I have been fascinated by Cyber War since I read my first Stuxnet article in Wired Magazine. I feel we have entered a new era where the first attacks will happen via computer code that is targeting countries' infrastructure and command and control facilities. Stuxnet will go down as significantly as the first test of the Atomic Bomb. Warfare has forever been altered. If you search my posts on this blog, I have always been saying that was the case since the news of the Iran cyber attack broke in the mainstream news.
IN JANUARY 2010, inspectors with the International Atomic Energy Agency visiting the Natanz uranium enrichment plant in Iran noticed that centrifuges used to enrich uranium gas were failing at an unprecedented rate. The cause was a complete mystery—apparently as much to the Iranian technicians replacing the centrifuges as to the inspectors observing them.
Five months later a seemingly unrelated event occurred. A computer security firm in Belarus was called in to troubleshoot a series of computers in Iran that were crashing and rebooting repeatedly. Again, the cause of the problem was a mystery. That is, until the researchers found a handful of malicious files on one of the systems and discovered the world’s first digital weapon.
Stuxnet, as it came to be known, was unlike any other virus or worm that came before. Rather than simply hijacking targeted computers or stealing information from them, it escaped the digital realm to wreak physical destruction on equipment the computers controlled.
Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, written by WIRED senior staff writer Kim Zetter, tells the story behind Stuxnet’s planning, execution and discovery. In this excerpt from the book, which will be released November 11, Stuxnet has already been at work silently sabotaging centrifuges at the Natanz plant for about a year. An early version of the attack weapon manipulated valves on the centrifuges to increase the pressure inside them and damage the devices as well as the enrichment process. Centrifuges are large cylindrical tubes—connected by pipes in a configuration known as a “cascade”—that spin at supersonic speed to separate isotopes in uranium gas for use in nuclear power plants and weapons. At the time of the attacks, each cascade at Natanz held 164 centrifuges. Uranium gas flows through the pipes into the centrifuges in a series of stages, becoming further “enriched” at each stage of the cascade as isotopes needed for a nuclear reaction are separated from other isotopes and become concentrated in the gas.
As the excerpt begins, it’s June 2009—a year or so since Stuxnet was first released, but still a year before the covert operation will be discovered and exposed. As Iran prepares for its presidential elections, the attackers behind Stuxnet are also preparing their next assault on the enrichment plant with a new version of the malware. They unleash it just as the enrichment plant is beginning to recover from the effects of the previous attack. Their weapon this time is designed to manipulate computer systems made by the German firm Siemens that control and monitor the speed of the centrifuges. Because the computers are air-gapped from the internet, however, they cannot be reached directly by the remote attackers. So the attackers have designed their weapon to spread via infected USB flash drives. To get Stuxnet to its target machines, the attackers first infect computers belonging to five outside companies that are believed to be connected in some way to the nuclear program. The aim is to make each “patient zero” an unwitting carrier who will help spread and transport the weapon on flash drives into the protected facility and the Siemens computers. Although the five companies have been referenced in previous news reports, they’ve never been identified. Four of them are identified in this excerpt.
The operation launched by the US was the first shot in a new form of war.
The militarization of cyberspace has been under way for more than a decade, but only in the last few years have the telltale signs appeared suggesting that the United States is erecting a new digital wing of its permanent national-security state. Three years ago, for example, came the birth of the 24th Air Force, at Lackland Air Force Base, Texas, and Robins Air Force Base, Georgia. The 24th claims to be “the newest numbered air force,” as well as “the first-ever unit designated for the sole purpose of cyberspace operations.” According to its fact sheet,
Over 5,400 men and women conduct or support 24-hour operations … including 3,339 military, 2,975 civilian, and 1,364 contractor personnel.
There is less public information about the work of these seven thousand digital warriors than about the supposedly top secret, yet hiding-in-plain-sight, lethal drone program, about which my colleague Amy Davidson recently wrote, in response to a revelatory Times story about President Obama’s personal engagement with “kill lists” of terrorist suspects.
And yet armed drones and cyber war are of a piece. They have evolved opaquely from syntheses of new technologies and military imaginations. The laws governing them are secret, as are the mechanisms of Presidential decision-making and field command.
Last week, the Times shed more light, by publishing an excerpt of David Sanger’s new book, “Confront and Conceal,” which describes a joint American-Israeli offensive cyber-attack operation in 2010 against Iran’s nuclear industry. The existence of the weapon used against Iran—a piece of malware called Stuxnet—was previously known, and there was rough knowledge of the authorship. Sanger, though, describes both—and President Obama’s hands-on role—more fully than any previous account. The attack was designed to disable Iranian centrifuges that enrich uranium. (The enriched uranium could ultimately be used to make nuclear bombs.) Cyber Command and the 24th Air Force presumably played at least a supporting role, along with the National Security Agency, although it remains unclear exactly who did what in the operation, which may be continuing.
The operation’s code name—“Olympic Games”—suggests some of the complacency and self-satisfaction among the President’s advisers. The malware was built, for example, to convince the Iranians that the sabotage of their centrifuges was a result of their own incompetence. “The intent was that the failures should make them feel they were stupid, which is what happened,” one participant boasted.
Operation Olympic Games started in 2006. Signed off by the George W. Bush administration, this operation targeted the Iranian nuclear facility at Natanz. The operation accelerated after the election of Obama. The computer virus was first discovered by the Belarus antivirus company VirusBlokAda and later analyzed in depth by the security company Symantec. It is worth mentioning that various security companies reported that other malware, such as “Duqu”, “Flame” and “Gauss”, shared the same or similar code and techniques as Stuxnet. Kleissner & Associates sinkholed (registered) the first Stuxnet C&C domain “www.todaysfutbol.com” on 10/9/2013 and the second “www.mypremierfutbol.com” on 6/8/2014. Through our custom-developed Virus Tracker system we are able to monitor infected machines that connect to these domains. Interestingly, and despite the monetary (likely in the millions EUR) and coding efforts of the Stuxnet developers, the C&C protocol was not properly secured. Information being sent from the infected machine to the C&C server is passed in the HTTP GET string as “/index.php?data=[data]”, where the data is only hex encoded and XOR encrypted with the 31-byte key (hex bytes) 67 A9 6E 28 90 0D 58 D6 A4 5D E2 72 66 C0 4A 57 88 5A B0 5C 6E 45 56 1A BD 7C 71 5E 42 E4 C1 and XOR encrypted with FF. After decrypting the data, this information from the infected machine becomes clear:

- Unique identifier of the Stuxnet infection (GUID)
- Main internal IP address
- Computer name
- Domain name
- IP address of interface 1
- IP address of interface 2
- IP address of interface 3
- Windows major and minor version
- Windows Service Pack version
- Whether Siemens SCADA software is installed
- Project path of a found SCADA program

According to the Symantec analyst who investigated Stuxnet, there is a kill switch which will stop Stuxnet from spreading after June 24, 2012.
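The beacon format described above is simple enough that a sinkhole operator can decode it directly. The following is an added example written for this page, not Kleissner & Associates' Virus Tracker code and not Symantec's analysis tooling. It assumes that the 31-byte key printed above is applied cyclically across the whole payload (the text does not say so explicitly) and that "XOR encrypted with FF" means every byte is also XORed with 0xFF; since XOR is commutative, the order of those two passes does not matter. The real decrypted payload is a fixed binary structure whose layout is not given on the page, so the sample plaintext below is a constructed stand-in that merely lists the field values in order.

```python
"""Decode and classify Stuxnet-style C&C beacons of the form /index.php?data=<hex>.

Added example, not code from the page or from the companies it names.
Assumptions (labelled): the 31-byte key repeats cyclically over the payload, and
the 0xFF XOR applies to every byte. The inner field layout is not reproduced.
"""
from typing import Optional
from urllib.parse import parse_qs, urlparse

# 31-byte XOR key exactly as printed on the page
KEY = bytes.fromhex(
    "67A96E28900D58D6A45DE27266C04A57885AB05C6E45561ABD7C715E42E4C1"
)
assert len(KEY) == 31

# The two C&C domains named on the page (both sinkholed)
SINKHOLED_DOMAINS = {"www.todaysfutbol.com", "www.mypremierfutbol.com"}


def xor_layer(payload: bytes) -> bytes:
    """Apply the 31-byte key (assumed cyclic) and the 0xFF mask in one pass.

    XOR is its own inverse, so the same function encrypts and decrypts.
    """
    return bytes(b ^ KEY[i % len(KEY)] ^ 0xFF for i, b in enumerate(payload))


def encode_beacon(plaintext: bytes) -> str:
    """Build the request path an infected host would send: /index.php?data=<hex>."""
    return "/index.php?data=" + xor_layer(plaintext).hex().upper()


def decode_beacon(path: str) -> Optional[bytes]:
    """Recover the plaintext from a request path, or None if it is not a beacon."""
    parsed = urlparse(path)
    if parsed.path != "/index.php":
        return None
    values = parse_qs(parsed.query).get("data")
    if not values:
        return None
    try:
        blob = bytes.fromhex(values[0])
    except ValueError:  # data= present but not hex: not this protocol
        return None
    return xor_layer(blob)


def classify_request(host: str, path: str) -> Optional[bytes]:
    """Sinkhole-side check: return the decoded beacon only when the Host header
    names one of the sinkholed C&C domains and the path decodes as a beacon."""
    if host.lower() not in SINKHOLED_DOMAINS:
        return None
    return decode_beacon(path)


# Constructed sample values standing in for the fields listed on the page. The
# real payload is a fixed binary structure; this "|"-joined layout does not
# claim to match it and exists only so the round trip can be demonstrated.
SAMPLE_FIELDS = [
    "00000000-0000-0000-0000-000000000001",  # infection GUID (constructed)
    "10.0.0.5",                              # main internal IP (constructed)
    "ENG-WS01",                              # computer name (constructed)
    "EXAMPLE",                               # domain name (constructed)
    "5.1",                                   # Windows major.minor (constructed)
    "SCADA=1",                               # Siemens software present (constructed)
]
SAMPLE_PLAINTEXT = "|".join(SAMPLE_FIELDS).encode()

if __name__ == "__main__":
    path = encode_beacon(SAMPLE_PLAINTEXT)
    print("beacon path:", path)
    print("from sinkholed host:", classify_request("www.todaysfutbol.com", path))
    print("from other host:", classify_request("www.example.com", path))
```

Because the only protection on the wire is a fixed XOR mask with a key that is the same for every infected machine, anyone holding the key (which was published years ago) can read every beacon, which is exactly why a sinkhole operator can inventory infected hosts by hostname, domain and Siemens project path from the GET string alone.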