one officer told Newsweek, "Trust me, it works."
One can only hope that Iran remains as clueless about cyber-security as it has been so far. If hackers can get into a nuclear facility in Iran, hopefully the entire infrastructure is riddled with hidden viruses, trojans, and backdoors that cannot be removed without a wholesale replacement of every computer component and computer controller.

(h/t Yoel)